Avoiding Port Hacks and Amiga Nukes!

How to avoid Nukes and Port Hacks on your Amiga.

       The following is new information delivered to StarDustr

    This is likely to be the bug mentioned by the Miami author.  To find it,

     run   Miami:MiamiNetStat -a

    If you see a lovely  *.1599 port, you have been struck.

    It allows a telnet session to connect on that port to your computer.  This
    means a few nasty things can be done: they have access to your system's
    storage devices.

    Sounds like the Internet feature of Microsoft??  Yep.  Microsoft made a
    feature to check what's on your HD.  This one is worse: they can do more to
    your storage systems :)

    To block it...

    Those of you running Miami, do this:
     go to the 'Databases' menu
     go to the 'Services' sub menu
     in that section 'Add' an entry
     in this entry type the following:
     for Name put in: 'DCHack'
     for ID put in: '1599'
     for Protocol type: 'tcp'
     then go to the submenu called 'IP Filter'
     click on 'Add'
     in Protocol type '*'
     in Service type 'DCHack'
     in Host type '*.*.*.*'
     leave Mask blank
     in Access type 'n'
     in Log type 'y'
     save settings

     This will let you know if anyone attempts to use your HD's/storage mediums.
      
 
        The following is new information delivered to StarDustr
 
    I was recently informed that there are now Amiga nukers that attack
    the FTP port (21) and the AUTH/IDENT port (113).

    There are basically 2 methods to protect yourself against these.

1:  Deny and Log  these services to all.
    Make  Allow and Log  entries for specific IPs that you wish to allow to
    use these services.  (i.e. allow port 113 for IRC servers)

2:  Allow and Log  port 113 and port 21 (if you are running ftpd).
    Make  Deny and Log  entries for the IPs of users who attack you on these ports.

    The methods to do these are similar to the changes documented below.



       The following Miami information has been supplied by Jazzie

1:  Do not accept executable or archived files from someone you don't know
    on the internet.
    They may claim it's a new virus checker, but how do YOU know
    any different?

2:  Miami users, run the "MIAMINETSTAT" utility periodically.
    AmiTCP users can run the script "NetStat" for the same results.
    Make a note of any suspicious connections.  BEAR IN MIND: FTP access usually
    starts at around Port 1024, but each command takes it one higher.
    I don't know where it loops, but it eventually comes back down to 1024.

    DCC Chats in IRC also cause ports to be open.

    Example:

    Proto Recv-Q Send-Q Local Address         Foreign Address       (state)
    tcp        0      0 your.domain.1026      fire1.gte.net.6667    ESTABLISHED
    tcp        0      0 your.domain.1599      dev.hacker.com.1085   ESTABLISHED

    The first line beginning with tcp is my IRC connection.  The foreign
    address is always the port number you joined the server with.  The port
    your end (1026) may be different each time you connect to a server.

    Therefore, I KNOW I'm using IRC, so I should have the irc port open.

    Looking at the second line however, I haven't a clue where
    "dev.hacker.com" is, so this could be worrying.

    If you are using IRC, try doing /who *dev.hacker.com in the command line.
    That may return a nick.  If you don't think that user should be
    connected, time to reboot.
    You may also want to log the access, just in case any damage is done; you
    can then try and trace the user's ISP.

    There is a method of preventing unwanted access to your machine, which
    I'll describe in a while.

3:  If anyone wants a port checker, we have one available.
    Usage is simple, but that will be contained in the archive anyway.
    I don't really want to supply source, but it IS legitimate, and it
    will tell you if you have any ports open which you should be wary of.

    As I said, don't trust any files from people you don't know.  So, only
    accept this port checker from an OP on DALNET #AmIRC, or from this
    link:  TCP Port Checker ©1998 Plexus Digital Solutions

    The port checker, should you wish to use it, is freeware, but NOT
    distributable.  It is ONLY to be distributed by #AmIRC admin.

4:  How the TCP hack works:
    (You don't really think I'm going to tell you this??)
    Basically, after the trojan program opens up your port (which can
    be quite some time after actually running the program, so don't expect
    SNOOPDOS to say "Hey, what's this?!" right away), you can be quite
    happy surfing the net.
    You may not even be doing anything.  You could just be connected, and
    not have ANY net applications going... just Miami or AmiTCP.
    If you have a static account, you should be careful.  If anyone
    SENT you the 'trojan' carrier, they will know your IP address, as this
    doesn't change.  They can simply PING your IP address to see if you
    are connected to the internet.

    *Like I say, you don't have to be FTPing or IRCing, as long as those
    *little modem lights are lit, you may be vulnerable.

    As they will know the port which their program opens, they simply have
    to connect to your machine, and voila, they have instant access to
    EVERYTHING!
    Don't think that they can't do anything but look once there...
    Bear in mind, that when they gain access, they are presented with a
    shell.  This is on YOUR system, not theirs.  Everything they do, such
    as DIR, INFO, ASSIGN, or FORMAT is on YOUR system.
    They can instantly find out if you use Miami or AmiTCP, and they can
    even copy your keyfiles, and your config files.
    Imagine, someone copying your mail reader config file.  They can easily
    read ALL your incoming mail, and worse, they can send offensive mail,
    and it will appear from YOU.  Now, this isn't just while they are
    connected to you, as they can grab your config files, they can send or
    read your mail whenever they want.
    If they copy your keyfiles, they can then put them on the internet for
    others to use.  You may then update whatever program (not just internet
    utilities) and find that your keyfile has been blacklisted.

    It may be that you will only try their program once, so they can gain
    access to your machine while you have just run their program... but
    how will they get on in future???

    Easy.  While they connect to you for the first time, they may change
    your startup-sequence.
    They may add a simple command to it, or they could be REALLY crafty and
    change some of the official workbench programs to open up the port EVERY
    time you reboot your machine.

    It's worth checking the dates on your S:STARTUP-SEQUENCE and
    S:USER-STARTUP files every so often, and read them if you think they
    may have changed without your knowing.

    There are some other files you should check for (These are known
    port openers):
    c:    loadwb               29   bytes or thereabouts
    l:    wb.handler           382  bytes or thereabouts
    devs: workbench.device     1136 bytes *

    If you EVER find a file DEVS:WORKBENCH.DEVICE, do a version on it.
    It will more than likely be LOADWB 38.9

    If you DO find this, MOVE (Copy/delete) the DEVS:WORKBENCH.DEVICE to
    C:LOADWB, and delete l:wb.handler.

    This is the classic port opener.

    Run a port checker every week !
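    The file checks above (look at the dates on S:STARTUP-SEQUENCE and
    S:USER-STARTUP, and look for the three known port-opener files by name
    and size) are easier to do reliably from a recorded baseline than by
    eye.  The Python below is an added example, not code from the original
    page.  It builds a throwaway directory standing in for SYS: (assumption:
    a plain directory with s/, c/, l/ and devs/ subdirectories) so that it
    runs anywhere; on a real system you would point snapshot() at the volume
    and keep the baseline somewhere the machine cannot reach.  The
    port-opener sizes are the ones the page gives; the 10-byte tolerance is
    an assumption standing in for the page's "or thereabouts".

```python
"""Baseline-and-compare check for startup files and known port-opener files.

Added example, not code from the original page.  Assumptions: SYS: is
modelled as a plain directory; the +/-10 byte tolerance stands in for the
page's "or thereabouts"; the file contents written below are constructed.
"""
import hashlib
import os
import tempfile

# Files the page names as known port openers, with the sizes it gives.
KNOWN_PORT_OPENERS = {
    "c/loadwb": 29,
    "l/wb.handler": 382,
    "devs/workbench.device": 1136,
}
STARTUP_FILES = ("s/startup-sequence", "s/user-startup")


def snapshot(root):
    """Map every file under root (relative, '/'-separated, lower-cased, since
    AmigaDOS names are case-insensitive) to its (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
            with open(path, "rb") as fh:
                data = fh.read()
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def compare(baseline, current):
    """Return (changed, added, removed) relative paths, each sorted."""
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed


def port_opener_hits(snap, tolerance=10):
    """Files whose path and size match one of the known port openers."""
    return sorted(p for p, size in KNOWN_PORT_OPENERS.items()
                  if p in snap and abs(snap[p][0] - size) <= tolerance)


def run_demo():
    """Build a fake SYS:, take a baseline, then simulate a tampered system."""
    with tempfile.TemporaryDirectory() as sysdir:
        def write(rel, data):
            path = os.path.join(sysdir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        # Constructed clean system: a normal-sized LoadWB, no handler/device.
        write("s/startup-sequence", b"C:SetPatch QUIET\nC:LoadWB\nEndCLI >NIL:\n")
        write("s/user-startup", b"; user-startup\n")
        write("c/loadwb", b"\x00" * 2500)
        baseline = snapshot(sysdir)

        # Constructed tampering of the kind the page describes: an extra line
        # in the startup-sequence and the two port-opener files appearing.
        write("s/startup-sequence",
              b"C:SetPatch QUIET\n; extra line (constructed)\nC:LoadWB\nEndCLI >NIL:\n")
        write("devs/workbench.device", b"\x00" * 1136)
        write("l/wb.handler", b"\x00" * 380)
        current = snapshot(sysdir)

        changed, added, removed = compare(baseline, current)
        return {
            "changed": changed,
            "added": added,
            "removed": removed,
            "startup_changed": [p for p in STARTUP_FILES if p in changed],
            "port_openers": port_opener_hits(current),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-16s %s" % (key, value))
```

    A hash comparison catches an edit even when the date has been put back
    by hand, which a glance at the file dates would miss; the size match on
    the three names is the quick check the page describes, with the hash
    baseline as the thorough one.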

5:  Denial of Service attacks (Nukes):

    There is a denial of service attack going around at the moment which
    affects Amigas, so after nuking any PC owner you see, you can now wipe
    the smug grin off your face....

    There are a number of things to consider here, should you ever think
    about 'nuking' a PC owner.

    1:  It's a known attack/bug
    2:  It's been fixed
    3:  There are programs which log the attacks, IP addresses, and times
    4:  It's against IRC servers' rules, and your ISP's rules, to launch a
        denial of service attack.  If these guys log an attack from you,
        and decide to complain to your ISP, start looking for another ISP.
    5:  It CAN cause damage.  If the user is writing to his hard disk at
        the time of your attack, you might want to find a good defence
        lawyer.

    Same goes for Amiga users!

    While the Amiga nuke attacks a different port, it is possible that
    this may cause damage too.  While fairly remote, the chance is still
    there.

How do you avoid the Amiga Nuke???

    By preventing access to the CHARGEN service on your system.
    (Who needs it anyway???)

    I have the following setup in Miami:
    (From the miami screen, select "Databases", and the "IP FILTER" tab)

    TEMP  Protocol  Service  Host     Mask  Allow  Log
1         *         19       *.*.*.*        N      Y
2         *         139      *.*.*.*        N      Y
3         *         *        127.0.0.1      Y      N
4         TCP       AUTH     *.*.*.*        Y      N
5         *         *        *.*.*.*        Y      Y
6         *         $        *.*.*.*        Y      N

Meaning:

    Line 1:
    This line prevents the Amiga nuke attack from locking your machine,
    and generates a log so you can trace the individual.

    Line 2:
    This catches anyone who does a channel wide BREAK95 or Winnuke.
    This is there for MY own use, you may leave this one out if you wish.

    Line 3:
    Allows you total access (YOU are 127.0.0.1) without logging.

    Line 4:
    Allows TCP AUTH requests, without logging.  These are ok, but you
    wouldn't want a log of them all!

    Line 5:
    Log ALL other requests...
    This has one sad side effect.  If ever you use FTP, it will generate
    a log for each ftp request you make.  It's annoying, I know,
    but that's the price of safety.

    Line 6:
    Allow all remaining ports to be accessed but not to generate a log.



      The following AmiTCP information has been supplied by StarDustr

    Users with AmiTCP may wish to add the following to their
    AmiTCP:db/inet.access file.  (Requires a registered version of AmiTCP.)

1.  Entries with 127.0.0.1 give you access through your localhost IP.
2.  Allow  auth  and  *  access to all users.
3.  Deny  finger  and  @.  Finger is a known problem area, and
    @  handles most low-numbered service ports.

    If you DENY  *  this closes the ports you need for IRC DCC
    connections and FTP connections (and maybe others).

# Define the services and ports. 
;  Entries for amitcp:db/services used by inet.access blocking/logging
;
auth     113/tcp     ; RFC ident
nuke01   137/tcp     ; Win Nuke
nuke02   138/tcp     ; Win Nuke
nuke03   139/tcp     ; Win Nuke
nuke04   1599/tcp    ; MS HD check
nuke05   12345/tcp   ; NetBus
nuke06   12346/tcp   ; NetBus
nuke07   40426/tcp   ; Masters of Paradise98
nuke08   5000/tcp    ; Troie
nuke09   50505/tcp   ; Troie
;

# Define the function to be performed for each service.
;  Entries for amitcp:db/inetd.conf
;
auth     stream   tcp nowait root    AmiTCP:serv/identd   identd
nuke01   stream   tcp dos bin - echo "This service is Not Installed!"
nuke02   stream   tcp dos bin - echo "This service is Not Installed!"
nuke03   stream   tcp dos bin - echo "This service is Not Installed!"
nuke04   stream   tcp dos bin - echo "This service is Not Installed!"
nuke05   stream   tcp dos bin - echo "This service is Not Installed!"
nuke06   stream   tcp dos bin - echo "This service is Not Installed!"
nuke07   stream   tcp dos bin - echo "This service is Not Installed!"
nuke08   stream   tcp dos bin - echo "This service is Not Installed!"
nuke09   stream   tcp dos bin - echo "This service is Not Installed!"
;

# Define Access/Logging permissions.
;  Entries for amitcp:db/inet.access  (requires registered version of AmiTCP)
;
;Service   Host[/Mask]   Access   [LOG]
;
auth       *.*.*.*       allow     LOG
finger     127.0.0.1     allow     LOG
finger     *.*.*.*       deny      LOG
@          127.0.0.1     allow     LOG
nuke01     *.*.*.*       deny      LOG
nuke02     *.*.*.*       deny      LOG
nuke03     *.*.*.*       deny      LOG
nuke04     *.*.*.*       deny      LOG
nuke05     *.*.*.*       deny      LOG
nuke06     *.*.*.*       deny      LOG
nuke07     *.*.*.*       deny      LOG
nuke08     *.*.*.*       deny      LOG
nuke09     *.*.*.*       deny      LOG
@          *.*.*.*       deny      LOG
*          *.*.*.*       allow     LOG
;
;   * is the last entry, otherwise it seems to override denys placed below it.
;   This entry allows the extra ports needed for DCC and ftp type connections.
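    Both rule tables on this page, the Miami IP Filter table and the
    inet.access entries just above, stand or fall on ordering, which is what
    the note about keeping  *  last is about.  The Python below is an added
    model of that first-match behaviour, not code from AmiTCP or Miami.
    Assumptions the page does not state: lines are tried top-down and the
    first match decides (what the note about  *  implies); '@' matches
    services on ports below 1024 (the page's "most low-numbered service
    ports"); a host pattern matches octet by octet with '*' as a wildcard
    and the /Mask form is not modelled; a connection no line matches is
    refused and logged.  The finger port (79/tcp) is the standard one, added
    because the rules reference it but the page's services list does not;
    the source addresses are constructed.

```python
"""First-match model of AmiTCP inet.access rules.

Added example, not code from AmiTCP or Miami.  Assumptions: top-down,
first match wins; '@' means ports below 1024; host patterns match per
octet with '*' as wildcard (no /Mask); unmatched connections are denied
and logged; finger is the standard 79/tcp.
"""
from collections import namedtuple

# Service names -> ports: the page's amitcp:db/services entries plus finger.
SERVICES = {
    "auth": 113, "finger": 79,
    "nuke01": 137, "nuke02": 138, "nuke03": 139, "nuke04": 1599,
    "nuke05": 12345, "nuke06": 12346, "nuke07": 40426,
    "nuke08": 5000, "nuke09": 50505,
}

# The page's inet.access rules, in the page's order.
INET_ACCESS = """\
;Service   Host[/Mask]   Access   [LOG]
auth       *.*.*.*       allow     LOG
finger     127.0.0.1     allow     LOG
finger     *.*.*.*       deny      LOG
@          127.0.0.1     allow     LOG
nuke01     *.*.*.*       deny      LOG
nuke02     *.*.*.*       deny      LOG
nuke03     *.*.*.*       deny      LOG
nuke04     *.*.*.*       deny      LOG
nuke05     *.*.*.*       deny      LOG
nuke06     *.*.*.*       deny      LOG
nuke07     *.*.*.*       deny      LOG
nuke08     *.*.*.*       deny      LOG
nuke09     *.*.*.*       deny      LOG
@          *.*.*.*       deny      LOG
*          *.*.*.*       allow     LOG
"""

Rule = namedtuple("Rule", "service host access log")


def parse_inet_access(text):
    """Parse 'Service Host Access [LOG]' lines; ';' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[2].lower() not in ("allow", "deny"):
            raise ValueError("malformed rule: %r" % raw)
        log = len(fields) > 3 and fields[3].upper() == "LOG"
        rules.append(Rule(fields[0], fields[1], fields[2].lower(), log))
    return rules


def host_matches(pattern, addr):
    """Octet-wise match; '*' in the pattern matches any octet (assumption)."""
    pat, octets = pattern.split("."), addr.split(".")
    return len(pat) == 4 == len(octets) and all(
        p == "*" or p == o for p, o in zip(pat, octets))


def service_matches(pattern, port):
    """'*' is every port, '@' is ports below 1024 (assumption), else by name."""
    if pattern == "*":
        return True
    if pattern == "@":
        return port < 1024
    return SERVICES.get(pattern) == port


def decide(rules, port, src):
    """Return (access, log, rule_number) for a connection to `port` from `src`;
    rule_number is 1-based, 0 when no line matched (then: deny and log)."""
    for number, rule in enumerate(rules, 1):
        if service_matches(rule.service, port) and host_matches(rule.host, src):
            return rule.access, rule.log, number
    return "deny", True, 0


def star_first(rules):
    """The misordering the page warns about: the '*' line moved to the top."""
    star = [r for r in rules if r.service == "*"]
    return star + [r for r in rules if r.service != "*"]


if __name__ == "__main__":
    rules = parse_inet_access(INET_ACCESS)
    for port, src in ((1599, "10.0.0.5"), (113, "10.0.0.5"), (79, "127.0.0.1"),
                      (79, "10.0.0.5"), (21, "10.0.0.5"), (1026, "10.0.0.5")):
        print(port, src, decide(rules, port, src),
              "star-first:", decide(star_first(rules), port, src))
```

    With the page's order, a remote connection to 1599 stops at the nuke04
    line and is denied and logged, the low-numbered FTP port is caught by
    the second '@' line, and a high port such as 1026 (DCC, passive FTP)
    falls through to the final  *  and is allowed.  With  *  moved to the
    top, the same 1599 connection is allowed on line 1 and none of the deny
    lines are ever consulted, which is exactly the effect the page's comment
    describes.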



