Penetration Testing mailing list archives

Re: [PEN-TEST] Looking for slides


From: "William D. Colburn (aka Schlake)" <wcolburn () NMT EDU>
Date: Tue, 31 Oct 2000 15:44:54 -0700

Hmmmm.  I found a stock redhat 5.2 box on my campus last week.  It seems
to have been up and running (and on the internet) since 1998.  It was
running a web server (and had web pages on it), DNS, news, printing, and
every other inane service that got installed by default.  I searched it
really hard for any evidence of a compromise, but as far as I can tell
it was as pure as freshly fallen snow.  I was, to say the least, surprised.

The juiciness of the target has a lot to do with the speed of its
demise.

The box I found was old outdated hardware when Redhat was first
installed on it.  The person who installed redhat skipped all the
development stuff (not sure why, the hard drive was big enough), so
there was no compiler.  The network it was on was a patched together
hunk of copper almost a hundred miles long between it and the router.

In short, it was a slow machine on a slow link, without any tools.  No
doubt that no one was interested in it.

PS: That machine isn't on our network anymore.  :)

On Tue, Oct 31, 2000 at 03:11:29PM -0500, Bennett Todd wrote:
> 2000-10-31-11:15:28 Ed Lamaster:
> > About 6 months ago I stumbled on a Powerpoint presentation that
> > had some interesting information about how long it took a stock
> > RedHat box (think it was 5.2, but I might be wrong) to be
> > discovered and completely compromised on a university network.
> > My recollection was that the total time elapsed was around 3 or
> > 4 months.
>
> Whew. I find that astonishing. I'd have put the expected time at a
> few days, and I'd be completely unsurprised to see a stock Unix
> system (any vendor, never seen one secure out of the box[*]) get
> knocked flat even before the install finished. It all depends on the
> current climate of folks running automated scanners in your part of
> the net. I always and only install on secured private networks, and
> don't expose servers to the internet until inetd is killed, sendmail
> is killed, lpd is killed, BIND is killed, portmapper is killed, ....
>
> -Bennett

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn

