Web attacks from internet attack sites. An oldie but goodie.

The most interesting thing happened to me about five minutes ago. I was attacked by a web site. An intrusion attempt, to be specific. The attack was unsuccessful because Norton (yes, I was using MS Vista instead of Ubuntu Linux; see confessional [1]) detected it and blocked the attempt. One of the interesting things about it is that it attempted to gain access to my laptop through high, non-standard TCP port numbers that my router’s firewall totally ignored. While I’m at it, it’s worth noting that network address translation (taking my modem’s IP address and changing it before it gets to my laptop) didn’t slow it down. It happened when I logged into the administrator’s account for TeamTuxedo to do a little work. Akismet, the excellent free spam blocker for WordPress, has been catching more and more really yucky garbage lately, and I take a look at it every now and again to see if any legitimate comments get caught in the net by accident.
There were the usual porn pingbacks and spambot/malicious web crawler garbage. It was all sitting in the Akismet cache waiting to die a horrible cyberdeath. But one piece of junk caught my eye and I gave it a second look. It was a link to something or other that I can’t remember now, but I do remember thinking that I would take a look at it just for giggles and see what the Bozos were trying to post. I clicked on the IP (bad idea; don’t fall for this kind of social engineering) and it took me to a web page that redirected Firefox to Antivirusfreescan2009.com. Don’t go there. Very bad mojo. And for goodness’ sake, replace IE with Firefox. Anyway, my buddy Nort punched it in the nose, and the bad code went scampering away. Good Norton. Bad, bad Vista. Go sit in the corner and take a time out. To quote myself in a previous article:
Nice going, Denigris. Physician, heal thyself. But I believe it does serve to demonstrate the point I was making in that post. Here is an excerpt from my router’s activity log after the attack:

(GMT-08:00)02:53:46 Mon Aug 25 2008 stunnel[14804]: remote connect #2 (IP ###.###.##.##:443): Connection timed out (145) (blocked)
(GMT-08:00)02:54:16 Mon Aug 25 2008 stunnel[14831]: remote connect #2 (IP ###.###.##.##:443): Connection timed out (145)

And so on.

An intrusion attack is an attempt by malicious code to access protected parts of your computer. The ideal for an attacker is to insert code that will take over a person’s computer without them knowing it. They can then steal data, log your keystrokes, even use your computer to launch attacks on other computers. A good example of the latter is the Distributed Denial of Service (DDoS) attack. Successful intrusions are used to set up a personal computer connected to the internet as a “zombie”. This so-called zombie computer works as normal, and the user is often unaware of the presence of the remote control program waiting to be activated. When an attacker has enough machines infected with the zombie Trojan code, he/she activates them all simultaneously with instructions to make a massive web page service request that slows the server to a grinding halt, preventing it from providing information to legitimate users.

Windows is the platform of choice for these kinds of Trojan attacks because Windows files have a poor sense of user account ownership. In essence, it lets code modify files with relative ease. Unix-like operating systems such as Linux, BSD, and OS X attach permissions to every file, including directories and system files, that link it directly to a specific user, service, or OS function. This protection is built from the ground up and is coded into the structure of the kernel.
In simple terms, Unix-based systems are designed to function like this, and Windows systems are adding these features in a sort of “bolt-on” fashion. To give credit where it is due, Microsoft has finally decided to lock down the kernel and put some security barriers in place. I am pretty sure that this Trojan wouldn’t have made it past the iptables firewall in Linux. But if it had, I don’t see it doing any damage, since it can’t store itself anywhere. Everything’s a file in Linux: the hard drive, the graphics card, it’s all accessed as a file. The files all have permissions. Malicious software has a tough time finding a place to connect to. The kernel denies it a chair.

The moral of the story is that you will be the victim (you probably already have been at some point) of malicious software and web attacks, and the thing to do is simple. Keep a good firewall and spyware/virus cleaner on your Windows machine running all the time. Get good ones.

[1] I confess, oh great Tux, that I sin frequently, using Windows Vista on my laptop. I ask only for your understanding. My laptop came preinstalled with it, and my business needs it. I accept responsibility for my transgressions.

Denigris
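The two router log lines quoted in the post are the kind of record a defender actually has to work from. The Python script below is an added illustration, not part of the original post and not any router vendor's tooling: it parses lines in that stunnel "remote connect" format, counts attempts per remote address, notes which ones the router marked blocked, and lists the addresses that keep coming back. The sample lines are constructed; the post masks the remote address with "#", so RFC 5737 documentation addresses stand in for it, and the repeat threshold of two is an assumed value.

```python
import re

# Constructed sample lines in the shape of the stunnel entries quoted from the router log.
# The post masks the remote address, so RFC 5737 documentation addresses are used here.
SAMPLE_LOG = """\
(GMT-08:00)02:53:46 Mon Aug 25 2008 stunnel[14804]: remote connect #2 (IP 203.0.113.7:443): Connection timed out (145) (blocked)
(GMT-08:00)02:54:16 Mon Aug 25 2008 stunnel[14831]: remote connect #2 (IP 203.0.113.7:443): Connection timed out (145)
(GMT-08:00)02:55:02 Mon Aug 25 2008 stunnel[14840]: remote connect #2 (IP 203.0.113.7:443): Connection timed out (145) (blocked)
(GMT-08:00)03:01:10 Mon Aug 25 2008 stunnel[14902]: remote connect #2 (IP 198.51.100.9:443): Connection timed out (145)
"""

# One regex for the whole line. "(blocked)" is optional because only some of the quoted lines
# carry it, and the IP group also accepts "#" so the masked lines from the post parse as well.
LOG_RE = re.compile(
    r"^\((?P<tz>GMT[+-]\d{2}:\d{2})\)(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<date>\w{3} \w{3} \d{1,2} \d{4}) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: remote connect #(?P<attempt>\d+) "
    r"\(IP (?P<ip>[\d.#]+):(?P<port>\d+)\): (?P<msg>.+?) \((?P<code>\d+)\)"
    r"(?P<blocked> \(blocked\))?$"
)


def parse_line(line):
    """Return the fields of one 'remote connect' line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["attempt"] = int(rec["attempt"])
    rec["port"] = int(rec["port"])
    rec["code"] = int(rec["code"])
    rec["blocked"] = rec["blocked"] is not None
    return rec


def parse_log(text):
    """Parse every line that matches; unrelated log lines are skipped rather than raising."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def attempts_by_ip(records):
    """Per remote IP: how many connection attempts were logged and how many were marked blocked."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(rec["ip"], {"attempts": 0, "blocked": 0})
        entry["attempts"] += 1
        entry["blocked"] += int(rec["blocked"])
    return summary


def repeat_offenders(records, threshold=2):
    """Remote IPs seen at least `threshold` times, most active first: the ones worth a closer look."""
    summary = attempts_by_ip(records)
    hits = [ip for ip, entry in summary.items() if entry["attempts"] >= threshold]
    return sorted(hits, key=lambda ip: -summary[ip]["attempts"])


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for ip, entry in attempts_by_ip(records).items():
        print(f"{ip:>15}  attempts={entry['attempts']}  blocked={entry['blocked']}")
    print("repeat offenders:", repeat_offenders(records))
```

Note that "(blocked)" is absent from the second quoted line, so counting only blocked entries would undercount the activity; the script counts every attempt and reports the blocked subset separately.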
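The file-ownership point in the post can be checked rather than taken on faith. The script below is an added example, not code from the post: it reads the owner and permission bits the kernel stores on each file and reports anything writable by every user on the system, which is the kind of place the post says malicious code needs in order to "store itself". The files, their modes, and the temporary directory are constructed for the illustration.

```python
import os
import shutil
import stat
import tempfile


def describe_mode(mode):
    """The nine permission bits as ls -l shows them (rwxr-xr-x): owner, group, everyone else."""
    return stat.filemode(mode)[1:]


def audit(paths):
    """Return (path, owner uid, mode string) for each path that any user on the system may write to.

    The test is the world-write bit (S_IWOTH): the bit a process running under some other,
    unprivileged account would need in order to drop or modify a file at that location.
    """
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat reports the entry itself and does not follow symlinks
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, st.st_uid, stat.filemode(st.st_mode)))
    return findings


def demo():
    """Constructed illustration: a temp directory holding files with differing permissions.

    Returns the base names the audit flags so the result can be checked.
    """
    root = tempfile.mkdtemp(prefix="permaudit-")
    try:
        layout = {
            "config.txt": 0o644,  # owner writes, everyone reads: the normal case
            "secret.key": 0o600,  # owner only
            "dropzone": 0o666,    # anyone may overwrite it: the "chair" the post says the kernel should deny
        }
        for name, mode in layout.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("x")
            os.chmod(path, mode)
        shared = os.path.join(root, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o777)  # world-writable directory: anyone may create files inside it
        paths = [os.path.join(root, n) for n in layout] + [shared]
        return sorted(os.path.basename(p) for p, _uid, _mode in audit(paths))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("world-writable entries:", demo())
```

Run it as an ordinary user; the audit only reads mode bits through lstat and never attempts a write, so it is safe to point at system directories as well.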
Copyright © 2010 TeamTuxedo - All Rights Reserved