[LUAU] Millenium Worm
George Toft
LinuxAdvocate at iname.com
Fri Apr 16 19:46:41 PDT 1999
bbraun at sparcy.synack.net wrote:
>
> You use RedHat or SuSE don't you?
Yeah.
> All these have been known about for a year or more.
> Check the bugtraq and rootshell advisories on the
> things referenced in the script.
>
> mountd was a major one that redhat screwed up on
> big time. It was known a long time before the
> distribution was shipped. In fact Olaf
> (the maintainer) posted information about the
> exploit to the linux nfs mailing lists, I believe.
> Almost all other distributions were using a
> relatively recent version of mountd, so they were
> ok.
>
> The pop and imap exploits were running around about
> a year ago now, I think. If you're running an open
> pop or imap server, you deserve what you get.
No red face here - no pop and no imap in my inetd.conf.
> I
> don't know of a single pop or imap server that hasn't
> had major problems in the past, and I at least mucked
> with UW's imap and pop servers last summer, found
> a potential exploit in the *kerberos* code, and the
> maintainer's response was "I don't maintain that code.
> If there is a potential security issue with it, the
> code will be removed in the next release." Whatever.
>
> And then the bind exploit... Well over a year old.
>
> Not that I seriously expect people to keep up with
> the latest software, you can spend a serious amount
> of time doing that. The main point is that most of
> you are running relatively recent distributions, and
> still people like RedHat are shipping distributions
> with known security holes. These things don't go
> away if you ignore them.
> Another thing is that a stock installation of any
> OS is likely to have serious problems. Do I really
> need to be running an anonymous ftp server on my
> desktop?
I have ftp, but not anonymous.
> Do I really want to nfs export / to
> everyone? (solaris) Do I really need 4 accounts without
> a password and with a valid shell? (IRIX)
>
> As Bill Cheswick of Bell Labs says, all services should
> be turned off by default, until you run a script
> called "screw-me".
>
> These script kiddie attacks are bad and you can argue
> that these people are bad and evil and should go away.
> But you really get what you deserve, I think.
That's the part I have a hard time with. I conscientiously
removed everything except telnet and ftp, and have
set my tcp-wrappers to deny all except local and my lan.
I applied the errata to be current. I'm putting
forth effort, and all I get is "You get what you deserve."
Thanks a lot. It wasn't just you, but the person
that wrote the worm said pretty much the same thing.
Live and learn, I guess.
George
--
Home Page: http://luau.hi.net
LUAU - Linux Users AnonymoUs - Hawaii
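As an added example, not from this post or the LUAU list: a POSIX shell audit of the posture George describes, an inetd.conf trimmed to ftp and telnet plus a tcp-wrappers deny-all policy with a loopback and LAN exception. The sample files are constructed for the example, and the hosts.allow matcher handles only single-host and net/mask patterns, a subset of tcpd's real syntax.

```shell
#!/bin/sh
# Constructed sample of a trimmed inetd.conf as the post describes it:
# everything commented out except telnet and ftp.
SAMPLE_INETD_CONF='#pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
#imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd'

# Constructed tcp-wrappers policy: deny everything by default (hosts.deny),
# then allow only loopback and the local LAN (hosts.allow).
SAMPLE_HOSTS_DENY='ALL: ALL'
SAMPLE_HOSTS_ALLOW='ALL: 127.0.0.1 192.168.1.0/255.255.255.0'

# Print the service field of every active (uncommented, non-blank) inetd.conf line.
enabled_inetd_services() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' | awk '{ print $1 }'
}

# Succeed only if hosts.deny contains the catch-all "ALL: ALL" rule.
has_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}

# Succeed if IP $1 falls inside network $2 with dotted netmask $3.
# Bitwise AND is done by hand so this runs on plain POSIX awk (no gawk and()).
ip_in_net() {
    awk -v ip="$1" -v net="$2" -v mask="$3" '
        function band(x, y,   r, b) { r = 0; b = 1
            while (x > 0 || y > 0) { if (x % 2 == 1 && y % 2 == 1) r += b
                x = int(x / 2); y = int(y / 2); b *= 2 } return r }
        BEGIN { split(ip, a, "."); split(net, n, "."); split(mask, m, ".")
            for (i = 1; i <= 4; i++) if (band(a[i], m[i]) != band(n[i], m[i])) exit 1
            exit 0 }'
}

# Succeed if client IP $2 is matched by an "ALL: ..." entry in hosts.allow text $1,
# where each pattern is a single host or net/mask (a subset of tcpd's syntax).
client_allowed() {
    allow_list=$(printf '%s\n' "$1" | awk -F: '$1 ~ /^[[:space:]]*ALL[[:space:]]*$/ { print $2 }')
    for pat in $allow_list; do
        case "$pat" in
            */*) ip_in_net "$2" "${pat%/*}" "${pat#*/}" && return 0 ;;
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}
```

Run the functions against the real /etc/inetd.conf, /etc/hosts.deny and /etc/hosts.allow to confirm that only the intended services are active and that anything outside the LAN is refused before the wrapped daemon ever starts.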