Monthly Archives: July 2007

It's called the Storm worm. It is meant to take over your machine and add it to a network of attack computers for criminals to control. It slipped by one client's defenses and got into one machine. Luckily it was caught and eliminated quickly. The variant I saw was easily dispatched by hand. Update your anti-virus and do a scan. If any ECC clients are unsure about things, call me up..:)

I give credit to my wife for finding this. The piano, tesla coils, flute and handfarts are the best to me..

Unfortunately Astaro has their forums set too restrictively for me to post there..:(

I have IPS off and web security off; I only use A/V and anti-spam for POP3.

I'll post links to the posts on the astaro.org forums as I find them.

I have 5 rules (fields as shown in the webadmin packet filter table):

Rule 1: Internal (Network) / Any / None / Any
Rule 2: Any / enoch / None / SSH
Rule 3: Any / joshua / None / joshua source
Rule 4: Any / joshua / None / joshua ssh
Rule 5: Any / joshua / None / joshua 1.6

I have one masq rule:
Internal (Network) -> DSL

I can easily exhaust the CPU by firing up Azureus (which is set to max 250 connections globally) and starting a torrent. ALL traffic stops as the CPU is maxed out by pfilter-reporte. For the first 3 minutes I let the torrent go there is a total DoS, incoming and outgoing. The webadmin is only partially responsive. SSH is slow but responsive. All other functions (web, mail, any other traffic) stop. Once I kill the torrent, the CPU is still pegged, but within seconds traffic begins flowing once again.

Here is my top 5 minutes after I have stopped the torrent:
top - 13:56:43 up 3 days, 17:42, 1 user, load average: 4.81, 4.20, 2.61
Tasks: 88 total, 5 running, 82 sleeping, 0 stopped, 1 zombie
Cpu(s): 76.6%us, 20.6%sy, 0.0%ni, 0.0%id, 1.9%wa, 0.5%hi, 0.5%si, 0.0%st
Mem: 515392k total, 490176k used, 25216k free, 27784k buffers
Swap: 1050832k total, 115480k used, 935352k free, 122988k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7800 root 21 0 32428 13m 3016 R 15.3 2.6 14:49.97 pfilter-reporte
17633 root 16 0 30464 9m 1692 D 4.8 2.0 0:00.10 confd.plx
17634 root 17 0 30312 9812 1644 S 4.3 1.9 0:00.09 confd.plx
7807 root 15 0 13292 8040 2468 S 3.4 1.6 0:10.29 notifier.plx
3078 root 16 0 15108 6860 1664 S 1.4 1.3 29:57.32 selfmonng.plx
1478 root 15 0 0 0 0 D 0.5 0.0 0:03.43 kjournald
2755 root 15 0 29704 7268 1092 S 0.5 1.4 0:06.55 confd.plx
5311 root 15 0 1560 156 132 S 0.5 0.0 13:29.44 pppoe
16094 wwwrun 16 0 32676 26m 2840 S 0.5 5.3 0:08.16 index.plx
16628 root 15 0 19220 13m 3656 S 0.5 2.7 0:01.98 audld.plx
1 root 16 0 716 176 132 S 0.0 0.0 0:01.38 init
2 root 34 19 0 0 0 R 0.0 0.0 0:19.05 ksoftirqd/0
3 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 events/0
4 root 14 -5 0 0 0 S 0.0 0.0 0:00.01 khelper
5 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kthread
7 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kblockd/0
8 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 kacpid

This is totally unacceptable for a security product.

*edit* The load is now up to 6 but the system is slowwwwwly becoming usable again. The torrent is now going and of course the number of packets being blocked isn't that high, but pfilter is still pegging the CPU.

This is still a DoS, but a short-term one. I'll post updates as to when pfilter calms down and see if I can duplicate the results in a couple of days. I've brought Astaro to a halt twice today already doing this.

*update* As of 4pm EDT pfilter-reporte finally released the CPU.

*update2* I'm late to the party; many have reported it. However, I have so far isolated it to pfilter-reporte only. Something in the packet filtering chokes when it gets more than a few dropped packets a second.
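Two quick checks a practitioner would want when chasing this kind of problem, written here as an added example (this is not code from the post or from Astaro): first, parse the `top` snapshot posted above and sum %CPU per command so that a reporting daemon stands out even when it is split across several processes; second, count dropped-packet log lines per second to see whether the drop rate really is in the "few packets a second" range the post blames. The log lines are constructed for the example and use the standard Linux iptables LOG prefix style, which is an assumption; Astaro's own log format is not shown on the page.

```python
import re
from collections import defaultdict

# Process table from the `top` snapshot in the post, embedded so the example runs offline.
TOP_SNAPSHOT = """\
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7800 root 21 0 32428 13m 3016 R 15.3 2.6 14:49.97 pfilter-reporte
17633 root 16 0 30464 9m 1692 D 4.8 2.0 0:00.10 confd.plx
17634 root 17 0 30312 9812 1644 S 4.3 1.9 0:00.09 confd.plx
7807 root 15 0 13292 8040 2468 S 3.4 1.6 0:10.29 notifier.plx
3078 root 16 0 15108 6860 1664 S 1.4 1.3 29:57.32 selfmonng.plx
1478 root 15 0 0 0 0 D 0.5 0.0 0:03.43 kjournald
2755 root 15 0 29704 7268 1092 S 0.5 1.4 0:06.55 confd.plx
5311 root 15 0 1560 156 132 S 0.5 0.0 13:29.44 pppoe
16094 wwwrun 16 0 32676 26m 2840 S 0.5 5.3 0:08.16 index.plx
16628 root 15 0 19220 13m 3656 S 0.5 2.7 0:01.98 audld.plx
1 root 16 0 716 176 132 S 0.0 0.0 0:01.38 init
"""

# Constructed firewall log lines in iptables LOG style (assumed format, not Astaro's own).
# Addresses are from documentation ranges; port 6881 is the usual BitTorrent port.
DROP_LOG = """\
Jul 19 13:51:02 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51324 DPT=6881
Jul 19 13:51:02 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40211 DPT=6881
Jul 19 13:51:02 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.12 DST=198.51.100.2 PROTO=UDP SPT=6881 DPT=6881
Jul 19 13:51:03 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.15 DST=198.51.100.2 PROTO=TCP SPT=33333 DPT=6881
Jul 19 13:51:03 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51325 DPT=6881
Jul 19 13:51:03 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.21 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=6881
Jul 19 13:51:03 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.22 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=6881
Jul 19 13:51:09 fw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.30 DST=198.51.100.2 PROTO=TCP SPT=52000 DPT=22
"""


def parse_top(snapshot):
    """Parse the process table of a `top` snapshot into a list of dicts keyed by column."""
    lines = [ln for ln in snapshot.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        # Limit the split so a COMMAND containing spaces stays in one field.
        fields = line.split(None, len(header) - 1)
        if len(fields) != len(header):
            continue
        row = dict(zip(header, fields))
        row["%CPU"] = float(row["%CPU"])
        row["%MEM"] = float(row["%MEM"])
        rows.append(row)
    return rows


def cpu_by_command(rows):
    """Sum %CPU per command name so several instances (e.g. confd.plx) count together."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["COMMAND"]] += row["%CPU"]
    return dict(totals)


def cpu_hogs(rows, threshold=10.0):
    """Return [(command, total %CPU)] at or above the threshold, highest first."""
    totals = cpu_by_command(rows)
    hogs = [(cmd, cpu) for cmd, cpu in totals.items() if cpu >= threshold]
    return sorted(hogs, key=lambda item: -item[1])


# Syslog timestamp followed by a kernel DROP record (assumed prefix "DROP ").
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP ")


def drops_per_second(log):
    """Count DROP log lines per one-second timestamp bucket."""
    counts = defaultdict(int)
    for line in log.splitlines():
        match = LOG_RE.match(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def peak_drop_rate(log):
    """Highest number of drops seen in any single second (0 if no DROP lines)."""
    counts = drops_per_second(log)
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    rows = parse_top(TOP_SNAPSHOT)
    print("CPU hogs:", cpu_hogs(rows))
    print("peak drops/sec:", peak_drop_rate(DROP_LOG))
```

The top parser is the quick way to confirm that a single userland reporter, not the kernel packet filter itself, is what is pegged; the drop counter gives the rate the reporter is being fed, which is the number to compare against any fix or workaround you try.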

*update three* Here are some threads talking about this issue:
HERE
HERE
HERE
Here
HERE
Here
Astaro has privately acknowledged the issue.

*UPDATE* The new version 7.006 right now doesn’t appear to have fixed this exploit.

*UPDATE* There's a workaround: killing the packet filter reporter…which it turns out is a .pl (Perl) script. This may go a long way to explaining the root of the problem.

*UPDATE* Killing pfilter doesn't work. Another solution may be a fresh install with the latest version instead of an upgrade. I will try that one.

*UPDATE* In this thread on Astaro's forums, another user suggested reloading from scratch with the latest 7.006 ISO. So far this has solved the pfilter DoS issue, so apparently upgrading is a problem?? The POP3 A/V issue still remains though.

Be Kind to Your Web Footed Friends

Be kind to your web-footed friends
‘cuz a duck may be somebody’s brother
they live in the pond or the brook
by the mud and the gunk and the gook

You may think that this is the end,
oh no, there is yet another
be kind to your web-footed friend
because a duck may be somebody’s brother

Sung to the tune of “Stars and Stripes Forever”
(thank you Sousa for some great patriotic marches)

I hope everyone has a great 4th. While celebrating this awesome day, please remember to thank Him who made this country great. Praise be to God!

Gen

I have found a very practical Microsoft product that's not expensive: Small Business Server 2003. What a great idea Microsoft had. You get Server 2003 (along with IIS), Exchange, SharePoint, and Outlook 2003 all for $499 at retail for the standard edition. The premium edition has the same plus SQL Server and ISA Server for $699. Both of these come with 5 CALs out of the box. For SMBs this is perfect, and honestly I have not found any open source suite that can match this in terms of ease of use and ease of install and configuration. With one suite you have AD, Exchange, intranets (SharePoint) and a database. I have deployed 4 of these, and once you learn the quirks of the suite it's quite well put together. To give you an idea, I'm going to be changing out my current Linux file server to an SBS 2003 standard machine.

I'm not a Microsoft fan at all..but when something works, and works well, and my clients like it…I have to use it.

Of course there's the hardware. The Linux file server is a Celeron 1.1 GHz with 256 MB of RAM. It's going to be replaced with an Athlon XP 2000+ with 1 GB of RAM.

The reviews are overwhelmingly positive. I would love to get one..the big thing however is that it's Cingular only. Sprint/Nextel has been good to us for over 8 years and they are making it easy for me to take our Sprint account over to the Nextel plans (we want the PTT for the business). I'm not willing to move to Cingular and lose the easy upgrade path..also it's going to cost me nearly 2 grand to move to Cingular vs only about 500 to change to Nextel once I decide to move my company's cell service to Nextel. Can't justify that one.