Network Security Focus-Linux

Subject: Re: SF new column announcement: Linux worm overrated
Date: Thu, 10 Nov 2005 23:53:43 +0000
On Fri, 2005-11-11 at 00:45 +0800, Alex Nordstrom wrote:
> Friday, 11 November 2005 00:13, Moderator wrote:
> > Linux worm overrated
> > http://www.securityfocus.com/columnists/368
> 
> That may well be, but I've seen two attacks in the last week, one from 
> an Indonesian host and one Taiwanese, so it's definitely out there. It 
> looks more active at the moment than Nimda, which has declined a lot 
> since this time last year (although that might have more to do with the 
> fact that I since decided to drop all packets from China and South 
> Korea).

A very, very cursory look (egrep 'xmlrpc|hints|awstats' * |wc -l) at the
logs of an Apache box which has been sitting online for ~2 weeks gives
286 lines of related activity - there are no pages on this server with
any of those three strings in them, so these are all (probably)
automated attacks.

Looking a little more carefully, it seems that there have been 7 unique
attacking addresses (quite a few lines for so few clients, thanks to a
mod_security log dropping most of this traffic as well as access_log
entries for the error 500s).

It is obviously overrated - but the "novelty of a bi-annual Linux worm"
does indeed tend to generate some hype. Especially funny though, since
this isn't really a Linux worm - it just has a platform-specific
payload. ;)

Actually, what strikes me as interesting in this particular instance is
the fact that the worm exploits web applications - given the complete
commoditization of web hosting (and, thanks to the low profit margins,
the lack of effort which frequently goes into shared hosting
environments), I'd hazard that this and more web-related intrusions &
worms are a sign of a growing shift bringing web apps alongside socket
apps as targetable.

I have to say, I wonder how many of thousands of freely available
webapps that are out there (especially PHP ones, seemingly) even realise
that such considerations exist - I remember talking to a developer on an
(actually fairly large) LAMP app 12 months ago and being shocked when
he'd never heard the term "SQL Injection" before. ;)

 - James.
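
The quick log check James describes (egrep for the three strings, wc -l, then a closer look at how many distinct clients were behind the hits) as an added, stand-alone example; this is not code from the original mail. The log lines are constructed for illustration (RFC 5737 documentation addresses, made-up paths) and the function names are mine. It adds one thing the mail only implies: on a server that legitimately hosts something matching one of those strings, restrict the count to requests that did not succeed, since blind probes on a box without the target script show up as 404s and 500s.

```shell
#!/bin/sh
# Added example, not from the original mail. Reproduces the author's
# "egrep 'xmlrpc|hints|awstats' * | wc -l" over Apache combined-format logs,
# then pulls out the distinct source addresses and per-host status tallies.

# Constructed sample access log; hosts, paths and timestamps are invented.
LOG="${TMPDIR:-/tmp}/sample_access.log"
cat > "$LOG" <<'EOF'
203.0.113.7 - - [10/Nov/2005:21:14:02 +0000] "POST /xmlrpc.php HTTP/1.1" 500 622 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Nov/2005:21:14:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Nov/2005:21:20:41 +0000] "GET /cgi-bin/awstats.pl HTTP/1.1" 500 622 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Nov/2005:21:20:42 +0000] "GET /hints/hints.pl HTTP/1.1" 404 288 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Nov/2005:21:31:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Nov/2005:21:31:10 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2005:21:45:55 +0000] "GET /awstats/awstats.pl HTTP/1.1" 500 622 "-" "Mozilla/4.0"
EOF

# The three strings the mail greps for; this is the only signal used.
PROBE_RE='xmlrpc|hints|awstats'

# Raw hit count across the given log files (the mail's egrep ... | wc -l).
# -h suppresses filename prefixes so the count works for one file or many.
count_probe_lines() {
    grep -Eh "$PROBE_RE" "$@" | wc -l | tr -d ' '
}

# Distinct client addresses behind those hits (field 1 of the combined
# format), one per line, sorted.
unique_probe_hosts() {
    grep -Eh "$PROBE_RE" "$@" | awk '{ print $1 }' | sort -u
}

# Number of distinct attacking addresses (the mail found 7 behind 286 lines).
count_probe_hosts() {
    unique_probe_hosts "$@" | wc -l | tr -d ' '
}

# Same count, but only requests whose status is not 2xx (field 9). On a server
# that really does host an xmlrpc.php this separates automated probes from
# legitimate traffic to it; on a server without those scripts every hit is
# a 404 or 500 and the two counts agree.
count_failed_probes() {
    grep -Eh "$PROBE_RE" "$@" | awk '$9 !~ /^2/' | wc -l | tr -d ' '
}

# Per-host tally by status code, to see how many probes died as error 500s.
probe_summary() {
    grep -Eh "$PROBE_RE" "$@" | awk '{ print $1, $9 }' | sort | uniq -c
}

echo "matching lines:  $(count_probe_lines "$LOG")"
echo "unique hosts:    $(count_probe_hosts "$LOG")"
echo "failed requests: $(count_failed_probes "$LOG")"
probe_summary "$LOG"
```

Run it against real logs by passing the access log paths instead of the constructed file (for example `count_probe_hosts /var/log/apache2/access.log*`). Remember the mail's caveat when reading the numbers: with mod_security also logging blocked requests, the line count overstates the number of attackers, which is why the distinct-host count is the more useful figure.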
