[X-Unix] Logging connect attempts

Michael Wheeler MWheeler at tntech.edu
Thu Feb 12 13:42:40 PST 2004


Don't forget that any buffer overflow attack directed towards a Unix not running on the PowerPC platform will fail on the Mac even if the Mac has the same vulnerability because the architecture of the machine is different.

This is one reason that I'm not in favor of Apple ever adopting an Intel processor.

Michael W. Wheeler, OpenVMS, Windows, and Macintosh
Systems Support, Tennessee Technological University


-----Original Message-----
From: Mac OS X Unix [mailto:X-Unix at lists.themacintoshguy.com]On Behalf
Of William H. Magill
Sent: Thursday, February 12, 2004 3:16 PM
To: Mac OS X Unix
Subject: Re: [X-Unix] Logging connect attempts


On 12 Feb, 2004, at 11:17, peter boardman wrote:
> Last year I borrowed a Windoze laptop for a week and connected it to the internet for
> about an hour. During that time unknown to me the machine was attacked by a worm
> - no email attachments or anything, just being connected to the internet was
> sufficient. When I returned the laptop to head office it caused havoc...
>
> Is it fair to assume that this type of attack doesn't occur on Macs? (Assuming, say,
> that the firewall in Panther is enabled?) Is there a way to see or log any attempts to
> infiltrate my machine while it's connected?

Yes, more or less.

ANY machine connected to the Internet is susceptible to attack at any 
time.

Windows machines are particularly susceptible to attacks because they 
are inherently "wide open."

Consequently, especially at the present time, Windows machines are the 
most likely to be penetrated as the bulk of the current attacks are 
oriented to "well-known" Windows vulnerabilities. ("Well known" to the 
crackers ... sadly, not to the Windows users.)

Unix oriented attacks will affect Mac OS X, but, comparatively 
speaking, those are "less common."

It all depends upon who and what the "script kiddies" are up to at any 
given point in time. No Windows specific attack can work on a Unix 
oriented box, they are looking for different things. (And that ignores 
issues of different instruction sets necessary to implement the worm 
after an opening is found.)

By comparison, OSX is inherently secure "out of the box." You have to 
open up the ports by enabling things like web service and file sharing.

Even without the firewall enabled, depending upon which services you 
have enabled, most do significant logging themselves. For example look 
at /var/log/httpd/access_log or error_log. You will see things like:

GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 4652

This is a Windows exploit attempt via the Apache server. It failed 
because it is after a Windows-specific directory. (404 = file not 
found.)

Scan the contents of /var/log and its sub-directories.

One last point -- your "borrowed" machine is pretty typical of far too 
many "enterprise" based machines. It was probably not "up to rev" with 
the latest Microsoft patches. This is what took down a number of 
enterprises recently (Philadelphia and Maryland come to mind) -- they 
believe that because their machines were used behind firewalls, they 
didn't need to be "current." While it is possible that a "new" worm 
attacked the laptop, the probability was that it was simply not current 
with Microsoft's patches. ... i.e. the Corporate IT department brought 
the problem on themselves.


T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
# XP1000 - [Alpha EV6]
magill at mcgillsociety.org
magill at acm.org
magill at mac.com
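As an added illustration of the access_log check described in the quoted message (this is not code from either poster): a small Python script that parses Apache combined-format lines, decodes double-encoded paths such as %255c, flags requests aimed at Windows system paths or at directory traversal, and reports whether the status code shows the probe actually succeeded. The log lines are constructed samples; the first reproduces the request quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample access_log lines (Apache combined format); the first
# carries the cmd.exe request quoted in the message, the others are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2004:11:02:13 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 4652 "-" "-"
10.0.0.5 - - [12/Feb/2004:11:02:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 4652 "-" "-"
192.168.1.20 - - [12/Feb/2004:11:05:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
172.16.0.9 - - [12/Feb/2004:11:07:44 -0500] "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0" 404 301 "-" "-"
"""

# host, timestamp, method, request path, status and size from a combined-format line
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers of a probe aimed at a Windows/IIS host, and of directory traversal,
# matched against the fully decoded, lower-cased path.
WINDOWS_MARKERS = ("winnt/system32", "cmd.exe")
TRAVERSAL_MARKERS = ("../", "..\\")


def decode_path(path):
    """Peel up to two layers of URL encoding, so %255c -> %5c -> backslash."""
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m["path"]).lower()
    tags = []
    if any(w in decoded for w in WINDOWS_MARKERS):
        tags.append("windows-probe")
    if any(t in decoded for t in TRAVERSAL_MARKERS):
        tags.append("traversal")
    if not tags:
        return None
    status = int(m["status"])
    # A 2xx means the server actually served something for the probe; a 404
    # (as in the quoted line) means the Windows-specific path did not exist.
    return {"host": m["host"], "status": status, "tags": tags,
            "succeeded": 200 <= status < 300}


def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` on the constructed lines yields three findings, all with status 404 and `succeeded` False, which is the "it failed" reading the message gives for the quoted request.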

