Linux Mint Forums

[Husse]

Hm - a little war going on?
Perhaps this could be boiled down to
D1Wayne claiming that nasty things could happen if you work on it (not at the beginning though)
marcus0263 and scorp123 stating that you really have to work so hard to achieve the bad things that they really don't happen

[marcus0263]

Hm - a little war going on?
Perhaps this could be boiled down to
D1Wayne claiming that nasty things could happen if you work on it (not at the beginning though)
marcus0263 and scorp123 stating that you really have to work so hard to achieve the bad things that they really don't happen

Yes you have to really work on it

The point being put across is no *nix's are not immune but it is 10000+ more difficult to create nasties to break into a *nix system. Unlike M$ were all you need is basic VB skills to code a 1/2 page to down 1/2 the M$ systems in the globe. Also nothing replaces basic common sense like not cruising the internet as root.

It's like this, you can drive your car down the road every day with a fire suit and helmet, but do you really need to?

As for the argument about "*nix's just not being popular", well what do the big banks, government defense systems etc. critical and financial systems run?

[scorp123]

proof of concept, proves they vulnerability,

It proves a theory ... but putting a this into practice & reality is a different thing altogether. As I wrote in my earlier posting: Yes, there can be Linux viruses. But are they in the wild? NO. There once was some stupid worm that would attack PHP pages, but that hardly doesn't count as "virus" as this thing no matter what it did could never ever compromise the entire OS.

The real danger for a Linux system comes in the form of human hackers ... not virues. Different OS'es, different weaknesses.

And human hackers are very much a reality and a real threat to anyone running a UNIX-like system (be that Linux, BSD, HP-UX, Solaris, whatever.... ). But not viruses ...

the bug mentioned earler, is proof, that 1 digruntle person on adevelopemnt team could easily sabotage a project.

Totally harmless compared to what a real hacker can do to your network if he finds a way in ...

All this virus talk is just FUD and nonsense, sorry to say so

the link was simply to illustrate how easy it would be to slip in malicious or faulty code.

Or it rather illustrates that certain companies better check their procedures again and how the hell infected Windows machines were allowed to access a critical production area

Most likely some idiot with a Laptop ... maybe a sales guy? They travel around, travel from sales show to sales show, and don't always have enough bandwidth so that they could update their anti-virus definitions. They go home over the weekend, their kid takes the laptop for a ride, installs some games or other software of unknown origin, maybe even a "trainer" or "cheat", or maybe even a "key generator" ... and whhhhooooops!!!!! Laptop catches an infection and the sales guy doesn't realise it yet. So he comes back into corporate HQ, plugs in his laptop into the corporate network ... and whhhhoooops!! We have a virus spreading through the corporate LAN's ... Too bad if it reaches the factories and even gets hard-pressed onto driver CD's and USB-keys ...

That's how it works ... on Windows

And here is UNIX / Linux:

You have a lazy admin who keeps that one "not so important" web server unpatched and unguarded for too long ... "Ya know, it's just holding some boring marketing material, nobody is going to look at that anyway, so we need not hurry with those stupid patches ... Let's patch our 'high-profile' systems first, OK?"... Yeah right. Been there, heard this BS before ...

But a human hacker has been paying close attention: He's been port scanning your web site for the past few weeks and knows pretty much which TCP/IP and UDP ports are open, and he almost has an orgasm when he finds that your stupid admin still hasn't patched that old and obsolete application server version: It's time for a remote buffer overflow! He will send so many bogus signals until the application server dies, leaving a wide open root shell behind ...

So our hacker waits until the darkness of the night puts a shroud over everything. Like a vampire he's been sleeping all day long, just for this one night when he will strike.

And then he prepares his attack: One final portscan with "nmap" in stealth mode, just to make sure one last time that nobody has fixed the security holes in the meantime. Better cautious than sorry, he triggers a few more scans, activates a few "packet generators" and generates some fake traffic, just to make sure he isn't running into a trap or "honeypot".

He keeps his eyes glued to the console ... everything silent. The target is real, it's clear, and it's darkest night: The admin must be sleeping now. It is time ...

And then he strikes: He activates a few C programs and shell scripts that generate the necessary traffic that will kill the application server he's been observing so long ... a few "packet generators" in the background keep the routers busy with fake IP headers so that it will be very hard to trace the origin of this attack back to our hacker ...

Target down! The application server dies a miserable death after receiving this punishment of bogus IP packets, and because the admin was so stupid and never put the server process into a root jail or a virtual machine (e.g. Xen) the application server's death leaves a root shell behind ... Our hacker is in Heaven! He's the "King of the World" ...

