[CentOS] an actual hacked machine, in a preserved state

Wed Jan 4 03:40:38 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Tue, Jan 3, 2012 at 6:49 PM, Bennett Haselton <bennett at peacefire.org> wrote:
>
>>> Of the compromised machines on the Internet, what proportion do you
>>> think were hacked via MITM-and-advanced-crypto, compared to exploits in
>>> the services?
>> Proportions don't matter.  Unless you have something extremely
>> valuable to make this machine a target or someone captured your
>> password and connection destination it was probably a random hit of a
>> random probe.  It doesn't matter if they are likely to work or not,
>> some do.
>
> I either disagree or I'm not sure what you're saying.  What do you mean
> that "proportions don't matter"?

I mean, if you get hit by lightning, did it really matter that you
didn't have the more likely heart attack?

> If attack A is 1,000 times more likely
> to work than attack B, you don't think it's more important to guard
> against attack A?

It's not either/or here.  You could be the guy who gets hit by lightning.
>>> Case in point: in the *entire history of the Internet*, do you think
>>> there's been a single attack that worked because squid was allowed to
>>> listen on a non-standard port, that would have been blocked if squid had
>>> been forced to listen on a standard port?
>> Generalize that question to 'do you think attacks are helped by
>> permitting applications to use ports the administrator didn't expect
>> them to use' and the answer is clearly yes.  There are certainly rogue
>> trojans around that do who-knows-what on other connections while
>> pretending to be your normal applications.
>
> Well that seems like it would be trivial for the trojan to circumvent --
> just listen on the standard port, and if you receive a connection that
> contains the "secret handshake", switch that connection over into trojan
> mode, while continuing to serve other users' standard requests on the
> same port.  Wouldn't that work?  In that case it seems like a case of a
> restriction that might work until it becomes widely deployed enough for
> trojan authors to take it into account, at which point it becomes obsolete.

Do you lock your doors or just leave them open because anyone who
wants in can break a window anyway?

-- 
   Les Mikesell
     lesmikesell at gmail.com
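The point raised above about applications (or trojans posing as them) listening on ports the administrator did not expect is something an admin can check for directly. The following script is an added example for this archive page, not code from either poster: it parses the /proc/net/tcp format, keeps only sockets in LISTEN state, and reports those whose port is not on an allowlist the administrator maintains. The sample input, the allowlist and the port numbers in it (22 for sshd, 3128 for squid, 8080 as the surprise) are constructed for illustration.

```python
"""Report TCP listeners that are not on the administrator's allowlist.

Added example, not from the mailing-list thread. Input is in the layout of
/proc/net/tcp; the sample below is constructed and the allowlist is an
assumption that a real deployment would maintain per host.
"""
import os

LISTEN_STATE = "0A"  # value of the 'st' column for a socket in TCP LISTEN

# Constructed sample in /proc/net/tcp layout: sshd on 22 (0x0016),
# squid on 3128 (0x0C38), an unexpected listener on 8080 (0x1F90) owned by
# uid 500, and one ESTABLISHED connection (st 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000    23        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A000005:0016 0A000010:D2A4 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""

# Constructed allowlist: the ports this host is expected to serve on.
ALLOWED_PORTS = {22, 3128}


def _hex_ipv4(ip_hex):
    """Convert the little-endian hex IPv4 field of /proc/net/tcp to dotted form."""
    return ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_listeners(proc_tcp_text):
    """Return (ip, port, uid, inode) tuples for every socket in LISTEN state."""
    listeners = []
    for line in proc_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != LISTEN_STATE:
            continue
        ip_hex, port_hex = local.split(":")
        listeners.append((_hex_ipv4(ip_hex), int(port_hex, 16), int(uid), int(inode)))
    return listeners


def unexpected_listeners(proc_tcp_text, allowed_ports):
    """Listeners whose port is not on the allowlist; these deserve a look."""
    return [entry for entry in parse_listeners(proc_tcp_text)
            if entry[1] not in allowed_ports]


if __name__ == "__main__":
    # Use the live table when available; otherwise demonstrate on the sample.
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROC_NET_TCP
    for ip, port, uid, inode in unexpected_listeners(text, ALLOWED_PORTS):
        # The inode can be matched against /proc/<pid>/fd/* to find the process.
        print("unexpected listener %s:%d uid=%d inode=%d" % (ip, port, uid, inode))
```

Run as root and the inode column can be matched against /proc/<pid>/fd to name the owning process; a listener on a port that nothing is supposed to use is worth investigating regardless of which application claims to own it.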