Bugtraq mailing list archives
WIngate: the sequel
From: alanb () MANAWATU GEN NZ (Alans other account)
Date: Wed, 11 Feb 1998 15:14:02 +1300
I've had a fair amount of mail following my posting about this to the list. What follows is a very brief summary.

1: Confirmation that a large number of sites have already experienced spammers SMTP relaying via insecure wingates. Numbers relayed have ranged from "a couple of thousand" to "over 20,000" messages.

2: Ditto on NNTP. This seems to be a favourite method for porn spammers in particular.

3: Ditto on IRC. I have a mIRC IRC abuse script on hand which quite happily searches for wingates and attaches one floodbot per gateway. Tests have shown that upwards of 100 wingates can quite easily be used by a single attacker.

4: Open wingates are also wide open for any savvy attacker to attach to machines behind the wingate "firewall".

5: Although the primary attack method is to use SOCKS port 1080, the same techniques are easily used on port 23, so firewalling SOCKS is a temporary solution at best.

All of these are worrying, given the number of people who attack sites perceived as participating in spam.

There's a fairly good set of web pages on securing wingate at http://www.deerfield.com/wingate/secure-wingate.htm - this appears to be the Wingate home site.

The Undernet IRC network has had to temporarily lock out users from 2 large cable networks in Canada and the USA due to attacks against network admins. Those attacks were at one point coming from upwards of 200 different IPs and seemed to be driven by one individual. Given Wingate's lack of logging facilities, there is almost no hope of tracing attackers who initiate denial of service actions like this, so ISPs may well face having this kind of action taken against them by IRC (or other) networks in order to maintain usability of their systems. The end result is chaos on helpdesks.

Wingate's authors apparently are continuing to ignore the abuse issues associated with default settings. How long before they get the message?

AB