starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers

Lisa Kachold lisakachold at obnosis.com
Mon Mar 30 23:48:13 MST 2009


Unfortunately, a scan like nmap or netcat can trivially use a random or chosen source IP.

So a distributed denial of service (and more than a few script kiddie bots and toolz) originate from Chinese source addresses.

The real scanner is actually behind the proxy watching it all, ready for the all-important moment when the results don't equal null and he can reset your firmware with his own.

Some of the fun items that his firmware can include are:

1) Javascript XSS tunnel browser exploit for whoever maintains the router.
2) All remote management to a list of his IPs.
3) Port forward certain packets outbound to certain IPs to another place.
4) Allow for sniffing of internal router packet traffic (all clear text email, etc.)
5) Allow for sniffing and decryption via ettercap and john of encrypted traffic (passwords, etc.)
6) Create an IPsec tunnel or VPN.
7) It will usually remove certificates or help files to do this, and often one will see very quickly the "real" web based forms, during save.

The only things you will notice are network slowdowns, router reboots, and, if you are slightly savvy, phantom ports opening and systems that are strangely changed (Bonobo suddenly being implemented, for instance).

Your Linux system is going to have all the binaries changed via RootInABox and low-level inode changes to files, so you probably won't even see them via Midnight Commander.

You are pwned = just keep ignoring it all; keep pretending that it's a nice secure Matrix world?

Obnosis | (503)754-4452




PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM

> From: boneal at cornerstonehome.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: RE: starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers
> Date: Mon, 30 Mar 2009 23:31:03 -0700
> 
> If you should never get a request outside the US why should you look any
> further to deny it?  This is not complete protection by any measure but it
> makes an easy first step.  I used to go one step further and block my
> dynamic hosted websites (where you don't get to mess with iptables) from
> being touched by people outside their target zone (usually US and Canada).
> It immediately cuts the number of admin.php requests by more than half ;)
> 
> That said you still need additional protection for ips you do allow through
> to the next set of rules.
> 
> -----Original Message-----
> From: plug-discuss-bounces at lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Craig
> White
> Sent: Monday, March 30, 2009 8:39 AM
> To: Main PLUG discussion list
> Subject: Re: starting by iptable deny all of china is a good start. - Re:OT?
> Linux-based trojans now targeting WRT and other linux-based routers
> 
> On Mon, 2009-03-30 at 08:30 -0400, kitepilot at kitepilot.com wrote:
> > And how do I:
> > "starting by iptable deny all of china" ?
> > 
> > I can figure out the "iptable" part, it is the "china" part (and other
> > possible places where I know I will only get spam from) that I am
> > unaware of...
> ----
> I do not believe that this is constructive thinking. It's easy enough for
> someone in China to use a computer somewhere else as a base for operations
> and that security doesn't come from just arbitrarily picking ranges of ip
> addresses to block. Security would necessarily require effectiveness from
> virtually everywhere - possibly even your own 'trusted' lan.
> 
> Spam control on the other hand doesn't rely much on iptables at all but
> rather many layers of implementation such as RBL's, greylisting (optional
> but effective), spamassassin, smtp level restrictions and more.
> 
> Craig
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

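As an added example (not code from anyone in this thread), here are the mechanics of the "easy first step" boneal describes: load a country CIDR list into an ipset and drop new inbound connections from it, with rate-limited logging so hits and false positives stay visible. It assumes ipset and iptables with the conntrack and set match modules; the CIDR list below is constructed from documentation ranges, not a real country allocation, and the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example, not from the thread: generate an ipset-backed "deny by
# country" rule set from a CIDR list. The list is normally obtained from a
# regional registry or geo-IP provider (assumption: supplied separately).

# Constructed sample CIDRs (RFC 5737 documentation ranges, plus one junk line).
SAMPLE_CIDRS='203.0.113.0/24
198.51.100.0/24
not-a-cidr
192.0.2.0/24'

# Pass only syntactically valid IPv4 CIDRs from stdin; drop everything else.
valid_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
    awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && $5<=32'
}

# Print the ipset/iptables commands for the named set without running them,
# so they can be reviewed (or piped to sh as root) before being applied.
gen_block_rules() {
    set_name=$1
    echo "ipset create $set_name hash:net -exist"
    valid_cidrs | while read -r cidr; do
        echo "ipset add $set_name $cidr -exist"
    done
    # Only NEW inbound connections are checked; established flows and the
    # LAN are untouched. Log at a low rate before dropping so the hit rate
    # (and any false positives) shows up in the kernel log.
    echo "iptables -N GEOBLOCK 2>/dev/null || iptables -F GEOBLOCK"
    echo "iptables -A GEOBLOCK -m limit --limit 5/min -j LOG --log-prefix 'geoblock: '"
    echo "iptables -A GEOBLOCK -j DROP"
    echo "iptables -C INPUT -m conntrack --ctstate NEW -m set --match-set $set_name src -j GEOBLOCK 2>/dev/null ||"
    echo "    iptables -I INPUT 1 -m conntrack --ctstate NEW -m set --match-set $set_name src -j GEOBLOCK"
}

# Number of 'ipset add' lines produced from the sample list (sanity check).
count_add_lines() {
    printf '%s\n' "$SAMPLE_CIDRS" | gen_block_rules "$1" | grep -c '^ipset add '
}

# Usage when run directly: generate rules for a set named cn_block.
printf '%s\n' "$SAMPLE_CIDRS" | gen_block_rules cn_block
```

The generated rules only touch new inbound connections from listed ranges, so Craig's point still stands: anything arriving via a proxy elsewhere, or from the LAN, passes straight through to the rest of your ruleset.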