Dear all,
I thought I would try to give early warnings instead of picking up the
bits later...
There is a new wave of site scanning going around, this time it starts
nice and unobtrusive using telnet connections. The idea is to grab the
banners, quick Perl on them to determine the host type and then use a
suitable attack for the target.
Fortunately Digital UNIX is not very popular as a target,
prob. because there aren't as many out there as there are Suns,
etc. Still, this is a bit of a disadvantage because people on BUGTRAQ
(http://geek-girl.com/bugtraq) don't really examine it as much.
What I suggest to thwart this site-scanning is quite simple:
o /etc/issue[.net] modify so that it doesn't give any user
id. If you want to be smart write a different operating system
name in the banner[1].
o Use TCP/Wrappers and secure your machine in the first place
against more than just telnet. Then use the "banners facility"
as above.
Note that unpatched older versions of DU are vulnerable to attacks to
bind, for example.
Just for completeness the scanning proceeds as follows:
o single telnet attempt to DNS machines (easy to find),
o AXFR (which you should block to all machines except
secondaries using the xfrnets option in /etc/named.boot, see
man named),
o from the AXFR (zone transfer) try using telnet all the other
boxes, single attempt again, just to get the banner,
o attack using suitable means in due time.
Hope this helps,
Ciao,
Arrigo
Notes:
[1] It is rather amusing to try something like:
SINIX v4.32/a
which is a Siemens UNIX look-alike banner (fake of course) on
a DU box. The hackers get rather confused. Or even
Linux 2.0.36
which then floods you with POP-3/IMAP exploits (remember to
patch your popper first... Qualcomm popper is not a good
idea!) using i386 binary buffer overflows.
--
Arrigo Triulzi <arrigo_at_albourne.com> - Peripatetic Wizard
Albourne Partners Ltd. - London, UK
APL Financial Services (Overseas) Ltd. - Nicosia, Cyprus
Received on Mon Jan 18 1999 - 09:26:34 NZDT
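The scan sequence described in the message above (one AXFR of the site's zone, then a single telnet connect to every host named in it, just to read the banner) leaves a recognisable trace in syslog if telnetd is wrapped with tcpd and named logs zone transfers. The following detector is an added example written for this archive page, not code from the original poster: it correlates constructed syslog lines and flags any source that touches several distinct telnetd instances exactly once each, noting whether that source also pulled a zone. The syslog lines, host names and addresses are constructed, and the exact wording of the tcpd "connect from" and BIND 8 "approved AXFR from" messages is an assumption; adjust the two regular expressions to whatever your tcpd and named actually write.

```python
"""Spot a banner-grabbing sweep in aggregated syslog: one source, one telnet
attempt per host, many hosts, often preceded by an AXFR of the site's zone.
Example added by the editor, not part of the original mailing-list post.
Log line formats below are assumptions (tcpd-style 'connect from' lines for
telnetd and BIND 8 style 'approved AXFR from' lines for named)."""
import re
from collections import defaultdict

# tcpd/telnetd line, assumed format: "host telnetd[pid]: connect from a.b.c.d"
# (tcpd writes "refused connect from" when hosts.deny rejects the caller)
TELNET_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) telnetd\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\d+(?:\.\d+){3})$")

# named line, assumed BIND 8 wording: 'approved AXFR from [a.b.c.d].port for "zone"'
AXFR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"(?:approved|unapproved) AXFR from \[(?P<src>\d+(?:\.\d+){3})\]\.\d+ "
    r'for "(?P<zone>[^"]+)"$')

# Constructed sample: a legitimate user on host1, then a sweep from 192.0.2.10
# that first transfers the zone from ns1 and then touches four hosts once each.
SAMPLE_LOG = """\
Jan 18 08:50:01 host1 telnetd[200]: connect from 198.51.100.7
Jan 18 08:51:30 host1 telnetd[201]: connect from 198.51.100.7
Jan 18 09:00:12 ns1 named[123]: approved AXFR from [192.0.2.10].4321 for "example.net"
Jan 18 09:02:10 host1 telnetd[222]: connect from 192.0.2.10
Jan 18 09:02:11 host2 telnetd[223]: connect from 192.0.2.10
Jan 18 09:02:12 host3 telnetd[224]: refused connect from 192.0.2.10
Jan 18 09:02:13 ns1 telnetd[225]: connect from 192.0.2.10
Jan 18 09:10:00 host2 sshd[300]: Accepted password for ann from 198.51.100.8
"""


def parse(lines):
    """Yield ('telnet', src, host) or ('axfr', src, zone) for each recognised line."""
    for line in lines:
        line = line.rstrip("\n")
        m = TELNET_RE.match(line)
        if m:
            yield "telnet", m["src"], m["host"]
            continue
        m = AXFR_RE.match(line)
        if m:
            yield "axfr", m["src"], m["zone"]
        # any other daemon's lines (sshd etc.) are ignored


def detect_sweeps(lines, min_hosts=3):
    """Return {src: {"hosts": [...], "zones": [...], "single_attempt": bool}}
    for every source that connected to at least min_hosts distinct telnetds."""
    attempts = defaultdict(lambda: defaultdict(int))  # src -> host -> connects
    zones = defaultdict(set)                           # src -> zones transferred
    for kind, src, what in parse(lines):
        if kind == "telnet":
            attempts[src][what] += 1
        else:
            zones[src].add(what)
    findings = {}
    for src, per_host in attempts.items():
        if len(per_host) >= min_hosts:
            findings[src] = {
                "hosts": sorted(per_host),
                "zones": sorted(zones.get(src, ())),
                # a banner grab is one connect per host; repeated logins to the
                # same box look more like a real user than a scanner
                "single_attempt": max(per_host.values()) == 1,
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(f['hosts'])} hosts, zones={f['zones']}, "
              f"single attempt per host={f['single_attempt']}")
```

Run it as a one-off over a concatenated syslog from all hosts, or feed lines from a tail of the central loghost. The legitimate user (198.51.100.7) is not reported because it only ever reached one host; the sweep source is reported together with the zone it transferred, which is also the cue to check that the xfrnets option in /etc/named.boot restricts AXFR to the secondaries.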