Botnets, sinkholes, darknets, honeypots, etc...

    Botnets, sinkholes, darknets, honeypots, etc...

    http://www.enisa.europa.eu/act/res/b...oad/fullReport
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.

    #2
    Re: Botnets, sinkholes, darknets, honeypots, etc...

    That's some massive document!

    I only skimmed it, but it seemed to have no mention of the inherent security of Linux vs M$. Why wasn't that mentioned? What did I miss?



      #3
      Re: Botnets, sinkholes, darknets, honeypots, etc...

      It's a European document, and corporations aren't as successful tilting the playing field in Europe. The Netherlands, for example, does NOT allow corporations to contribute to or have a say in any political campaigns or government actions.

      Far and away the biggest source of attack vectors are Windows boxes. But the bad guys use one hijacked Linux box as a "C&C" -- Command and Control box -- to control about 50,000 to 100,000 Windows bots. Linux boxes are hard to hijack and once captured have their security upgraded to the highest possible level by the bad guys, to keep other bad guys out. Last year it took a team of bad guys 6 months to hijack 700 Linux boxes! That's how valuable a Linux box is. If Linux were so easy to hijack one would have to ask why the hijackers didn't simply send out an email with a viral payload, instead of manually cracking into computers using "DearJohn", the brute force password cracker, which they upload to some Linux user's poorly secured or unsecured system. (Did you leave your firewall untouched, or take it down? Are you running as root? Are your passwords trivial? Naughty, naughty, naughty!)

      The only thing that matters is the IP packet and network behavior and response time. It does not matter what computer the bad guy is using if she is able to hack into a Tier III DNS server and replace your IP address with hers for the several hours that elapse between refreshes from a higher level DNS server. Thus, you put "http://somebank.com" into your URL to do some online banking and get misdirected to the bad gal's server, where you input your name and security tokens, only to be told that the server is "undergoing maintenance" and to log in later. Later you do, and everything is OK, except that there is no message on the bank server that they had just performed maintenance. You'll never know until a few days later you discover that a large amount of your money has been transferred to another account. The bank checks it out and finds that the account was opened a few days before and closed right after it was emptied out, in cash. Sure, you run Linux, and the bank ran Windows, but it was the vulnerability of the DNS servers that got you. That's why more and more of the Internet is moving off of Windows and to Linux and other secure OSs as servers.

      Currently, FOSS controls 71% of the Internet server market (http://www.securityspace.com/s_survey/data/201105/index.html), and is climbing, while Windows servers run 15% and are dropping. About 99.9999% of the malware is launched off of that 15%, or roughly 30 million servers.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
      – John F. Kennedy, February 26, 1962.



        #4
        Re: Botnets, sinkholes, darknets, honeypots, etc...

        Thanks for that info GG. Here we have: Router, Firewall, closed Ports and Passwords - no root user!

        It's interesting if you look deeper at the data in that link ( https://www.securityspace.com/s_surv...1105/index.htm ) and look at the usage in different countries over the last few years (use the "Look at Other Domains" button). You see a significant decline in MS servers - and, perhaps not surprisingly, some European countries have very low M$ server numbers (see France, for example). I found it amazing, though, to see that China has a massively high percentage of M$ servers. I wonder why that is?



          #5
          Re: Botnets, sinkholes, darknets, honeypots, etc...

          Originally posted by PhilT
          ...
          I found it amazing, though, to see that China has a massively high percentage of M$ servers. I wonder why that is?
          Easy to understand. Governments and people are worried about the security of the operating system running on their computers and servers. Back doors and such.

          About a decade ago, because of Windows' lack of security and the high number of government PCs running Windows, there was a cry on Capitol Hill for Microsoft to release its source code so that people who really knew about security could improve upon it. Microsoft testified before Congress that the Windows source code was a "National Treasure" and opening it up to inspection would allow foreign governments to find weak spots, enabling them to invade US government computers much faster than improvements in the source could come out.

          A couple of years later, to allow Microsoft to do business in China, their government demanded that Microsoft give it the source to Windows. Gates agreed to give it. Some say ALL of it. It really didn't matter, because the year before that someone broke into the Redmond campus network and over the six months they spent wandering around in it they were able to download all of the source code for all versions of Windows up to NT 3, which was yet to be released. IIRC, the recovered logs showed that the hack was carried out from sites inside China.

          Around 2005, when a Windows update pack failed to cloak the identity of a couple of cryptographic keys, researchers realized what those keys were for: NSA access.
          When a Windows service pack accidentally failed to cloak the identity of the keys, Andrew Fernandes discovered that the second key was called _NSAKEY. The implication is that Microsoft provided the National Security Agency (NSA) a way to crack into or decrypt information on any Windows box for surveillance or data-recovery purposes.
          ...
          It's bad enough that Microsoft and the NSA may have peepholes into our desktops and servers. But what about the crackers who broke into Microsoft recently? Do they now have those same peepholes? Did the crackers who broke into Microsoft modify any source code in order to introduce new backdoors into Windows, or expand existing ones?
          Microsoft denied any NSA involvement at all. But, on November 17, 2009, during testimony in Congress, Microsoft admitted that the NSA helped Microsoft "with security" of Windows 7. But not only that:
          In 2007, the agency confirmed that it had a hand in Windows Vista as part of an initiative to ensure that the operating system was secure from attack and would work with other government software. Before that, the NSA provided guidance on how best to secure Windows XP and Windows 2000.
          So, just who would NSA (and China!) be spying on? Those who ran copies of Win7 and previous versions of Windows that still had the NSA keys active. Just about every American and Western corporation and the Chinese and American Joe Sixpacks. It's easy to keep people under your thumb if you can break into their computer via a back door and watch what they do while they do it. Their governments and officials? China could easily create copies of Windows with the NSA keys disabled for its government and military computers, since it has had access to the FULL Windows source code as a condition for Microsoft doing business in China. But, while China may be using the NSA keys to keep its citizens from expressing anti-Communist party or pro-Democracy opinions, or pay the penalty if they do, China would find richer targets breaking into computers of foreign businesses competing against Chinese business, or US military or businesses like Boeing, for example, a recent break-in victim.


          Want to see what your computer is connecting to, and which ports are sitting at the back door, listening?
          Code:
          jerry@sonyvgnfw140e:~$ sudo netstat -nalp
          [sudo] password for jerry: 
          Active Internet connections (servers and established)
          Proto Recv-Q Send-Q Local Address      Foreign Address     State    PID/Program name
          tcp    0   0 0.0.0.0:22       0.0.0.0:*        LISTEN   2300/sshd    
          tcp    0   0 127.0.0.1:631      0.0.0.0:*        LISTEN   1729/cupsd   
          tcp    0   0 127.0.0.1:25      0.0.0.0:*        LISTEN   1545/exim4   
          tcp    0   0 0.0.0.0:8000      0.0.0.0:*        LISTEN   2326/squid   
          tcp    0   0 127.0.0.1:2947     0.0.0.0:*        LISTEN   1706/gpsd    
          tcp    0   0 192.168.1.100:52306   208.78.69.70:80     TIME_WAIT  -        
          tcp6    0   0 :::22          :::*          LISTEN   2300/sshd    
          tcp6    0   0 ::1:631         :::*          LISTEN   1729/cupsd   
          tcp6    0   0 ::1:25         :::*          LISTEN   1545/exim4   
          tcp6    0   0 ::1:2947        :::*          LISTEN   1706/gpsd    
          udp    0   0 0.0.0.0:3130      0.0.0.0:*              2326/squid   
          udp    0   0 0.0.0.0:5353      0.0.0.0:*              945/avahi-daemon: r
          udp    0   0 0.0.0.0:42291      0.0.0.0:*              2326/squid   
          udp    0   0 0.0.0.0:56667      0.0.0.0:*              945/avahi-daemon: r
          udp    0   0 0.0.0.0:68       0.0.0.0:*              2159/dhclient  
          udp    0   0 0.0.0.0:68       0.0.0.0:*              2234/dhclient3 
          udp    0   0 192.168.1.100:123    0.0.0.0:*              2355/ntpd    
          udp    0   0 127.0.0.1:123      0.0.0.0:*              2355/ntpd    
          udp    0   0 0.0.0.0:123       0.0.0.0:*              2355/ntpd    
          udp6    0   0 ::1:123         :::*                2355/ntpd    
          udp6    0   0 fe80::216:eaff:fe4d:123 :::*                2355/ntpd    
          udp6    0   0 :::123         :::*                2355/ntpd    
          Active UNIX domain sockets (servers and established)
          Proto RefCnt Flags    Type    State     I-Node  PID/Program name  Path
          unix 2   [ ACC ]   STREAM   LISTENING   14154  2373/mysqld-akonadi /home/jerry/.local/share/akonadi/db_misc/mysql.socket
          unix 2   [ ACC ]   STREAM   LISTENING   8986   945/avahi-daemon: r /var/run/avahi-daemon/socket
          unix 2   [ ACC ]   STREAM   LISTENING   6354   1/init       @/com/ubuntu/upstart
          unix 2   [ ACC ]   STREAM   LISTENING   8773   919/dbus-daemon   /var/run/dbus/system_bus_socket
          unix 2   [ ACC ]   STREAM   LISTENING   11794  1721/bluetoothd   @/org/bluez/audio
          unix 2   [ ACC ]   STREAM   LISTENING   10072  1234/acpid     /var/run/acpid.socket
          unix 2   [ ACC ]   STREAM   LISTENING   12935  2110/hald      @/var/run/hald/dbus-KPwDEsnHbH
          unix 2   [ ACC ]   STREAM   LISTENING   9314   1142/X       /tmp/.X11-unix/X0
          unix 2   [ ACC ]   STREAM   LISTENING   9313   1142/X       @/tmp/.X11-unix/X0
          unix 2   [ ACC ]   STREAM   LISTENING   12503  2032/ssh-agent   /tmp/ssh-faHEhv1945/agent.1945
          unix 2   [ ]     DGRAM          6542   456/udevd      @/org/kernel/udev/udevd
          That "208.78.69.70" IP is my DNS link...
          "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
          – John F. Kennedy, February 26, 1962.



            #6
            Re: Botnets, sinkholes, darknets, honeypots, etc...

            So, the Chinese have a working, secure M$ system then?

            What a tale of intrigue and disinformation. I wonder how many M$ users have any idea what's going on "under their noses"? I had no idea about the extent.

            GG, I ran that code as you suggested, to see the various Ports. I got the following readout. It does not mean a lot to me! Any cause for alarm? (By the way, what were all the "unix 3" entries about? They looked like internal connections.)

            philip@Philip-Desktop:~$ sudo netstat -nalp
            [sudo] password for philip:
            Active Internet connections (servers and established)
            Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
            tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 989/sshd
            tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1019/cupsd
            tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1417/exim4
            tcp 0 0 0.0.0.0:19150 0.0.0.0:* LISTEN 1561/gkrellmd
            tcp6 0 0 :::22 :::* LISTEN 989/sshd
            tcp6 0 0 ::1:631 :::* LISTEN 1019/cupsd
            tcp6 0 0 ::1:25 :::* LISTEN 1417/exim4
            tcp6 0 0 :::445 :::* LISTEN 985/smbd
            tcp6 0 0 :::139 :::* LISTEN 985/smbd
            tcp6 0 0 :::19150 :::* LISTEN 1561/gkrellmd
            udp 0 0 0.0.0.0:631 0.0.0.0:* 1019/cupsd
            udp 0 0 0.0.0.0:5353 0.0.0.0:* 1010/avahi-daemon:
            udp 0 0 0.0.0.0:34669 0.0.0.0:* 1010/avahi-daemon:
            udp 0 0 0.0.0.0:68 0.0.0.0:* 1036/dhclient
            udp 0 0 192.168.1.255:137 0.0.0.0:* 1584/nmbd
            udp 0 0 192.168.1.14:137 0.0.0.0:* 1584/nmbd
            udp 0 0 0.0.0.0:137 0.0.0.0:* 1584/nmbd
            udp 0 0 192.168.1.255:138 0.0.0.0:* 1584/nmbd
            udp 0 0 192.168.1.14:138 0.0.0.0:* 1584/nmbd
            udp 0 0 0.0.0.0:138 0.0.0.0:* 1584/nmbd
            udp6 0 0 :::5353 :::* 1010/avahi-daemon:
            udp6 0 0 :::51388 :::* 1010/avahi-daemon:
            Active UNIX domain sockets (servers and established)
            Proto RefCnt Flags Type State I-Node PID/Program name Path
            unix 2 [ ACC ] STREAM LISTENING 12434 2134/mysqld /home/philip/.local/share/akonadi/socket-Philip-Desktop/mysql.socket
            unix 2 [ ACC ] STREAM LISTENING 10772 1135/kdm /var/run/xdmctl/dmctl-:0/socket
            unix 2 [ ACC ] STREAM LISTENING 86305 6088/kio_http_cache /tmp/ksocket-philip/kio_http_cache_cleaner
            unix 2 [ ACC ] STREAM LISTENING 11867 2132/akonadiserver /home/philip/.local/share/akonadi/socket-Philip-Desktop/akonadiserver.socket
            unix 2 [ ACC ] STREAM LISTENING 12999 2205/nepomukservice /tmp/ksocket-philip/nepomuk-socket
            unix 2 [ ACC ] STREAM LISTENING 10296 1135/kdm /var/run/xdmctl/dmctl/socket
            unix 2 [ ACC ] STREAM LISTENING 6738 1/init @/com/ubuntu/upstart
            unix 2 [ ACC ] STREAM LISTENING 9283 1000/dbus-daemon /var/run/dbus/system_bus_socket
            unix 2 [ ACC ] STREAM LISTENING 9544 1130/acpid /var/run/acpid.socket
            unix 2 [ ACC ] STREAM LISTENING 12216 2224/virtuoso-t /tmp/virt_1111
            unix 2 [ ACC ] STREAM LISTENING 16868 2842/gconfd-2 /tmp/orbit-philip/linc-b1a-0-1e0199926c57e
            unix 2 [ ACC ] STREAM LISTENING 15904 2832/firefox-bin /tmp/orbit-philip/linc-b10-0-7452ca8a97e51
            unix 2 [ ACC ] STREAM LISTENING 9570 1149/X @/tmp/.X11-unix/X0
            unix 2 [ ACC ] STREAM LISTENING 10088 1535/winbindd /var/run/samba/winbindd_privileged/pipe
            unix 2 [ ACC ] STREAM LISTENING 9325 1010/avahi-daemon: /var/run/avahi-daemon/socket
            unix 2 [ ACC ] STREAM LISTENING 9583 1151/python /var/run/autokey-daemon
            unix 2 [ ] DGRAM 6804 443/udevd @/org/kernel/udev/udevd
            unix 2 [ ACC ] STREAM LISTENING 11253 2097/kdeinit4: ksms @/tmp/.ICE-unix/2097
            unix 12 [ ] DGRAM 9101 994/rsyslogd /dev/log
            unix 2 [ ACC ] STREAM LISTENING 9122 1019/cupsd /var/run/cups/cups.sock
            unix 2 [ ACC ] STREAM LISTENING 76928 4182/npviewer.bin @/org/wrapper/NSPlugins/libflashplayer.so/4167-1
            unix 2 [ ACC ] STREAM LISTENING 10937 1910/dbus-daemon @/tmp/dbus-jJJdQ9Hfae
            unix 2 [ ACC ] STREAM LISTENING 10460 1594/perl /var/run/gdm_socket
            unix 2 [ ACC ] STREAM LISTENING 9571 1149/X /tmp/.X11-unix/X0
            unix 2 [ ACC ] STREAM LISTENING 10087 1535/winbindd /tmp/.winbindd/pipe
            unix 2 [ ACC ] STREAM LISTENING 11283 1905/ssh-agent /tmp/ssh-JiLPgdlt1854/agent.1854
            unix 2 [ ACC ] STREAM LISTENING 11285 1906/gpg-agent /tmp/gpg-DGCl6C/S.gpg-agent
            unix 2 [ ACC ] STREAM LISTENING 11014 1970/kdeinit4: kdei /tmp/ksocket-philip/kdeinit4__0
            unix 2 [ ACC ] STREAM LISTENING 11027 1972/kdeinit4: klau /tmp/ksocket-philip/klauncherMT1972.slave-socket
            unix 2 [ ACC ] STREAM LISTENING 11254 2097/kdeinit4: ksms /tmp/.ICE-unix/2097
            unix 2 [ ] DGRAM 106067 10893/sudo



              #7
              Re: Botnets, sinkholes, darknets, honeypots, etc...

              Originally posted by PhilT
              So, the Chinese have a working, secure M$ system then?
              Well, for government and military PCs running Windows they are secure from NSA key intrusions, but their version of Windows isn't any more secure from hackers than what is sold to the rest of the world. IIRC, their sensitive computers are running RedFlag Linux but with their OWN back door keys.

              GG, I ran that code as you suggested, to see the various Ports. I got the following readout. It does not mean a lot to me! Any cause for alarm? (By the way, what were all the "unix 3" entries about? They looked like internal connections.)
              Everything looks typical.

              That display is divided, as you noticed, into two kinds of display: those with outbound ports to other computers via tcp and udp Internet connections, and the internal communication. I didn't see any Protocol/Reference Counts of "unix 3" in your listing, only "unix 2", which is typical for communication between two processes or daemons. That's how your services and other processes talk to each other and to you via your console or GUI interface.

              If you want to see all the processes that are running on your system you can run
              ps aux
              in a Konsole. If you want a limited, formatted version of ps you can run
              top

              Their man pages describe what they do and how to use them:
              man ps
              man top

              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
              – John F. Kennedy, February 26, 1962.

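The two netstat listings in posts #5 and #6, and the reading of them in #7, are the technical core of this thread. As an added example, not code from the thread or from anyone posting in it, here is a small Python script that parses `netstat -nalp` output and makes the same split that #7 makes by eye: sockets bound only to loopback (127.0.0.1 / ::1), which only local processes can reach, versus sockets bound to 0.0.0.0 / :: or to an interface address, which are reachable from the network unless a firewall blocks them. It also pulls out the remote endpoints of established or closing connections, such as the 208.78.69.70:80 entry that GG identified as a DNS link. The sample rows are copied from the listings in posts #5 and #6 (columns collapsed to single spaces, as the forum rendered them); the function and class names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Sample rows lifted from the netstat -nalp listings posted in this thread
# (posts #5 and #6). The forum collapsed the columns to single spaces; the
# parser splits on any whitespace, so both layouts work.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 989/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1019/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1417/exim4
tcp 0 0 0.0.0.0:19150 0.0.0.0:* LISTEN 1561/gkrellmd
tcp6 0 0 :::22 :::* LISTEN 989/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1019/cupsd
tcp6 0 0 :::445 :::* LISTEN 985/smbd
tcp6 0 0 :::139 :::* LISTEN 985/smbd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1010/avahi-daemon:
udp 0 0 192.168.1.14:137 0.0.0.0:* 1584/nmbd
tcp 0 0 192.168.1.100:52306 208.78.69.70:80 TIME_WAIT -
Active UNIX domain sockets (servers and established)
unix 2 [ ACC ] STREAM LISTENING 9122 1019/cupsd /var/run/cups/cups.sock
"""


@dataclass
class Socket:
    proto: str        # tcp, tcp6, udp or udp6
    local_host: str   # address the socket is bound to
    local_port: int
    foreign: str      # raw Foreign Address column, e.g. "0.0.0.0:*"
    state: str        # LISTEN, TIME_WAIT, ...; "" for unconnected UDP rows
    program: str      # PID/Program name column as printed, "-" if not shown


def split_host_port(addr: str) -> Tuple[str, str]:
    """Split netstat's host:port on the LAST colon so IPv6 hosts survive."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text: str) -> List[Socket]:
    """Return the Internet-socket rows of a `netstat -nalp` listing."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # headers and UNIX domain socket rows are skipped
        proto, local, foreign = fields[0], fields[3], fields[4]
        rest = fields[5:]
        # Unconnected UDP sockets have no State column, so the next token is
        # already PID/Program name (it contains '/' or is '-').
        if rest and "/" not in rest[0] and rest[0] != "-":
            state, program = rest[0], " ".join(rest[1:]) or "-"
        else:
            state, program = "", " ".join(rest) or "-"
        host, port = split_host_port(local)
        sockets.append(Socket(proto, host, int(port), foreign, state, program))
    return sockets


def exposure(host: str) -> str:
    """Classify a bound address by who can reach it (absent a host firewall)."""
    if host in ("0.0.0.0", "::"):
        return "all interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback only"
    if ip.is_link_local:
        return "link-local"
    return "specific interface"


def is_listening(s: Socket) -> bool:
    if s.proto.startswith("tcp"):
        return s.state == "LISTEN"
    # An unconnected UDP socket (foreign *:*) accepts datagrams from anyone.
    return s.state == "" and s.foreign.endswith(":*")


def exposed_services(sockets: List[Socket]) -> List[Tuple[str, int, str, str]]:
    """Listening sockets reachable beyond loopback: (proto, port, program, exposure)."""
    out = []
    for s in sockets:
        if is_listening(s):
            exp = exposure(s.local_host)
            if exp != "loopback only":
                out.append((s.proto, s.local_port, s.program.split("/", 1)[-1], exp))
    return out


def remote_endpoints(sockets: List[Socket]) -> List[Tuple[str, int]]:
    """Foreign endpoints of non-listening sockets: hosts this machine talked to."""
    ends = []
    for s in sockets:
        host, port = split_host_port(s.foreign)
        if port != "*":
            ends.append((host, int(port)))
    return ends


def report(text: str) -> str:
    sockets = parse_netstat(text)
    lines = ["Listening sockets reachable beyond loopback:"]
    for proto, port, prog, exp in exposed_services(sockets):
        lines.append(f"  {proto:5} port {port:<6} {prog:<20} ({exp})")
    lines.append("Remote endpoints seen in the connection table:")
    for host, port in remote_endpoints(sockets):
        lines.append(f"  {host}:{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pipe real output in (sudo netstat -nalp | python3 netstat_exposure.py),
    # otherwise the sample rows from the thread are used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(report(text))
```

On the sample rows this reports sshd (22), gkrellmd (19150), smbd (445/139), nmbd (137) and avahi (5353) as reachable from the network, while cupsd (631) and exim4 (25) drop out because they are bound to loopback, which is the distinction #7 draws between outward-facing ports and internal communication. Whether a network-reachable port is a problem depends on what sits in front of it: on PhilT's box the router and firewall mentioned in #4 decide whether the Samba and gkrellmd ports are visible beyond the LAN.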


                #8
                Re: Botnets, sinkholes, darknets, honeypots, etc...

                Thank you for the comments and the "Heads Up" on the different commands. Very grateful for your input - and for all the input from more learned folks.
