This Just In: HACKERS WILL STEAL YOUR HOUSE AND KILL YOU

Advertisements

The New Cuckoo’s Egg

The EYE TRIPLE EE has an article about the recent (2005) Greek cellphone hack which left the entirety of the Greek government tapped via their cellphones. It’s light on details but still an interesting read.

If anyone’s wondering, the runtime code modification usually only happens in virtual machines or mainframe style systems with “machine partitions”. The fact that someone seems to have gotten outside of that and mapped it effectively is wildly good stuff. It’s very likely that on some level an employee of both the cellphone provider and the hardware vendor were in on it since it would require a fair bit of knowledge about what vodafone was seeing to hide effectively.

Linux Arcanum and SMART Warnings

If Languages Were Religions is riotously funny.

I finally figured out what’s wrong with my desktop. For the longest time the instrumentation was just weird. It would crash randomly, have strange bus problems (which I thought were related to aging video cards), and the voltage from the power supply would have a noticeable bit of noise from it. Other than the generic logs of “your computer has recovered from a serious error” there was nothing to point to. MEMTEST would show all the DIMMs had a bad line, so I just assumed the mobo was slowly dying and figured one day I would come home to it not working.

Finally one day I happened to be reading the syslog on my Linux box trying to track down this one idiot on a modem who was trying to hack it when I got the message:

Dec 17 08:29:39 HopsAndBarley smartd[2532]: Device: /dev/sdb, Failed SMART usage Attribute: 9 Power_On_Hours.

OH MY GOD SMART ACTUALLY WORKED. Basically it’s saying my old Linux drive, the one I use all the time, is crapping out. I checked to see where the spare was and realized that the spare became the windows drive (120GB) and my windows drive became my Linux drive. The spare-spare drive I had is a 10GB drive I used to use as a raw device for caching DVD data while authoring. Which means I have no device at all. So I have a choice. I can go through my windows drive and reload it, thus creating enough space for a Linux partition or I can run the computer without the Linux drive entirely and give up my primary OS for the sake of having anything to use at all.

Since the botnets have been a pain recently I came up with a new /etc/hosts.deny

ALL : .ru
ALL : .cn
ALL : UNKNOWN

Basically, if you’re from a .ru, or from .cn, or your IP doesn’t resolve to a hostname, you’re not connecting.

And of course all the other security stuff is in place like denying root login, which seems to be what most of the idiots out there are after.

Here’s the types of logs:

Dec 16 13:12:03 HopsAndBarley sshd[2917]: Invalid user t1na from 195.162.62.230

These actually go on for quite a few usernames and the guy’s working off a default list. These will now be denied outright by TCPWrappers since they’re caught by hosts.deny’s UNKNOWN directive.

Oct 24 20:19:11 HopsAndBarley sshd[9074]: Invalid user newsletter from 59.145.145.146
Oct 24 20:19:14 HopsAndBarley sshd[9079]: reverse mapping checking getaddrinfo for dsl-kk-static-146.145.145.59.airtelbroadband.in [59.145.145.146] failed – POSSIBLE BREAK-IN ATTEMPT!

That asshole is from india. I’m trying to decide if I want to blacklist India from connecting to me except that I have Indian friends. I simply set my SSH max auth retries down to 1 and set the “connect” timeout to 5 seconds making it prohibitively expensive time-wise to try this crap.

And finally this poor asshole wins the award:

Dec 8 14:52:29 HopsAndBarley sshd[15188]: Invalid user felix from 62.141.122.246
Dec 8 14:52:31 HopsAndBarley sshd[15193]: reverse mapping checking getaddrinfo for dial-up-1-118.spb.co.ru [62.141.122.246] failed – POSSIBLE BREAK-IN ATTEMPT!

Because it took him so long to connect, he was at it for over 12 hours.

Now, stuff that makes me less happy is that this is OpenSuSE. I love SuSE, it feels like RedHat Done Right. But some of their default security settings aren’t appropriate to a desktop system. I realize there’s probably times where having UNKNOWN hosts denied access would ruin someones websurfing experience, but having SSH respawn indefinitely with no delay or max auth retries is sloppy. On the other hand, OpenSuSE and SuSE in general is really good at not spawning services it doesn’t need, and the default firewall for a desktop host is really restrictive (actually, it denies all inbound traffic without matching outbound traffic). It’s OK to have this as a point defense, but in todays age of browser based exploits, it wouldn’t surprise me in the least to find out someone starts killing Linux desktops by connecting to localhost once they have your browser. A firewall is nice, but defense in depth is a requirement.