Re: starting by iptable deny all of china is a good start. -…

Author: mike havens
Date:  
To: Main PLUG discussion list
Subject: Re: starting by iptable deny all of china is a good start. - Re: OT?Linux-based trojans now targeting WRT and other linux-based routers
great learning experience!

On Mon, Mar 30, 2009 at 4:44 PM, Bob Elzer <> wrote:

> Would you believe he's only doing it for his Grandma, who lives in Pasadena,
> and she only gets on the internet on Sundays ?
>
>
> -----Original Message-----
> From:
> [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Andrew
> "Tuna" Harris
> Sent: Monday, March 30, 2009 9:01 AM
> To: Main PLUG discussion list
> Subject: Re: starting by iptable deny all of china is a good start. - Re:
> OT?Linux-based trojans now targeting WRT and other linux-based routers
>
> Excerpts from Charles Jones's message of Mon Mar 30 08:46:35 -0700 2009:
> > Andrew "Tuna" Harris wrote:
> > > Excerpts from 's message of Mon Mar 30 05:30:51 -0700 2009:
> > >
> > >> And how do I:
> > >> "starting by iptable deny all of china" ?
> > >>
> > >> I can figure out the "iptable" part, it is the "china" part (and
> > >> other possible places where I know I will only get spam from) that
> > >> I am unaware of...
> > >>
> > >> Thanks!
> > >> Enrique
> > >>
> > >>
> > >
> > > Easy! There are online lists of Chinese and Korean IP blocks that
> > > you can deny. I found one that came with a perl script to do it all
> > > automagically.
> > >
> > > http://is.gd/pEsB
> > >
> > > That guy has some other interesting things too. Nice blog he's got
> > > goin' there.
> > >
> > > But I HIGHLY suggest you read those files to make sure there's
> > > nothing you don't want blocked out. You can just comment out things
> > > you don't want blocked in the access.list file. It's all plaintext.
> > >
> > > And definitely give ANYTHING you run as root a second look. This
> > > script is okay for me but it's always good to be a little paranoid.
> > >
> > >
> > >> Lisa Kachold writes:
> > >>
> > >>
> > >>> Well, the sad fact is that _any_ machine will kick over and barf its
> > >>> guts under distributed attacks; it just depends on what it does after the
> > >>> green slime clears..
> > >>> Also, it really helps if you run one that won't take WRT, or only runs
> > >>> on an arm, with small memory therefore they aren't too hot to pwn you.
> > >>> Linksys put out the source, whereupon I built my own, and played with the
> > >>> features; you know kiddies are doing this also.
> > >>>
> > >>> Course, if you have a WRT-able router, it's a good idea to set it up
> > >>> as a small linux system, but you have to know how to work it; starting by
> > >>> iptable deny all of china is a good start.
> > >>> I have had mine owned regularly; I just flash it again. Mine is easy
> > >>> to determine, since it suddenly starts showing AIM ports open. Once they
> > >>> target you successfully, they will insidiously continue to keep track of
> > >>> you; rather like trophy hunting.
> > >>> I could have done a complete defcon presentation on various routers by
> > >>> this time.
> > >>> That's why I always suggest to everyone, if you see something strange,
> > >>> you see something strange, report it, complain, study it, rather than
> > >>> continuing to agree with everyone in denial about the sad state of
> > >>> security.
> > >>> Obnosis | (503)754-4452
> > >>>
> > >>> PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
> > >>>
> > >>>> Subject: Re: OT? Linux-based trojans now targeting WRT and other
> > >>>> linux-based routers
> > >>>> From: 
> > >>>> To: 
> > >>>> Date: Fri, 27 Mar 2009 17:57:34 -0700
> > >>>>
> > >>>> Excerpts from Charles Jones's message of Fri Mar 27 14:19:05 -0700 2009:
> > >>>>
> > >>>>> http://www.linux-magazine.com/online/news/psyb0t_attacks_linux_routers_update
> > >>>>>
> > >>>>> Some parts of this article made me LOL. Like:
> > >>>>>
> > >>>>> "One type of malware connects primarily to a chat system such as
> > >>>>> IRC, which your ordinary 14-year-old might join for the latest
> > >>>>> superstar gossip."
> > >>>>>
> > >>>>> and:
> > >>>>>
> > >>>>> "Each IRC network usually has hundreds of these channels,
> > >>>>> typically starting with a hash mark in its name, such as
> > >>>>> #superstars."
> > >>>>>
> > >>>>> and:
> > >>>>>
> > >>>>> "A participant joining a channel who is not a human is usually a
> > >>>>> program called a bot. There are all kinds of bots lurking in the
> > >>>>> IRC, some of them explain UNIX commands, look up bus schedules
> > >>>>> or forecast the weather. Some, however, await special, often
> > >>>>> secret, commands"
> > >>>>>
> > >>>>> Which prompted me to say on IRC:
> > >>>>> [03-27-2009 14:11:10] <Charles> hahaha
> > >>>>> [03-27-2009 14:12:54] * Charles is awaiting special secret
> > >>>>> commands
> > >>>>> [03-27-2009 14:13:28] <Charles> but only if you are a superstar
> > >>>>>
> > >>>>> Seriously though, I sadly have a lot of experience being
> > >>>>> attacked by, and hunting down and eradicating botnets. Infected
> > >>>>> routers are really evil, since your typical user has no way to
> > >>>>> notice or see that something is running that should not be. This
> > >>>>> could become a real problem as WRT and other linux-based routers
> > >>>>> become more popular.
> > >>>>>
> > >>>> I just wish I had come up with the idea of WRT-based botnets
> > >>>> first. :<
> > >>>>
> > >>>> I guess the vendors will just have to set randomly generated
> > >>>> default passwords, and pass along a little card that says
> > >>>> "omgwtfbbq ur password lol". But you KNOW that they'll never get
> > >>>> around to that soon.
> > >>>> ---------------------------------------------------
> > >>>>
> > I only perused it quickly, but it looked to me like that guy's script
> > blocks EVERYTHING except trusted IPs, not just china? It has an "INPUT
> > -p tcp --dport 22 -j DROP" at the end. I don't understand why it goes
> > through the trouble to block china IP blocks, if it's blocking
> > *everything* other than the trusted list anyway?
> Right, so just comment out that bit and you're fine.
>
> > "*The access.list file is pre-configured to drop packets from all of the
> > IP blocks* at http://www.okean.com/antispam/sinokorea.html. However,
> > you should jump to the bottom of *access.list* and add any trusted IP's
> > (e.g., work and home) that you want to accept SSH traffic from. _By
> > default, any other incoming requests on port 22 from addresses you don't
> > trust will be dropped_."
> >
> > Please tell me if I am wrong, after all it is Monday morning and I may
> > not be thinking clearly :)
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
:-)~MIKE~(-:
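Added example (not the script linked in the thread, nor any poster's code): a POSIX shell function that turns a plaintext access.list with comment lines and a trusted-host list into reviewable iptables commands, printing them instead of applying them. The list contents and trusted addresses are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample access.list in the shape the thread describes: one IP
# block per line, '#' comment lines ignored. Ranges are RFC 5737 documentation
# addresses, not a real blocklist.
ACCESS_LIST='# blocks to drop, one per line
192.0.2.0/24
# 198.51.100.0/24  <- commented out, so it stays reachable
203.0.113.0/24
'

# Hosts allowed to reach sshd (constructed example values).
TRUSTED_SSH='192.0.2.10 198.51.100.7'

# Print the iptables commands instead of executing them, so the full ruleset
# can be read before anything is run as root. Rule order matters: ACCEPTs for
# the trusted hosts must come before the catch-all DROP on port 22.
gen_rules() {
    # 1. drop every block in access.list (comments and blank lines skipped)
    printf '%s\n' "$ACCESS_LIST" | while IFS= read -r line; do
        line=${line%%#*}                                  # strip comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # strip whitespace
        [ -n "$line" ] || continue
        case $line in
            *[!0-9./]*) echo "# skipped entry with unexpected characters: $line" ;;
            *)          echo "iptables -A INPUT -s $line -j DROP" ;;
        esac
    done
    # 2. accept SSH only from the trusted list
    for ip in $TRUSTED_SSH; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $ip -j ACCEPT"
    done
    # 3. catch-all: every other SSH attempt is dropped. This single rule is
    #    what makes the block list redundant for port 22, as Charles observed.
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Number of source-block DROP rules generated from access.list.
count_blocked() {
    gen_rules | grep -c -e '-s .* -j DROP$'
}

# Show the generated rules when run directly.
gen_rules
```

Run it and read the output before piping it into a shell as root; a commented-out line in access.list never becomes a rule.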