Quick! He opens a connection to his underground IRC channel and tells his hacker buddies about his new system that he just got into. "0wn3d" as some people would say ... real hackers don't talk like that though

Two or three of his buddies get onto the party and also connect to the now compromised system.

Now the real work begins .... Scan the internal network without any of the admins or the "Intrusion Detecion System" noticing! And of course: Place backdoors, keyloggers and trojans somewhere ... Chances are that the admins will patch the application server now that it crashed under "unknown circumstances", so our hacker friends need a new way in. So they place a few backdoors: They are already "root", so nothing is stopping them from modifying a few system binaries and adding "more features" to them. The "postfix" mail daemon gets modified so that it will silenty open a backdoor once it's active. And the "apache" web server gets "patched" too and now will sniff the network for interesting traffic and send the results to a bogus e-mail address on Hotmail.com ...

Uh oh ... it's morning. Time to disconnect.

A few nights later our hackers are back. And with great amusement they see that this lazy stupid admin indeed patched the application server, but he obviously didn't notice anything else; especially he hasn't noticed yet the presence of those unwanted hacker guests and their "special" binary versions they installed.

Armed with the log files their sniffers produced in the past few nights they are now armed with usernames and passwords of several system user and mail accounts; and they find more vulnerabilities further inside the network. They compromise more systems .... And then they find the "holy grail": The database server which hosts all the credit card transactions and which keeps a record of all those precious credit card numbers ...

The next morning you can read this in the newspaper: Hackers stole 300'000 credit card numbers from company XYZ ...

That's what can happen on UNIX / Linux and if you are too lazy and/or too stupid to properly take care of your servers ....

But viruses?? No. Definitely no.

[scorp123]

As for the argument about "*nix's just not being popular", well what do the big banks, government defense systems etc. critical and financial systems run?

Bingo!! But what most (Ex- ?) Windows people don't get is that *nix has it's fair share of vulnerabilities ... of course it has, it would be foolish to claim the opposite. But those vulnerabilities just ain't viruses

Let's talk about foolish UNIX admins not placing their servers behind properly configured firewalls, let's talk about stupid wannabe admins never taking care of patching their systems, let's talk about running some wacky and ugly hacks on your web server that a third-party company developed for your company -- your boss insists that this piece of cow dung has to be installed on your server despite the fact that this thing is opening too many TCP ports and yet nobody could so far really tell you why precisely those ports have to be open, let's talk about buffer overflows, stupid admins running root shells in "screen" and leaving those shells open for months ... let's talk about stupid users running unknown software that does funny things such as firewall hole punching (Hamachi anyone? Or Skype? ) ... Let's talk about reverse SSH tunnels that could be easily used as backdoors, let's discuss manipulated daemons that do a lot more than what they're supposed to do, let's touch the topic of angry ex-employees who know too much about your corporate network's topology and all the daemons that run on each of your servers and who got too many unsettled scores to settle .... Let's talk about all this and the tune suddenly changes: *This* is the stuff UNIX people like marcus or me are afraid of ... if there is any such thing, then it's stuff like *THIS* .... But not "viruses"

[marcus0263]

As for the argument about "*nix's just not being popular", well what do the big banks, government defense systems etc. critical and financial systems run?

Bingo!! But what most (Ex- ?) Windows people don't get is that *nix has it's fair share of vulnerabilities ... of course it has, it would be foolish to claim the opposite. But those vulnerabilities just ain't viruses

Let's talk about foolish UNIX admins not placing their servers behind properly configured firewalls, let's talk about stupid wannabe admins never taking care of patching their systems, let's talk about running some wacky and ugly hacks on your web server that a third-party company developed for your company -- your boss insists that this piece of cow dung has to be installed on your server despite the fact that this thing is opening too many TCP ports and yet nobody could so far really tell you why precisely those ports have to be open, let's talk about buffer overflows, stupid admins running root shells in "screen" and leaving those shells open for months ... let's talk about stupid users running unknown software that does funny things such as firewall hole punching (Hamachi anyone? Or Skype? Very Happy ) ... Let's talk about reverse SSH tunnels that could be easily used as backdoors, let's discuss manipulated daemons that do a lot more than what they're supposed to do, let's touch the topic of angry ex-employees who know too much about your corporate network's topology and all the daemons that run on each of your servers and who got too many unsettled scores to settle .... Let's talk about all this and the tune suddenly changes: *This* is the stuff UNIX people like marcus or me are afraid of ... if there is any such thing, then it's stuff like *THIS* .... But not "viruses"

Yep big difference between stupidity and normal everyday browsing and operations. Hence issues with like with M$ going to a website that has their banner ads being served up from an infected server. M$ you will infect and compromise you entire OS, doesn't happen with *nix. Why? It's called ActiveX, the *nix world doesn't have that security nightmare.

