thoughts....

Post by Tim Hayne » Tue, 06 Mar 2001 00:09:44



Ayup,

Two thoughts occurred to me just now.

Anyone heard of Ramen in the last month or so?

Have multi-port scanning sweeps generally been replaced with spot 1-port
vulnerability checks?

Are "people" just not probing my box, or is it no longer the holiday /
breeding season or something? Admittedly I'm getting a few scans a day, but
it doesn't seem as prevalent as it once did. (Having migrated to iptables
instead, that might help.)

Feeling strange, even more so than normal ;8)

~Tim
--
   3:06pm  up 16 days,  1:24, 12 users,  load average: 0.72, 0.61, 0.56

http://piglet.is.dreaming.org     |with their secret weapon.


Post by a.. » Tue, 06 Mar 2001 01:22:16



> Have multi-port scanning sweeps generally been replaced with spot 1-port
> vulnerability checks?

I don't know about 'generally' but it seems the blatant uncoordinated
and aggressive scans have slowed greatly over the past few months. If
I actually get to watch then I notice they hit a handful of ports. If
chains is 'DENY' they just get nothing and move along for the most
part. Of course, once in a while they hit a port I have a service on.
And that makes them more interested in widening their scan. I guess
they go back to their output files and decide what hosts to continue
to 'look' at.

-Ali

--
"neener, neener, neener ;)"  -- Anonymous


Post by John Sag » Tue, 06 Mar 2001 03:51:24


Tim:

There was quite a lull, for a good part of February, it seems.

Lately I'm seeing a lot more activity in general, particularly port 53,
port 111, port 80...

Also *very* recently I've seen a lot of port 137 stuff -- did you happen
to see that "article" at slashdot.org about sharesniffer.com?

ShareSniffer is this Window$ app that takes IP blocks and searches for
open Window$ shares with the suggestion that they can be used for remote
storage -- all entirely "legal" according to the creators, because the
shares have been "deliberately" left open..

To quote:

"...We'll Bet You Didn't Know . . .

. . . you can use your own Microsoft Windows(tm) operating system to
navigate other computers that have been voluntarily shared to the Internet."

Fun, huh?

- John


> Ayup,

> Two thoughts occurred to me just now.

> Anyone heard of Ramen in the last month or so?

> Have multi-port scanning sweeps generally been replaced with spot 1-port
> vulnerability checks?

> Are "people" just not probing my box, or is it no longer the holiday /
> breeding season or something? Admittedly I'm getting a few scans a day, but
> it doesn't seem as prevalent as it once did. (Having migrated to iptables
> instead, that might help.)

> Feeling strange, even more so than normal ;8)

> ~Tim

--
John Sage
FinchHaven, Vashon Island, WA, USA
http://www.finchhaven.com/

And remember: it's spelled l-i-n-u-x, but it's pronounced "Linux"

Post by Tim Hayne » Tue, 06 Mar 2001 05:25:28



> There was quite a lull, for a good part of February, it seems.

> Lately I'm seeing a lot more activity in general, particularly port 53,
> port 111, port 80...

Right. Well I'm not getting that much activity on 80/tcp: I do actually run
an httpd, which probably absorbs a few things, and snort will barf if you
look for various standard CGIs, but I last had one of those a fortnight ago.

Otherwise, yeah, there's a fair bit of 53/tcp stuff going around - I'm
certainly denying lots of it, but I'm not sure whether that's exploits or
valid xfers or what (hint: 53/*udp* is open - don't bet on anything else ;).

> Also *very* recently I've seen a lot of port 137 stuff -- did you happen
> to see that "article" at slashdot.org about sharesniffer.com?

I've seen a little bit of it, but I normally keep it quiet in the logs;
running a website means windoze lusers are going to try to find a reverse
name for your box, and if their reverse DNS is screwed and there isn't a
WINS server in the way, they'll ask the box itself by a connection to
137/udp. Lousy idea, that.
But snort tripped on one of the nastier sorts a few days ago, too.

> ShareSniffer is this Window$ app that takes IP blocks and searches for
> open Window$ shares with the suggestion that they can be used for remote
> storage -- all entirely "legal" according to the creators, because the
> shares have been "deliberately" left open..

It *should* be legal. You can't legislate for stupidity. Good ol' unix
motto: give 'em enough rope to hang themselves.

What you *should* consider legal action against is M$loth's fsck-up in
windoze 98 (I posted here a while back - in the `disable netbios over
modem?' dialog box, when you check `don't ask me again', it disables the
`yes' button instead of the `no' button. Wooooooooopsie!).

> To quote:

> "...We'll Bet You Didn't Know . . .

> . . . you can use your own Microsoft Windows(tm) operating system to navigate
> other computers that have been voluntarily shared to the Internet."

> Fun, huh?

Oooh, definitely. Never knew that.

They've not even cottoned-on to smbclient -I, yet? D'oh...

~Tim
--
   8:19pm  up 16 days,  6:38, 15 users,  load average: 0.95, 0.91, 0.71

http://piglet.is.dreaming.org     |Crossing the rhythm, caught in the rain.


Post by Michael Erskin » Fri, 09 Mar 2001 13:22:17


Recovery is done.  Getting very slow scans (a probe every fif* to
thirty seconds) on a number of internal hosts by spoofing client address
on port 53 and redirecting the udp return from DNS to an internal host.
Internal host sends a notification that the port is closed.  What I am
not sure about is whether the scan is a scan of some other sort of probe
or other idiocy outside the firewall.  Have not had time to look it
over.

Have been seeing an interesting DoS which seems to work on all versions
of BIND earlier than this latest beta.  I think it is being used for
some other purpose than merely DoS because it is intermittent.  It
consists of many (hundreds) of queries in a matter of a few minutes for
the same unresolvable host name.  I would have thought it was a
misconfiguration but the name changes from day to day and the user
account doesn't.  I am *very* happy that you talked me into making the
switch on bind. The newest version seems very robust.

Luke can't get mail thru.  I think my configuration is burping on the
relay in his network.

Turns out the black hats were using the AIM hole to drop me email that
started AIM in the background and drop a worm on my dialup system(s).
You can find it documented out there on the web.  There are 65000000
vulnerable hosts AND ALL WE GET IS A NOTICE POSTED SOMEWHERE IN
NETHER_NETHER LAND... figures.  Jeeze.

There is still one hosed MICROSUCKS AGAIN box on my net.  The rest are
clean.  That one opens an nterm upon connection to the dialup server.

Yes Tim they are still there.  As to Ramen, perhaps it has been
retrained?

Later.
I have not forgotten that I owe a few folks a bit of work...  when I get
this next ISP cleaned up, I'll get on it.

Now there's a story for you.  Kid in my Cisco class spends about 40k to
have a couple of sweet Dell servers built (I would have done it for half
that... but I don't have a shiny office in a big city...sooo...) Three
months ago the boy goes out finds a *high speed* engineering firm and
gets these two boxes built...  The DAMN DELL SHIPS WITH RH6.2 AND ALL
THE BUILT IN HOLES.  He also has a nice shiny new NT box dropped beside
it.  Forty eight dialups and a T-1 go in two days later.  Thirty six
hours after that he is cracked to the bare metal...  The *high speed*
engineering firm performs maintenance on the box for THREE FSCKIN MONTHS
after that and NEVER NOTICES A THING.

Meantimes, the NT server is well cracked too.  Now I have to educate the
poor kid, the engineering firm (who don't want to do a reinstall because
they figure they have the expertise in house to fix it in place) and I
am getting $10.00 per hour...

Anyone see something wrong with this picture?  I think I should ask for
more money,
eh? But he's a good kid, wants to do the right thing and seems to try to
listen.

Just another victim of the *semi-literate* engineering*business
bastards that are running the Internet these days.  Oh, well.

Later
-m-


> Ayup,

> Two thoughts occurred to me just now.

> Anyone heard of Ramen in the last month or so?

> Have multi-port scanning sweeps generally been replaced with spot 1-port
> vulnerability checks?

> Are "people" just not probing my box, or is it no longer the holiday /
> breeding season or something? Admittedly I'm getting a few scans a day, but
> it doesn't seem as prevalent as it once did. (Having migrated to iptables
> instead, that might help.)

> Feeling strange, even more so than normal ;8)

> ~Tim
> --
>    3:06pm  up 16 days,  1:24, 12 users,  load average: 0.72, 0.61, 0.56

> http://www.veryComputer.com/     |with their secret weapon.
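Added example, not from anyone in this thread: a small detector for the pattern Mike describes above (hundreds of queries in a few minutes for one unresolvable name, from the same client) run over a constructed BIND-9-style query log. The threshold, window, addresses and names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# BIND 9 style query-log line (constructed format), e.g.
# "09-Mar-2001 03:10:00.000 client 192.0.2.77#3456: query: zzq.example.org IN A"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, client, qname) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("client"), m.group("qname").lower()

def find_query_floods(lines, threshold=100, window_s=300):
    """Return [(client, qname, peak_count)] for each client/name pair that reaches
    `threshold` queries inside any `window_s`-second span (one sliding window per pair)."""
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        key = (client, qname)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return [(c, n, cnt) for (c, n), cnt in flagged.items()]

def constructed_log():
    """Made-up sample: 192.0.2.77 asks for one bogus name 300 times in five
    minutes; 192.0.2.5 does fifty ordinary lookups of distinct names."""
    lines = []
    for i in range(300):
        lines.append(f"09-Mar-2001 03:{10 + i // 60:02d}:{i % 60:02d}.000 client "
                     f"192.0.2.77#3456: query: zzq.example.org IN A")
    for i in range(50):
        lines.append(f"09-Mar-2001 03:{10 + i // 10:02d}:{(i * 6) % 60:02d}.000 client "
                     f"192.0.2.5#1024: query: host{i}.example.com IN A")
    return lines
```

Feed it `named` query-log lines (logging channel with `category queries`) and tune `threshold` to your zone's normal repeat rate before acting on the output.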


Post by Tim Hayne » Fri, 09 Mar 2001 18:57:24


[d00d, you're upside-down today. Something wrong?]

> Recovery is done. Getting very slow scans (a probe every fif* to thirty
> seconds)

That's slow? That would wake me up, would that...

> on a number of internal hosts by spoofing client address on port 53 and
> redirecting the udp return from DNS to an internal host.

Hokay.

This is one of those things that worries me, slightly. I, for one, block
all incoming 53/tcp stuff except from our listed provider of secondary DNS.
(UDP is open, because after all, *someone* has to *use* us as a
nameserver!)
But now that I've gone over the iptables, I'm not at all convinced whether
all the SYNs I see for 53/tcp are valid attempts to xfer off us, or how
many are actual probes, but there sure are a lot of 'em compared to any
other ports around.
So I'm relying quite a lot on _fwlogcheck_ and various other things...

> Have been seeing an interesting DoS which seems to work on all versions
> of BIND earlier than this latest beta. I think it is being used for some
> other purpose than merely DoS because it is intermittent. It consists of
> many (hundreds) of queries in a matter of a few minutes for the same
> unresolvable host name. I would have thought it was a misconfiguration
> but the name changes from day to day and the user account doesn't. I am
> *very* happy that you talked me into making the switch on bind. The
> newest version seems very robust.

I did? Cool ;8)

To me, a retroactive patch application is Bad. It means there was
$time_interval between an alert and me getting off my ass and fixing
something, where someone could've got me. There's nothing so satisfying as
being able to say `so what? I'm on 9.2.0-snapshot-whatever' and staying
ahead of the game that way. (And obviously, nothing so annoying to everyone
else ;8)

[snip]

> Forty eight dialups and a T-1 go in two days later. Thirty six hours
> after that he is cracked to the bare metal... The *high speed*
> engineering firm performs maintenance on the box for THREE FSCKIN MONTHS
> after that and NEVER NOTICES A THING.

D'oh!! :(

Sometimes I wonder if I'd notice something going wrong. Then I think,
`maybe' ;8)

> Just another victim of the *semi-literate* engineering*business
> bastards that are running the Internet these days.  Oh, well.

I think I know how you feel :8)

~Tim
--
   9:50am  up 19 days, 20:08, 13 users,  load average: 0.02, 0.34, 0.41

http://www.veryComputer.com/     |
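Added example, not from anyone in this thread: Tim's question above is which of the 53/tcp SYNs in the firewall log come from the listed secondary (expected zone transfers) and which are unexplained. This splits iptables LOG-target lines that way and counts per source; the log line layout, the secondary's address and all sample addresses are constructed assumptions.

```python
import re
from collections import Counter

# iptables LOG-target fields (constructed lines; timestamp, host and MAC stripped), e.g.
# "IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=2049 DPT=53 SYN URGP=0"
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_iptables_log(line):
    """Split a LOG line into key=value fields and bare flag tokens (DF, SYN, ACK...)."""
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if "=" not in tok}
    return fields, flags

def classify_dns_syns(lines, secondaries):
    """Count 53/tcp connection attempts per source: those from listed secondaries
    (expected transfers) versus everything else. UDP and non-SYN packets are ignored."""
    expected, unexplained = Counter(), Counter()
    for line in lines:
        fields, flags = parse_iptables_log(line)
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "53":
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue
        src = fields.get("SRC", "?")
        bucket = expected if src in secondaries else unexplained
        bucket[src] += 1
    return expected, unexplained

# Placeholder address for the secondary DNS provider (not from the thread).
SECONDARIES = {"198.51.100.9"}

def constructed_lines():
    """Made-up sample covering each case the classifier handles."""
    def tcp(src, dpt, flags="SYN"):
        return (f"IN=eth0 OUT= SRC={src} DST=192.0.2.1 LEN=60 TTL=51 ID=0 DF "
                f"PROTO=TCP SPT=2049 DPT={dpt} WINDOW=5840 RES=0x00 {flags} URGP=0")
    return [
        tcp("198.51.100.9", 53),             # secondary starting a transfer
        tcp("198.51.100.9", 53),
        tcp("203.0.113.42", 53),             # unknown host, repeated SYNs
        tcp("203.0.113.42", 53),
        tcp("203.0.113.42", 53),
        tcp("203.0.113.7", 53),
        tcp("203.0.113.7", 53, "ACK"),       # stray ACK, not a new attempt
        tcp("203.0.113.7", 80),              # not DNS
        "IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.1 LEN=60 PROTO=UDP SPT=1055 DPT=53",
    ]
```

A source that shows up under `unexplained` with many SYNs and no matching transfer in the named log is the kind of thing worth a closer look in fwlogcheck output.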


Post by Michael Erskin » Sat, 10 Mar 2001 09:45:25


huh?  musta plugged the darned thing in upside down again.  :) Gotta
watch that.  I just flipped the plug,
is that better?

Luke, ratted me out, eh?


> [d00d, you're upside-down today. Something wrong?]


Post by Luke Voge » Sat, 10 Mar 2001 16:15:57



> huh?  musta plugged the darned thing in upside down again.  :) Gotta
> watch that.  I just flipped the plug,
> is that better?

> Luke, ratted me out, eh?


> > [d00d, you're upside-down today. Something wrong?]

Having a lot of trouble sending email to you Mike, is your mail server
working properly?

--
Regards
Luke
------
On the requirements it said: Windows 98 or better - so I installed Linux
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

------
