Hi all, well, it's Friday, so Earl gets a little time out to post.
Message: 16
To: xsprite@bigfoot.com
Cc: alug@stu.uea.ac.uk
Subject: Re: [Alug] Virus on Linux?
From: MJ Ray markj@cloaked.freeserve.co.uk
Organization: Cat-killingly bad
Date: 22 Jun 2001 12:49:23 +0100
xsprite@bigfoot.com writes:
If you have a high amount of bandwidth, or your ISP provides a service such as cable, you are likely to get scanned (I do at least once every two days or so), whether the scan is for open NetBIOS shares or the latest s'kiddie 0day.
My home dial-up machine gets scanned pretty much every evening for samba shares. I intend to develop a small samba share of poisoned files padded out with 0s (so they compress well and go up the modem fast).
The most likely culprit here is sharesniffer (www.sharesniffer.com). It's looking for Windoze (but will of course find any SMB public shares).

I have a load of virus algorithms in zip form I could let you have if you wish to set up an SMB 'honeypot' - sorry about the misappropriation. I was actually thinking of doing something like this: put a load of XL/Word files on a drive which are actually just these things. Some are disk crunchers, others boot sector infectors (TSR as well), others just lock your CPU into infinite loops etc. The 'nice' approach would be to just call them MyVeryImportantCreditCardsDetails.doc or something, and the lame script kiddie who has just scanned your machine for things will download it and probably try to open it in Word straight away, excited at the perceived goodies. ..... one would hope that such a donkey is not running a good virus checker.

Many are in Assembler for easy inclusion into any proggie..... Been looking for an excuse to use them (only have them for research purposes .... honest..!)

Cheers
Earl
Yes, don't let anything listen on the external interface unless absolutely necessary. netstat -a will show what's listening. inetd always seems to want to listen to everything, but you can use "ALL: ALL EXCEPT 127." in hosts.deny (man hosts_access) to pin that down to only the local machine (change to taste) for most services it starts. Commenting out some lines in /etc/X11/*/Xaccess is also good, as is running X with -nolisten tcp if you don't use that.
And use ipchains/iptables just to be sure.
Good Advice ....
-- MJR
Sorry, I was to have been at the last meet to do a little security demo but couldn't make it at the last minute. This is still a plan if it is still required. Sorry, I've forgotten, but I know there are a few others who are into this sort of thing (to the point of test-hacking their own machines, playing with nmap/nessus and others). It would be a good idea to collaborate on this, and do a proper job of it as a team... Mail me off list guys and let's start planning; we could have a nice little demo together for the next meet.

Cheers
Earl

Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Albert Einstein)
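As an added illustration of the advice in MJ Ray's quoted message (look at what netstat says is listening, and pin inetd services to the local machine with "ALL: ALL EXCEPT 127." in hosts.deny), not code from anyone in this thread: a small POSIX shell script that picks the non-loopback listeners out of constructed netstat -an output and emulates what that hosts.deny line does for a given client address. It assumes hosts.allow grants nothing first (hosts.allow is consulted before hosts.deny), and the netstat lines are made up for the example.

```shell
#!/bin/sh
# Added example (not from the ALUG thread): spot services bound to an
# external interface, and show what the hosts.deny rule quoted above
# actually lets through.  The netstat -an output below is constructed.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:1034        10.0.0.7:80             ESTABLISHED
udp        0      0 0.0.0.0:137             0.0.0.0:*'

# Print "proto local_address" for every listening socket that is not
# bound to loopback.  TCP sockets must be in LISTEN; UDP has no state
# column, so every UDP socket counts as a listener.
external_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 !~ /^127\./ { print $1, $4 }
        $1 ~ /^udp/ && $4 !~ /^127\./               { print $1, $4 }
    '
}

# Emulate the effect of the hosts.deny line
#     ALL: ALL EXCEPT 127.
# for one client address, assuming no hosts.allow entry matched first.
# A pattern ending in a dot is a prefix match in hosts_access(5), so only
# clients whose address begins "127." escape the deny.
# Returns 0 when the client would be denied, 1 when it would be allowed.
denied_by_hosts_deny() {
    case "$1" in
        127.*) return 1 ;;   # loopback client: exempt from the deny
        *)     return 0 ;;   # everything else: denied for every service
    esac
}

# Stand-alone usage: list what an outsider could reach, then confirm the
# wrapper rule turns away a remote client but not a local one.
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
denied_by_hosts_deny 10.0.0.7 && echo "10.0.0.7 denied by hosts.deny"
denied_by_hosts_deny 127.0.0.1 || echo "127.0.0.1 allowed by hosts.deny"
```

Note that tcp-wrappers only governs services started through inetd/tcpd or linked against libwrap, so a bare X server on port 6000 is not covered by hosts.deny, which is why the -nolisten tcp advice is given separately.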