Excerpts from Charles Jones's message of Mon Mar 30 08:46:35 -0700 2009:
> Andrew "Tuna" Harris wrote:
> > Excerpts from kitepi...@kitepilot.com's message of Mon Mar 30 05:30:51 
> > -0700 2009:
> >   
> >> And how do I:
> >> "starting by iptable deny all of china" ? 
> >>
> >> I can figure out the "iptable" part, it is the "china" part (and other 
> >> possible places where I know I will only get spam from) that I am unaware 
> >> of... 
> >>
> >> Thanks!
> >> Enrique 
> >>
> >
> > Easy! There are online lists of Chinese and Korean IP blocks that you
> > can deny. I found one that came with a perl script to do it all
> > automagically.
> >
> > http://is.gd/pEsB
> >
> > That guy has some other interesting things too. Nice blog he's got goin'
> > there.
> >
> > But I HIGHLY suggest you read those files to make sure there's nothing
> > you don't want blocked out. You can just comment out things you don't
> > want blocked in the access.list file. It's all plaintext.
> >
> > And definitely give ANYTHING you run as root a second look. This script
> > is okay for me but it's always good to be a little paranoid.
> >
> >> Lisa Kachold writes: 
> >>
> >>> Well, the sad fact is that _any_ machine will kick over and barf its 
> >>> guts under distributed attacks; it just depends on what it does after the 
> >>> green slime clears..
> >>> Also, it really helps if you run one that won't take WRT, or only runs on 
> >>> an arm, with small memory therefore they aren't too hot to pwn you.  
> >>> Linksys put out the source, whereupon I built my own, and played with the 
> >>> features; you know kiddies are doing this also.   
> >>>
> >>> Course, if you have a WRT-able router, it's a good idea to set it up as a 
> >>> small linux system, but you have to know how to work it; starting by 
> >>> iptable deny all of china is a good start.
> >>> I have had mine owned regularly; I just flash it again.  Mine is easy to 
> >>> determine, since it suddenly starts showing AIM ports open.  Once they 
> >>> target you successfully, they will insidiously continue to keep track of 
> >>> you; rather like trophy hunting.
> >>> I could have done a complete defcon presentation on various routers by 
> >>> this time.  
> >>> That's why I always suggest to everyone, if you see something strange, 
> >>> you see something strange, report it, complain, study it, rather than 
> >>> continuing to agree with everyone in denial about the sad state of 
> >>> security.
> >>> Obnosis | (503)754-4452 
> >>>
> >>> PLUG Linux Security Labs 2nd Saturday Each mo...@noon - 3PM 
> >>>
> >>>> Subject: Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
> >>>> From: t...@supertunaman.com
> >>>> To: plug-discuss@lists.plug.phoenix.az.us
> >>>> Date: Fri, 27 Mar 2009 17:57:34 -0700 
> >>>>
> >>>> Excerpts from Charles Jones's message of Fri Mar 27 14:19:05 -0700 2009:
> >>>>> http://www.linux-magazine.com/online/news/psyb0t_attacks_linux_routers_update
> >>>>>
> >>>>> Some parts of this article made me LOL. Like:
> >>>>>
> >>>>> "One type of malware connects primarily to a chat system such as IRC, 
> >>>>> which your ordinary 14-year-old might join for the latest superstar 
> >>>>> gossip."
> >>>>>
> >>>>> and:
> >>>>>
> >>>>> "Each IRC network usually has hundreds of these channels, typically 
> >>>>> starting with a hash mark in its name, such as #superstars."
> >>>>>
> >>>>> and:
> >>>>>
> >>>>> "A participant joining a channel who is not a human is usually a 
> >>>>> program 
> >>>>> called a bot. There are all kinds of bots lurking in the IRC, some of 
> >>>>> them explain UNIX commands, look up bus schedules or forecast the 
> >>>>> weather. Some, however, await special, often secret, commands"
> >>>>>
> >>>>> Which prompted me to say on IRC:
> >>>>> [03-27-2009 14:11:10] <Charles> hahaha
> >>>>> [03-27-2009 14:12:54] * Charles is awaiting special secret commands
> >>>>> [03-27-2009 14:13:28] <Charles> but only if you are a superstar
> >>>>>
> >>>>> Seriously though, I sadly have a lot of experience being attacked by, 
> >>>>> and hunting down and eradicating botnets. Infected routers are really 
> >>>>> evil, since your typical user has no way to notice or see that 
> >>>>> something is running that should not be. This could become a real problem as WRT 
> >>>>> and other linux-based routers become more popular. 
> >>>> I just wish I had come up with the idea of WRT-based botnets first. :< 
> >>>>
> >>>> I guess the vendors will just have to set randomly generated default
> >>>> passwords, and pass along a little card that says "omgwtfbbq ur password
> >>>> lol". But you KNOW that they'll never get around to that soon.
> >>>> ---------------------------------------------------
> I only perused it quickly, but it looked to me like that guy's script 
> blocks EVERYTHING except trusted IPs, not just china? It has an "INPUT 
> -p tcp --dport 22 -j DROP" at the end.  I don't understand why it goes 
> through the trouble to block china IP blocks, if it's blocking 
> *everything* other than the trusted list anyway?
Right, so just comment out that bit and you're fine.

> "*The access.list file is pre-configured to drop packets from all of the 
> IP blocks* at http://www.okean.com/antispam/sinokorea.html.  However, 
> you should jump to the bottom of *access.list* and add any trusted IP's 
> (e.g., work and home) that you want to accept SSH traffic from.  _By 
> default, any other incoming requests on port 22 from addresses you don't 
> trust will be dropped_."
> 
> Please tell me if I am wrong, after all it is Monday morning and I may 
> not be thinking clearly :)
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
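The chain the quoted README describes (drop the listed blocks, accept SSH from trusted hosts, drop all other SSH) as a first-match simulation in Python. This is an added example, not the thread's or the linked script's code; the access list contents and trusted hosts are constructed RFC 5737 addresses, and the rule order is assumed from the README wording.

```python
import ipaddress

# Constructed stand-in for the script's access.list: one CIDR per line,
# '#' starts a comment (commenting a line out un-blocks it, as the thread says).
ACCESS_LIST = """
# constructed sample blocks (RFC 5737 documentation ranges, not the real list)
203.0.113.0/24
198.51.100.0/24
#192.0.2.0/24   <- commented out, so this range is NOT blocked
"""
TRUSTED = ["192.0.2.10", "192.0.2.11"]  # hypothetical work/home SSH sources

def parse_access_list(text):
    """Return the networks still active in the list (comments and blanks skipped)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def build_chain(blocked, trusted):
    """Rules as (src_net, dport, action), in the order the README describes."""
    rules = [(n, None, "DROP") for n in blocked]          # listed blocks: dropped on every port
    rules += [(ipaddress.ip_network(t), 22, "ACCEPT") for t in trusted]  # trusted SSH sources
    rules.append((None, 22, "DROP"))                      # everyone else: no SSH
    return rules

def evaluate(chain, src, dport, policy="ACCEPT"):
    """First matching rule wins, as in a netfilter chain; else the chain policy."""
    addr = ipaddress.ip_address(src)
    for net, port, action in chain:
        if (net is None or addr in net) and (port is None or port == dport):
            return action
    return policy

def render(chain):
    """The iptables commands the chain corresponds to (strings only, never run)."""
    lines = []
    for net, port, action in chain:
        cmd = "iptables -A INPUT"
        if net is not None:
            cmd += f" -s {net.with_prefixlen}"
        if port is not None:
            cmd += f" -p tcp --dport {port}"
        lines.append(cmd + f" -j {action}")
    return lines
```

Running `evaluate` over the chain shows the distinction behind Charles's question: a source in a listed block is dropped on any port, while the trailing rule only drops port 22, so an unlisted, untrusted host still reaches other services.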
