I agree that you can and will get attacked from US addresses, that
may or may not be US machines. However I am still failing to see the problem
with block denying a large address range. For example if I am getting 1000
port scans a day from various China addresses why would I not start by denying
those addresses and then moving on to other rules? Just because it is not
a 100% solution does not mean it is not a good idea to easily trim off the top
80% of your attacks before dealing with the remaining 20% in a more intelligent
manner.

As for being pwned, well it is possible he was already compromised
in which case there is nothing you can do but wipe out the old and bring in the
new. I have a friend who compared a compromised system to dropping your
favorite fork in a pile of feces, no matter how well you clean it you'll never
feel comfortable eating with the fork again. And since
formatting/replacing a drive and reloading the OS is so easy (even on most
embedded devices) it should be done if you have the slightest inclination of
being owned.
Unfortunately, a scan like nmap or netcat can trivially use random or
source choice IP. So a distributed denial of service (and more than a few
script kiddie bots and toolz) originate from Chinese source addresses.
The real scanner is actually behind the proxy watching it all, ready for the
all important moment when the results don't equal null and he can reset your
firmware with his own.

Some of the fun items that his firmware can include are:

1) Javascript XSS tunnel browser exploit for whoever maintains the router.
2) All remote management to a list of his IPs.
3) Port forward certain packets outbound to certain IPs to another place.
4) Allow for sniffing of internal router packet traffic (all clear text email,
etc.)
5) Allow for sniffing and decrypt via ettercap and john of encrypted traffic
(passwords, etc.)
6) Create an ipsec tunnel or VPN.
7) It will usually remove certificates or help files to do this, and often one
will see very quickly the "real" web based forms, during save.

The only things you will notice are network slowage, router reboots, and if you
are slightly savvy, phantom ports opening and systems that are strangely
changed (Bonobo suddenly being implemented for instance). Your Linux system is
going to have all the binaries changed via RootInABox and low level inode
changes to files, so you probably won't even see them via MidnightCommander.

You are pwned = just keep ignoring it all; keep pretending that it's a nice
secure Matrix world?
Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each Month @ Noon - 3PM
> From: boneal@cornerstonehome.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: RE: starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers
> Date: Mon, 30 Mar 2009 23:31:03 -0700
>
> If you should never get a request outside the US why should you look any
> further to deny it? This is not complete protection by any measure but it
> makes an easy first step. I used to go one step further and block my
> dynamic hosted websites (where you don't get to mess with iptables) from
> being touched by people outside their target zone (usually US and Canada).
> It immediately cuts the number of admin.php requests by more than half ;)
>
> That said you still need additional protection for IPs you do allow through
> to the next set of rules.
>
> -----Original Message-----
> From: plug-discuss-bounces@lists.plug.phoenix.az.us
> [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Craig White
> Sent: Monday, March 30, 2009 8:39 AM
> To: Main PLUG discussion list
> Subject: Re: starting by iptable deny all of china is a good start. - Re:OT? Linux-based trojans now targeting WRT and other linux-based routers
>
> On Mon, 2009-03-30 at 08:30 -0400, kitepilot@kitepilot.com wrote:
> > And how do I:
> > "starting by iptable deny all of china" ?
> >
> > I can figure out the "iptable" part, it is the "china" part (and other
> > possible places where I know I will only get spam from) that I am
> > unaware of...
> ----
> I do not believe that this is constructive thinking. It's easy enough for
> someone in China to use a computer somewhere else as a base for operations
> and that security doesn't come from just arbitrarily picking ranges of IP
> addresses to block. Security would necessarily require effectiveness from
> virtually everywhere - possibly even your own 'trusted' LAN.
>
> Spam control on the other hand doesn't rely much on iptables at all but
> rather many layers of implementation such as RBLs, greylisting (optional
> but effective), spamassassin, SMTP level restrictions and more.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
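The disagreement in this thread (the "trim off the top 80%" view against Craig's point that the scanner can sit behind a host anywhere) can be settled for a particular network by measuring rather than arguing. The script below is an added example and is not code from anyone on the list: it pulls the SRC= addresses out of iptables LOG lines, counts how many hits a given range list would drop, lists the sources that would still get through (the part the "next set of rules" has to handle), and renders the range list as iptables commands in a dedicated chain. The log lines, the ranges and the chain name GEOBLOCK are constructed for the example from RFC 5737 documentation addresses; they are stand-ins, not real China allocations.

```python
"""Coverage check for a coarse address-range block (added example, not code
from anyone in this thread).  It answers the question the thread argues over:
how much of the scan traffic you actually see would a range-based DROP remove,
and what is left over that still needs smarter rules?

Assumptions: the log lines and address ranges below are constructed from the
RFC 5737 documentation blocks and stand in for whatever ranges you decide to
block; the chain name GEOBLOCK is a hypothetical choice.
"""
import ipaddress
from collections import Counter

# Constructed stand-in for a "block these countries" range list.
BLOCK_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed log lines in the style of iptables LOG output.  Most sources fall
# inside BLOCK_RANGES; 198.51.100.200 and 192.0.2.77 deliberately do not.
SAMPLE_LOG = """\
Mar 30 08:01:02 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 30 08:01:05 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 30 08:02:11 gw kernel: IN=eth0 SRC=203.0.113.99 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 30 08:03:40 gw kernel: IN=eth0 SRC=198.51.100.12 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 30 08:04:02 gw kernel: IN=eth0 SRC=198.51.100.200 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 30 08:05:17 gw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 30 08:05:18 gw kernel: IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=8080
Mar 30 08:06:00 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
"""


def parse_sources(log_text):
    """Return the SRC= address from every log line that carries one."""
    sources = []
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("SRC="):
                sources.append(ipaddress.ip_address(field[len("SRC="):]))
                break
    return sources


def coverage(sources, ranges):
    """Count how many source hits the ranges would drop.

    Returns (blocked, total, residual) where residual is a Counter of the
    sources that would still get through, i.e. the part of the problem the
    range block does not solve.
    """
    nets = [ipaddress.ip_network(r) for r in ranges]
    blocked = 0
    residual = Counter()
    for src in sources:
        if any(src in net for net in nets):
            blocked += 1
        else:
            residual[str(src)] += 1
    return blocked, len(sources), residual


def iptables_rules(ranges, chain="GEOBLOCK", hook="INPUT"):
    """Render the range list as iptables commands in a dedicated chain.

    Keeping the ranges in their own chain means the list can be flushed and
    reloaded without touching the rest of the INPUT policy.  The -C check
    avoids inserting a duplicate jump on repeated runs.
    """
    cmds = [
        f"iptables -N {chain} 2>/dev/null || iptables -F {chain}",
        f"iptables -C {hook} -j {chain} 2>/dev/null || iptables -I {hook} 1 -j {chain}",
    ]
    for r in ranges:
        cmds.append(f"iptables -A {chain} -s {r} -j DROP")
    return cmds


if __name__ == "__main__":
    srcs = parse_sources(SAMPLE_LOG)
    blocked, total, residual = coverage(srcs, BLOCK_RANGES)
    print(f"range block covers {blocked}/{total} hits "
          f"({100 * blocked / total:.0f}%); still unblocked: {dict(residual)}")
    print("\n".join(iptables_rules(BLOCK_RANGES)))
```

On a real box the input would be the lines a LOG rule writes before your DROP rules (for example the SRC= lines from the kernel log), and the ranges would be whatever list you chose to block. The residual Counter is the useful output: on the constructed sample the block covers 5 of 8 hits, and the three that remain come from addresses outside the list, which is exactly the traffic Craig's objection is about and which the range block alone never addresses.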