[Lancaster] Andy's security discovery

Richard Robinson RichardRobinson at beulah.qualmograph.org.uk
Thu May 29 18:23:01 2003


> From: Andy Baxter <andy@earthsong.free-online.co.uk>
> Subject: [Lancaster] interesting security discovery
> 
> For me, the point is I'd never thought that a home user like me had to worry 
> too much about security - I thought you had to be a big organisation of some 
> sort to get targeted in this way. ...
> 
> The thing that still puzzles me is how anybody actually knew my ip to connect 
> to in the first place - there is an option in the 'host' command to get all 
> the host names in a particular domain, but when I tried this on the freeserve 
> modem server, it refused the connection.


It needn't be personal - an attempt specifically at you, because of
anything you are. I think for the last few years, a lot of this has been
random, simply try any machine you can find and see if you get a result.

for (a = 0; a < 256; a++)
  for (b = 0; b < 256; b++)
    for (c = 0; c < 256; c++)
      for (d = 0; d < 256; d++)
        {
          /* use a.b.c.d as an IP number and see what you can do with it ... */
        }

will, given enough time, cover the whole internet.

I have also heard that address ranges known to belong to dialup ISP
providers, particularly those using dynamic addresses, are favourite
targets for this kind of random scanning - since, if an address is
dynamic, then if you try it once and get nowhere, it's still worth
trying again later in case it's been assigned to someone else with
less security in the meantime (and there's a better chance it'll be some
windows-box-at-home-with-bad-security, compared with a static address).

> If I get to the point that I'm confident about how to set up security and I'm 
> feeling brave, maybe I'll try opening the samba port and faking a windows C 
> drive and see what they're trying to do...

And make it respond _really_ slowly, to make it more expensive for the
bastards <grin>. There's a webpage somewhere ... honeypot.org ?

It _is_ interesting to see what lies under the surface of the net, yes.
I wonder what proportion of all the traffic is this kind of noxious
junk? If you're running a webserver, try looking at the logs and spot the
attempts at C:\this-that-and-the-other - attempts to exploit the M$
webserver, which I think FrontPage (??) installs on lots of people's
machines without their quite realising it.

I think the moral is that, if you have any sort of connection to the
outside world, there _will_ be attempts on it. I now have a hardware
firewall box, and am much happier.



-- 
Richard Robinson
"The whole plan hinged upon the natural curiosity of potatoes" - S. Lem
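The log-reading exercise Richard suggests above (spotting the C:\ and FrontPage-style probes in a webserver log, and asking what fraction of the traffic they make up), worked through as an added example. This is not code from the original post or from the Lancaster list; the access-log lines are constructed for illustration, and the set of patterns treated as "junk" is an assumption, not a complete signature list.

```python
"""Pick automated attack noise out of an Apache-style access log.

Added example, not from the original post.  SAMPLE_LOG is constructed;
JUNK_PATTERNS is an assumed, deliberately small set of tell-tales for
probes aimed at a Windows/IIS box (C:\ paths, cmd.exe, directory
traversal, FrontPage server-extension paths).
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed NCSA common-log-format lines (documentation IP ranges).
SAMPLE_LOG = r"""
192.0.2.10 - - [29/May/2003:18:01:12 +0100] "GET / HTTP/1.1" 200 1043
192.0.2.10 - - [29/May/2003:18:01:13 +0100] "GET /style.css HTTP/1.1" 200 512
198.51.100.7 - - [29/May/2003:18:02:40 +0100] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 276
198.51.100.7 - - [29/May/2003:18:02:41 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
203.0.113.99 - - [29/May/2003:18:05:03 +0100] "GET /_vti_bin/shtml.exe/_vti_rpc HTTP/1.0" 404 276
192.0.2.10 - - [29/May/2003:18:06:00 +0100] "GET /photos/index.html HTTP/1.1" 200 8801
"""

# One common-log-format record: ip ident user [time] "method path proto" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed tell-tales.  Each is matched against the raw and the URL-decoded
# path so that "..%5c" is caught as well as "..\".
JUNK_PATTERNS = [
    ("windows_path", re.compile(r"[a-z]:\\", re.I)),          # c:\...
    ("cmd_exe", re.compile(r"cmd\.exe", re.I)),               # shell via webserver
    ("traversal", re.compile(r"\.\.(/|\\|%5c|%2f)", re.I)),   # ../ ..\ and encoded forms
    ("frontpage", re.compile(r"/_vti_", re.I)),               # FrontPage extension paths
]


def parse_line(line):
    """Return the fields of one log record as a dict, or None if unparseable."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the names of the junk patterns a request path matches (may be empty)."""
    decoded = unquote(path)
    return [name for name, rx in JUNK_PATTERNS if rx.search(path) or rx.search(decoded)]


def analyse(log_text):
    """Count requests, flag the junk, and tally it by source IP and by pattern."""
    total = junk = 0
    by_ip = Counter()
    by_pattern = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue  # blank or malformed line
        total += 1
        tags = classify(rec["path"])
        if tags:
            junk += 1
            by_ip[rec["ip"]] += 1
            by_pattern.update(tags)
    return {
        "total": total,
        "junk": junk,
        "fraction": junk / total if total else 0.0,
        "by_ip": dict(by_ip),
        "by_pattern": dict(by_pattern),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"{result['junk']} of {result['total']} requests look like attack noise "
          f"({result['fraction']:.0%})")
    for ip, n in sorted(result["by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} junk request(s)")
    for name, n in result["by_pattern"].items():
        print(f"  pattern {name}: {n}")
```

On a real log, feed `analyse()` the file contents instead of SAMPLE_LOG; the per-IP tally is the useful bit, since the noise arrives in short bursts from a handful of sources that never request an ordinary page, which is exactly the random-scanning behaviour described above.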