starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers

kitepilot at kitepilot.com kitepilot at kitepilot.com
Mon Mar 30 05:30:51 MST 2009


And how do I:
"starting by iptable deny all of china" ? 

I can figure out the "iptable" part, it is the "china" part (and other 
possible places where I know I will only get spam from) that I am unaware 
of... 

Thanks!
Enrique 

Lisa Kachold writes: 

> 
> Well, the sad fact is that _any_ machine will kick over and barf its guts under distributed attacks; it just depends on what it does after the green slime clears..
> Also, it really helps if you run one that won't take WRT, or only runs on an arm, with small memory therefore they aren't too hot to pwn you.  Linksys put out the source, whereupon I built my own, and played with the features; you know kiddies are doing this also.   
> 
> Course, if you have a WRT-able router, it's a good idea to set it up as a small linux system, but you have to know how to work it; starting by iptable deny all of china is a good start.
> I have had mine owned regularly; I just flash it again.  Mine is easy to determine, since it suddenly starts showing AIM ports open.  Once they target you successfully, they will insidiously continue to keep track of you; rather like trophy hunting.
> I could have done a complete defcon presentation on various routers by this time.  
> That's why I always suggest to everyone, if you see something strange, you see something strange, report it, complain, study it, rather than continuing to agree with everyone in denial about the sad state of security.
> Obnosis | (503)754-4452 
> 
> PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM 
> 
>> Subject: Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
>> From: tuna at supertunaman.com
>> To: plug-discuss at lists.plug.phoenix.az.us
>> Date: Fri, 27 Mar 2009 17:57:34 -0700 
>> 
>> Excerpts from Charles Jones's message of Fri Mar 27 14:19:05 -0700 2009:
>> > http://www.linux-magazine.com/online/news/psyb0t_attacks_linux_routers_update
>> > 
>> > Some parts of this article made me LOL. Like:
>> > 
>> > "One type of malware connects primarily to a chat system such as IRC, 
>> > which your ordinary 14-year-old might join for the latest superstar gossip."
>> > 
>> > and:
>> > 
>> > "Each IRC network usually has hundreds of these channels, typically 
>> > starting with a hash mark in its name, such as #superstars."
>> > 
>> > and:
>> > 
>> > "A participant joining a channel who is not a human is usually a program 
>> > called a bot. There are all kinds of bots lurking in the IRC, some of 
>> > them explain UNIX commands, look up bus schedules or forecast the 
>> > weather. Some, however, await special, often secret, commands"
>> > 
>> > Which prompted me to say on IRC:
>> > [03-27-2009 14:11:10] <Charles> hahaha
>> > [03-27-2009 14:12:54] * Charles is awaiting special secret commands
>> > [03-27-2009 14:13:28] <Charles> but only if you are a superstar
>> > 
>> > Seriously though, I sadly have a lot of experience being attacked by, 
>> > and hunting down and eradicating botnets. Infected routers are really 
>> > evil, since your typical user has no way to notice or see that something 
>> > is running that should not be. This could become a real problem as WRT 
>> > and other linux-based routers become more popular. 
>> 
>> I just wish I had come up with the idea of WRT-based botnets first. :< 
>> 
>> I guess the vendors will just have to set randomly generated default
>> passwords, and pass along a little card that says "omgwtfbbq ur password
>> lol". But you KNOW that they'll never get around to that soon.
>> ---------------------------------------------------
>> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>> To subscribe, unsubscribe, or to change your mail settings:
>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 

