[Lancaster] Re: Lancaster digest, Vol 1 #20 - 1 msg
Paul Dougherty
paul.dougherty at lancasterlug.org.uk
Tue May 27 15:53:00 2003
Dear Andy and all,
This might be of interest...Zombies etc http://grc.com/dos/grcdos.htm
Best Wishes
Doc
On Tue, 27 May 2003 12:00:05 +0100, lancaster-request@mailman.lug.org.uk wrote:
>Send Lancaster mailing list submissions to
> lancaster@mailman.lug.org.uk
>
>To subscribe or unsubscribe via the World Wide Web, visit
> http://mailman.lug.org.uk/mailman/listinfo/lancaster
>or, via email, send a message with subject or body 'help' to
> lancaster-request@mailman.lug.org.uk
>
>You can reach the person managing the list at
> lancaster-admin@mailman.lug.org.uk
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Lancaster digest..."
>
>
>Today's Topics:
>
> 1. interesting security discovery (Andy Baxter)
>
>--__--__--
>
>Message: 1
>From: Andy Baxter <andy@earthsong.free-online.co.uk>
>Reply-To: andy@earthsong.free-online.co.uk
>To: lancaster@mailman.lug.org.uk
>Date: Mon, 26 May 2003 18:05:49 +0000
>Subject: [Lancaster] interesting security discovery
>
>Just to let you all know that if you're running samba (windows file sharing
>server) on your linux machines, make sure it's properly configured to refuse
>connections from the wider internet.
>
>Out of curiosity, I downloaded a packet sniffer called ethereal the other
>night to see what was going in and out of my ppp connection, and discovered
>that about every five or ten minutes, various different machines across the
>internet are trying to connect to mine and get a list of samba shares
>available on my machine, using the netbios nameserver protocol at first, then
>when they get the name, trying to open a samba connection. I looked up the
>host ips, and they are all of the sort:
>pc4-cbly1-3-cust75.glfd.cable.ntl.com
>host62-197.discord.birch.net
>(these are two real examples from the other night)
>
>i.e. most likely people on dial-up connections to big service providers. So
>either there are a lot of amateur hackers out there, or else a lot of people
>have already had their machines infected by internet worm type viruses which
>are trying to replicate themselves. I had quite a few connections from a host
>called alevrius_ (various ips) which when I looked it up seemed to be
>associated with a worm. Also 'gustavo', for which the first google result
>turned up a cracker page in Brazil...
>
>For me, the point is I'd never thought that a home user like me had to worry
>too much about security - I thought you had to be a big organisation of some
>sort to get targeted in this way. Also it's kind of interesting to know that
>under the clean surface you normally see when using the internet - web
>browsers, ftp clients etc, there is all this hidden traffic going on.
>
>Don't want to make people paranoid though - if it is a windows worm program
>that's being spread, it won't run in linux anyhow. For the time being, I've
>just stopped running samba on boot-up, and installed some firewall software,
>which I now have to work out how to configure...
>
>The thing that still puzzles me is how anybody actually knew my ip to connect
>to in the first place - there is an option in the 'host' command to get all
>the host names in a particular domain, but when I tried this on the freeserve
>modem server, it refused the connection.
>
>If you want to try this out yourself, install ethereal, run it as root,
>capture about 30mins to an hour of ppp traffic, then type 'nbns' in the
>filter window at the bottom of the screen and press 'Apply' and see what
>comes up.
>
>If I get to the point that I'm confident about how to set up security and I'm
>feeling brave, maybe I'll try opening the samba port and faking a windows C
>drive and see what they're trying to do...
>
>andy.
>
>
>
>
>--__--__--
>
>_______________________________________________
>Lancaster mailing list
>Lancaster@mailman.lug.org.uk
>http://mailman.lug.org.uk/mailman/listinfo/lancaster
>
>
>End of Lancaster Digest