Cross posted message from comp.os.os2.misc
=========================================================================
From: jake@jakesplace.dhs.org (Jack Troughton)
Newsgroups: comp.os.os2.networking.misc,comp.os.os2.misc
Subject: Re: OT: Anatomy of a hacker attack
Reply-To: jake@jakesplace.dhs.org
Date: Sun, 03 Jun 2001 02:03:39 GMT
On 1 Jun 2001 19:29:14 GMT, Christian Hennecke scribbled:
> On Fri, 1 Jun 2001 13:34:32, jake@jakesplace.dhs.org (Jack Troughton) wrote:
>> I feel I should note that this capability has inherently been present in OS/2 for a long time now... however, nobody's been exploiting them.
> Could you tell us a bit more about that?
Well, the stack in OS/2 since _at least_ 4.1 has been a full implementation of the BSD stack, as ported to OS/2 from AIX by IBM. I'm sure that some of these clowns would be able to build nasty packets using the warp stack. However, for a DDoS attack, an ability to have it on OS/2 doesn't buy you very much as there aren't a huge number of OS/2 systems out there. Also, we don't have a fully integrated mail client like Outlook... and you _can't_ depend on people not being able to see the extensions on an OS/2 system: as soon as you send a rexx script by email everyone's going to immediately see that it's a program. This makes distributing them by email to clueless newbies a lot less likely to get you very far.

I bet that OS/2 could be a good development platform for these guys, though. However, I'm sure they'll stick with their Windows systems... trojans, DDoS attacks, and the like all depend on getting your bots on as many systems as possible. The internet is turning out to be like other monocultures (in biology, I mean); once something gets in that can attack the monoculture, it just spreads like crazy. Usually in orange groves and things like that, the farmers just burn the infected trees....
>> The risk is certainly present though; while the OS/2 community is more savvy as a whole, there's certainly nothing preventing it from being done. I think I know the kind of app we need; a process lister/socket lister, which can show which app is using which socket, and permit the user to kill the apps. Of course, since the stack comes with nice tools included, you can do this pretty easily now... but that's not so easy for people who are afraid of the command line. A PM program that would let people do that would be a lot better for new/naive users.
> I think that would make a really nice topic for a HowTo for the OS/2 eZine or the VOICE Newsletter. What about taking us non-networking-experts by the hand, Jack?
Get go.exe from hobbes:
http://hobbes.nmsu.edu/pub/os2/util/process/go_15.zip
This will list running programs on your computer.
The other command you need to know is already on your system; it's called netstat... and the switch that is key is -s.
Here's some sample output:
First, here's go.exe:
-----------------------begin
GO! v1.5 - (c) 1993-95 by Carsten Wimmer <cawim@train.oche.de>
List of Processes:
P-ID PPID Session Thr Prio       CPU Time Name
---- ---- ------- --- ---- -------------- ---------------------------
1272    0 005 Det  10 0200     0:05:17.34 WEASEL.EXE
1078    0 013 Det   1 0200     0:03:47.68 CMD.EXE
 845    0 012 Det   1 0300     1:46:54.25 CMD.EXE
 844    0 012 Det   6 0300     1:11:48.31 CHANGI.EXE
 843    0 012 Det   6 0300     0:01:00.68 MAJOR.EXE
 842    0 012 Det   3 0300    11:10:37.78 WEB.EXE
 841    0 012 Det   5 0300     0:00:17.59 FTPD.EXE
  37    0 000 Det   1 0200     0:00:00.18 EPWMUX.EXE
  29    0 000 Det   1 0200     0:00:00.18 EPWMUX.EXE
  28    0 000 Det   1 0200     0:00:00.15 EPWPSI.EXE
  27    0 000 Det   3 0200     1:33:10.81 EPWMP.EXE
  21    0 000 Det   2 0200     0:00:01.43 EPWROUT.EXE
  20    0 000 Det   1 021F     0:00:00.50 LOGDAEM.EXE
  19    0 000 Det   1 0200     0:00:00.09 LSDAEMON.EXE
  10    0 000 Det   5 0304    12:58:02.81 CNTRL.EXE
   9    0 000 Det   1 0200     0:00:00.65 LANMSGEX.EXE
   7    0 000 Det   1 031F     0:00:00.03 MIDIDMON.EXE
   5    0 000 Det   1 0200     0:00:06.87 LVMALERT.EXE
   1    0 000 Sys   6 0100     0:31:52.53 LVMALERT.EXE
  22    1 001 Sys  24 0200     8:05:22.56 PMSHELL.EXE
2268   22 004 Sys   5 021F     0:01:09.81 TELNETDC.EXE
2269 2268 004 Sys   1 0200     0:00:02.87 CMD.EXE
2270 2269 004 Sys   2 0200     0:00:29.87 SLRN.EXE
2271 2270 004 Sys   1 0200     0:00:02.06 CMD.EXE
2272 2271 004 Sys   3 0200     0:04:04.75 VIM.EXE
2276 2272 004 Sys   1 0200     0:00:00.28 CMD.EXE
2277 2276 004 Sys   1 0200     0:00:00.03 GO.EXE
 835   22 015 VIO   1 0200     0:00:00.06 CMD.EXE
 839  835 015 VIO   1 0200     0:01:20.34 SYSLOGD.EXE
 833   22 011 VIO   1 0200     0:00:00.09 CMD.EXE
 834  833 011 VIO   1 0200     0:00:12.96 TELNETD.EXE
  32   22 012 VIO   1 0300     0:01:13.96 CMD.EXE
  30   22 010 PM    4 0200     0:00:00.12 PMSPOOL.EXE
  24   22 000 Sys   3 0300     0:00:00.03 HARDERR.EXE
  23   22 FF0 VDM   1 0300     0:00:00.00 VDM
   2    1 000 VDM   1 031F     0:00:00.00 VDM
There are 36 Processes with 108 Threads.
This machine's uptime is 3d 0h 14m 8s 54ms.
-----------------------end
See next message part #2 ..
Mike @ 1:117/3001
--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)
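As an added example (not code from the post, from GO!, or from the newsletter), a small Python parser for the go.exe listing format shown above: it rebuilds the parent/child tree so a process can be traced back to whatever started it (for instance the command chain running under TELNETDC.EXE) and picks out the detached processes that never appear on the desktop. The sample input is a constructed excerpt of the listing quoted in the message; the column layout is assumed to match it.

```python
"""Parse a GO! v1.5 process listing (layout as in the post) into a process tree.
Added example; the sample below is a constructed excerpt of the quoted listing."""
import re
from collections import namedtuple
Proc = namedtuple("Proc", "pid ppid session kind threads prio cpu name")

# Constructed excerpt of the go.exe output quoted in the message (7 of 36 rows).
SAMPLE = """\
P-ID PPID Session Thr Prio CPU Time Name
---- ---- ------- --- ---- -------------- ---------------------------
1272    0 005 Det  10 0200     0:05:17.34 WEASEL.EXE
  22    1 001 Sys  24 0200     8:05:22.56 PMSHELL.EXE
2268   22 004 Sys   5 021F     0:01:09.81 TELNETDC.EXE
2269 2268 004 Sys   1 0200     0:00:02.87 CMD.EXE
2277 2269 004 Sys   1 0200     0:00:00.03 GO.EXE
 833   22 011 VIO   1 0200     0:00:00.09 CMD.EXE
 834  833 011 VIO   1 0200     0:00:12.96 TELNETD.EXE
There are 7 Processes with 43 Threads.
"""

# One data row: pid ppid session type threads prio cpu-time name
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9A-F]{3})\s+(\w+)\s+(\d+)\s+"
                 r"([0-9A-F]{4})\s+(\S+)\s+(\S+)\s*$")

def parse(text):
    """Return {pid: Proc}; header, separator and summary lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, ppid, sess, kind, thr, prio, cpu, name = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), sess, kind,
                                   int(thr), prio, cpu, name)
    return procs

def ancestry(procs, pid):
    """Names from a process up to its root, e.g. GO.EXE <- CMD.EXE <- TELNETDC.EXE."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against a bad PPID loop
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain

def spawned_under(procs, parent_name):
    """PIDs that have an ancestor named parent_name (e.g. the telnet daemon)."""
    return sorted(p for p in procs if parent_name in ancestry(procs, p)[1:])

def detached(procs):
    """Detached (Det) processes: no session or window, so they never show on the desktop."""
    return sorted(p.name for p in procs.values() if p.kind == "Det")
```

The netstat -s half (which socket belongs to which process) is left to part #2 of the message and is not handled here.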