Subj : Xpost Jack Troughton Part 1
To   : All
From : Mike Luther
Date : Mon Jun 04 2001 07:12 pm

Cross posted message from comp.os.os2.misc

=========================================================================
From: [email protected] (Jack Troughton)
Newsgroups: comp.os.os2.networking.misc,comp.os.os2.misc
Subject: Re: OT: Anatomy of a hacker attack
Reply-To: [email protected]
Date: Sun, 03 Jun 2001 02:03:39 GMT

On 1 Jun 2001 19:29:14 GMT, Christian Hennecke scribbled:

> On Fri, 1 Jun 2001 13:34:32, [email protected] (Jack Troughton) wrote:
>
>> I feel I should note that this capability has inherently been present in
>> OS/2 for a long time now... however, nobody's been exploiting them.
>
> Could you tell us a bit more about that?

Well, the stack in OS/2 since _at least_ 4.1 has been a full implementation of
the BSD stack, as ported to OS/2 from AIX by IBM. I'm sure that some of these
clowns would be able to build nasty packets using the warp stack. However, for
a DDoS attack, an ability to have it on OS/2 doesn't buy you very much as there
aren't a huge number of OS/2 systems out there. Also, we don't have a fully
integrated mail client like Outlook... and you _can't_ depend on people not
being able to see the extensions on an OS/2 system: as soon as you send a rexx
script by email everyone's going to immediately see that it's a program. This
makes distributing them by email to clueless newbies a lot less likely to get
you very far.

I bet that OS/2 could be a good development platform for these guys, though.
However, I'm sure they'll stick with their Windows systems... trojans, DDoS
attacks, and the like all depend on getting your bots
on as many systems as possible. The internet is turning out to be like other
monocultures (in biology, I mean); once something gets in that can attack the
monoculture, it just spreads like crazy. Usually in orange groves and things
like that, the farmers just burn the infected trees....

>> The risk is certainly present though; while the OS/2 community is more
>> savvy as a whole, there's certainly nothing preventing it from being done.
>> I think I know the kind of app we need; a process lister/socket lister,
>> which can show which app is using which socket, and permit the user to
>> kill the apps. Of course, since the stack comes with nice tools included,
>> you can do this pretty easily now... but that's not so easy for people
>> who are afraid of the command line. A PM program that would let people do
>> that would be a lot better for new/naive users.
>
> I think that would make a really nice topic for a HowTo for the OS/2 eZine
> or the VOICE Newsletter. What about taking us non-networking-experts by the
> hand, Jack?

Get go.exe from hobbes:

http://hobbes.nmsu.edu/pub/os2/util/process/go_15.zip

This will list running programs on your computer.

The other command you need to know is already on your system; it's called
netstat... and the switch that is key is -s.

Here's some sample output:

First, here's go.exe:

-----------------------begin
GO! v1.5 - (c) 1993-95 by Carsten Wimmer <[email protected]>

List of Processes:

P-ID PPID Session Thr Prio    CPU Time                    Name
---- ---- ------- --- ---- -------------- ---------------------------
1272    0 005 Det  10 0200    0:05:17.34  WEASEL.EXE
1078    0 013 Det   1 0200    0:03:47.68  CMD.EXE
 845    0 012 Det   1 0300    1:46:54.25  CMD.EXE
 844    0 012 Det   6 0300    1:11:48.31  CHANGI.EXE
 843    0 012 Det   6 0300    0:01:00.68  MAJOR.EXE
 842    0 012 Det   3 0300   11:10:37.78  WEB.EXE
 841    0 012 Det   5 0300    0:00:17.59  FTPD.EXE
  37    0 000 Det   1 0200    0:00:00.18  EPWMUX.EXE
  29    0 000 Det   1 0200    0:00:00.18  EPWMUX.EXE
  28    0 000 Det   1 0200    0:00:00.15  EPWPSI.EXE
  27    0 000 Det   3 0200    1:33:10.81  EPWMP.EXE
  21    0 000 Det   2 0200    0:00:01.43  EPWROUT.EXE
  20    0 000 Det   1 021F    0:00:00.50  LOGDAEM.EXE
  19    0 000 Det   1 0200    0:00:00.09  LSDAEMON.EXE
  10    0 000 Det   5 0304   12:58:02.81  CNTRL.EXE
   9    0 000 Det   1 0200    0:00:00.65  LANMSGEX.EXE
   7    0 000 Det   1 031F    0:00:00.03  MIDIDMON.EXE
   5    0 000 Det   1 0200    0:00:06.87  LVMALERT.EXE
   1    0 000 Sys   6 0100    0:31:52.53  LVMALERT.EXE
  22    1 001 Sys  24 0200    8:05:22.56    PMSHELL.EXE
2268   22 004 Sys   5 021F    0:01:09.81      TELNETDC.EXE
2269 2268 004 Sys   1 0200    0:00:02.87        CMD.EXE
2270 2269 004 Sys   2 0200    0:00:29.87          SLRN.EXE
2271 2270 004 Sys   1 0200    0:00:02.06            CMD.EXE
2272 2271 004 Sys   3 0200    0:04:04.75              VIM.EXE
2276 2272 004 Sys   1 0200    0:00:00.28                CMD.EXE
2277 2276 004 Sys   1 0200    0:00:00.03                  GO.EXE
 835   22 015 VIO   1 0200    0:00:00.06      CMD.EXE
 839  835 015 VIO   1 0200    0:01:20.34        SYSLOGD.EXE
 833   22 011 VIO   1 0200    0:00:00.09      CMD.EXE
 834  833 011 VIO   1 0200    0:00:12.96        TELNETD.EXE
  32   22 012 VIO   1 0300    0:01:13.96      CMD.EXE
  30   22 010 PM    4 0200    0:00:00.12      PMSPOOL.EXE
  24   22 000 Sys   3 0300    0:00:00.03      HARDERR.EXE
  23   22 FF0 VDM   1 0300    0:00:00.00    VDM
   2    1 000 VDM   1 031F    0:00:00.00    VDM
There are 36 Processes with 108 Threads.
This machine's uptime is 3d 0h 14m 8s 54ms.
-----------------------end

See next message part #2 ..

Mike @ 1:117/3001

--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)
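Part 1 of the how-to hands the reader a raw go.exe listing and leaves the work of picking out what is running, and what started it, to the eye. The Python below is an added example; it is not from Jack's post and not part of GO! or the OS/2 TCP/IP stack. It parses a GO! v1.5 listing into records, rebuilds the parent/child tree from the P-ID and PPID columns (the indentation of the Name column shows the same tree, but the numbers are what you should trust), walks the ancestry of one process, and lists the detached processes, which is where the daemons in the listing above (WEASEL.EXE, FTPD.EXE, CHANGI.EXE) sit. The embedded listing is a shortened copy of the one in the post; the function names are my own.

```python
"""Parse a GO! v1.5 process listing and rebuild the process tree (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# One GO! data row: P-ID PPID Session Type Thr Prio CPU-time Name.
# Session is three hex digits (FF0 for a VDM), Prio is four hex digits.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9A-Fa-f]{3})\s+(\S+)\s+(\d+)\s+"
    r"([0-9A-Fa-f]{4})\s+(\d+):(\d{2}):(\d{2})\.(\d{2})\s+(\S+)\s*$"
)


@dataclass
class Process:
    pid: int
    ppid: int
    session: str
    kind: str          # Det, Sys, VIO, PM or VDM as printed by GO!
    threads: int
    prio: str
    cpu_seconds: float
    name: str


def parse_go(text: str) -> Dict[int, Process]:
    """Return {pid: Process}; banner, header and summary lines are skipped."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        h, mi, s, cs = (int(m.group(i)) for i in (7, 8, 9, 10))
        p = Process(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4),
                    int(m.group(5)), m.group(6),
                    h * 3600 + mi * 60 + s + cs / 100, m.group(11))
        procs[p.pid] = p
    return procs


def ancestry(procs: Dict[int, Process], pid: int) -> List[str]:
    """Names from the given process up to the root (who spawned it)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # guard against a PPID loop
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


def descendants(procs: Dict[int, Process], root: int) -> List[int]:
    """Every PID running underneath root, e.g. all children of one session."""
    children: Dict[int, List[int]] = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p.pid)
    out, stack = [], list(children.get(root, []))
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(children.get(pid, []))
    return sorted(out)


def detached(procs: Dict[int, Process]) -> List[Process]:
    """Detached processes have no screen group; network daemons live here."""
    return [p for p in procs.values() if p.kind == "Det"]


# Constructed sample: a shortened copy of the go.exe listing in the post.
SAMPLE = """GO! v1.5 - (c) 1993-95 by Carsten Wimmer <[email protected]>

List of Processes:

P-ID PPID Session Thr Prio    CPU Time                    Name
---- ---- ------- --- ---- -------------- ---------------------------
1272    0 005 Det  10 0200    0:05:17.34  WEASEL.EXE
 845    0 012 Det   1 0300    1:46:54.25  CMD.EXE
 844    0 012 Det   6 0300    1:11:48.31  CHANGI.EXE
 841    0 012 Det   5 0300    0:00:17.59  FTPD.EXE
  20    0 000 Det   1 021F    0:00:00.50  LOGDAEM.EXE
   1    0 000 Sys   6 0100    0:31:52.53  LVMALERT.EXE
  22    1 001 Sys  24 0200    8:05:22.56    PMSHELL.EXE
2268   22 004 Sys   5 021F    0:01:09.81      TELNETDC.EXE
2269 2268 004 Sys   1 0200    0:00:02.87        CMD.EXE
2270 2269 004 Sys   2 0200    0:00:29.87          SLRN.EXE
2271 2270 004 Sys   1 0200    0:00:02.06            CMD.EXE
2272 2271 004 Sys   3 0200    0:04:04.75              VIM.EXE
2276 2272 004 Sys   1 0200    0:00:00.28                CMD.EXE
2277 2276 004 Sys   1 0200    0:00:00.03                  GO.EXE
 833   22 011 VIO   1 0200    0:00:00.09      CMD.EXE
 834  833 011 VIO   1 0200    0:00:12.96        TELNETD.EXE
  23   22 FF0 VDM   1 0300    0:00:00.00    VDM
There are 17 Processes with 70 Threads.
This machine's uptime is 3d 0h 14m 8s 54ms.
"""

if __name__ == "__main__":
    procs = parse_go(SAMPLE)
    print("detached:", ", ".join(p.name for p in detached(procs)))
    print("who started GO.EXE:", " <- ".join(ancestry(procs, 2277)))
    print("running under PID 2268:", descendants(procs, 2268))
```

Feed it the real output with `go > go.txt` and `parse_go(open("go.txt").read())`; a process whose ancestry ends somewhere unexpected, or a detached program you did not install, is the thing to line up against the netstat output in part 2.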