Linux

Linux related stories

Top Exploits of the Week #1

Quicktime 0day

I thought I’d try something different (excuse me if its been done before, oh well). Every week I will be making a list of the top 5 exploits of the week, details about them, etc.

So lets get the ball rolling:

#1 Internet Explorer 7 XML Buffer Overflow Exploit (Vista Target) — This remote beauty executes remote code on a vulnerable (probably still unpatched) Internet Explorer 7 machine running Windows Vista. Coded by muts.

#2 Internet Explorer 7 XML Buffer Overflow Exploit (XP SP3 Target) — Exploits the same bug as above but executes code on a Windows XP SP3 target. Coded by Guido Landi.

#3 XOOPS 2.3.1 Multiple LFI Exploits — XOOPS suffers from a few local file inclusion bugs, and DSecRG has some code for you.

#4 Linux Kernel ATMSVC DoS Exploit — Send a kernel into an infinite loop by locally running this exploit on a vulnerable machine. Code by Jon Oberheide.

#5 phpMyAdmin 3.1.0 XSRF Exploit — Cross site scripting attacks are more dangerous than most developers think. Here is exploit code, just don’t have phpMyAdmin open in another tab! Provided by Michael Brooks.

See you all next week with more. Bug on :)

SSH Gets Attacked

SSH

Yeah, brute force attacks on SSH is old news. But now, there is something new and interesting about them! Attackers (How did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ’00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run SSH Server on another port besides 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.

Igniting Linux Desktop Security

Active Connections

Long ago, my all-time favorite desktop firewall was none other than sygate pro (symantec junkies sought-and-destroyed a while back). I loved all of its seemingly superior and cool features that really just made me feel great about using it on some servers and workstations. But like most other desktop firewalls, sygate is/was windows only. But this article isn’t about just any desktop firewall; it is about Firestarter, the Linux GUI firewall solution.

Firestarter is a nice, sleek, Desktop-safe, open source and server or workstation setting network security solution. Say that 128 times fast! Haha. If you are an administrator or just a savvy Linux Desktop user who wants to feel a little more secure on your network, you’ll probably love Firestarter.

Some of the great features of Firestarter include a graphical user interface to configuring firewall rules and settings, a nice wizard to walk you through it, real-time event monitor to check on intrusion attempts or the like, in and outbound network access policy control, port forwarding, the ability to whitelist and blacklist traffic, viewing network connections, advanced kernel tuning to provide somewhat protection against [flooding, broadcasting, spoofing, typical DoS attacks], and much more!

Firestarter sits atop of iptables and it works quite nicely to control traffic in and out of your workstation or server. I’ll even give you a couple of quick and smile examples. Say you got XYZ Linux running ZYX Desktop system and you want to be able to transfer files (or data) via XZY, but only from a certain IP address. Simply add a rule in Firestarter and watch it work. What if you want to completely (for the boundries of this tool) block access from xx.xxx.xx.xxx? Add a rule to blacklist it on outboard traffic. Volia! Simple firewalling made super easy. I use Firestarter and I absolutely love it. So if you haven’t already tried Firestarter, I recommend you give it a shot! I can’t imagine you being disappointed.

Policy

Websites Beware

Websites Beware

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case your not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and they submit it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and names they use to deface, feeding the crave for attention or otherwise.

If you look where they classify and detail ‘special defacements‘, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, other just for fun, such as this one by ‘netb00m':

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to the deface websites, but now, its just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.