Trinity DDoS Discovered
BulletValentine writes "ZDNet is reporting that approximately 400 machines have been found to be running Trinity v3, a DDoS attack program. Supposedly Trinity can set up to eight different types of flood attacks. ZDNet referred readers to Internet Security Solutions for more information about the attack and precautions to take."
Too many announcements (Score:3)
Freaky... (Score:1)
"Evil beware: I'm armed to the teeth and packing a hampster!"
But somebody will read it (Score:2)
I'm hanging out in #b3eblebr0x (Score:1)
Hey...where'd all my bandwidth go?
-------------------
Great, another thing to set my flow analyser for. (Score:1)
It can keep me from having the campus getting whacked later. I just monitor for inbound connections to that port. (Or look in IRC sessions for the appropriate channels.) and have our security people follow up. MUCH better than them running around CLEANING up.
Only half the story. (Score:1)
It looks like they wanted to be the first to break the story and didn't care about what they had to leave out to get there first.
Bloody first posters!
FatPhil
Use of IRC channel as an interface... (Score:2)
Maybe it's just me, but IRC seems like a cool way to go about doing that...
Having your own channel to issue commands to your compromised minions of systems, really really feels like something out of Snow Crash, or maybe even Batman...
Re:But somebody will read it (Score:1)
Opensource has nothing to do with intelligent caution and care being taken. (Although it should) You don't patch a problem like this, you remain vigilant to prevent it. I mean you could hide this binary in any location under any name, have it listen to different IRC channels or even have it query a webpage at random times. How would you track that down?
Better Article. (Score:5)
-------
Synopsis: A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.
The flooding commands have this format: , where flood is the type of flood, password is the agent's password, victim is the victim's IP address, and time is the length of time to flood the agent, in seconds. The available flood types are the following:
tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"
Other available commands include:
ping: Ping each client. The client will respond with "(trinity) someone needs a miracle..."
size : Set the packet size for the flood, 0 for random.
port : Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with " trinity v3 by self (an idle mind is the devil's playground)"
-------------
-Pete
Re:Only half the story. (Score:3)
oh, and the guy who posted to INCIDENTS beat out iss by >1 week.
btw, trinity is old news to the skr1p+ k1ddi3 scene.
--
So how do I know it is Trinity? (Score:2)
Even though this is bad... (Score:1)
While I know cracking is a bad thing, I think some of these guys should get an award for creative thinking. And to see a *real* cracker break into a system with definite, calculated measures... it's just... wow.
Sorry, I know they shouldn't be given extra reason to do this stuff, but I stand impressed.
400 Hosts? (Score:1)
I'm really interested to find out how this was distributed though...
What? (Score:5)
Why do I smell old fish? It sounds to me that there is an attempt to sell a product by scare-mongering. How can an IRC chat session install files in a directory that requires root permissions? If someone is chatting in IRC as root and allows unchecked software to be installed from a remote server, aren't they getting what they deserve in the same way that I would get my just deserts from driving my car without motor oil? Open-source does not equate to security in spite of stupidity!!
Is this (Score:1)
Your day can only be going so well, when you're quoting Keanu Reeves.
script kiddies, ready, set, go! (Score:1)
-- Sirius
Root these b*stards out (Score:2)
I am so tired of hearing of these kinds of exploits. MS and Mac use these actions as an excuse to say the Unices are security hazards. Either these kiddies need to grow up or we must keep up our watch for these tools. Of course, I don't need to say this to most of you, but it is those that are lax in maintaining their machines that put others at risk.
nahtanoj
Funny name (Score:1)
DDoS and IRC (Score:3)
Honestly, this was probably conceived of so somebody could flood an irc server and get it to split from the rest of the network. Especially if it is using irc as a control interface.
I find this kind of thing quite prevalent in many places. I was speaking to a kid (he's only 15) the other day who "created" a local ls exploit just for fun. This kind of thing freaks me out.
Software like this gets put on servers either through social engineering (convincing the admin to install it) or even more commonly by finding systems with security holes that have been well documented, "rooting" the system, and installing anything the attacker deems necessary. It is fairly simple to do this.
Use nmap to scan an ip range. Keep details on what OS/daemons it is running. Search all your favorite script kiddie sites for exploits on those systems. Use exploit. Get root. Install DDoS daemon. Flood IRC server.
Look how '1337 you are now (*not*)!!!
Damn! (Score:1)
Re:Even though this is bad... (Score:1)
Creative? Nothing personal, but you've got pretty low standards for creativity. Using an IRC channel, you've got a single point of failure. It also becomes not too difficult to watch the channel and send out "your system has been compromised" mail to the various affected people.
If I wanted to do something like that, I'd probably use Usenet. Come up with a simple algorithm where messages get hashed into IP addresses to be flooded -- use something where it's not too difficult to invent a realistic-looking message that would contain a given target address. Then use something non-unique for the trigger mechanism (say, any e-mail address with 27 characters and 9 vowels). The downside is that with Usenet, you're dealing with a much more public mechanism, but the upside is that you've got much less central authority to stop an attack. And the added kicker is that you can't just go around accusing everyone with a matching e-mail address of being a cracker (but it'd still be to the cracker's benefit to do it from a disposable account).
Absolutely DO NOT follow that link. (Score:2)
---
ISS (Score:1)
Re:Damn! (Score:1)
Re:Only half the story. (Score:1)
Re:Even though this is bad... (Score:2)
However, I think that as we approach more and more intrusion on our privacy, especially our computer privacy, it isn't hard to see a Big Brother type situation in our future.
I see this kind of work as our "well-armed militia."
I think it's important that there are tools to take out tracking systems and privacy intrusion devices, just in case they are needed in the future.
Re:Even though this is bad... (Score:1)
The Usenet thing is interesting, but the IRC thing was done first. Your version is simply improving on an existing crack, which is kinda kiddie-ish, IMO.
Re:Freaky... (Score:4)
Step 1: Obtain pre-made buffer overflow tool of the week.
Step 2: Sweep blocks of IP addresses for vulnerable machines (it's frightening how many publicly accessible boxes aren't hardened).
Step 3: Gain access to vulnerable machines by "rooting" them, usually with a premade rootkit (most malicious attackers actually have no idea how most of the tools they use or the systems they're breaking into, work).
Step 4: With this newfound access to often many machines in a single sweep, install whatever you want (eg: Trinity) on them all.
Once the attacker has amassed enough machines to be his or her zombies, the attacker can trigger DDoS software on them all to hammer a specific site.
I don't know what's more frightening; the number of neglected servers running old, vulnerable services... or the growing number of home desktops with megabit+ net connections infected with remote administration trojans.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
Does it come in rpm and deb format?? (Score:1)
I guess this is kinda repetitive but you have to actually have something called root rights to install not only a library but a server that listens on port something...
Trinity (someone needs a miracle, very funny...) is just a symptom, not an illness.
If someone gets rights to install a root shell server controlled by IRC (very creative) then the DDoS part is just an application. Today DDoS, tomorrow....who knows....
So, we have not only 1 but 400 admins out there who actually got Trinity installed on their systems somehow...do any of them actually have a clue how this happened???!!!
I found Waldo (Score:1)
Now if only I could find his missing hat in the picture...
Re:Root these b*stards out (Score:1)
Of course, if someone came out with a trojan that was just a bit of code and a makefile, anything from BeOS to NeXTStep could be a potential host. Has anything like that been spread before?
HERE IS THE ARTICLE. DID YOU READ IT DUMB AZZ???!1 (Score:1)
Internet Security Systems Security Alert
September 5, 2000
Trinity v3 Distributed Denial of Service tool
Synopsis:
A new Distributed Denial of Service tool, "Trinity v3", has been
discovered in the wild. There have been reports of up to 400 hosts running
the Trinity agent. In one Internet Relay Chat (IRC) channel on the
Undernet network, there are 50 compromised hosts with Trinity running,
with new hosts appearing every day. It is not known how many different
versions of Trinity are in the wild.
Impact:
Distributed Denial of Service attacks can bring down a network by flooding
target machines with large amounts of traffic. In February of this year,
several of the Internet's biggest websites, including Yahoo, Amazon.com,
Ebay and Buy.com were taken down for extended periods of time by tools
similar to Trinity.
Description:
Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at
it connects to an Undernet IRC server on port 6667. There is a list of
servers in the binary:
204.127.145.17
216.24.134.10
208.51.158.10
199.170.91.114
207.173.16.33
207.96.122.250
205.252.46.98
216.225.7.155
205.188.149.3
207.69.200.131
207.114.4.35
When Trinity connects, it sets its nickname to the first 6 characters of
the host name of the affected machine, plus 3 random letters or numbers.
For example, the computer named machine.example.com would connect and set
its nickname to machinabc, where abc is 3 random letters or numbers. If
there is a period in the first 6 characters of the host name, the period
is replaced by an underscore. In our copy of Trinity, it joins the IRC
channel #b3eblebr0x using a special key. Once it's in the channel, the
agent will wait for commands. Commands can be sent to individual Trinity
agents, or sent to the channel and all agents will process the command.
The flooding commands have this format:
, where flood is the type of flood, password is the agent's
password, victim is the victim's IP address, and time is the length of
time to flood the agent, in seconds. The available flood types are the
following:
tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"
Other available commands include:
ping: Ping each client. The client will respond with "(trinity) someone
needs a miracle..."
size : Set the packet size for the flood, 0 for random.
port : Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with
" trinity v3 by self (an idle mind is the devil's playground)"
Another binary found on affected systems is
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as
simple backdoor program that listens on TCP port 33270 for connections.
When a connection is established, the attacker sends a password to get a
root shell. The password in the binaries that we have analyzed is "!@#".
When the uucico binary is executed it changes its name to "fsflush".
Recommendations:
Scan all systems for port 33270 connections. If any connections are found,
telnet to that port and type "!@#". A system has been compromised if there
is a root shell present after a successful connection to port 33270.
Use "ps" and "lsof" in the following manner to identify a port-shell
installed by Trinity:
#
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
#
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root cwd DIR 8,1 4096 306099
uucico 6862 root rtd DIR 8,1 4096 2 /
uucico 6862 root txt REG 8,1 4312 306589
uucico 6862 root mem REG 8,1 344890 416837
uucico 6862 root mem REG 8,1 4118299 416844
uucico 6862 root 0u CHR 136,2 4
uucico 6862 root 1u CHR 136,2 4
uucico 6862 root 2u CHR 136,2 4
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
# ps 6862
PID TTY STAT TIME COMMAND
6862 pts/2 S 0:00 fsflush
Since the Trinity v3 agent does not listen on any ports, it may be
difficult to detect unless you are watching for suspicious IRC traffic. If
a machine that has a Trinity agent installed is found, it may have been
completely compromised. The operating system must be completely
reinstalled along with any available security patches.
Public chat systems can pose a legitimate security risk. It is up to each
user's discretion to protect from malicious content distributed via these
networks.
ISS RealSecure already contains functionality that may aid in detection of
Trinity. Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the
RealSecure console to help track IRC activity. These decodes can detect
joins to the IRC channel #b3eblebr0x, as well as behavior associated with
Trinity. In addition, security administrators may choose to enable a
connection event for TCP port 33270 to detect connections to the portshell
that Trinity is installed on.
ISS Internet Scanner can be configured to scan machines on your
network with the TCP Port Scanner turned on. The TCP Port Scanner can be
enabled by selecting it under the Services category in the Policy Editor.
The TCP Port Scanner should be configured to scan port 33270. If machines
are found to be listening on this port, they may have the Trinity
portshell installed.
The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner,
RealSecure, and System Scanner.
Additional Information:
This information has been researched by Jon Larimer of
the Internet Security Systems X-Force.
______
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv
iQCVAwUBORMoMTRfJiV99eG9AQH4uQP9FJlj+quxhqRM8Nd
EvtueaGc7dnI08EUgiUCUERjpYCtI8CnL2Gw4kETkmk6wWe
dB4iDKv+NjutECNH3SS71n7D6wkJlNUSk/rJ+WHyHhlwmDH
TLzqCqcKos0=
=kZmQ
-----END PGP SIGNATURE-----
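The alert above gives two host-observable indicators a defender can look for: a root portshell on TCP 33270 whose process shows up under one name in lsof and another (fsflush) in ps, and IRC activity using the agent's nickname scheme (first 6 characters of the host name, periods replaced by underscores, plus 3 random letters or digits) and channel. The following is an added example, not code from ISS or from the Slashdot thread; the function names are this example's own, and the lsof, ps and IRC lines it checks are constructed samples modelled on the alert's listing rather than captures from a real host.

```python
"""Defender-side checks for the Trinity v3 indicators in the ISS alert:
a root portshell listening on TCP 33270 whose process renames itself, and
IRC JOIN/NICK lines matching the agent's naming scheme.  All sample input
below is constructed for this example (it mirrors the alert's listing);
nothing here is captured from a live system.  Function names are the
example's own, not an ISS or Trinity API."""

import re

# Constructed sample of `lsof -i` style output, modelled on the alert.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 912 root 3u IPv4 8811 TCP *:22 (LISTEN)
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
"""

# Constructed sample of `ps -o pid,comm` style output for the same host.
PS_SAMPLE = """\
PID COMMAND
912 sshd
6862 fsflush
"""

# Constructed IRC client lines, as a sniffer or server log might record them.
IRC_SAMPLE = [
    "NICK machinabc",
    "JOIN #b3eblebr0x somekey",
    "NICK alice_",
    "JOIN #linux",
]

PORTSHELL_PORT = 33270          # portshell port named in the alert
TRINITY_CHANNEL = "#b3eblebr0x"  # channel named in the alert


def find_listeners(lsof_text, port=PORTSHELL_PORT):
    """Return {pid: command} for processes listening on TCP `port`."""
    hits = {}
    pat = re.compile(r"^(\S+)\s+(\d+)\s+\S+.*\sTCP\s\S+:%d\s+\(LISTEN\)" % port)
    for line in lsof_text.splitlines():
        m = pat.match(line)
        if m:
            hits[int(m.group(2))] = m.group(1)
    return hits


def parse_ps(ps_text):
    """Return {pid: name} from `ps -o pid,comm` style output (header skipped)."""
    names = {}
    for line in ps_text.splitlines()[1:]:
        pid, name = line.split(None, 1)
        names[int(pid)] = name
    return names


def portshell_findings(lsof_text, ps_text, port=PORTSHELL_PORT):
    """Flag listeners on `port`; mark `renamed` when ps reports a different
    name than lsof (the alert's uucico binary renames itself to 'fsflush')."""
    ps_names = parse_ps(ps_text)
    findings = []
    for pid, cmd in find_listeners(lsof_text, port).items():
        shown = ps_names.get(pid)
        findings.append({"pid": pid, "lsof_name": cmd, "ps_name": shown,
                         "renamed": shown is not None and shown != cmd})
    return findings


def trinity_nick(hostname):
    """Nickname prefix Trinity derives from a host name: first 6 characters,
    '.' replaced by '_' (the 3 trailing characters are random)."""
    return hostname[:6].replace(".", "_")


def irc_findings(lines, hostnames):
    """Flag JOINs to the Trinity channel and NICKs that fit the
    <6-char host prefix><3 alphanumerics> scheme for one of `hostnames`."""
    prefixes = {trinity_nick(h): h for h in hostnames}
    nick_pat = re.compile(r"^NICK\s+(\S{6})([A-Za-z0-9]{3})$")
    out = []
    for line in lines:
        parts = line.split()
        if parts[0] == "JOIN" and len(parts) > 1 and parts[1].lower() == TRINITY_CHANNEL:
            out.append(("channel_join", line))
            continue
        m = nick_pat.match(line)
        if m and m.group(1) in prefixes:
            out.append(("nick_pattern", prefixes[m.group(1)], line))
    return out


if __name__ == "__main__":
    for f in portshell_findings(LSOF_SAMPLE, PS_SAMPLE):
        print("portshell:", f)
    for f in irc_findings(IRC_SAMPLE, ["machine.example.com"]):
        print("irc:", f)
```

On a real host the lsof and ps text would come from running those tools (or from a hosts' inventory export), and the IRC lines from a sniffer or the IRC server's logs; the nickname check needs the list of your own host names because the prefix is only 6 characters and will otherwise collide with legitimate nicks. A positive hit on either check is a reason to treat the machine as fully compromised, as the alert says, not to probe the port further.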
Re:Triumph -- may be of several kinds (Score:1)
Hahahahaa.
Ah? ha! ha Ha Ha hahA AhA hA hA.
U ALL R FFFFFFUKED!!
->mafiaboy
Re:DDoS and IRC (Score:3)
It's nice to say "you can't blame a protocol for these problems", but when 99% of the protocol's users are annoying 12 yr olds, then I do.
sig:
id and Trinity (Score:1)
Re:What? (Score:4)
Re:DDoS and IRC (Score:1)
Y'know, whenever something like this happens you all (well, many of you) instantly start spouting about script kiddies, making it seem like these DDoS attacks:
a) Are pranks by kids who don't know any better
b) Require no real skills whatsoever.
What is being described here requires quite a bit of time and intelligence to create and deploy, and in using IRC to issue commands it's also one helluva nifty hack.
How many of you who say doing this stuff is "easy" could actually pull it off? "They just run root kits and install whatever they want." Oh really? And how does that work? Here's an IP. Go at it and impress me. The clock is ticking.
I'm sure quite a few readers could pull this off very quickly, but I'm also fairly sure that they aren't the ones yelling "script kiddie", either.
There is skill and dedication involved here, even if it's not to the level of those who author the tools. I think by trying to belittle the perpetrators, people are really just trying to make the problem seem much less severe than it actually is, and thereby make themselves feel better.
Re:script kiddies, ready, set, go! (Score:1)
Your comment points out the Security through Obscurity viewpoint on how to go about things. Rather than tell people as soon as you have problems, you try to hide them, as to prevent more people from finding out about them and therefore exploiting them.
The other viewpoint, of course, is that you tell everyone about these insecurities; even though you may be taking a risk by telling people who would exploit this information, you would also be telling system administrators who could then fix their systems, and therefore the script kiddies wouldn't be able to attack their system.
The major problem with security through obscurity, especially with trinity, is that if you don't let people know about trojans and such, it will still propagate, in underground scenes, which may even be more dangerous. DDoS tools, lame as they are, still can be very dangerous, especially when these tools are installed on machines with fast internet connections, and it is much more efficient to tell people about them than not.
Free solution to Trinity (Score:2)
MashPotato - Mobile Array of Support Helpers for Potato
Re:So how do I know it is Trinity? (Score:2)
Oi! Stop that.
Pax,
White Rabbit +++ Divide by Cucumber Error ++
Re:Freaky... some info (Score:1)
(If you're already irc savvy, then you likely won't get anything out of the article).
http://theorygroup.com/Theory/irc.html
Re:Funny name (Score:1)
--
Paying Attention to Our Systems (Score:1)
There's no excuse for ignoring your systems once they're up, and some basic detection software should be mandated for future distros of any *n*x. Admins should read up on services that want to launch on start-up as well, and I'd also love to see a linux box come with a good set of firewall rules in the startup scripts by default.
I've had quite a few servers scanned over the past month for the rpc services, and the machines have acted appropriately. Including responding to the AC who "owns me" and who proceeded to scan 3 of my boxes. He/she may be correct and own my box. Truth is, I haven't heard from him/her since the scans. And, before anyone mentions it: I get CERT alerts; Security Focus is a daily stop.
Might seem off-topic. But, they're getting in through the rpc services. [securityfocus.com] Firewall them. Then we won't hear a bunch of FUD about how insecure Linux is.....
Linux rocks!!! www.dedserius.com [dedserius.com]
Why not set up dummy directories? (Score:1)
Even better, a polymorphic /usr/lib and /usr/bin system! That way, only the local user (and maybe root on a /dev/tty) would be able to change things, as this is the way it should be.
One offtopic thing, but I need to fix a NT4 system: Is there a way to get to the recovery console/command line? I need to replace \WINNT\System32\shlwapi.dll because of a checksum error (eek.)
Re:Even though this is bad... (Score:1)
Re:Why not set up dummy directories? (Score:1)
From what I understand, though, this DDoS client is installed and started by exploiting an rpc.statd root hole that existed in RedHat a version or 2 back. Good reason to keep up on known exploits, eh?
_____
Re: DDoS and IRC -- The root problem is social. (Score:1)
"There is skill and dedication involved here, even if it's not to the level of those who author the tools. I think by trying to belittle the perpetrators, people are really just trying to make the problem seem much less severe than it actually is, and thereby make themselves feel better."
VERY well said. If all teenagers were smart enough to run DoS attacks, this would be such a different world as to be unrecognizable.
Hackers do us a favor by showing the security holes, the things that need fixing.
The root problem is social: 1) Women have babies that they do not have the psychological and financial resources to care for. 2) Children who aren't cared for become people who have a lot of inner conflict. 3) Some people with inner conflict choose to make their conflict a problem for others. 4) People who haven't been cared for often have children who also aren't cared for, causing the social process to repeat.
Re:What? (Score:1)
Re:DDoS and IRC (Score:1)
I used to be a script kiddie, and I gave that bullshit up when I realized how stupid we all were compared to those who were actually creating new things. Now I get paid to contribute to open source software. =)
Anonymous for obvious reasons.
Re:Freaky... (Score:2)
Step 1: get the latest exploits
Step 2: Sweep IP blocks for vulnerable machines
Step 3: gain access to them and install SSH, add your own user account, and change the root password.
Step 4: secure the box, leave a polite message about the admin needing to be fired, and remove any other traces of your passage.
Once we've secured enough machines through these methods, kiddies won't be able to use them. Unfortunately, a lot of people don't like the idea that they could possibly be insecure, and resist any sort of proactive effort to cut off clueless admins at the knees.
Look how much resistance the RBL and MAPS and ORBS get.. and they're just shutting down "rather harmless" open relays. Compare this with a fleet of rooted boxen, and you see how much more serious *this* issue is.
--
Thanks for the (Score:1)
Re:Does it come in rpm and deb format?? (Score:1)
Re:chatting dangerous (Score:1)
I've been involved in the MUSH/MUX [svdltd.com] scene for several years now and have not heard of ANYONE who has had their machine hacked as a result. Not one. Quite simply, these centralised systems (which never get these 'splits' either) treat stuff like your IP address as privileged information and as such only the system admin can see it.
Not necessarily old neglected servers either... (Score:2)
What scares me is the number of remote exploits that have been found over the years in Linux-based utilities, and the difficulty of securing current Linux distributions in the face of all of these potential exploits. I have come to the conclusion that Linux is safe on the Internet only when configured as a single-purpose device with all other software removed. Thus I have an old Cyrix P150 now serving as a firewall doing nothing but IP masquerading and (internal) name resolution (it is not listening on the external network). The only service port open is OpenSSH. I have the thing wired to detect and counter all sorts of attacks, but I'm not going to go into that because one of those programs opens me up to a rather insidious Denial of Service attack that's harder to trace than the typical ping flood or smurf.
Does that make me secure? No. If it wasn't for the need to run CIPE, I would dump Linux on my firewall and run OpenBSD there.
BTW, if anybody wants a root kit, I saved the one the script kiddies left for me :-). Very interesting work. Obviously a derivative of one that I encountered in 1997 or so, but with some interesting twists. I especially liked the sweet little hack of 'ssh' that sits on a high port and gives instant root access to the attacker connecting to that port with the right private key. There's a couple of things I would do, if I were the author of this kit, to make it harder to detect though... I won't go into details here though, for obvious reasons. In any event, this particular kit is easily detectable by anybody who routinely examines the contents of their /var/log directory... and if you type 'locate t0rn' you'll see some files that 'ls' says don't exist... 'nuff said. If you're running Linux and you're connected to the Internet, you'd best go check 'locate' results now :-).
-E
Root kits hide their ports (Score:2)
There are some tools to detect that 'netstat' and 'ps' are no longer reporting the same stuff as what's being reported in /proc, but these tools do not come with the typical Linux distribution and could easily be hacked themselves if they became common. I won't mention particular tools 'cause I don't want to give the kiddies an idea what they're facing when they go against my system :-}.
-E
Daemons and library paths... (Score:2)
Unfortunately, no current Linux distribution comes with intrusion detection tools installed, running, or even mentioned in the documentation. They should. Especially given Linux's lousy record in this area (yes, problems are fixed quickly, but there are so MANY of them...).
-E
Re:Why not set up dummy directories? (Score:1)
SysInternals is a cool company - they seem to like Open Source too. See this page [sysinternals.com] for all the source code freely available. Remember that tree in "A Charlie Brown Christmas"? Maybe NT only needs a little love to grow. Nahh.
Re:DDoS and IRC (Score:2)
Oh, and once you add pictures, it attracts porn too.
Re:BFD (Score:1)
Yeah, call everyone stupid... (Score:1)
It's really kind of rank how everyone who considers him/herself a *n?x geek blames everyone's security problems on stupidity. So because I didn't spend a year or two reading Linux manuals and experimenting before hooking up to the Internet, *I* am to be blamed for the fact that 90% of the default *n?x installs are full of gaping holes? That's like a car manufacturer blaming the consumer for not knowing his car leaked gasoline, thus fixing it before he drove it anywhere. "What do you mean you didn't know it was leaking, stupid? It's not our problem it blew up! Everyone knows that cars leak gas and have to be fixed before use! Sheesh. Idiot."
Knowledge should be used responsibly. When you hand out an insecure product to a mass of people that you *know* aren't going to understand how to secure it, that's just inexcusably irresponsible. The more you say, "Those stupid users, it's all their fault!!" the more you blind yourself to the fact that the real problem is at the source, and security problems like this will just continue. Until the people who hand out the software decide to take responsibility and secure their products *before* they get to the user, things will only get worse. Expecting each user to not only become a *n?x expert, but to be one before receiving the software, is simply unfeasible.
Or, to put it another way, it's just plain stupid.
MSFT burned its way into the history books with operating systems so full of holes that today they have to be protected from approximately 47,000 different viruses (at least that's what Norton Antivirus tells me, I take it with a grain of salt). Why the free software community seems to be bent on replacing them as the newest totally insecure product, is beyond me. They seem to be doing a damn good job of it though. If they followed an OpenBSD [openbsd.org]-like philosophy, we'd have a lot fewer problems.
=============================================
1024 (Score:1)
Re:Why not set up dummy directories? (Score:1)
http://www.hotdog.co.uk/software/winternals/NTF
Crewd
Re:Funny name (Score:1)
BS! (Score:1)
Re:Only half the story. (Score:1)
I did look on security focus before I posted my first comment, but it was such _old news_ that it was no longer on the front pages (it's in the archive).
Now they have a link to the ZDNet article, which seems a waste of time considering how watered down it is.
Cheers again.
FatPhil
Re:Even though this is bad... (Score:1)
The Usenet thing is interesting, but the IRC thing was done first. Your version is simply improving on an existing crack, which is kinda kiddie-ish, IMO.
The IRC trick is a fairly old method used often by trojan programs to report back that a box has been hacked. Nothing that new here.
Re:Even though this is bad... (Score:2)
Old Hat (Score:1)
(off topic)
I've tried to set up a little mini-honeypot to see what these SubSeven probers would try after finding a machine with that port open, but only one has actually tried anything; maybe I need to work out more of the protocol to fake it better. (And I would appreciate any pointers on that, especially on what the "UFU" command means - for some reason, SubSeven's source code isn't available)