Re: Possible remote vulnerability in SSH-1.2.27

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Sat Oct 05 2002 - 02:32:50 PDT


    hi ya
    
    hey.. that's my idea too .. at least to provide level-1 
    first defense against script kiddies ...
    	move su, tar, make, gcc, mail, too ... very important
    
    it won't necessarily discourage them... their script and
    attack will be deposited ... but the scripts won't be able
    to continue to "call home" for further info about what 
    to do next... like d/l more attack codes etc
    
    when that initial script does get installed on your box,
    you better fix that puppy asap before they come back in
    again ... ( find out the exploit they used to gain access
    in the first place )
    
    one of the boxes ( that they didn't want touched ) did get
    hit with the slapper worm last week .. but it didn't do much
    else since the binaries were missing
    	- so now their boxes were updated/patched no matter
    	how hard they prevented me from updating it...
    	( and in the process,,, printer services died..
    	( lpd got replaced w/ LPRng but that was fixable
    	( and no data loss due to [cr/h]acker etc
    
    c ya
    alvin
    
    On 4 Oct 2002, Alexandru Balan wrote:
    
    > > Bottom line, just have a tripwire installed/configured and you'll "have" them by dinner. Maybe they think "hey its so simple that they wont even see it or bother to remove it", who knows..
    > 
    > Assuming you have 'em. What then ? Sue them ? afaik they have to be
    > caught _in the act_. A few days ago i saw a policeman searching a
    > windows machine for logs regarding Credit Card fraud. He searched in "My
    > Documents" and that was that. Well, i ask you gents.. how would that man
    > tell the difference between a "l33t h3x0r" DDOS-ing and a peaceful
    > BitchX user ? (both sittin' next to one another with putty sessions
    > open). 
    > About tripwire... i don't have the patience to setup tripwire on a P1
    > 90Mhz 16Mb RAM. A guy gave a better idea on another list. Simply mv
    > wget,ftp,lynx and all regular progs used by skiddies sumplace else and
    > that would discourage them a bit (i find the situation rather amusing
    > myself). 
    > 
    > --
    > Jay (need fresh coffee) 
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
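
A defender-side check for the tip discussed in this thread, as an added example that is not part of either poster's message: a POSIX shell audit that reports which of the tools named above (wget, ftp, lynx, su, tar, make, gcc, mail) are present in the given directories and still executable by every local account. The function names and the scratch directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: tools named in the two messages above.
TOOLS="wget ftp lynx su tar make gcc mail"

# audit_tools DIR...
# Prints "tool<TAB>file<TAB>state" for each listed tool found in DIR.
# state is "world-exec" when the "other" execute bit is set (any local
# account can run it) and "restricted" otherwise.
audit_tools() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for tool in $TOOLS; do
            file="$dir/$tool"
            [ -f "$file" ] || continue
            # -H follows a symlink given on the command line, so the
            # permission bits of the real binary are the ones tested.
            if [ -n "$(find -H "$file" -perm -001 2>/dev/null)" ]; then
                state="world-exec"
            else
                state="restricted"
            fi
            printf '%s\t%s\t%s\n' "$tool" "$file" "$state"
        done
    done
}

# count_world_exec DIR...
# Number of listed tools that every local account can still run.
count_world_exec() {
    audit_tools "$@" | awk -F'\t' '$3 == "world-exec" { n++ } END { print n + 0 }'
}

# Constructed sample: a scratch directory standing in for /usr/bin.
demo_dir=$(mktemp -d)
: > "$demo_dir/wget"
: > "$demo_dir/gcc"
chmod 755 "$demo_dir/wget"   # anyone can run it
chmod 750 "$demo_dir/gcc"    # owner and group only
audit_tools "$demo_dir"
echo "world-executable tools: $(count_world_exec "$demo_dir")"
rm -rf "$demo_dir"
```

On a real host, pass the directories from `$PATH`, for instance `audit_tools /bin /usr/bin /usr/local/bin`.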
    
    
    



    This archive was generated by hypermail 2b30 : Sat Oct 05 2002 - 15:27:03 PDT