[Lancaster] Re: Lancaster digest, Vol 1 #20 - 1 msg

Paul Dougherty paul.dougherty at lancasterlug.org.uk
Tue May 27 15:53:00 2003



Dear Andy and all,
This might be of interest... Zombies etc: http://grc.com/dos/grcdos.htm

Best Wishes

Doc


On Tue, 27 May 2003 12:00:05 +0100, lancaster-request@mailman.lug.org.uk wrote:

>Send Lancaster mailing list submissions to
>	lancaster@mailman.lug.org.uk
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://mailman.lug.org.uk/mailman/listinfo/lancaster
>or, via email, send a message with subject or body 'help' to
>	lancaster-request@mailman.lug.org.uk
>
>You can reach the person managing the list at
>	lancaster-admin@mailman.lug.org.uk
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Lancaster digest..."
>
>
>Today's Topics:
>
>   1. interesting security discovery (Andy Baxter)
>
>--__--__--
>
>Message: 1
>From: Andy Baxter <andy@earthsong.free-online.co.uk>
>Reply-To: andy@earthsong.free-online.co.uk
>To: lancaster@mailman.lug.org.uk
>Date: Mon, 26 May 2003 18:05:49 +0000
>Subject: [Lancaster] interesting security discovery
>
>Just to let you all know that if you're running samba (windows file sharing 
>server) on your linux machines, make sure it's properly configured to refuse 
>connections from the wider internet.
>
>Out of curiosity, I downloaded a packet sniffer called ethereal the other 
>night to see what was going in and out of my ppp connection, and discovered 
>that about every five or ten minutes, various different machines across the 
>internet are trying to connect to mine and get a list of samba shares 
>available on my machine, using the netbios nameserver protocol at first, then 
>when they get the name, trying to open a samba connection. I looked up the 
>host IPs, and they are all of the sort:
>pc4-cbly1-3-cust75.glfd.cable.ntl.com
>host62-197.discord.birch.net
>(these are two real examples from the other night)
>
>i.e. most likely people on dial-up connections to big service providers. So 
>either there are a lot of amateur hackers out there, or else a lot of people 
>have already had their machines infected by internet worm type viruses which 
>are trying to replicate themselves. I had quite a few connections from a host 
>called alevrius_ (various IPs) which when I looked it up seemed to be 
>associated with a worm. Also 'gustavo', for which the first google result 
>turned up a cracker page in Brazil...
>
>For me, the point is I'd never thought that a home user like me had to worry 
>too much about security - I thought you had to be a big organisation of some 
>sort to get targeted in this way. Also it's kind of interesting to know that 
>under the clean surface you normally see when using the internet - web 
>browsers, ftp clients etc, there is all this hidden traffic going on.
>
>Don't want to make people paranoid though - if it is a windows worm program 
>that's being spread, it won't run in linux anyhow. For the time being, I've 
>just stopped running samba on boot-up, and installed some firewall software, 
>which I now have to work out how to configure...
>
>The thing that still puzzles me is how anybody actually knew my IP to connect 
>to in the first place - there is an option in the 'host' command to get all 
>the host names in a particular domain, but when I tried this on the freeserve 
>modem server, it refused the connection.
>
>If you want to try this out yourself, install ethereal, run it as root, 
>capture about 30 mins to an hour of ppp traffic, then type 'nbns' in the 
>filter window at the bottom of the screen and press 'Apply' and see what 
>comes up.
>
>If I get to the point that I'm confident about how to set up security and I'm 
>feeling brave, maybe I'll try opening the samba port and faking a windows C 
>drive and see what they're trying to do...
>
>andy.
>
>
>
>
>--__--__--
>
>_______________________________________________
>Lancaster mailing list
>Lancaster@mailman.lug.org.uk
>http://mailman.lug.org.uk/mailman/listinfo/lancaster
>
>
>End of Lancaster Digest
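The pattern Andy describes (an outside host sends a NetBIOS name-service query, then tries to open an SMB session) and his opening advice (configure Samba to refuse connections from the wider internet) can both be checked mechanically. The script below is an added example written for this thread, not code from either poster. The capture lines are constructed, loosely modelled on one-line packet summaries, and use the TEST-NET documentation ranges: 198.51.100.7 stands in for the home machine's public address. The smb.conf fragments are also constructed; `hosts allow`, `interfaces` and `bind interfaces only` are real Samba directives.

```python
# Added example for this thread (not the posters' code). Correlates NBNS
# (UDP/137) probes with SMB (TCP/139 or 445) follow-ups per external source,
# and checks whether an smb.conf [global] section keeps smbd off the internet.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample capture: time  src.port > dst.port  proto  description
SAMPLE_CAPTURE = """\
18:05:01.100 203.0.113.45.137 > 198.51.100.7.137 UDP NBNS query NBSTAT *
18:05:01.350 203.0.113.45.1042 > 198.51.100.7.139 TCP SYN
18:05:01.600 203.0.113.45.1042 > 198.51.100.7.139 TCP session request
18:09:44.010 192.168.1.20.137 > 198.51.100.7.137 UDP NBNS query NBSTAT *
18:09:44.200 192.168.1.20.1033 > 198.51.100.7.139 TCP SYN
18:12:12.500 198.51.100.200.137 > 198.51.100.7.137 UDP NBNS query NBSTAT *
18:15:30.000 203.0.113.99.4321 > 198.51.100.7.80 TCP SYN
"""

# RFC 1918 plus loopback, listed explicitly: ipaddress.is_private would also
# treat the TEST-NET documentation ranges used in the sample as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+) (UDP|TCP) (.*)$")


def is_external(ip):
    """True when the source is not on a private LAN range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def parse_line(line):
    """Split one constructed summary line into (time, src, dst_port, proto)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised summary line: %r" % line)
    when = datetime.strptime(m.group(1), "%H:%M:%S.%f")
    return when, m.group(2), int(m.group(5)), m.group(6)


def correlate(capture_text, window=timedelta(seconds=60)):
    """Per external source: NBNS queries seen, and SMB packets that followed an
    NBNS query from the same source within `window`, plus a verdict."""
    nbns_times = defaultdict(list)
    findings = {}
    for raw in capture_text.splitlines():
        if not raw.strip():
            continue
        when, src, dport, proto = parse_line(raw)
        if not is_external(src):
            continue  # LAN browsing is expected; the thread is about outside hosts
        if proto == "UDP" and dport == 137:
            nbns_times[src].append(when)
            entry = findings.setdefault(src, {"nbns_queries": 0, "smb_followups": 0})
            entry["nbns_queries"] += 1
        elif proto == "TCP" and dport in (139, 445):
            # Only SMB traffic that follows a name query counts as the pattern.
            recent = [t for t in nbns_times.get(src, [])
                      if timedelta(0) <= when - t <= window]
            if recent:
                findings[src]["smb_followups"] += 1
    for entry in findings.values():
        entry["verdict"] = ("enumerate-then-connect" if entry["smb_followups"]
                            else "nbns-probe-only")
    return findings


# Constructed smb.conf fragments: the open default, and one limited to the LAN.
OPEN_CONF = """\
[global]
   workgroup = HOME
[share]
   path = /srv/share
"""
LAN_ONLY_CONF = """\
[global]
   workgroup = HOME
   interfaces = lo eth0
   bind interfaces only = yes
   hosts allow = 127. 192.168.1.
   hosts deny = ALL
[share]
   path = /srv/share
"""


def check_smb_conf(conf_text):
    """Return problems found in [global]; an empty list means smbd is bound to
    named interfaces and only LAN hosts are allowed."""
    glob, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            glob[key.strip().lower()] = value.strip().lower()
    problems = []
    if "hosts allow" not in glob:
        problems.append("no 'hosts allow': any host that reaches the port is served")
    if glob.get("bind interfaces only") not in ("yes", "true", "1"):
        problems.append("'bind interfaces only' is not yes: smbd listens on every "
                        "interface, the ppp link included")
    elif "interfaces" not in glob:
        problems.append("'interfaces' is not set, so there is no LAN list to bind to")
    return problems
```

Run `correlate(SAMPLE_CAPTURE)` on the constructed capture: 203.0.113.45 is reported as enumerate-then-connect, 198.51.100.200 as nbns-probe-only, the 192.168.1.20 LAN host is ignored, and the port 80 SYN is not SMB at all. `check_smb_conf(OPEN_CONF)` returns two problems and `check_smb_conf(LAN_ONLY_CONF)` returns none; a packet filter on the ppp interface is still worth having in addition, as the post says.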