Unfortunately, a scan like nmap or netcat can trivially use random or source
choice IP.
So a distributed denial of service (and more than a few script kiddie bots and
toolz) originate from Chinese source addresses.
The real scanner is actually behind the proxy watching it all ready for the all
important moment when the results don't equal null and he can reset your
firmware with his own.
Some of the fun items that his firmware can include are:
1) Javascript XSS tunnel browser exploit for whoever maintains the router.
2) All remote management to a list of his IPS.
3) Port forward certain packets outbound to certain IP's to another place.
4) Allow for sniffing of internal router packet traffic (all clear text email,
etc.)
5) Allow for sniffing and decrypt via ettercap and john of encrypted traffic
(passwords, etc.)
6) Create a ipsec tunnel or VPN.
7) It will usually remove certificates or help files to do this, and often one
will see very quickly the "real" web based forms, during save.
The only thing you will notice are network slowage, router reboots, and if you
are slightly saavy, fantom ports opening and system that are strangely changes
(Bonobo suddenly being implemented for instance).
Your linux system is going to have all the binary changed via RootInABox and
files low level iode changes, so you probably won't even see them via
MidnightCommander.
You are pwned = just keep ignoring it all; keep pretending that it's a nice
secure Matrix world?
Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each mo...@noon - 3PM
> From: bon...@cornerstonehome.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: RE: starting by iptable deny all of china is a good start. - Re:OT?
> Linux-based trojans now targeting WRT and other linux-based routers
> Date: Mon, 30 Mar 2009 23:31:03 -0700
>
> If you should never get a request outside the US why should you look any
> further to deny it? This is not complete protection by any measure but it
> makes an easy first step. I used to go one step further and block my
> dynamic hosted websites (where you don't get to mess with iptables) from
> being touched by people out side their target zone (usually US and Canada).
> It immediately cuts the number of admin.php request by more then half ;)
>
> That said you still need additional protection for ips you do allow through
> to the next set of rules.
>
> -----Original Message-----
> From: plug-discuss-boun...@lists.plug.phoenix.az.us
> [mailto:plug-discuss-boun...@lists.plug.phoenix.az.us] On Behalf Of Craig
> White
> Sent: Monday, March 30, 2009 8:39 AM
> To: Main PLUG discussion list
> Subject: Re: starting by iptable deny all of china is a good start. - Re:OT?
> Linux-based trojans now targeting WRT and other linux-based routers
>
> On Mon, 2009-03-30 at 08:30 -0400, kitepi...@kitepilot.com wrote:
> > And how do I:
> > "starting by iptable deny all of china" ?
> >
> > I can figure out the "iptable" part, it is the "china" part (and other
> > possible places where I know I will only get spam from) that I am
> > unaware of...
> ----
> I do not believe that this is constructive thinking. It's easy enough for
> someone in China to use a computer somewhere else as a base for operations
> and that security doesn't come from just arbitrarily picking ranges of ip
> addresses to block. Security would necessarily require effectiveness from
> virtually everywhere - possibly even your own 'trusted' lan.
>
> Spam control on the other hand doesn't rely much on iptables at all but
> rather many layers of implementation such as RBL's, greylisting (optional
> but effective), spamassassin, smtp level restrictions and more.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
_________________________________________________________________
Express your personality in color! Preview and select themes for HotmailĀ®.
http://www.windowslive-hotmail.com/LearnMore/personalize.aspx?ocid=TXT_MSGTX_WL_HM_express_032009#colortheme
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
