World of Feägurth (Amiga: Avoiding Port Hacks)

How to avoid Nukes and Port Hacks on your Amiga.

The following is new information delivered to StarDustr.

This is likely to be the bug mentioned by Miami author (Holger Kruse). To find it..

Run Miami:MiamiNetStat -a

If you see a lovely *.1599 port, you have been struck.

It allows a telnet session to connect on that port to your computer. This means a few nasty things can be done. The hacker has access to your systems storage devices.

Sounds like the Internet feature Of Microsoft?? Yep.. Microsoft made a feature to check whats on your hard drive. This one is worse, they can do more to your storage systems.

To block it, you must do the following:

For Miami, do the following:

Go to the Databases menu
Go to the Services sub-menu
Click Add an entry
In this entry type the following:
- Name: DCHack
- ID: 1599
- Protocol: tcp
Go to the IP Filter sub-menu
Click Add an entry
- Protocol: *
- Service: DCHack
- Host: *.*.*.*
- Leave Mask blank
- Access: N
- Log: Y
Save settings

This will let you know if anyone attempts to use your HD's/storage mediums.

The following is new information delivered to StarDustr

I was recently informed that there are now amiga nukers that attack the FTP port(21) and the AUTH/IDENT port(113).

There are basically 2 methods to protect yourself against these.

Deny and Log these services to all.
Make Allow and Log entries for specific IPs that you wish to allow to use these services. (ie: port 113 allow for IRC servers)
Allow and Log port 113 and port 21(if you are running ftpd).
Make Deny and Log entries of IPs of users who attack you on these ports.

The methods to do theses are similiar to those changes documented below.

The following Miami information has been supplied by Jazzie

Do not accept executable or archived files from someone you don't know on the internet.
They may claim to say it's a new virus checker, but how do YOU know any different?
Miami users, run the "MIAMINETSTAT" utility periodically.
AmiTCP users can run the script "NetStat" for the same results.
Make a note of any suspicious connections. BEAR IN MIND: FTP access usually starts at around Port 1024, but each command takes it one higher. I don't know where it loops, but it eventually comes back down to 1024.

DCC Chats in IRC also cause ports to be open.

Example:

Proto Recv-Q Send-Q Local Address Foreign Address (state)

tcp 0 0 your.domain.1026 fire1.gte.net.6667 ESTABLISHED

tcp 0 0 your.domain.1599 dev.hacker.com.1085 ESTABLISHED

The first line beginning with tcp is my IRC connection. The foreign address is always the port number you joined the server with. The port your end (1026) may be different each time you connect to a server.

Therefore, I KNOW I'm using IRC, so I should have the irc port open.

Looking at the second line however, I haven't a clue where "dev.hacker.com" is, so this could be worrying.

If you are using IRC, try doing /who *dev.hacker.com in the command line. That may return a nick. If you don't think that user should be connected, time to reboot. You may also want log the access, just in case any damage is made, you can try and trace the users ISP.

There is a method of preventing unwanted access to your machine, which I'll describe in a while.
If anyone wants a port checker, we have one available. Usage is simple, but that will be contained in the archive anyway. I don't really want to supply source, but it IS legitimate, and it will tell you if you have any ports open which you should be wary of.

As I said, don't trust any files from people you don't know. So, only accept this port checker from an OP on DALNET #AmIRC, TCP Port Checker �1998 Plexus Digital Solutions

The port checker, should you wish to use it, is freeware, but NOT distributable. It is ONLY to be distributed by #AmIRC admin.
How the TCP hack works:

(You don't really think I'm going to tell you this??)

Basically, after the trojan program opens up your port (which can be quite some time after actually running the program, so don't expect SNOOPDOS to say "Hey, whats this?!" right away, you can be quite happy surfing the net. You may not even be doing anything. you could just be connected, and not have ANY net applications going... Just Miami or AmiTCP. If you have a static account, you should be careful. If anyone SENT you the 'trojan' carrier, they will know your IP address, as this doesn't change. They can simply PING your IP address to see if you are connected to the internet.

Like I say, you don't have to be FTPing or IRCing, as long as those little modem lights are lit, you may be vulnerable.

As they will know the port which their program opens, they simply have to connect to your machine, and voila, they have instant access to EVERYTHING!

