LinuxSA Mailing list archives

  From: Alan Kennington <akenning@dog.topology.org>
  To  : Nick Morrison <nickm@bhwb.nsw.gov.au>
  Date: Tue, 30 Jan 2001 11:46:18 +1030

Re: apparent vulnerability of [Redhat] linux 6.2

On Tue, Jan 30, 2001 at 11:25:42AM +1030, Nick Morrison wrote:
> 
> RH 6.2 - the default install, on an original RH 6.2 CD - has an
> easy-to-exploit security hole in the wu-ftpd daemon.  The patches have been
> on the RH site since a day after the hole was discovered.  They're easy to
> download and apply.

You might be interested to know I just got another
response just now to a port scan report:

=============================================================
nighthawk.CS.Berkeley.EDU has been disconnected from the network.
It was apparently root compromised.

We advised the system administrators of nighthawk to install a new
clean operating system and the latest LPRng rpm on their Red Hat
Linux system. 
=============================================================

Just like the previous one from Rutgers, this one is at a
well-known big educational institution, and they're going to
wipe the disk and start again!

I guess my point is that even in esteemed educational
institutions, there are bound to be those 1% of people at the
least-knowledge-of-computer-science end of the spectrum who
will let their machines be vulnerable.
Therefore pointing the finger at the weak and the lazy is not
going to stop widespread machine vulnerability.
I think that the Bastille linux idea of giving users a simple
means to tighten their system is a good idea.

Anyway, this isn't a major soap-box thing.
I'm just commenting in passing on some things for
curiosity's sake.

Perhaps I should also mention, though, that since I
don't permit FTP on my site now (once bitten, twice paranoid),
my firewall logs a zillion probes every day which you might not
notice if you're allowing FTP.
The probe rate has increased _hugely_ in the last month.
Mostly it's TCP port 12345 (NetBus), but also 111, 515, 21, etc. etc.
And about half the probes are from Korean IP space.
I'm pretty sure it isn't just my little nook of IP space that's
being hit, although 203.* is shared between Australia and Korea etc.

Cheers again,
Alan Kennington.
