
Friday, March 2

Vista




Now, I have heard that Vista isn’t all it’s cracked up to be.

No surprise. I did play with it at CompUSA for a few minutes. It’s still Windows. All the GUI stuff you do, Bill, can only make it better. But it’s still STINKOWS!!!

This ad from Apple says it best IMO:
(embedded video: apple-getamac-security_480x376.mov)

Yeah it’s a bit exaggerated, but dude, annoying.

OS X does require you to put in a password, but only to change SYSTEM stuff and things like that. That’s what I hear Vista is trying to be like, but I’ve heard it’s much more annoying. Anyone who has both want to weigh in on it?


Classic

Solaris Worm



Okay, so Sun made a whoopsie and committed a change to in.telnetd that passed a user-supplied “-f” (skip authentication) option straight through to login (CVE-2007-0882). That is the same “-froot” bug class that bit rlogin/login waaaay back in 1994. (Awesome)

Well, it wasn’t long before someone coupled a shell script with the exploit, packaged it up, and sent it flying across the internet.

Now.

1) If you got infected, IMO, it’s your own dumb fault. If you are running Solaris (or ANYTHING) with a publicly facing open port 23 (telnet), you are nuts. Mmmkay?
2) If you didn’t patch or shut off the vulnerable service when the vulnerability came out, you are just nuts.

Jose Nazario over at Arbor sent this in to the Internet Storm Center: this article outlines it.

If you look at the port 23 graph over at the ISC (Check it out), you can see that the number of port 23 scans has shot up.




The thing I want you to pay attention to is that the number of targets shot up to around 50K, but the number of sources stayed very, very low: an isolated subnet in France. Hmmm..

Anyway, Sun made a “Worm removal script” (here) that you can use, but let’s take a look at it.

The worm drops a “.profile” in /var/adm and /var/spool/lp. Those are the home directories of the adm and lp accounts it logs in as (root logins are usually blocked by CONSOLE in /etc/default/login), so the payload gets re-run every time one of those accounts logs in -- okay, makes sense.

/var/spool/lp/admins/.lp <-- its hidden stash directory for the lp account. okay.
/var/adm/sa/.adm <-- and the same for adm. okay..

Here are the names the worm’s processes hide behind (all standard Solaris lp and *adm* utility names) and how to kill them. The -u flag is what makes these lines safe: it restricts the match to processes owned by lp and adm, so the real, root-owned devfsadmd, svcadm and friends are left alone. Run them without -u and you will kill your own system daemons:

/bin/pkill -9 -u lp 'lpshut|lpsystem|lpadmin|lpmove|lpusers|lpfilter|lpstat|lpd|lpsched|lpc'

/bin/pkill -9 -u adm 'devfsadmd|svcadm|cfgadm|kadmind|zoneadmd|sadm|sysadm|dladm|bootadm|routeadm|uadmin|acctadm|cryptoadm|inetadm|logadm|nlsadmin|sacadm|syseventadmd|ttyadmd|consadmd|metadevadm'
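Here is an added example of how I would wrap the indicators above into one audit-and-cleanup script. It is my own code, not Sun’s removal script and not the worm: the dropped paths and the two process-name lists are taken straight from the post, while the ROOT prefix (so the file checks can be pointed at a scratch tree), the `ps -eo user,comm` input format and the Solaris 10 SMF FMRI for telnet are my assumptions.

```shell
#!/bin/sh
# Added example (not Sun's removal script): audit a Solaris box for the
# indicators listed above, then clean up and shut the door telnet opened.
# Assumptions: ROOT is a path prefix so the file checks can be pointed at a
# scratch tree; process input is `ps -eo user,comm` output (USER COMMAND);
# the telnet FMRI is the Solaris 10 SMF one. Run the clean-up as root.

ROOT="${ROOT:-}"

# Dropped files/dirs from the post: .profile in the lp and adm home dirs,
# plus the two hidden stash directories.
WORM_PATHS="/var/adm/.profile /var/spool/lp/.profile /var/spool/lp/admins/.lp /var/adm/sa/.adm"

# Names the worm's processes hide behind, split by the account they run as.
LP_NAMES='lpshut|lpsystem|lpadmin|lpmove|lpusers|lpfilter|lpstat|lpd|lpsched|lpc'
ADM_NAMES='devfsadmd|svcadm|cfgadm|kadmind|zoneadmd|sadm|sysadm|dladm|bootadm|routeadm|uadmin|acctadm|cryptoadm|inetadm|logadm|nlsadmin|sacadm|syseventadmd|ttyadmd|consadmd|metadevadm'

# Print every worm path that exists under $ROOT, one per line.
list_worm_files() {
    for p in $WORM_PATHS; do
        [ -e "$ROOT$p" ] && echo "$ROOT$p"
    done
    return 0
}

count_worm_files() {
    list_worm_files | wc -l | tr -d ' '
}

# Filter `ps -eo user,comm` lines down to lp/adm-owned processes wearing one
# of the impostor names. root-owned daemons with the same names are NOT
# flagged, which is exactly why Sun's pkill lines carry -u lp / -u adm.
suspect_procs() {
    awk -v lp="^($LP_NAMES)\$" -v adm="^($ADM_NAMES)\$" '
        NR == 1 && $1 == "USER" { next }
        ($1 == "lp" && $2 ~ lp) || ($1 == "adm" && $2 ~ adm) { print }
    '
}

# Kill the impostors (same commands as Sun's script, owner-restricted).
# Look at a match first (pargs PID) before trusting this on a box that
# actually prints.
kill_worm_procs() {
    pkill -9 -u lp "$LP_NAMES"
    pkill -9 -u adm "$ADM_NAMES"
}

# Remove the dropped .profile files and stash directories.
remove_worm_files() {
    for p in $WORM_PATHS; do
        rm -rf "$ROOT$p"
    done
}

# The fix that matters: take telnet off the network (Solaris 10 SMF), then patch.
disable_telnet() {
    svcadm disable svc:/network/telnet:default
}

# Usage, as root on a suspect host:
#   ps -eo user,comm | suspect_procs
#   list_worm_files
#   kill_worm_procs; remove_worm_files; disable_telnet
```

The process check is split from the kill so you can see what would die before it does; a match in the lp list is worth a second look on a real print server, since those are legitimate command names. Either way, cleaning the files and processes without disabling (or patching) telnet just buys you until the next scan.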

Have fun. While you are at it, get rid of Solaris.