[Sanchopinky]

Thx guys for your interest I installed clamAV and Firestarter and while I'm running firestarter it says "Detected hit from 192.168.1.42" and the icon starts flashing red.

Is this anything to be concerned about?

nvm I found out it was an online game I play..

http://ip-lookup.net/?62.146.69.28

[scorp123]

"Detected hit from 192.168.1.42"

There are ranges that never ever could originate from anywhere but from your own internal network because they are regarded as "Private Ranges" according to RFC 1918 (as sysadmin I know that stupid number by heart ...). All the details are here:
http://www.faqs.org/rfcs/rfc1918.html

Wikipedia's article on this (easier to understand):
http://en.wikipedia.org/wiki/Private_network

Therefore: IP addresses that start with 10.* something (10.0.0.0 – 10.255.255.255), 172.16.* something up to 172.31.255.255, and last but not least 192.168.* something can never ever originate from anywhere but from your own internal network.

These addresses don't even get routed on the internet (you don't get anywhere!), e.g. no ISP on this planet and in this universe can use these address ranges on the Internet or give any such address to any customer. You have to use some form of address translation between such a private range address and the official IP address(es) you got from your ISP.

The only thing you really need to be worried about is if you use WLAN and you see such private IP addresses that are definitely not used by any of your PC's or Laptops .... In that case it could be that someone cracked your WLAN-keys and broke into your network ...

Too bad if that hacker / cracker does something illegal and you are being held liable (after all it was your ISP subscription, and your IP address out there, right? ...) ... So in case you use WLAN it's always a good idea to keep an eye on such things.

I myself use WPA2 encryption and I only allow specific MAC-addresses into my network, just to be on the safe side.

[Husse]

Scorp is right about these address ranges, but
some ISPs may use them and put their customers on one of this nets, the 10.xxx one the most like candidate or sometimes even 192.168.x.x.
Telia, the large swedish operator that is active in many parts of the world, used the 10 range, don't know if they still do.
The nameservers I used the first years on the internet was 10.0.0.1 and 10.0.0.10 ....
But if your ISP does not use this "half illegal" method, it's from your own network

[clem]

I use no encryption, no filtering, I have DHCP enabled, my essid is broadcasted, I don't even monitor accesses to my router.

My secret? I live in the middle of nowhere. Best security ever

10.xxx.xxx.xxx should only be used by companies, individuals within their own networks. It's not made for ISPs to use (and if they do, certainly not as public IP addresses). But Husse is right as well, it's only a standard after all, and like all standards it all depends how much people decide to follow it.

Clem

[Sanchopinky]

Sorry to bump this but what about javascript exploits?

Is linux still safe from that?

[Husse]

what about javascript exploits?
Is linux still safe from that?

Short answer yes.
It could probably (not sure) be used to do something to your /home but for anything else it would need sudo....

[scorp123]

Sorry to bump this but what about javascript exploits? Is linux still safe from that?

Long answer: ...it depends.

There was once (two years ago?) some bug in Firefox that would allow a web page to access your clipboard ... Too bad if the clipboard contained the root password or your credit card number ...

Such rare and exotic bugs aside, JavaScript normally can't do much to your system as "a whole". Your user account however is a different question. Depending on what sort of nasty exploit we are talking about it could maybe try to kidnap your bookmarks, or try to steal stored passwords (that's why everybody is taking "phishing" so seriously these days). But usually such bugs and security holes get fixed really quick -- that's the true beauty of open source software.

Out of the very same reasons you should never ever run a web browser as superuser "root"

Another thing making things really hard for writers of malware is a law coming from genetics and biology: The more diverse a life form is, the less susceptible it is to a virus attack.

The same is true for software. Monocultures such as Windows are vulnerable to malware and viruses because "it's all the same". Linux however is different: Every Linux distro is a slight bit different from the rest ... and this is good! It makes it really really hard for malware to attack a Linux system as it cannot know in advance what distro it will encounter ....

Attacks from human hackers are a different story: they are a real threat, especially to web and database servers facing the Internet.