LinuxQuestions.org > Linux - Networking > Java VM Firewall Exploit (https://www.linuxquestions.org/questions/linux-networking-3/java-vm-firewall-exploit-576637/)

Yogstr 08-12-2007 09:26 PM

Java VM Firewall Exploit
 
I was hoping for some advice on a potential Java exploit that I experienced.

I keep fairly close track of my current active internet connections through the use of the command netstat -tupan, especially when anything odd seems to occur. After a while you get a feel for what is and isn't right.

Anyway, I was trying to register for a forum,

www.knowfirst.org

but experienced odd problems, such as the verification image being missing and the page intermittently not being available from the web site (it's there, then it isn't, etc.). There were some other issues, but you get the idea.

I issued netstat -tupan, and it showed a tcp6 Java VM connection established to a site apparently in the States. The IP was 207.234.186.3.

Does anyone know what a tcp6 connection is as opposed to a standard tcp connection? Should I somehow disable tcp6 connections?

This is NOT normal; I keep a close eye on what connections are normally there.
I had previously not instigated this connection or executed any Java app, or knowingly clicked on anything related to Java. The forum had a link to send an ICQ message to one of the administrators, so I did use this to send a message to inform the admin that his web site had problems. I don't know how the connection got there or if my system was compromised in any way. I had not been surfing long, so I don't think there was a lot of time to do anything.
chkrootkit did not find anything, and I NEVER run as root.

After googling I found this proof-of-concept explanation,

http://www.enyo.de/fw/security/java-firewall/

that the problem exists.

The scary thing is that it sailed straight through a decent hardware firewall. I have since turned Java off (JavaScript does not appear to be affected).

Has anyone heard of this? Are there any other steps I could take to prevent this sort of attack (without turning off Java)? Are there any steps I should take to report the IP address? If so, how? Or is it even worth reporting it?

If nothing else, people SHOULD be made aware of how easily this could happen to YOU!
There does not appear to be a bug-fix YET.
Any ideas?

Safe surfing to everyone!

Cheers Yogstr

unSpawn 08-13-2007 04:18 PM

With all due respect, if you are stressed out over something you can't place, then please take a deep breath and present exact details instead of talking about it. The words "potential", "Java" and "exploit" shouldn't be used in one sentence and in this context without presenting more and relevant technical details. Even without technical details being available, I'd say the chance you'll encounter .gov documents on any P2P network will be way, way greater than the chance the exploit you refer to is what you actually are seeing.

Yogstr 08-14-2007 09:49 AM

Thanks, unSpawn,

Sorry for wasting your time.

unSpawn 08-14-2007 12:00 PM

No, you're not wasting my time. What I meant to say is that if you don't know for sure it's a 'sploit, just *present* it as a problem. That said, any more details to share? Or was this a one chance only thing?

Yogstr 08-14-2007 07:37 PM

unSpawn, thank you for being understanding.

I do have an update.

I updated my virus checker, and it found several Java trojan virus files related to a Java-coded version of "Phising.Heuristics.Email.SpoofedDomain". These were likely dropped.

I could not find much info on the specific workings of this, as the technology is relatively new. What I did find out is that web-page-embedded JavaScript is the propagation vector for the initial attack.

A site is hijacked, and the malicious JavaScript code is embedded in images or other such objects. The code executes in your JavaScript-enabled browser without your knowledge. A fully compliant FTP server is opened up, and the rest is history. Your firewall has no defence, because the attack comes from within.

Read more here.

http://news.com.com/JavaScript+opens...3-6099891.html

VERY difficult to prevent this sort of attack, unless you disable JavaScript/Java. That's not very practical. Maybe a software firewall that warns of OUTBOUND connection attempts, something like ZoneAlarm (in Windows).

Anyway, I know I have now found the problem, and learnt a whole lot in the process.

This would probably be better in the security forum now; however, I would really like to know, basically in layman's terms, more about the tcp6 network protocol, as this seems to be a significant part of it. I have tried to find out more, but what I found is quite complicated.

Perhaps disable tcp6 if possible? But it might not help prevent this in any case.

unSpawn 08-15-2007 04:38 PM

> I updated my virus checker, and it found several Java trojan virus files related to a Java-coded version of "Phising.Heuristics.Email.SpoofedDomain".

Hmm. I just wonder what kind of files these were...

> VERY difficult to prevent this sort of attack, unless you disable JavaScript/Java. That's not very practical.

I think that if you use Java, you'll use it on only a few sites. Most current browser versions have a way to disable it, so it wouldn't be hard to enable it when you go there. Same for JavaScript, really. Of course that's easy for me to say since I use Opera (which allows you to disable both on a site-by-site basis) and Firefox (which does the same with the 'NoScript' plugin). The fact you have to be careful and can't trust a lot of sites is, well, sad, but still workable IMHO. Doesn't mean I trust browsers one bit, so I filter a lot using Privoxy.

> Maybe a software firewall that warns of OUTBOUND connection attempts, something like ZoneAlarm (in Windows).

I blogged about that a long time ago (not that I blog much of course): Constructing "ZoneAlarm for Linux"?

> I would really like to know, basically in layman's terms, more about the tcp6 network protocol, as this seems to be a significant part of it. I have tried to find out more, but what I found is quite complicated. Perhaps disable tcp6 if possible? But it might not help prevent this in any case.

IPv6 is "just" the "new IPv4" ;-p
Maybe start at http://en.wikipedia.org/wiki/Ipv6?
And yes, you can configure your ethernet device to not do IPv6.
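The netstat -tupan monitoring described in the first post, and the tcp6 question answered above, as an added example that is not code from either poster: a small parser that reads netstat -tupan output, flags ESTABLISHED connections owned by programs outside an allowlist, and strips the ::ffff: prefix that marks an IPv4 peer reached through a dual-stack IPv6 socket (the usual reason a Java process shows up under tcp6). The sample output, addresses and allowlist are constructed for the example.

```python
from typing import List, NamedTuple

class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: str
    prog: str

# Constructed sample in the layout `netstat -tupan` prints; not output captured from a real host.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.10:43210      203.0.113.5:80          ESTABLISHED 2345/firefox-bin
tcp6       0      0 ::ffff:192.168.1.10:52345 ::ffff:203.0.113.7:80 ESTABLISHED 2400/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
"""

def unmap_host(addr: str) -> str:
    """Drop the port and the ::ffff: prefix. A tcp6 socket whose peer is
    ::ffff:a.b.c.d carries an ordinary IPv4 connection through a dual-stack
    IPv6 socket; that is why Java appears as tcp6 even with an IPv4 peer."""
    host, _, _port = addr.rpartition(":")
    return host[len("::ffff:"):] if host.startswith("::ffff:") else host

def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # skip the two header lines
        # UDP rows have no State column, so the PID/Program field shifts left.
        state = parts[5] if len(parts) == 7 else ""
        pid, _, prog = parts[-1].partition("/")  # "-" when netstat lacks permission
        conns.append(Conn(parts[0], parts[3], parts[4], state, pid, prog))
    return conns

def unexpected(conns: List[Conn], allowed: set) -> List[Conn]:
    """ESTABLISHED connections whose owning program is not on the allowlist."""
    return [c for c in conns if c.state == "ESTABLISHED" and c.prog not in allowed]

if __name__ == "__main__":
    for c in unexpected(parse_netstat(SAMPLE), {"firefox-bin", "sshd"}):
        print(f"{c.proto:5} {c.prog}[{c.pid}] -> {unmap_host(c.remote)} ({c.remote})")
```

Run it as root (or with CAP_NET_ADMIN) against live output, since otherwise netstat prints "-" in the PID/Program column and the allowlist check cannot see the owning process.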

