How to avoid Nukes and Port Hacks on your Amiga.
The following is new information delivered to StarDustr.
This is likely to be the bug mentioned by the Miami author (Holger Kruse). To find it:
Run Miami:MiamiNetStat -a
If you see a lovely *.1599 port in the listing, you have been struck.
It allows a telnet session to connect to that port on your computer, which means a few
nasty things can be done: the hacker has access to your system's storage devices.
Sounds like the Internet feature of Microsoft?? Yep.. Microsoft made a feature to check what's on your hard drive. This one is worse:
they can do more to your storage systems.
To block it in Miami, do the following:
- Go to the Databases menu
- Go to the Services sub-menu
- Click Add an entry
- In this entry type the following:
- Name: DCHack
- ID: 1599
- Protocol: tcp
- Go to the IP Filter sub-menu
- Click Add an entry
- Protocol: *
- Service: DCHack
- Host: *.*.*.*
- Leave Mask blank
- Access: N
- Log: Y
- Save settings
This will let you know if anyone attempts to use your HDs/storage media. Note that the filter only blocks and logs connections to the port; it does not remove whatever opened it, so still check for the port-opener files described later in this document.
The following is new information delivered to StarDustr.
I was recently informed that there are now Amiga nukers that attack
the FTP port (21) and the AUTH/IDENT port (113).
There are basically two methods to protect yourself against these:
- Deny and Log these services to all.
Make Allow and Log entries for specific IPs that you wish to allow to
use these services. (e.g. port 113 allow for IRC servers)
- Allow and Log port 113 and port 21 (if you are running ftpd).
Make Deny and Log entries for the IPs of users who attack you on these ports.
The methods to do these are similar to the changes documented below.
The following Miami information has been supplied by Jazzie:
- Do not accept executable or archived files from someone you don't know
on the internet.
They may claim it's a new virus checker, but how do YOU know any different?
- Miami users, run the "MIAMINETSTAT" utility periodically.
AmiTCP users can run the script "NetStat" for the same results.
Make a note of any suspicious connections. BEAR IN MIND: FTP access usually starts at
around Port 1024, but each command takes it one higher. I don't know where it loops,
but it eventually comes back down to 1024.
DCC Chats in IRC also cause ports to be open.
Example:
Proto | Recv-Q | Send-Q | Local Address | Foreign Address | (state) |
tcp | 0 | 0 | your.domain.1026 | fire1.gte.net.6667 | ESTABLISHED |
tcp | 0 | 0 | your.domain.1599 | dev.hacker.com.1085 | ESTABLISHED |
The first line beginning with tcp is my IRC connection. The foreign address always
shows the port number you joined the server on. The port at your end (1026) may
be different each time you connect to a server.
Therefore, I KNOW I'm using IRC, so I should have the irc port open.
Looking at the second line however, I haven't a clue where "dev.hacker.com" is,
so this could be worrying.
If you are using IRC, try doing /who *dev.hacker.com in the command line. That
may return a nick. If you don't think that user should be connected, it's time to
reboot. You may also want to log the access, just in case any damage is done, so you
can try and trace the user's ISP.
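The check described above (is that socket one of mine, or something I cannot explain?) can be done by hand every time, or scripted. The following is an added example, not code from the original page or from the MiamiNetStat authors: it parses a listing in the layout shown above, flags sockets on the trojan port 1599 (and CHARGEN, 19), ignores sessions to services you knowingly use, and reports any remaining established session with a host you have not listed. The sample listing, the port sets and the trusted-host list are constructed assumptions; 198.51.100.7 is a documentation address.

```python
"""Scan MiamiNetStat / NetStat output for connections worth worrying about.

Added example, not from the original page. The sample output below is
constructed to mirror the layout shown above (MiamiNetStat itself prints
whitespace-separated columns, so both forms are accepted). The port and
host lists are assumptions: edit them to match what you actually use.
"""
import re

# Local ports the page names as indicators: 1599 (the DCHack port opener)
# and 19 (CHARGEN, used by the Amiga nuke).  Assumption: extend as needed.
BAD_LOCAL_PORTS = {"1599", "19"}

# Foreign ports of services you knowingly use (outbound IRC, FTP, ident). Assumption.
EXPECTED_FOREIGN_PORTS = {"6667", "21", "113"}

# Peers allowed to hold sessions on your high ports, e.g. a DCC chat partner. Assumption.
TRUSTED_HOSTS = {"fire1.gte.net"}

# Constructed sample in the page's format plus three whitespace-separated lines
# (a listening socket, an FTP session and an unexplained session).
SAMPLE_OUTPUT = """\
Proto | Recv-Q | Send-Q | Local Address | Foreign Address | (state) |
tcp | 0 | 0 | your.domain.1026 | fire1.gte.net.6667 | ESTABLISHED |
tcp | 0 | 0 | your.domain.1599 | dev.hacker.com.1085 | ESTABLISHED |
tcp 0 0 *.1599 *.* LISTEN
tcp 0 0 your.domain.1030 files.example.org.21 ESTABLISHED
tcp 0 0 your.domain.1031 198.51.100.7.2200 ESTABLISHED
"""


def split_addr(addr):
    """'your.domain.1026' -> ('your.domain', '1026'); '*.*' -> ('*', '*')."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = [f for f in re.split(r"\s*\|\s*|\s+", line.strip()) if f]
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        proto, _recvq, _sendq, local, foreign, state = fields[:6]
        rows.append({"proto": proto, "local": split_addr(local),
                     "foreign": split_addr(foreign), "state": state})
    return rows


def find_suspicious(rows):
    """Return (local port, foreign host, reason) for every socket that needs a look."""
    hits = []
    for r in rows:
        _lhost, lport = r["local"]
        fhost, fport = r["foreign"]
        if lport in BAD_LOCAL_PORTS:
            hits.append((lport, fhost, "known trojan/attack port open on your side"))
        elif fport in EXPECTED_FOREIGN_PORTS:
            continue  # your own outbound session to a service you use
        elif r["state"] == "ESTABLISHED" and fhost not in TRUSTED_HOSTS:
            hits.append((lport, fhost, "established session with a host you did not expect"))
    return hits


if __name__ == "__main__":
    for lport, fhost, why in find_suspicious(parse_netstat(SAMPLE_OUTPUT)):
        print(f"local port {lport} <-> {fhost}: {why}")
```

On the real machine, save the listing first (for example MiamiNetStat -a redirected to a file in RAM:) and pass its contents to parse_netstat. The script only points at sockets; deciding whether a flagged host is a DCC partner or an intruder is still the /who check described above.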
There is a method of preventing unwanted access to your machine, which I'll
describe in a while.
- If anyone wants a port checker, we have one available. Usage is simple,
but that will be contained in the archive anyway. I don't really want to supply
source, but it IS legitimate, and it will tell you if you have any ports open
which you should be wary of.
As I said, don't trust any files from people you don't know. So, only accept
this port checker from an OP on DALNET #AmIRC (TCP Port Checker ©1998 Plexus
Digital Solutions).
The port checker, should you wish to use it, is freeware, but NOT distributable.
It is ONLY to be distributed by #AmIRC admin.
- How the TCP hack works:
(You don't really think I'm going to tell you this??)
Basically, after the trojan program opens up your port (which can be quite some
time after actually running the program, so don't expect SNOOPDOS to say "Hey,
what's this?!" right away), you can be quite happily surfing the net. You may
not even be doing anything: you could just be connected, and not have ANY net
applications going... just Miami or AmiTCP. If you have a static account, you
should be careful. If anyone SENT you the 'trojan' carrier, they will know your
IP address, as this doesn't change. They can simply PING your IP address to see
if you are connected to the internet.
Like I say, you don't have to be FTPing or IRCing: as long as those little
modem lights are lit, you may be vulnerable.
As they will know the port which their program opens, they simply have to connect
to your machine, and voila, they have instant access to EVERYTHING!
Don't think that they can't do anything but look once there... Bear in mind, that
when they gain access, they are presented with a shell. This is on YOUR system,
not theirs. Everything they do, such as DIR, INFO, ASSIGN, or FORMAT is on YOUR
system. They can instantly find out if you use miami or Amitcp, and they can even
copy your keyfiles, and your config files. Imagine, someone copying your mail
reader config file. They can easily read ALL your incoming mail, and worse, they
can send offensive mail, and it will appear to come from YOU. Now, this isn't just while
they are connected to you: as they can grab your config files, they can send or
read your mail whenever they want. If they copy your keyfiles, they can then put
them on the internet for others to use. You may then update whatever program (not
just internet utilities) and find that your keyfile has been blacklisted.
It may be that you will only try their program once, so they can gain access to
your machine while you have just run their program... but how will they get on in
future???
Easy. While they connect to you for the first time, they may change your
startup-sequence. They may add a simple command to it, or they could be REALLY
crafty and change some of the official workbench programs to open up the port
EVERY time you reboot your machine.
It's worth checking the dates on your S:STARTUP-SEQUENCE and S:USER-STARTUP files
every so often, and read them if you think they may have changed without your
knowing.
There are some other files you should check for (these are known port openers):
- c:loadwb 29 bytes or thereabouts
- l:wb.handler 382 bytes or thereabouts
- devs:workbench.device 1136 bytes *
If you EVER find a file DEVS:WORKBENCH.DEVICE, do a Version on it. It will more
than likely be LOADWB 38.9.
If you DO find this, MOVE (copy, then delete) DEVS:WORKBENCH.DEVICE back to C:LOADWB, and
delete l:wb.handler.
This is the classic port opener.
Run a port checker every week!
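The file checks just described (is the tiny stub sitting in C:, do the two files that should not exist exist, have the startup scripts changed since I last looked?) are easy to script. The following is an added example written for this page, not a tool from the original author: it walks a directory laid out like SYS: (C/, L/, DEVS/, S/), reports the indicator files using the sizes the page gives, and compares the startup scripts against a baseline taken earlier. The "a genuine LoadWB is larger than 512 bytes" threshold and the demo tree it builds in a temporary directory are assumptions; AmigaDOS names are case-insensitive, so adjust the spellings if your filesystem is not.

```python
"""Check a SYS: tree for the port-opener files and startup-script changes described above.

Added example, not from the original page. It expects a directory laid out
like SYS: (C/, L/, DEVS/, S/); the known sizes come from the page, while the
"genuine LoadWB is larger than 512 bytes" threshold is an assumption.
"""
import os
import tempfile

# Indicators named on the page: path below SYS: and the size the trojan's copy was seen at.
KNOWN_PORT_OPENERS = {
    "C/LoadWB": 29,                  # genuine LoadWB replaced by a tiny stub
    "L/wb.handler": 382,             # does not exist on a clean system
    "DEVS/workbench.device": 1136,   # does not exist on a clean system (renamed LoadWB 38.9)
}
SHOULD_NOT_EXIST = {"L/wb.handler", "DEVS/workbench.device"}
MIN_GENUINE_SIZE = 512   # assumption: a real C:LoadWB is well above this
STARTUP_SCRIPTS = ["S/Startup-Sequence", "S/User-Startup"]


def check_port_openers(sysroot):
    """Return a human-readable finding for each indicator present under sysroot."""
    findings = []
    for rel, seen_size in KNOWN_PORT_OPENERS.items():
        path = os.path.join(sysroot, rel)
        if not os.path.exists(path):
            continue
        size = os.path.getsize(path)
        if rel in SHOULD_NOT_EXIST:
            findings.append(f"{rel}: present, {size} bytes (known port opener, reported at {seen_size})")
        elif size < MIN_GENUINE_SIZE:
            findings.append(f"{rel}: only {size} bytes (trojan stub reported at {seen_size}); restore the real file")
    return findings


def snapshot_startup(sysroot):
    """Record size and mtime of the startup scripts so later edits can be spotted."""
    snap = {}
    for rel in STARTUP_SCRIPTS:
        path = os.path.join(sysroot, rel)
        if os.path.exists(path):
            st = os.stat(path)
            snap[rel] = (st.st_size, st.st_mtime)
    return snap


def changed_startup(sysroot, baseline):
    """Scripts whose size or mtime differs from the baseline, or that appeared since."""
    current = snapshot_startup(sysroot)
    return [rel for rel, info in current.items() if baseline.get(rel) != info]


def build_demo_tree(root):
    """Constructed sample: a SYS: layout with the trojan's files in place."""
    sizes = {"C/LoadWB": 29, "L/wb.handler": 382, "DEVS/workbench.device": 1136,
             "S/Startup-Sequence": 200}
    for rel, size in sizes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * size)


def run_demo():
    """Build the sample tree, take a baseline, then let the 'trojan' edit Startup-Sequence."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        baseline = snapshot_startup(root)
        findings = check_port_openers(root)
        with open(os.path.join(root, "S/Startup-Sequence"), "ab") as fh:
            fh.write(b"\nC:LoadWB\n")        # the kind of line the page says gets added
        changed = changed_startup(root, baseline)
    return findings, changed


if __name__ == "__main__":
    findings, changed = run_demo()
    print("\n".join(findings) or "no port-opener files found")
    print("startup scripts changed since baseline:", changed)
```

In real use you would take the baseline with snapshot_startup on a machine you trust, keep it somewhere the intruder cannot reach (a floppy, not SYS:), and run the comparison on the schedule the page suggests for the port checker.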
- Denial of Service attacks (Nukes):
There is a denial of service attack going around at the moment which affects Amigas,
so after nuking any PC owner you see, you can now wipe the smug grin off your face....
There are a number of things to consider here, should you ever think about 'nuking'
a PC owner.
- It's a known attack/bug
- It's been fixed
- There are programs which log the attacks, IP addresses, and Times
- It's against IRC servers' rules, and your ISP's rules, to launch a denial of
service attack. If these guys log an attack from you, and decide to complain to
your ISP, start looking for another ISP.
- It CAN cause damage. If the user is writing to his hard disk at the time of
your attack, you might want to find a good defence lawyer.
Same goes for Amiga users!
While the Amiga nuke attacks a different port, it is possible that this may cause
damage too. While fairly remote, the chance is still there.
How do you avoid the Amiga Nuke???
By preventing access to the CHARGEN service on your system. (Who needs
it anyway???)
I have the following setup in Miami:
(From the miami screen, select "Databases", and the "IP FILTER" tab)
TEMP | Protocol | Service | Host | Mask | Allow | Log |
1 | * | 19 | *.*.*.* | | N | Y |
2 | * | 139 | *.*.*.* | | N | Y |
3 | * | * | 127.0.0.1 | | Y | N |
4 | TCP | AUTH | *.*.*.* | | Y | N |
5 | * | * | *.*.*.* | | Y | Y |
6 | * | $ | *.*.*.* | | Y | N |
Meaning:
Line 1:
This line prevents the Amiga nuke attack from locking your machine, and
generates a log so you can trace the individual.
Line 2:
This catches anyone who does a channel wide BREAK95 or Winnuke. This is there
for MY own use, you may leave this one out if you wish.
Line 3:
Allows you total access (YOU are 127.0.0.1) without logging.
Line 4:
Allows TCP AUTH requests, without logging. These are ok, but you wouldn't want
a log of them all!
Line 5:
Log ALL other requests...
This has one sad side effect. If ever you use FTP, it will generate a log for
each ftp request you make. It's annoying I know, but thats the price of safety.
Line 6:
Allow all remaining ports to be accessed but not to generate a log.
The following AmiTCP information has been supplied by StarDustr
Users with AmiTCP may wish to add the following to their AmiTCP:db/inet-access
files. (Requires a Registered version of AmiTCP)
1. Entries with 127.0.0.1 give you access through your localhost IP.
2. Allow auth and * access to all users.
3. Deny finger and @: finger is a known problem area, and @ covers most of the
low-numbered service ports.
auth | *.*.*.* | allow | LOG |
finger | 127.0.0.1 | allow | LOG |
finger | *.*.*.* | deny | LOG |
@ | 127.0.0.1 | allow | LOG |
@ | *.*.*.* | deny | LOG |
* | *.*.*.* | allow | LOG |
If you DENY * this closes the ports you need for IRC DCC connections and FTP
connections (and maybe others).
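Both the Miami IP filter table and the AmiTCP inet-access list above are ordered access lists, and the order is what makes them work: the localhost finger entry only helps because it sits above the finger deny, and auth is listed before @ so ident checks are not swallowed by the low-port deny. The following is an added example, not AmiTCP's own code or anything from the original page: a small first-match evaluator that runs the inet-access list above against a handful of constructed requests, then swaps the final entry for the "DENY *" the page warns about to show the DCC port being closed. It assumes entries are tried top to bottom and the first match decides, that @ means ports below 1024 as the page says, that an unmatched request is refused and logged, and it resolves service names through a small assumed port table; the source addresses are documentation addresses.

```python
"""First-match evaluation of an AmiTCP inet-access style list.

Added example, not part of AmiTCP or the original page. Assumptions: rules are
tried top to bottom and the first match decides; '*' matches any service or
host; '@' stands for the low-numbered (below 1024) service ports, as the page
says; anything unmatched is refused and logged.
"""

# Assumed name-to-port table standing in for the services database.
SERVICE_PORTS = {"auth": 113, "finger": 79, "ftp": 21, "chargen": 19, "telnet": 23}

# The list given above for AmiTCP:db/inet-access, as (service, host, access, log).
INET_ACCESS = [
    ("auth",   "*.*.*.*",   "allow", True),
    ("finger", "127.0.0.1", "allow", True),
    ("finger", "*.*.*.*",   "deny",  True),
    ("@",      "127.0.0.1", "allow", True),
    ("@",      "*.*.*.*",   "deny",  True),
    ("*",      "*.*.*.*",   "allow", True),
]


def host_matches(pattern, ip):
    """Octet-wise comparison where '*' in the pattern matches any octet."""
    return all(p == "*" or p == o for p, o in zip(pattern.split("."), ip.split(".")))


def service_matches(pattern, port):
    if pattern == "*":
        return True
    if pattern == "@":
        return port < 1024
    return SERVICE_PORTS.get(pattern) == port


def decide(rules, port, ip):
    """Return (access, log) for a connection to local 'port' from 'ip'."""
    for service, host, access, log in rules:
        if service_matches(service, port) and host_matches(host, ip):
            return access, log
    return "deny", True  # assumption: refuse and log anything no entry covers


def with_catchall_deny(rules):
    """The variant the page warns about: 'DENY *' as the last entry."""
    return rules[:-1] + [("*", "*.*.*.*", "deny", True)]


# Constructed requests: (description, local port, source address).
CASES = [
    ("ident check from an IRC server", 113, "192.0.2.10"),
    ("finger from localhost", 79, "127.0.0.1"),
    ("finger from outside", 79, "198.51.100.7"),
    ("chargen (Amiga nuke)", 19, "198.51.100.7"),
    ("incoming DCC chat on a high port", 1100, "198.51.100.7"),
]


def evaluate(rules):
    """Map each case description to the access decision the list gives it."""
    return {desc: decide(rules, port, ip)[0] for desc, port, ip in CASES}


if __name__ == "__main__":
    for name, rules in (("page's list", INET_ACCESS), ("with DENY *", with_catchall_deny(INET_ACCESS))):
        print(name)
        for desc, verdict in evaluate(rules).items():
            print(f"  {verdict:5}  {desc}")
```

Moving the auth entry below the @ deny is the mistake to look for when IRC servers start refusing you: under first-match evaluation the ident request (port 113) would then be denied by @ before the auth entry is ever reached.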