Don't think that they can't do anything but look once there... Bear in mind, that when they gain access, they are presented with a shell. This is on YOUR system, not theirs. Everything they do, such as DIR, INFO, ASSIGN, or FORMAT is on YOUR system. They can instantly find out if you use miami or Amitcp, and they can even copy your keyfiles, and your config files. Imagine, someone copying your mail reader config file. They can easily read ALL your incoming mail, and worse, they can send offensive mail, and it will appear from YOU. Now, this isn't just while they are connected to you, as they can grab your config files, they can send or read your mail whenever they want. If they copy your keyfiles, they can then put them on the internet for others to use. You may then update whatever program (not just internet utilities) and find that your keyfile has been blacklisted.

It may be that you will only try their program once, so they can gain access to your machine while you have just run their program... but how will they get on in future???

Easy. While they connect to you for the first time, they may change your startup-sequence. They may add a simple command to it, or they could be REALLY crafty and change some of the official workbench programs to open up the port EVERY time you reboot your machine.

It's worth checking the dates on your S:STARTUP-SEQUENCE and S:USER-STARTUP files every so often, and read them if you think they may have changed without your knowing.

There are some other files you should check for (These are known port openers):
c:loadwb 29 bytes or thereabouts
l:wb.handler 382 bytes or thereabouts
devs:workbench.device 1136 bytes *

If you EVER find a file DEVS:WORKBENCH.DEVICE, do a version on it. It will more than likely be LOADWB 38.9

If you DO find this, MOVE (Copy/delete) the DEVS:WORKBENCH.DEVICE to C:LOADWB, and delete l:wb.handler.

This is the classic port opener.

Run a port checker every week!
Denial of Service attacks (Nukes):

There is a denial of service attack going around at the moment which affects Amigas, so after nuking any PC owner you see, you can now wipe the smug grin off your face....

There are a number of things to consider here, should you ever think about 'nuking' a PC owner.
1. It's a known attack/bug
2. It's been fixed
3. There are programs which log the attacks, IP addresses, and Times
4. It's against IRC servers rules, and your ISP's rules to launch a denial of service attack. If these guys log an attack from you, and decide to complain to your ISP, start looking for another ISP.
5. It CAN cause damage. If the user is writing to his hard disk at the time of your attack, you might want to find a good defence lawyer.

Proto	Recv-Q	Send-Q	Local Address	Foreign Address	(state)
tcp	0	0	your.domain.1026	fire1.gte.net.6667	ESTABLISHED
tcp	0	0	your.domain.1599	dev.hacker.com.1085	ESTABLISHED

Same goes for Amiga users!

While the Amiga nuke attacks a different port, it is possible that this may cause damage too. While fairly remote, the chance is still there.

How do you avoid the Amiga Nuke???

By preventing access to the CHARGEN service on your system. (Who needs it anyway???)

I have the following setup in Miami:
(From the miami screen, select "Databases", and the "IP FILTER" tab)

TEMP Protocol Service Host Mask Allow Log

1 * 19 *.*.*.* N Y

2 * 139 *.*.*.* N Y

3 * * 127.0.0.1 Y N

4 TCP AUTH *.*.*.* Y N

5 * * *.*.*.* Y Y

6 * $ *.*.*.* Y N

Meaning:

Line 1:
This line prevents the Amiga nuke attack from locking your machine, and generates a log so you can trace the individual.

Line 2:
This catches anyone who does a channel wide BREAK95 or Winnuke. This is there for MY own use, you may leave this one out if you wish.

Line 3:
Allows you total access (YOU are 127.0.0.1) without logging.

Line 4:
Allows TCP AUTH requests, without logging. These are ok, but you wouldn't want a log of them all!

Line 5:
Log ALL other requests...
This has one sad side effect. If ever you use FTP, it will generate a log for each ftp request you make. It's annoying I know, but thats the price of safety.

Line 6:
Allow all remaining ports to be accessed but not to generate a log.

TEMP	Protocol	Service	Host	Mask	Allow	Log
1	*	19	...	N	Y
2	*	139	...	N	Y
3	*	*	127.0.0.1	Y	N
4	TCP	AUTH	...	Y	N
5	*	*	...	Y	Y
6	*	$	...	Y	N

The following AmiTCP information has been supplied by StarDustr

Users with AmiTCP may wish to add the following to their AmiTCP:db/inet-access files. (Requires a Registered version of AmiTCP)

1. Entries with 127.0.0.1 give you access thru your localhost IP.
2 Allow auth and * access to all users.
3. Deny finger and @ finger is a known problem area and @ handles most low-numbered services ports.

auth	...	allow	LOG
finger	127.0.0.1	allow	LOG
finger	...	deny	LOG
@	127.0.0.1	allow	LOG
@	...	deny	LOG
*	...	allow	LOG

If you DENY * this closes the ports you need for IRC DCC connections and FTP connections. (and maybe others)