[X-Unix] Logging connect attempts

William H. Magill magill at mcgillsociety.org
Thu Feb 12 13:15:38 PST 2004


On 12 Feb, 2004, at 11:17, peter boardman wrote:
> Last year I borrowed a Windoze laptop for a week and connected it to
> the internet for about an hour. During that time unknown to me the
> machine was attacked by a worm - no email attachments or anything, just
> being connected to the internet was sufficient. When I returned the
> laptop to head office it caused havoc...
>
> Is it fair to assume that this type of attack doesn’t occur on Macs?
> (Assuming, say, that the firewall in Panther is enabled?) Is there a
> way to see or log any attempts to infiltrate my machine while it’s
> connected?

Yes, more or less.

ANY machine connected to the Internet is susceptible to attack at any 
time.

Windows machines are particularly susceptible to attacks because they 
are inherently "wide open."

Consequently, especially at the present time, Windows machines are the 
most likely to be penetrated as the bulk of the current attacks are 
oriented to "well-known" Windows vulnerabilities. ("Well known" to the 
crackers ... sadly, not to the Windows users.)

Unix oriented attacks will affect Mac OS X, but, comparatively 
speaking, those are "less common."

It all depends upon who and what the "script kiddies" are up to at any 
given point in time. No Windows specific attack can work on a Unix 
oriented box; they are looking for different things. (And that ignores 
issues of different instruction sets necessary to implement the worm 
after an opening is found.)

By comparison, OSX is inherently secure "out of the box." You have to 
open up the ports by enabling things like web service and file sharing.

Even without the firewall enabled, depending upon which services you 
have enabled, most do significant logging themselves. For example, look 
at /var/log/httpd/access_log or error_log. You will see things like:

GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 4652

This is a Windows exploit attempt via the Apache Server. It failed 
because it is after a Windows-specific directory. (404 = file not 
found).

Scan the contents of /var/log and its sub-directories.

One last point -- your "borrowed" machine is pretty typical of far too 
many "enterprise" based machines. It was probably not "up to rev" with 
the latest Microsoft patches. This is what took down a number of 
enterprises recently (Philadelphia and Maryland come to mind) -- they 
believe that because their machines were used behind firewalls, they 
didn't need to be "current." While it is possible that a "new" worm 
attacked the laptop, the probability was that it was simply not current 
with Microsoft's patches. ... i.e. the Corporate IT department brought 
the problem on themselves.


T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
# XP1000 - [Alpha EV6]
magill at mcgillsociety.org
magill at acm.org
magill at mac.com
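As an added illustration (not part of the original post or thread), a small Python scanner that reads access_log lines in Apache's combined format, undoes the double percent-encoding seen in the request quoted above, and flags requests aimed at Windows system paths. The log lines are constructed samples built around that request; the IP addresses and timestamps are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format. The first and third
# reuse the probe quoted in the post; the 200 on the third line is invented
# to show how a non-404 result is reported.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2004:11:02:41 -0800] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 4652 "-" "-"
198.51.100.3 - - [12/Feb/2004:11:05:10 -0800] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Feb/2004:11:06:02 -0800] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 291 "-" "-"
"""

# ip, ident, user, [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def decode_fully(path, rounds=3):
    """Undo layered percent-encoding (%255c -> %5c -> backslash) so that
    double-encoded traversal becomes visible. Stops once decoding is stable."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def probe_reason(path):
    """Explain why a request path looks like a Windows-specific probe, or None.
    Backslashes are normalised to '/' so '..\\..' and '../..' match alike."""
    p = decode_fully(path).replace("\\", "/").lower()
    if "winnt/system32" in p or p.split("?")[0].endswith("cmd.exe"):
        return "request for Windows system shell path"
    if "/../" in p and "/scripts/" in p:
        return "directory traversal under /scripts/"
    return None

def scan_log(text):
    """Parse each access_log line and collect requests that target Windows paths.
    A 404 means the Unix host had nothing to serve; any other status deserves a look."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line (or a truncated one)
        reason = probe_reason(m["path"])
        if reason:
            status = int(m["status"])
            findings.append({"ip": m["ip"], "status": status, "reason": reason,
                             "harmless": status == 404})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Point it at a real /var/log/httpd/access_log by reading the file and passing its contents to scan_log.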


