starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
And how do I "starting by iptable deny all of china"? I can figure out the iptable part; it is the China part (and other possible places where I know I will only get spam from) that I am unaware of...

Thanks!
Enrique

Lisa Kachold writes:

> Well, the sad fact is that _any_ machine will kick over and barf its guts under distributed attacks; it just depends on what it does after the green slime clears.
>
> Also, it really helps if you run one that won't take WRT, or only runs on an ARM with small memory; therefore they aren't too hot to pwn you. Linksys put out the source, whereupon I built my own and played with the features; you know kiddies are doing this also.
>
> Course, if you have a WRT-able router, it's a good idea to set it up as a small Linux system, but you have to know how to work it; starting by iptable deny all of china is a good start.
>
> I have had mine owned regularly; I just flash it again. Mine is easy to determine, since it suddenly starts showing AIM ports open. Once they target you successfully, they will insidiously continue to keep track of you; rather like trophy hunting. I could have done a complete defcon presentation on various routers by this time.
>
> That's why I always suggest to everyone: if you see something strange, you see something strange, report it, complain, study it, rather than continuing to agree with everyone in denial about the sad state of security.
>
> Obnosis | (503)754-4452
> PLUG Linux Security Labs 2nd Saturday Each mo...@noon - 3PM
>
> Subject: Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
> From: t...@supertunaman.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Date: Fri, 27 Mar 2009 17:57:34 -0700
>
> Excerpts from Charles Jones's message of Fri Mar 27 14:19:05 -0700 2009:
>
> > http://www.linux-magazine.com/online/news/psyb0t_attacks_linux_routers_update
> >
> > Some parts of this article made me LOL. Like:
> >
> > > One type of malware connects primarily to a chat system such as IRC, which your ordinary 14-year-old might join for the latest superstar gossip.
> >
> > and:
> >
> > > Each IRC network usually has hundreds of these channels, typically starting with a hash mark in its name, such as #superstars.
> >
> > and:
> >
> > > A participant joining a channel who is not a human is usually a program called a bot. There are all kinds of bots lurking in the IRC, some of them explain UNIX commands, look up bus schedules or forecast the weather. Some, however, await special, often secret, commands
> >
> > Which prompted me to say on IRC:
> >
> > [03-27-2009 14:11:10] Charles hahaha
> > [03-27-2009 14:12:54] * Charles is awaiting special secret commands
> > [03-27-2009 14:13:28] Charles but only if you are a superstar
> >
> > Seriously though, I sadly have a lot of experience being attacked by, and hunting down and eradicating, botnets. Infected routers are really evil, since your typical user has no way to notice or see that something is running that should not be. This could become a real problem as WRT and other linux-based routers become more popular. I just wish I had come up with the idea of WRT-based botnets first. :)
> >
> > I guess the vendors will just have to set randomly generated default passwords, and pass along a little card that says "omgwtfbbq ur password lol". But you KNOW that they'll never get around to that soon.

---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
Excerpts from kitepi...@kitepilot.com's message of Mon Mar 30 05:30:51 -0700 2009:

> And how do I "starting by iptable deny all of china"? I can figure out the iptable part; it is the China part (and other possible places where I know I will only get spam from) that I am unaware of...
>
> Thanks!
> Enrique

Easy! There are online lists of Chinese and Korean IP blocks that you can deny. I found one that came with a Perl script to do it all automagically.

http://is.gd/pEsB

That guy has some other interesting things too. Nice blog he's got goin' there.

But I HIGHLY suggest you read those files to make sure there's nothing you don't want blocked out. You can just comment out things you don't want blocked in the access.list file. It's all plaintext.

And definitely give ANYTHING you run as root a second look. This script is okay for me, but it's always good to be a little paranoid.
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
On Mon, 2009-03-30 at 08:30 -0400, kitepi...@kitepilot.com wrote:

> And how do I "starting by iptable deny all of china"? I can figure out the iptable part; it is the China part (and other possible places where I know I will only get spam from) that I am unaware of...

I do not believe that this is constructive thinking. It's easy enough for someone in China to use a computer somewhere else as a base for operations, and security doesn't come from just arbitrarily picking ranges of IP addresses to block. Security would necessarily require effectiveness from virtually everywhere - possibly even your own 'trusted' LAN.

Spam control, on the other hand, doesn't rely much on iptables at all but rather on many layers of implementation such as RBLs, greylisting (optional but effective), SpamAssassin, SMTP-level restrictions and more.

Craig
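Craig's point is that spam control comes from layers at the SMTP level rather than from address-range blocking. As an added illustration of one of the layers he names, greylisting, here is a minimal policy check of the kind Postfix can consult through its policy delegation protocol (attribute lines in, `action=` out). This is example code written for this page, not anything from the thread or from Postfix itself; the timing knobs, the /24 collapsing of the client address, and every address and timestamp are assumptions or constructed sample data.

```python
import ipaddress

# Assumed policy knobs (not values from the thread): a sender must retry no
# sooner than 5 minutes and no later than 4 hours after first contact; a
# triplet that has passed stays whitelisted for 36 days of inactivity.
MIN_DELAY = 5 * 60
RETRY_WINDOW = 4 * 3600
AUTO_WHITELIST = 36 * 24 * 3600

# Replies in the form Postfix's policy delegation protocol expects: a
# temporary rejection the client is meant to retry, or "dunno" to hand the
# decision on to the next restriction in the chain (the other layers).
DEFER = "defer_if_permit Greylisted, please try again in a few minutes"
PASS = "dunno"


def client_key(client_ip):
    """Collapse the client to its /24 (or /64 for IPv6) so a retry from a
    sibling host in the same outbound pool still matches. Assumption: a
    common operational tweak, not something the thread prescribes."""
    ip = ipaddress.ip_address(client_ip)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class Greylist:
    """In-memory greylist keyed on the (client, sender, recipient) triplet."""

    def __init__(self):
        self.pending = {}   # triplet -> time of first contact
        self.passed = {}    # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(client_ip, sender, recipient):
        return (client_key(client_ip), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        key = self.triplet(client_ip, sender, recipient)
        last = self.passed.get(key)
        if last is not None and now - last <= AUTO_WHITELIST:
            self.passed[key] = now           # known-good triplet: refresh it
            return PASS
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now          # new, or the old attempt went stale
            return DEFER
        if now - first < MIN_DELAY:
            return DEFER                     # retried too fast: still greylisted
        del self.pending[key]                # patient retry inside the window
        self.passed[key] = now
        return PASS


def parse_policy_request(blob):
    """Attribute lines 'name=value', terminated by an empty line."""
    attrs = {}
    for line in blob.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_reply(greylist, blob, now):
    """One round of the policy protocol: request text in, 'action=...' out."""
    a = parse_policy_request(blob)
    action = greylist.check(a["client_address"], a["sender"], a["recipient"], now)
    return f"action={action}\n\n"


if __name__ == "__main__":
    # Constructed sequence of delivery attempts; timestamps are seconds.
    g = Greylist()
    attempts = [(0, "203.0.113.10"), (60, "203.0.113.10"),
                (600, "203.0.113.11"), (86400, "203.0.113.10")]
    for t, ip in attempts:
        print(t, ip, g.check(ip, "alice@example.org", "bob@example.net", t))
```

The first attempt is deferred, a retry after one minute is still deferred, a retry ten minutes later from a neighbouring host in the same /24 passes, and the triplet is then whitelisted; a real deployment would persist the two tables and purge stale `pending` entries, which this in-memory version leaves out.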
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
Agree... But for as long as my people don't have friends in Asia, I may as well block them all... :)

Enrique

Craig White writes:

> I do not believe that this is constructive thinking. It's easy enough for someone in China to use a computer somewhere else as a base for operations, and security doesn't come from just arbitrarily picking ranges of IP addresses to block.
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
Andrew Tuna Harris wrote:

> Easy! There are online lists of Chinese and Korean IP blocks that you can deny. I found one that came with a Perl script to do it all automagically.
>
> http://is.gd/pEsB
>
> But I HIGHLY suggest you read those files to make sure there's nothing you don't want blocked out. You can just comment out things you don't want blocked in the access.list file. It's all plaintext.
>
> And definitely give ANYTHING you run as root a second look. This script is okay for me, but it's always good to be a little paranoid.

I only perused it quickly, but it looked to me like that guy's script blocks EVERYTHING except trusted IPs, not just China? It has an INPUT -p tcp --dport 22 -j DROP at the end. I don't understand why it goes through the trouble to block China IP blocks, if it's blocking *everything* other than the trusted list anyway?

> *The access.list file is pre-configured to drop packets from all of the IP blocks* at http://www.okean.com/antispam/sinokorea.html. However, you should jump to the bottom of *access.list* and add any trusted IP's (e.g., work and home) that you want to accept SSH traffic from. _By default, any other incoming requests on port 22 from addresses you don't trust will be dropped_.

Please tell me if I am wrong; after all, it is Monday morning and I may not be thinking clearly :)
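Two things in this exchange are worth seeing in code: Andrew's advice to read the plaintext access.list and comment out ranges you do not want blocked, and Charles's observation that a trailing `INPUT -p tcp --dport 22 -j DROP` makes the per-range DROPs in front of it pointless for that port. The example below is written for this page; it is not the Perl script from the linked blog and it does not execute anything. It parses an access.list-style file (constructed sample, RFC 5737 documentation ranges rather than real country allocations), renders the chain as iptables commands, and then evaluates the chain with first-match semantics to report which rules change no verdict. It goes one step beyond the thread by also catching the opposite mistake: a trusted host that sits inside a blocked range is shadowed by the range DROP in front of it. Trusted addresses and probe addresses are constructed.

```python
import ipaddress

# Constructed sample in the style the thread describes: plain text, one CIDR
# per line, '#' starts a comment. RFC 5737 documentation ranges stand in for
# the real country allocations the linked list carries.
SAMPLE_ACCESS_LIST = """\
# ranges to drop
203.0.113.0/24
# 198.51.100.0/24   <- commented out, so this range is NOT dropped
192.0.2.0/24
"""


def parse_access_list(text):
    """Return the networks that are not commented out."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def build_chain(blocked, trusted, port=22, catch_all=True):
    """Rules as (source network or None, dport, target), in the order the
    thread describes: per-range DROPs, then ACCEPT for each trusted host,
    then the trailing '--dport 22 -j DROP' that Charles noticed."""
    chain = [(net, port, "DROP") for net in blocked]
    chain += [(ipaddress.ip_network(t), port, "ACCEPT") for t in trusted]
    if catch_all:
        chain.append((None, port, "DROP"))
    return chain


def to_iptables(chain, name="INPUT"):
    """Render the chain as iptables commands. Text only; nothing is executed."""
    lines = []
    for src, dport, target in chain:
        cmd = ["iptables", "-A", name, "-p", "tcp"]
        if src is not None:
            cmd += ["-s", str(src)]
        cmd += ["--dport", str(dport), "-j", target]
        lines.append(" ".join(cmd))
    return lines


def first_match(chain, src_ip, dport, policy="ACCEPT"):
    """Verdict for one TCP packet under first-match semantics; 'policy'
    plays the chain's default policy when no rule matches."""
    ip = ipaddress.ip_address(src_ip)
    for src, port, target in chain:
        if (src is None or ip in src) and port == dport:
            return target
    return policy


def probes_for(chain, outside_ip, extra_port=80):
    """One representative packet per rule, plus one from an address outside
    every listed range and one on a port the chain does not cover."""
    probes = []
    for src, port, _ in chain:
        if src is not None:
            probes.append((str(next(iter(src.hosts()), src.network_address)), port))
    probes.append((outside_ip, chain[0][1]))
    probes.append((outside_ip, extra_port))
    return probes


def redundant_rules(chain, probes):
    """Indices of rules whose removal changes no probe's verdict: either a
    later rule already gives the same answer (Charles's case) or an earlier
    rule shadows this one so it never fires."""
    baseline = [first_match(chain, ip, p) for ip, p in probes]
    dead = []
    for i in range(len(chain)):
        trimmed = chain[:i] + chain[i + 1:]
        if [first_match(trimmed, ip, p) for ip, p in probes] == baseline:
            dead.append(i)
    return dead


if __name__ == "__main__":
    blocked = parse_access_list(SAMPLE_ACCESS_LIST)
    trusted = ["198.51.100.7"]                  # constructed "home" address
    chain = build_chain(blocked, trusted)
    print("\n".join(to_iptables(chain)))
    # With the catch-all in place the two range DROPs add nothing on port 22.
    print("redundant:", redundant_rules(chain, probes_for(chain, "198.51.100.200")))
    # A trusted host inside a blocked range is shadowed by the range DROP in
    # front of it; the analysis reports the ACCEPT as dead, not the DROP.
    chain = build_chain(blocked, trusted + ["203.0.113.77"])
    print("shadowed trust:", redundant_rules(chain, probes_for(chain, "198.51.100.200")))
```

Without the catch-all the range DROPs do real work again, and it is then the ACCEPT for the trusted host that becomes redundant under an ACCEPT default policy; the probe-based check is only as thorough as the probe set, so it is a sanity check on rule ordering, not a proof.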
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
I'm gonna ignore most of the implications of this and just say one thing that you're apparently not considering...

Once you implement a methodology, you then become committed to maintaining the implementation, and IP address ranges change, people go to China for visiting, other people might have to troubleshoot your implementations, etc.

I try hard not to solve symptoms by implementing narrowly targeted solutions but rather focus on the larger problems. I see a lot of SMTP thuggery coming from eastern Europe and South America, not just China. Postfix does a really good job of bandwidth and pipeline limiting.

Craig

On Mon, 2009-03-30 at 11:45 -0400, kitepi...@kitepilot.com wrote:

> Agree... But for as long as my people don't have friends in Asia, I may as well block them all... :)
>
> Enrique
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
Agree too... Man, I hate intelligent people, they make me look sooo dumb! :)

Very valid point.

ET

Craig White writes:

> Once you implement a methodology, you then become committed to maintaining the implementation, and IP address ranges change, people go to China for visiting, other people might have to troubleshoot your implementations, etc.
>
> I try hard not to solve symptoms by implementing narrowly targeted solutions but rather focus on the larger problems. I see a lot of SMTP thuggery coming from eastern Europe and South America, not just China. Postfix does a really good job of bandwidth and pipeline limiting.
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
Excerpts from Charles Jones's message of Mon Mar 30 08:46:35 -0700 2009:

> I only perused it quickly, but it looked to me like that guy's script blocks EVERYTHING except trusted IPs, not just China? It has an INPUT -p tcp --dport 22 -j DROP at the end. I don't understand why it goes through the trouble to block China IP blocks, if it's blocking *everything* other than the trusted list anyway?

Right, so just comment out that bit and you're fine.

> > *The access.list file is pre-configured to drop packets from all of the IP blocks* at http://www.okean.com/antispam/sinokorea.html. However, you should jump to the bottom of *access.list* and add any trusted IP's
RE: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
Would you believe he's only doing it for his Grandma, who lives in Pasadena, and she only gets on the internet on Sundays?

-----Original Message-----
From: plug-discuss-boun...@lists.plug.phoenix.az.us [mailto:plug-discuss-boun...@lists.plug.phoenix.az.us] On Behalf Of Andrew Tuna Harris
Sent: Monday, March 30, 2009 9:01 AM
To: plu@lists.plug.phoenix.az.us Main PLUG discussion list
Subject: Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers

Excerpts from Charles Jones's message of Mon Mar 30 08:46:35 -0700 2009:

> I only perused it quickly, but it looked to me like that guy's script blocks EVERYTHING except trusted IPs, not just
Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
great learning experience!

On Mon, Mar 30, 2009 at 4:44 PM, Bob Elzer bob.el...@gmail.com wrote:

> Would you believe he's only doing it for his Grandma, who lives in Pasadena, and she only gets on the internet on Sundays?