[NMLUG] Oops! Linux Bug Escapes Early

Robbins, Wesley L nmlug@swcp.com
Fri, 30 Nov 2001 11:05:09 -0700


Well, I spent 5 hours reloading and rebuilding my 
home web server / firewall due to it being jacked
yesterday.

And I had 938 cmd.exe IIS attempts in the snort 
log from the last two days.

The problem is that well over half the people out there 
are not installing patches for months, or ever.

I cleaned a friend's machine several months ago that
was hijacked and used as a scanner for other machines 
with DNS, FTP, sendmail and others... It had a 
list on it of well over 7K machines it had found.
His ISP never got called or anything by a person
noticing their machine had been scanned from this 
address.

Unless people configure the machine to tell them 
when a patch is available, it is almost pointless 
to argue about when a patch is released. In my opinion.

But I seem to be the world's worst at setting up an 
even semi-secure home box... So my opinion should 
not really count.

-----Original Message-----
From: Matt Grommes [mailto:mattg@spinn.net]
Sent: Friday, November 30, 2001 10:28 AM
To: nmlug@swcp.com
Subject: Re: [NMLUG] Oops! Linux Bug Escapes Early


There's no way to give patches to the people who need them and also keep 
the exploit info out of the hands of the crackers/black hats/etc. (I'm 
ignoring the for-pay security lists that CERT, Bind, and others have 
suggested because that's a bunch of crap. Their argument is related to 
this issue, I just don't want to start a 2-front discussion.) As soon as 
a hole is known about by a vendor, they had better release a patch, I say. 
What if somebody finds out about the hole at the same time as, say, 
Redhat, and writes an exploit? While I'm waiting around for Redhat, 
SuSE, etc., to get together on a coordinated release, this guy with his 
exploit tool is cracking my website. If Redhat comes up with a patch 
quicker than Mandrake, Slackware or whoever, good for them. It shows 
that they're on the ball and protecting their customers. Maybe the 
slacker distros who are holding up the release should be thankful for 
Redhat's speedy coders and modify Redhat's patch for the hole.



Warner Losh wrote:

> In message <3C07B7BD.8020906@spinn.net> Matt Grommes writes:
> : Also, I don't know how I feel about these "coordinated releases". To me,
> : it just gives crackers more time to exploit the holes.
> 
> You definitely see a huge spike in penetration attempts after people
> go public with these things.  A few days is *REALLY* needed to get
> fixes in place.  Some crackers may exploit the holes in the interim,
> but more people upgrade if the fixes are in place when the advisory is
> issued.
> 
> I know.  I'm the former FreeBSD security officer and on the SO team.
> I'm pissed at Redhat for jumping the gun, since it makes more mop-up
> work for me.
> 
> <grump>
> 
> Warner
> ------------------------------------------------------
> To UNSUBSCRIBE send a message to nmlug-request@swcp.com
> with only the word unsubscribe in the body.  More
> information can be found at www.nmlug.org/info.html
> -----------------------------------------------------


-- 

			--   Matt Grommes   --
"All these worlds are belong to you, except Europa. Take off no zigs there."