great learning experience!

On Mon, Mar 30, 2009 at 4:44 PM, Bob Elzer wrote:
> Would you believe he's only doing it for his Grandma, who lives in
> Pasadena, and she only gets on the internet on Sundays?
>
> -----Original Message-----
> From: plug-discuss-bounces@lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Andrew "Tuna" Harris
> Sent: Monday, March 30, 2009 9:01 AM
> To: Main PLUG discussion list <plug-discuss@lists.plug.phoenix.az.us>
> Subject: Re: starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
>
> Excerpts from Charles Jones's message of Mon Mar 30 08:46:35 -0700 2009:
> > Andrew "Tuna" Harris wrote:
> > > Excerpts from kitepilot@kitepilot.com's message of Mon Mar 30 05:30:51 -0700 2009:
> > > > And how do I:
> > > > "starting by iptable deny all of china"?
> > > >
> > > > I can figure out the "iptable" part, it is the "china" part (and
> > > > other possible places where I know I will only get spam from) that
> > > > I am unaware of...
> > > >
> > > > Thanks!
> > > > Enrique
> > >
> > > Easy! There are online lists of Chinese and Korean IP blocks that
> > > you can deny. I found one that came with a perl script to do it all
> > > automagically.
> > >
> > > http://is.gd/pEsB
> > >
> > > That guy has some other interesting things too. Nice blog he's got
> > > goin' there.
> > >
> > > But I HIGHLY suggest you read those files to make sure there's
> > > nothing you don't want blocked out. You can just comment out things
> > > you don't want blocked in the access.list file. It's all plaintext.
> > >
> > > And definitely give ANYTHING you run as root a second look. This
> > > script is okay for me but it's always good to be a little paranoid.
> > >
> > > > Lisa Kachold writes:
> > > > > Well, the sad fact is that _any_ machine will kick over and barf its
> > > > > guts under distributed attacks; it just depends on what it does after
> > > > > the green slime clears..
> > > > > Also, it really helps if you run one that won't take WRT, or only runs
> > > > > on an arm, with small memory therefore they aren't too hot to pwn you.
> > > > > Linksys put out the source, whereupon I built my own, and played with
> > > > > the features; you know kiddies are doing this also.
> > > > >
> > > > > Course, if you have a WRT-able router, it's a good idea to set it up
> > > > > as a small linux system, but you have to know how to work it; starting
> > > > > by iptable deny all of china is a good start.
> > > > > I have had mine owned regularly; I just flash it again. Mine is easy
> > > > > to determine, since it suddenly starts showing AIM ports open. Once they
> > > > > target you successfully, they will insidiously continue to keep track of
> > > > > you; rather like trophy hunting.
> > > > > I could have done a complete defcon presentation on various routers by
> > > > > this time.
> > > > > That's why I always suggest to everyone, if you see something strange,
> > > > > report it, complain, study it, rather than continuing to agree with
> > > > > everyone in denial about the sad state of security.
> > > > > Obnosis | (503)754-4452
> > > > >
> > > > > PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
> > > > >
> > > > > > Subject: Re: OT? Linux-based trojans now targeting WRT and other linux-based routers
> > > > > > From: tuna@supertunaman.com
> > > > > > To: plug-discuss@lists.plug.phoenix.az.us
> > > > > > Date: Fri, 27 Mar 2009 17:57:34 -0700
> > > > > >
> > > > > > Excerpts from Charles Jones's message of Fri Mar 27 14:19:05 -0700 2009:
> > > > > > > http://www.linux-magazine.com/online/news/psyb0t_attacks_linux_routers_update
> > > > > > >
> > > > > > > Some parts of this article made me LOL. Like:
> > > > > > >
> > > > > > > "One type of malware connects primarily to a chat system such as
> > > > > > > IRC, which your ordinary 14-year-old might join for the latest
> > > > > > > superstar gossip."
> > > > > > >
> > > > > > > and:
> > > > > > >
> > > > > > > "Each IRC network usually has hundreds of these channels,
> > > > > > > typically starting with a hash mark in its name, such as
> > > > > > > #superstars."
> > > > > > >
> > > > > > > and:
> > > > > > >
> > > > > > > "A participant joining a channel who is not a human is usually a
> > > > > > > program called a bot. There are all kinds of bots lurking in the
> > > > > > > IRC, some of them explain UNIX commands, look up bus schedules
> > > > > > > or forecast the weather. Some, however, await special, often
> > > > > > > secret, commands"
> > > > > > >
> > > > > > > Which prompted me to say on IRC:
> > > > > > > [03-27-2009 14:11:10] hahaha
> > > > > > > [03-27-2009 14:12:54] * Charles is awaiting special secret commands
> > > > > > > [03-27-2009 14:13:28] but only if you are a superstar
> > > > > > >
> > > > > > > Seriously though, I sadly have a lot of experience being
> > > > > > > attacked by, and hunting down and eradicating botnets. Infected
> > > > > > > routers are really evil, since your typical user has no way to
> > > > > > > notice or see that something is running that should not be. This
> > > > > > > could become a real problem as WRT and other linux-based routers
> > > > > > > become more popular.
> > > > > >
> > > > > > I just wish I had come up with the idea of WRT-based botnets
> > > > > > first. :<
> > > > > >
> > > > > > I guess the vendors will just have to set randomly generated
> > > > > > default passwords, and pass along a little card that says
> > > > > > "omgwtfbbq ur password lol". But you KNOW that they'll never get
> > > > > > around to that soon.
> >
> > I only perused it quickly, but it looked to me like that guy's script
> > blocks EVERYTHING except trusted IPs, not just china? It has an "INPUT
> > -p tcp --dport 22 -j DROP" at the end. I don't understand why it goes
> > through the trouble to block china IP blocks, if it's blocking
> > *everything* other than the trusted list anyway?
>
> Right, so just comment out that bit and you're fine.
>
> > "*The access.list file is pre-configured to drop packets from all of the
> > IP blocks* at http://www.okean.com/antispam/sinokorea.html. However,
> > you should jump to the bottom of *access.list* and add any trusted IP's
> > (e.g., work and home) that you want to accept SSH traffic from. _By
> > default, any other incoming requests on port 22 from addresses you don't
> > trust will be dropped_."
> >
> > Please tell me if I am wrong, after all it is Monday morning and I may
> > not be thinking clearly :)
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
:-)~MIKE~(-:
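The "read the files before you run anything as root" advice from the thread, as an added example that is not the linked blog's script: a dry-run generator that turns a plaintext access.list into the iptables rules it would apply, so the default port-22 DROP that Charles spotted is visible before execution. The line format ("drop CIDR" / "trust IP", '#' comments) and the sample list are constructed assumptions, not the real file.

```shell
#!/bin/sh
# Added example: review a block list by printing the iptables rules it implies,
# without touching the firewall. Format assumed: "drop <CIDR>" or "trust <IP>"
# per line, '#' starts a comment, blank lines are ignored.

# Constructed sample access.list (documentation-range addresses, not a real list).
SAMPLE_LIST='# blocks to drop
drop 203.0.113.0/24
drop 198.51.100.0/25
# drop 192.0.2.0/24   <- commented out, so this block stays reachable
# trusted hosts allowed to reach SSH (port 22); goes at the bottom of the file
trust 192.0.2.10
'

# Print the rules that WOULD be applied for the access.list at $1 (no execution).
gen_rules() {
    # strip comments and blank lines, then emit one rule per remaining entry
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | while read -r action addr; do
        case "$action" in
            drop)  printf 'iptables -A INPUT -s %s -j DROP\n' "$addr" ;;
            trust) printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$addr" ;;
            *)     printf 'WARNING: unknown action "%s" for %s\n' "$action" "$addr" >&2 ;;
        esac
    done
    # the trailing default rule is what makes this "everything but trusted" for SSH
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Number of generated rules with target $2 (DROP/ACCEPT) for list $1: review summary.
count_target() {
    gen_rules "$1" | grep -c -- "-j $2"
}

# Usage: write the sample to a temp file and review it.
tmp=$(mktemp)
printf '%s' "$SAMPLE_LIST" > "$tmp"
gen_rules "$tmp"
echo "DROP rules: $(count_target "$tmp" DROP), ACCEPT rules: $(count_target "$tmp" ACCEPT)"
rm -f "$tmp"
```

Anything the list would block that you did not intend shows up here as a DROP line you can comment out in access.list before the real script is ever run.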