Worms versus Bots
Paul Jakma
paul at clubi.ie
Wed May 5 09:13:02 UTC 2004
On Tue, 4 May 2004, chuck goolsbee wrote:
> So maybe they WOULD be better with a "WebTV" model.
>
> Or a Macintosh.
or a cheap Lidl or WalMart PC with Fedora 1 on it. Epiphany,
Evolution and OpenOffice would keep the vast majority of basic
computer users happy. Distributions like Fedora[0] are pretty much
invulnerable to mass, automated worm infections[1].
Automated worms would literally be a thing of the past if everyone
switched to Fedora or RHEL, or if the current dominant OS vendor adopted
similar measures (apparently they will be). Judging by the number of
packets (a couple per second) I get on common vulnerability ports, there
are a lot of worm-infected machines out there:
# iptables -L scans -v | awk '
    BEGIN { printf ("\n%5s %6s %4s %20s\n", "pkts", "bytes", "prot", "dest port"); }
    NR > 2 && $1 ~ /^[0-9]/ {
        sub (/^dpt:/, "", $11);
        pkts += $1; bytes += $2;
        printf ("%5d %6d %4s %20s\n", $1, $2, $4, $11);
    }
    END { printf ("----- ------\n%5d %6d\n", pkts, bytes); }'

 pkts  bytes prot            dest port
 1721  82856  tcp         microsoft-ds
  874  42008  tcp                  135
  455  21944  tcp          netbios-ssn
  322  15456  tcp                 3127
   36   1788  tcp             ms-sql-s
  661  31776  tcp                 2745
  309  14832  tcp                 6129
   82   3960  tcp                 swat
  427  20556  tcp                 1025
  263  20514  udp           netbios-ns
   36  14544  udp             ms-sql-m
----- ------
 5186 270234
That's maybe an hour's worth or less of counting too. And what uses
TCP ports 1327 and 2745?
0. http://people.redhat.com/drepper/nonselsec.pdf[2]
1. Though not to trojans which attack human vulnerabilities,
obviously, or to non-buffer-overflow attacks, e.g. scripting language
vulnerabilities, though these are rare.
2. Obviously, the 2 main mechanisms described in the paper originate
elsewhere in concept, but Fedora is probably the first OS of
sufficient use to a basic computer user to put it all together.
regards,
--
Paul Jakma paul at clubi.ie paul at jakma.org Key ID: 64A2FF6A
warning: do not ever send email to spam at dishone.st
Fortune:
QOTD:
Money isn't everything, but at least it keeps the kids in touch.
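The awk one-liner above tallies DROP counters per destination port straight from `iptables -L scans -v`. The following is an added example (not from the post or from any project) that does the same job as a small Python parser: it reads the chain listing, resolves the service names iptables substitutes from /etc/services (the port numbers for microsoft-ds, netbios-ssn etc. are standard; the mapping is assumed, not taken from the post), expands the K/M counter abbreviations iptables prints when run without -x, skips catch-all rules that carry no dpt:, and ranks ports by packet count. The sample chain output is constructed, not captured from a real host.

```python
import re

# Constructed sample of `iptables -L scans -v` output (not a real capture).
SAMPLE = """\
Chain scans (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1721 82856 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
  874 42008 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:135
  263 20514 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
 123K 5904K DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:3127
    0     0 DROP       all  --  any    any     anywhere             anywhere
"""

# /etc/services names iptables prints for the ports seen in the post (assumed mapping).
SERVICE_PORTS = {"microsoft-ds": 445, "netbios-ssn": 139, "netbios-ns": 137,
                 "ms-sql-s": 1433, "ms-sql-m": 1434, "swat": 901}

# iptables -v abbreviates counters above 99999 (base 1000) unless -x/--exact is used.
SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}

def parse_counter(tok):
    """Turn '874', '123K' or '5M' into an integer count."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)

def parse_chain(text):
    """Return {(proto, port): (pkts, bytes)} for every rule matching a destination port."""
    hits = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0][0].isdigit():
            continue  # 'Chain ...' line, column header or blank line
        m = re.search(r"dpt:(\S+)", line)
        if not m:
            continue  # catch-all rule with no port: not a scan indicator
        name = m.group(1)
        port = SERVICE_PORTS.get(name) or (int(name) if name.isdigit() else name)
        hits[(fields[3], port)] = (parse_counter(fields[0]), parse_counter(fields[1]))
    return hits

def top_ports(text, n=3):
    """Ports ordered by packet count, noisiest worm targets first."""
    hits = parse_chain(text)
    return sorted(hits.items(), key=lambda kv: kv[1][0], reverse=True)[:n]

def totals(text):
    """Grand totals (pkts, bytes), as the END block of the awk script prints."""
    hits = parse_chain(text)
    return sum(p for p, _ in hits.values()), sum(b for _, b in hits.values())
```

Feed it `iptables -L scans -v` output (or `-vx` to skip the suffix handling) to get the same table as the awk script, with numeric ports and a ranking on top.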