[plug] Client listed on SORBS database

Daniel Pittman daniel at rimspace.net
Wed Sep 30 19:14:49 WST 2009


Jason Posavec <jasonposavec at iinet.net.au> writes:
> Jon Miller wrote:
>>
>> I have a client that has gotten itself listed on the sorbs database as a
>> vulnerable / hacked server.
>>
>> Is there any test I can run to see if this is true.
>>
>> How do I get them off the list?  Their server is a Debian v4 with postfix.
>> Is there anything I can look for with tshark or any other analyser?

[...]

> Did you want to test if it's true that you're on the database, or that your
> server is hacked, or that your server is hackABLE?
>
> Regarding the last one, something like running it through Shields Up at
> grc.com couldn't hurt to find out if you have any vulnerabilities. It's
> Windoze-centric, I know, but couldn't hurt.

Trying to test the last feature — "am I hackABLE" — is so much a waste of time
it isn't funny.  To explain why:

Assume that you run the system through "Shields Up" and it reports that you
are clean.  What do you know now?  Only that "Shields Up" can't detect
anything wrong with your system.[1]

Can you conclude anything else from this test?  Nope.  Not a thing.  You could
still have a million vulnerabilities that the software didn't detect, for any
number of reasons.


So, if you want to know what is going on you need to check if the system is
behaving as expected, or if there is anything untoward happening.

Sadly, that requires that you *don't* use untrusted software, which the kernel
on that machine presently is.  To be really safe[2] use a different kernel,
running different software, like a LiveCD.


Otherwise you have an anti-tiger rock:

    "Hey, wanna buy my anti-tiger rock?"
    "Why would I do that?  There are no tigers around here."
    "So, you can see how well it works.  Only $25, for you."

        Daniel

Footnotes: 
[1]  ...assuming it is a useful test in the first place, which it probably
     isn't even if it was targeting a completely different set of risks to the
     typical Linux system.

[2]  ...though you can test without this, if you want, to get a
     "probabilistic" safety test: are the easy things causing trouble?  If so,
     you can probably assume that the hard ones are not, unless you have a
     very clever attacker.[3]

[3]  Most attackers don't bother; they care more about quantity than quality,
     and one Linux box on ADSL is as good as the next.

-- 
✣ Daniel Pittman            ✉ daniel at rimspace.net            ☎ +61 401 155 707
               ♽ made with 100 percent post-consumer electrons
   Looking for work?  Love Perl?  In Melbourne, Australia?  We are hiring.
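The one test in this thread that is cheap and conclusive is the first of Jason's three, "am I actually on the database", because a DNSBL listing is a plain DNS lookup: reverse the octets of the address, append the list's zone, and query for an A record. An answer in 127.0.0.0/8 means listed, NXDOMAIN means not listed. The example below is added here and is not from the original post or from SORBS. It assumes dnsbl.sorbs.net as the zone to query (check SORBS's own documentation for the current zones) and takes the resolver as a parameter so the logic can be exercised with a constructed lookup table; pass the default to query real DNS. It also does the RFC 5782 liveness check (127.0.0.2 must be listed, 127.0.0.1 must not), because, as Daniel says of Shields Up, a "not listed" answer from a dead or wildcarding resolver tells you nothing.

```python
import ipaddress
import socket

# Assumed zone name; confirm against SORBS's published list of zones.
DEFAULT_ZONE = "dnsbl.sorbs.net"


def dnsbl_query_name(ip, zone=DEFAULT_ZONE):
    """Build the DNSBL query name: octets reversed, then the zone appended."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(ip, zone=DEFAULT_ZONE, resolve=socket.gethostbyname):
    """Return the 127.x.x.x answer if `ip` is listed, or None if not (NXDOMAIN).

    `resolve` is any callable mapping a hostname to an IPv4 string and raising
    socket.gaierror when the name does not resolve; the default hits real DNS.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        return None
    if not answer.startswith("127."):
        # RFC 5782 DNSBL answers live in 127.0.0.0/8. Anything else usually
        # means a wildcarding or captive resolver is answering for everything.
        raise RuntimeError(f"unexpected DNSBL answer {answer} for {name}")
    return answer


def dnsbl_is_alive(zone=DEFAULT_ZONE, resolve=socket.gethostbyname):
    """RFC 5782 sanity check: 127.0.0.2 must be listed and 127.0.0.1 must not.

    Run this before trusting a 'not listed' result; a zone that fails it is
    dead, wildcarded, or not a DNSBL at all.
    """
    return (is_listed("127.0.0.2", zone, resolve) is not None
            and is_listed("127.0.0.1", zone, resolve) is None)


def table_resolver(table):
    """Constructed offline stand-in for DNS: a dict of name -> A record."""
    def resolve(name):
        if name in table:
            return table[name]
        raise socket.gaierror(f"{name}: NXDOMAIN")
    return resolve


if __name__ == "__main__":
    # Constructed sample data, not real SORBS answers: the RFC 5782 test
    # entry plus one documentation-range address pretending to be listed.
    fake_dns = table_resolver({
        "2.0.0.127.dnsbl.sorbs.net": "127.0.0.2",
        "45.113.0.203.dnsbl.sorbs.net": "127.0.0.6",
    })
    print("zone alive:", dnsbl_is_alive(resolve=fake_dns))
    for ip in ("203.0.113.45", "203.0.113.46"):
        print(ip, "->", is_listed(ip, resolve=fake_dns))
```

The returned 127.0.0.x value encodes which sub-list the address is on; the meaning of each code is specific to the list operator and is documented on their site, so decode it there rather than from memory. To query real DNS, drop the `resolve=` argument.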