Hackers Enjoy a Bad Patch

Hackers Enjoy a Bad Patch

Post by `WarpKa » Tue, 17 Sep 2002 19:45:15



http://www.vnunet.com/News/1134941

<!--
 In a separate report published earlier this month, MI2G indicated that
 Windows was the most vulnerable operating system and the one most likely
 to be hacked.

The company said the number of attacks on Windows-based systems was
steadily rising, increasing by five percent in June and 12 percent in
July. In comparison, it found that attacks on Linux systems were falling,
and in June they declined by as much as 39 percent.
-->

`nuff said.

 
 
 

Hackers Enjoy a Bad Patch

Post by Bone » Tue, 17 Sep 2002 20:30:01


[snip]

> The company said the number of attacks on Windows-based systems was
> steadily rising, increasing by five percent in June and 12 percent in
> July. In comparison, it found that attacks on Linux systems were falling,
> and in June they declined by as much as 39 percent.

But still, Linux accounts for some 36% of machines compromised. That is
nothing to sneeze at, and further shows how clueless administrators continue
to be stupid, regardless of operating system being administrated. Note how
there is a (primarily Linux-based) worm circulating which takes advantage of
bugs in OpenSSL that were patched over 45 days ago. No one asked, but I'll
mention that I'm *still* getting CodeRed and Admin worm attacks in my
webserver logs. Incredible.

--
Bones
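
Bone's remark about still seeing CodeRed and worm probes in webserver logs is easy to check for yourself. The script below is an added example, not code from this thread: it runs two well-known 2002-era signatures (Code Red's `/default.ida?NNNN...` and `?XXXX...` requests, and Nimda's `root.exe`/`cmd.exe` probes in their plain and `%255c`/`%c0%af` traversal forms) over a constructed Apache combined-format log. The log lines, the RFC 5737 test addresses in them, and the function names `worm_hits` and `worm_sources` are mine; the sample log is written to a temp file so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the thread: count and attribute 2002-era worm
# probes in an Apache combined-format access log.
#
# Signatures (well known; not taken from the page):
#   Code Red / Code Red II : GET /default.ida?NNNN... or ?XXXX... (IIS .ida ISAPI overflow)
#   Nimda                  : /scripts/root.exe, .../cmd.exe, and the ..%255c / ..%c0%af
#                            directory-traversal forms of the same request
# On Apache these requests can only ever 404; they are still worth counting
# because every hit is an infected, unpatched host that now has your address.

# worm_hits LOGFILE -> prints "codered N nimda M"
worm_hits() {
    awk '
        /"GET \/default\.ida[?][NX]+/                      { codered++ }
        /(root|cmd)\.exe/ || /%255c/ || /%c0%af/             { nimda++ }
        END { printf "codered %d nimda %d\n", codered + 0, nimda + 0 }
    ' "$1"
}

# worm_sources LOGFILE -> one client IP per line for every matching request,
# deduplicated, so the list can go straight into a firewall rule or an abuse report
worm_sources() {
    awk '
        /"GET \/default\.ida[?][NX]+/ || /(root|cmd)\.exe/ || /%255c/ || /%c0%af/ { print $1 }
    ' "$1" | sort -u
}

# Constructed sample log (RFC 5737 test addresses, shortened Code Red payloads).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.4 - - [16/Sep/2002:02:10:51 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [16/Sep/2002:02:11:09 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
192.0.2.77 - - [16/Sep/2002:02:12:30 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
192.0.2.77 - - [16/Sep/2002:02:12:31 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
198.51.100.9 - - [16/Sep/2002:02:14:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
192.0.2.10 - - [16/Sep/2002:02:15:44 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
EOF

worm_hits "$SAMPLE_LOG"      # codered 2 nimda 3
worm_sources "$SAMPLE_LOG"   # 192.0.2.10, 192.0.2.77, 198.51.100.9
```

Point `worm_hits` at a real access_log and the numbers are what Bone is describing; the source list is the part you can act on, since the scanning hosts are compromised machines whose owners usually have no idea.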

 
 
 

Hackers Enjoy a Bad Patch

Post by `WarpKa » Tue, 17 Sep 2002 23:47:56




> [snip]

>> The company said the number of attacks on Windows-based systems was
>> steadily rising, increasing by five percent in June and 12 percent in
>> July. In comparison, it found that attacks on Linux systems were
>> falling, and in June they declined by as much as 39 percent.

> But still, Linux accounts for some 36% of machines compromised. That is
> nothing to sneeze at, and further shows how clueless administrators
> continue to be stupid, regardless of operating system being
> administrated. Note how there is a (primarily Linux-based) worm
> circulating which takes advantage of bugs in OpenSSL that were patched
> over 45 days ago. No one asked, but I'll mention that I'm *still*
> getting CodeRed and Admin worm attacks in my webserver logs. Incredible.

That is quite true.  Being an admin for a small network isn't easy.
Administering a large network has to be a new bottle of Advil every other
day.

I normally look at security sites and hang out in places on IRC networks
where I can grab info from other people who are actually experimenting on
a daily basis.

Usually, it's a cat and mouse game.  Especially in IRC channels.  But
then again, everyone here pretty much knows the pros and cons of IRC.
The pros being that you learn more and more from the first hand
experience of others in your field who are more or less "gray hats."  The
bad side is that you're often the guinea pig of their efforts...heh.

Security sites normally don't get this information until an epidemic
begins.

Nevertheless, I braced myself for it.

A quick workaround was to touch /tmp/.bugtraq.c; chmod 000
/tmp/.bugtraq.c; chattr +isu /tmp/.bugtraq.c

After that, I sorta took my time in upgrading.

=:P

 
 
 

Hackers Enjoy a Bad Patch

Post by Anthony Freemon » Wed, 18 Sep 2002 00:47:51



> A quick workaround was to touch /tmp/.bugtraq.c; chmod 000
> /tmp/.bugtraq.c; chattr +isu /tmp/.bugtraq.c

I understand the 'i' switch, but why the 's' and 'u' on the chattr command?

--
michael brown
"Don't believe anything you hear, and only half of what you see"

 
 
 

Hackers Enjoy a Bad Patch

Post by `WarpKa » Wed, 18 Sep 2002 01:32:16




>> A quick workaround was to touch /tmp/.bugtraq.c; chmod 000
>> /tmp/.bugtraq.c; chattr +isu /tmp/.bugtraq.c

> I understand the 'i' switch, but why the 's' and 'u' on the chattr
> command.

<!-- snipped from the man page.
       A  file with the `i' attribute cannot be modified: it can-
       not be deleted or renamed, no link can be created to  this
       file  and  no  data  can  be written to the file. Only the
       superuser can set or clear this attribute.

       When  a  file  with  the `u' attribute set is deleted, its
       contents are saved.  This allows the user to ask  for  its
       undeletion.
-->

Sorry...just +iu.  The +s was just a habit I guess.  I forgot what I used
it on.

 
 
 

Hackers Enjoy a Bad Patch

Post by Charlie Eber » Wed, 18 Sep 2002 06:19:42




> [snip]

> > The company said the number of attacks on Windows-based systems was
> > steadily rising, increasing by five percent in June and 12 percent in
> > July. In comparison, it found that attacks on Linux systems were falling,
> > and in June they declined by as much as 39 percent.

> But still, Linux accounts for some 36% of machines compromised. That is
> nothing to sneeze at, and further shows how clueless administrators continue
> to be stupid, regardless of operating system being administrated. Note how
> there is a (primarily Linux-based) worm circulating which takes advantage of
> bugs in OpenSSL that were patched over 45 days ago. No one asked, but I'll
> mention that I'm *still* getting CodeRed and Admin worm attacks in my
> webserver logs. Incredible.

> --
> Bones

Well, some administrators, Windows Administrators, are just crooked, evil, shits!

I remember a couple of years back, they brought in two RedHat servers to
do something and the evil shits blocked them off from the corporate
firewall so they couldn't communicate with the outside world and
conduct the business they were bought for.

Then they sent a guy over from 3 states away to get it installed,
tested and set up right.  He did so.  Then the evil shits screwed
it up again.

Funny though, the evil shits couldn't keep their Windows servers
up either.  

I have no idea what they're doing now.  I got sick and tired of
the * and work elsewhere.

Evil shits they were though.  

No doubt about it.

I've had my Debian Server up for about 3 years now.  

It just never quits and never needs rebooting.

The most networking trouble I've had was when
I lost a cable modem a year ago.  Got that
replaced and everything was just fine.

Linux is damn hard to kill or * up.

You have to intend on doing it.

Charlie

 
 
 

Hackers Enjoy a Bad Patch

Post by Mike » Wed, 18 Sep 2002 19:10:25




   Date: Mon, 16 Sep 2002 21:47:56 GMT
Partial reproduction follows:

> A quick workaround was to touch /tmp/.bugtraq.c;
> chmod 000 /tmp/.bugtraq.c; chattr +isu /tmp/.bugtraq.c
> After that, I sorta took my time in upgrading.

So, uh, there's a flaw in something you're (presumably) running that
allows arbitrary code execution, so your response is to protect your
system against one specific implementation of an exploit for it, and
then cease worrying about it?

Knowing full well that if someone created a version that,  say, used
/tmp/.bugtraq.C, your machine would be infected?

Madness, absolute madness.
--
Mike.   Remove "-spam" to mail me.  Better yet, don't mail me. ;-)
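
Mike's objection is that the immutable /tmp/.bugtraq.c trick keys on one dropper's filename while the OpenSSL hole itself stays open, and Bone's post notes the fix had been out for over 45 days. The check a practitioner wants at that point is whether the running OpenSSL is actually at a fixed release. The function below is an added example, not code from this thread: it classifies an `openssl version` string against the OpenSSL advisory of 30 July 2002 for CAN-2002-0656 (the SSLv2 client master key overflow the Slapper worm exploited), which lists everything through 0.9.6d and 0.9.7-beta2 as affected and 0.9.6e / 0.9.7-beta3 as fixed. The function name and the sample version strings are mine. One caveat, repeated in the code: vendor packages often carried the fix as a backport under the old version number (Red Hat's 0.9.6b errata packages, for instance), so an "affected" answer here means "check the package changelog", not "you are owned".

```sh
#!/bin/sh
# Added example, not from the thread: decide whether an OpenSSL version
# string predates the fix for CAN-2002-0656 (the SSLv2 client-master-key
# overflow that the Slapper worm exploited).
#
# Per the OpenSSL advisory of 30 Jul 2002: affected through 0.9.6d and
# 0.9.7-beta2; fixed in 0.9.6e and 0.9.7-beta3.
#
# CAVEAT: this inspects the upstream version only. Vendor packages often
# carried the fix as a backport under the old version number (Red Hat's
# 0.9.6b errata packages, for instance), so status 0 here means "verify
# against your distribution's advisory", not "compromised".

# openssl_needs_slapper_fix "OpenSSL 0.9.6d 9 May 2002"
# exit status: 0 = upstream version is affected, 1 = fixed, 2 = not an OpenSSL version line
openssl_needs_slapper_fix() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9A-Za-z.-]*\).*/\1/p')
    case "$ver" in
        '')                                     return 2 ;;
        0.[0-8].*|0.9.[0-5]*|0.9.6|0.9.6[a-d])  return 0 ;;   # everything through 0.9.6d
        0.9.7-beta[12])                         return 0 ;;   # 0.9.7 betas before the fix
        0.9.6*|0.9.7*)                          return 1 ;;   # 0.9.6e+, 0.9.7-beta3+, 0.9.7 final
        *)                                      return 1 ;;   # anything newer
    esac
}

# Run against the local build, if there is one.
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl version)
    rc=0
    openssl_needs_slapper_fix "$local_ver" || rc=$?
    case $rc in
        0) echo "AFFECTED (upstream): $local_ver -- check your vendor's package changelog" ;;
        1) echo "not affected by CAN-2002-0656: $local_ver" ;;
        *) echo "unrecognised version line: $local_ver" ;;
    esac
fi
```

The version check is the complement of the immutable-file trick, not a replacement for patching either: the file trick tells you nothing about whether the daemon is still exploitable, and this tells you nothing about whether a dropper with a different filename has already been through.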

 
 
 

Hackers Enjoy a Bad Patch

Post by `WarpKa » Wed, 18 Sep 2002 21:00:18





>    Date: Mon, 16 Sep 2002 21:47:56 GMT
> Partial reproduction follows:

>> A quick workaround was to touch /tmp/.bugtraq.c; chmod 000
>> /tmp/.bugtraq.c; chattr +isu /tmp/.bugtraq.c

>> After that, I sorta took my time in upgrading.

> So, uh, there's a flaw in something you're (presumably) running that
> allows arbitrary code execution, so your response is to protect your
> system against one specific implementation of an exploit for it, and
> then cease worrying about it?

> Knowing full well that if someone created a version that,  say, used
> /tmp/.bugtraq.C, your machine would be infected?

> Madness, absolute madness.

I said I sorta took my time in upgrading...I didn't say I ceased worrying
about it.

Re-read and comprehend.

I expect a 3 page essay by tomorrow afternoon on what you took your time
to understand.

 
 
 

Hackers Enjoy a Bad Patch

Post by Mike » Wed, 18 Sep 2002 22:04:12




   Date: Tue, 17 Sep 2002 19:00:18 GMT
Partial reproduction follows:




>>    Date: Mon, 16 Sep 2002 21:47:56 GMT
>> Partial reproduction follows:
>>> A quick workaround was to touch /tmp/.bugtraq.c;
>>> chmod 000 /tmp/.bugtraq.c; chattr +isu /tmp/.bugtraq.c
>>> After that, I sorta took my time in upgrading.
>> So, uh, there's a flaw in something you're (presumably) running that
>> allows arbitrary code execution, so your response is to protect your
>> system against one specific implementation of an exploit for it, and
>> then cease worrying about it?
>> Knowing full well that if someone created a version that,  say, used
>> /tmp/.bugtraq.C, your machine would be infected?
>> Madness, absolute madness.
> I said I sorta took my time in upgrading...I didn't say I ceased
> worrying about it.

Okay, so you protected your system against a specific implementation of
the exploit, and then sat back and continued worrying about it. Gotcha.

> Re-read and comprehend.

Yes, sir.

> I expect a 3 page essay by tomorrow afternoon on what you took your
> time to understand.

Are we talking 24-line pages, or A4 or Letter sized sheets in 8pt font?

Well, I'll give it a shot, but this is going to be quite difficult. Can
I count this fluff as part of the essay? Dammit, and I'm further cursed
by an irrational need to full-justify every single f*cking line. *.

Oh well.  Without further ado, I submit for your approval the following
essay on the topic of, "What Michael took his time to understand."

...

I believe that the failure in understanding, regrettably, lies not with
my interpretation of your post (wherein you said you "sorta took [your]
time in upgrading"), but rather lies in your interpretation of my reply
to the aforementioned post.

It is certainly true, however,  that I was perhaps a little blunt in my
response; my intention was to highlight what I perceived to be a rather
strange response to discovering one's system is potentially vulnerable,
and in so doing, I quite likely created the misconception that I hadn't
fully grasped the meaning and implications of what you were saying. For
that, I can only offer my sincerest apologies.

As to why I found your reaction so strange in the first place, allow me
to explain.  This perception of mine (that is, of your reaction to this
situation being unusual, unexpected, or "strange") is largely due to my
assumptions about yourself and your own motivations.  It's likely these
assumptions may be mistaken, so allow me to elaborate in a neat little,
space-consuming, numbered list:

1. By the mere fact that you took action (the quick workaround that you
   mentioned) to secure your system from the potential attack indicates
   that you are concerned about your system's security,  or at the very
   least would prefer it not become another victim of the exploit.

2. You said that you "took [your] time in upgrading".   This implies to
   me that you knew an upgrade would solve the problem at the time that
   you were implementing the workaround, which further implies that the
   upgrade was available in one form or another for your system.

3. My understanding of common security practices is such that,  upon an
   administrator who is security-conscious (as I assumed you to be, due
   to point #1 above) discovering that they are vulnerable to a problem
   for which an update which corrects the problem exists, would wish to
   upgrade to the new version in the shortest possible amount of time.

So, given that I was operating under these assumptions -- which may, of
course, be partially or wholly inaccurate -- it follows that I would be
expecting someone in your position to acquire an updated version of the
software in question that corrects the problem.

Since you indicated that your response to this potential exploit was to
implement a "quick workaround" for the particular problem (whilst still
leaving the actual problem unfixed and open to potential abuse), I felt
somewhat compelled to respond in the manner I did.  The purpose of this
was more to warn others that the quick workaround you posted should not
be considered in any way a "solution" to the problem.

I did not mean to imply that you personally considered it a solution as
such; however, your implied complacency (in that you "took your time in
upgrading") may have been interpreted by others as an excuse not to get
the appropriate update(s) for their system(s).  I certainly saw that it
could be taken in that way,  and chose to respond as if that was indeed
what you intended, as a tool to make my point about it not being a very
good solution to the problem clearer.

Clearly, you took offense at the manner in which I responded to you, so
I apologise and hereby retract any statements which you found offensive
as my intention was not to berate, scold, make fun of or flame you, but
merely to warn others that correcting the symptom of a flaw is *not* an
effective solution.

I hope this clears matters up.
--
Mike.   Remove "-spam" to mail me.  Better yet, don't mail me. ;-)
:wq  (Hot damn, only two typos in that whole piece!)

 
 
 
