Subj : Xpost Jack Troughton Part 1
To   : All
From : Mike Luther
Date : Mon Jun 04 2001 07:12 pm

Cross posted message from comp.s.os2.misc
=========================================================================
From: jake@jakesplace.dhs.org (Jack Troughton)
Newsgroups: comp.os.os2.networking.misc,comp.os.os2.misc
Subject: Re: OT: Anatomy of a hacker attack
Reply-To: jake@jakesplace.dhs.org
Date: Sun, 03 Jun 2001 02:03:39 GMT

On 1 Jun 2001 19:29:14 GMT, Christian Hennecke scribbled:

> On Fri, 1 Jun 2001 13:34:32, jake@jakesplace.dhs.org (Jack Troughton)
> wrote:
>
>> I feel I should note that this capability has inherently been
>> present in OS/2 for a long time now... however, nobody's been
>> exploiting them.
>
> Could you tell us a bit more about that?

Well, the stack in OS/2 since _at least_ 4.1 has been a full
implementation of the BSD stack, as ported to OS/2 from AIX by IBM. I'm
sure that some of these clowns would be able to build nasty packets
using the warp stack. However, for a DDoS attack, an ability to have it
on OS/2 doesn't buy you very much as there aren't a huge number of OS/2
systems out there. Also, we don't have a fully integrated mail client
like Outlook... and you _can't_ depend on people not being able to see
the extensions on an OS/2 system: as soon as you send a rexx script by
email everyone's going to immediately see that it's a program. This
makes distributing them by email to clueless newbies a lot less likely
to get you very far.

I bet that OS/2 could be a good development platform for these guys,
though. However, I'm sure they'll stick with their Windows systems...
trojans, DDoS attacks, and the like all depend on getting your bots on
as many systems as possible. The internet is turning out to be like
other monocultures (in biology, I mean); once something gets in that
can attack the monoculture, it just spreads like crazy. Usually in
orange groves and things like that, the farmers just burn the infected
trees....

>> The risk is certainly present though; while the
>> OS/2 community is more savvy as a whole, there's certainly nothing
>> preventing it from being done. I think I know the kind of app we
>> need; a process lister/socket lister, which can show which app is
>> using which socket, and permit the user to kill the apps. Of course,
>> since the stack comes with nice tools included, you can do this
>> pretty easily now... but that's not so easy for people who are
>> afraid of the command line. A PM program that would let people do
>> that would be a lot better for new/naive users.
>
> I think that would make a really nice topic for a HowTo for the OS/2
> eZine or the VOICE Newsletter. What about taking us
> non-networking-experts by the hand, Jack?

Get go.exe from hobbes:

http://hobbes.nmsu.edu/pub/os2/util/process/go_15.zip

This will list running programs on your computer. The other command you
need to know is already on your system; it's called netstat... and the
switch that is key is -s.

Here's some sample output:

First, here's go.exe:

-----------------------begin
GO! v1.5 - (c) 1993-95 by Carsten Wimmer

List of Processes:

P-ID PPID Session Thr Prio CPU Time       Name
---- ---- ------- --- ---- -------------- ---------------------------
1272    0 005 Det  10 0200     0:05:17.34 WEASEL.EXE
1078    0 013 Det   1 0200     0:03:47.68 CMD.EXE
 845    0 012 Det   1 0300     1:46:54.25 CMD.EXE
 844    0 012 Det   6 0300     1:11:48.31 CHANGI.EXE
 843    0 012 Det   6 0300     0:01:00.68 MAJOR.EXE
 842    0 012 Det   3 0300    11:10:37.78 WEB.EXE
 841    0 012 Det   5 0300     0:00:17.59 FTPD.EXE
  37    0 000 Det   1 0200     0:00:00.18 EPWMUX.EXE
  29    0 000 Det   1 0200     0:00:00.18 EPWMUX.EXE
  28    0 000 Det   1 0200     0:00:00.15 EPWPSI.EXE
  27    0 000 Det   3 0200     1:33:10.81 EPWMP.EXE
  21    0 000 Det   2 0200     0:00:01.43 EPWROUT.EXE
  20    0 000 Det   1 021F     0:00:00.50 LOGDAEM.EXE
  19    0 000 Det   1 0200     0:00:00.09 LSDAEMON.EXE
  10    0 000 Det   5 0304    12:58:02.81 CNTRL.EXE
   9    0 000 Det   1 0200     0:00:00.65 LANMSGEX.EXE
   7    0 000 Det   1 031F     0:00:00.03 MIDIDMON.EXE
   5    0 000 Det   1 0200     0:00:06.87 LVMALERT.EXE
   1    0 000 Sys   6 0100     0:31:52.53 LVMALERT.EXE
  22    1 001 Sys  24 0200     8:05:22.56 PMSHELL.EXE
2268   22 004 Sys   5 021F     0:01:09.81 TELNETDC.EXE
2269 2268 004 Sys   1 0200     0:00:02.87 CMD.EXE
2270 2269 004 Sys   2 0200     0:00:29.87 SLRN.EXE
2271 2270 004 Sys   1 0200     0:00:02.06 CMD.EXE
2272 2271 004 Sys   3 0200     0:04:04.75 VIM.EXE
2276 2272 004 Sys   1 0200     0:00:00.28 CMD.EXE
2277 2276 004 Sys   1 0200     0:00:00.03 GO.EXE
 835   22 015 VIO   1 0200     0:00:00.06 CMD.EXE
 839  835 015 VIO   1 0200     0:01:20.34 SYSLOGD.EXE
 833   22 011 VIO   1 0200     0:00:00.09 CMD.EXE
 834  833 011 VIO   1 0200     0:00:12.96 TELNETD.EXE
  32   22 012 VIO   1 0300     0:01:13.96 CMD.EXE
  30   22 010 PM    4 0200     0:00:00.12 PMSPOOL.EXE
  24   22 000 Sys   3 0300     0:00:00.03 HARDERR.EXE
  23   22 FF0 VDM   1 0300     0:00:00.00 VDM
   2    1 000 VDM   1 031F     0:00:00.00 VDM

There are 36 Processes with 108 Threads.
This machine's uptime is 3d 0h 14m 8s 54ms.
-----------------------end

See next message part #2 ..

Mike @ 1:117/3001

--- Maximus/2 3.01
 * Origin: Ziplog Public Port (1:117/3001)
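As an added example (not part of Jack's post, and not code from GO! or OS/2), here is a small Python parser for the GO! process table shown above: it turns each row into a record, reports which running programs are not on a baseline of expected daemons, and walks a process's PPID chain so you can see what a program was started from. The sample rows are a subset copied from the output above; the baseline list is an assumption for the demonstration.

```python
# Parser for GO! v1.5 output (added example); SAMPLE is a subset of the post's rows.
import re

# One GO! row: P-ID PPID Session(number + type) Thr Prio CPU-Time Name
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9A-Fa-f]{3})\s+(\w+)\s+(\d+)\s+([0-9A-Fa-f]{4})"
                 r"\s+(\d+:\d\d:\d\d\.\d\d)\s+(\S+)\s*$")

SAMPLE = """\
P-ID PPID Session Thr Prio CPU Time       Name
1272    0 005 Det  10 0200     0:05:17.34 WEASEL.EXE
 842    0 012 Det   3 0300    11:10:37.78 WEB.EXE
 841    0 012 Det   5 0300     0:00:17.59 FTPD.EXE
   1    0 000 Sys   6 0100     0:31:52.53 LVMALERT.EXE
  22    1 001 Sys  24 0200     8:05:22.56 PMSHELL.EXE
2268   22 004 Sys   5 021F     0:01:09.81 TELNETDC.EXE
2269 2268 004 Sys   1 0200     0:00:02.87 CMD.EXE
2270 2269 004 Sys   2 0200     0:00:29.87 SLRN.EXE
2271 2270 004 Sys   1 0200     0:00:02.06 CMD.EXE
2272 2271 004 Sys   3 0200     0:04:04.75 VIM.EXE
2276 2272 004 Sys   1 0200     0:00:00.28 CMD.EXE
2277 2276 004 Sys   1 0200     0:00:00.03 GO.EXE
 834  833 011 VIO   1 0200     0:00:12.96 TELNETD.EXE
There are 13 Processes with 63 Threads.
"""

def parse_go(text):
    """Return one dict per process row; header, rule and summary lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, ppid, sess, stype, thr, prio, cpu, name = m.groups()
            procs.append({"pid": int(pid), "ppid": int(ppid), "session": sess,
                          "type": stype, "threads": int(thr), "prio": prio,
                          "cpu": cpu, "name": name.upper()})
    return procs

def unexpected(procs, baseline):
    """Names that are running but not on the baseline (the ones to look at first)."""
    allowed = {n.upper() for n in baseline}
    return sorted({p["name"] for p in procs if p["name"] not in allowed})

def ancestry(procs, pid):
    """Names from a process up its PPID chain; unknown parents or a loop end the walk."""
    by_pid = {p["pid"]: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain
```

For GO.EXE (PID 2277) the chain runs back through CMD.EXE, VIM.EXE, SLRN.EXE and TELNETDC.EXE to PMSHELL.EXE, which tells you the process list was taken from inside a telnet session.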