VanLUG Email Archive

VanLUG Mailing List
Re: Linux security - Ramen worm!

Andrew Daviel (andrew@andrew.triumf.ca)
Thu, 18 Jan 2001 11:53:18 -0800 (PST)


On Thu, 18 Jan 2001, Yakov N Miles wrote:

> Would my LinkSys blue box firewall be a useful defense against this kind
> of malicious attack? Currently I only allow SSH (port 22) IDENT (port 113)
> and HTTPS/SSL(port 443) through my LinkSys blue box firewall/router/switch.

Yes. The worm propagates with ftp and http on port 27374 (normally address
search protocol).

Normal security measures are sufficient, i.e. blocking unwanted services
and doing updates.

It's kind of a wake-up call though in that it shows that there are enough
Linux boxes out there that this could work, and that we might
expect more of the same. The whole thing takes a few seconds to infect
a box and maybe minutes to copy itself to another victim, compared
with hours or days with a human hacker doing a scan, checking for
possibilities, trying a few exploits, breaking in, downloading tools,
starting them up etc. etc.

With this one, once a box is infected it inoculates itself, so it
does not go out of control like the Morris worm, but there does not seem
to be any limit to the scanning. It keeps generating random class B
subnets to scan and will survive a reboot.

Oh yes - it's malicious (erases all "index.html" files)

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@triumf.ca
--
This message came to you via the Vancouver Linux Users Group mailing list.
For unsubscription instructions do not email the list, but rather send mail
to <vanlug-request@gweep.bc.ca>.
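
The behaviour described in the message above (traffic on port 27374 and unbounded scanning of random class B subnets) can be looked for in outbound firewall logs. The following is an added example, not part of the original message; the log layout, the sample lines, the threshold and the function names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines; layout "time src dst dport action" is assumed.
SAMPLE_LOG = """\
2001-01-18T11:00:01 10.0.0.5 192.0.2.10 21 ALLOW
2001-01-18T11:00:02 10.0.0.5 198.51.100.7 21 ALLOW
2001-01-18T11:00:03 10.0.0.5 203.0.113.20 21 ALLOW
2001-01-18T11:00:09 10.0.0.5 203.0.113.20 27374 ALLOW
2001-01-18T11:02:00 10.0.0.9 192.0.2.10 21 ALLOW
2001-01-18T11:03:00 10.0.0.9 192.0.2.11 21 ALLOW
2001-01-18T11:04:00 10.0.0.7 198.51.100.7 27374 DENY
truncated line
"""

WORM_PORT = 27374                # port named in the message
WATCHED_PORTS = {21, WORM_PORT}  # 21 is the standard ftp port
SWEEP_THRESHOLD = 3              # distinct /16 networks; assumed value

def class_b(ip):
    """Return the class B sized (/16) network that contains ip."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)

def find_suspects(log_text, threshold=SWEEP_THRESHOLD):
    """Map each internal source address to the reasons it looks infected."""
    nets = defaultdict(set)       # src -> /16 networks contacted
    worm_hits = defaultdict(int)  # src -> connections to port 27374
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed or truncated records
        _time, src, dst, dport, _action = parts
        try:
            ipaddress.ip_address(src)
            port, net = int(dport), class_b(dst)
        except ValueError:
            continue  # skip records with a bad address or port
        if port in WATCHED_PORTS:
            nets[src].add(net)
        if port == WORM_PORT:
            worm_hits[src] += 1
    suspects = {}
    for src in sorted(nets):
        reasons = ["port-27374"] if worm_hits[src] else []
        if len(nets[src]) >= threshold:
            reasons.append("class-b-sweep")
        if reasons:
            suspects[src] = reasons
    return suspects
```

Counting distinct /16 networks rather than raw connections keeps a host that talks repeatedly to one ftp server (10.0.0.9 in the sample) out of the result.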



This archive was generated by hypermail 2.0b3 on Tue 03 Jul 2001 - 18:31:58