Old 08-12-2007, 09:26 PM   #1
Yogstr
Java VM Firewall Exploit


I was hoping for some advice on a potential Java exploit that I experienced.

I keep fairly close track of my current active internet connections through the use of the command netstat -tupan, especially when anything odd seems to occur. After a while you get a feel for what is and isn't right.

Anyway, I was trying to register for a forum,

www.knowfirst.org

but experienced odd problems, such as the verification image being missing, the page intermittently not being available from the web site (it's there, then it isn't), etc. There were some other issues but you get the idea.

I issued netstat -tupan, and it showed a tcp6 Java VM connection established to a site apparently in the States. The IP was 207.234.186.3.

Does anyone know what a tcp6 connection is as opposed to a standard tcp connection? Should I somehow disable tcp6 connections?

This is NOT normal; I keep a close eye on what connections are normally there.
I had previously not instigated this connection or executed any Java app, or knowingly clicked on anything related to Java. The forum had a link to send an ICQ message to one of the administrators, so I did use this to send a message to inform the admin that his web site had problems. I don't know how the connection got there or if my system was compromised in any way. I had not been surfing long, so I don't think there was a lot of time to do anything.
chkrootkit did not find anything, and I NEVER run as root.

After Googling I found this explanation of a proof of concept,

http://www.enyo.de/fw/security/java-firewall/

that the problem exists.

The scary thing is that it sailed straight through a decent hardware firewall. I have since turned Java off (JavaScript does not appear to be affected).

Has anyone heard of this? Are there any other steps I could take to prevent this sort of attack (without turning off Java)? Are there any steps I should take to report the IP address? If so, how? Or is it even worth reporting it?

If nothing else, people SHOULD be made aware of how easily this could happen to YOU!
There does not appear to be a bug-fix YET.
Any ideas?

Safe surfing to everyone!

Cheers Yogstr

Last edited by Yogstr; 08-12-2007 at 10:04 PM.
 
Old 08-13-2007, 04:18 PM   #2
unSpawn
With all due respect, if you are stressed out over something you can't place, then please take a deep breath and present exact details instead of talking about it. The words "potential", "java" and "exploit" shouldn't be used in one sentence and in this context without presenting more, and relevant, technical details. Even without technical details being available I'd say the chance you'll encounter .gov documents on any P2P network will be way, way greater than the chance that the exploit you refer to is what you are actually seeing.
 
Old 08-14-2007, 09:49 AM   #3
Yogstr
Thanks UnSpawn,

Sorry for wasting your time.
 
Old 08-14-2007, 12:00 PM   #4
unSpawn
No, you're not wasting my time. What I meant to say is that if you don't know for sure it's a 'sploit, just *present* it as a problem. That said, any more details to share? Or was this a one chance only thing?
 
Old 08-14-2007, 07:37 PM   #5
Yogstr
UnSpawn, thank you for being understanding.

I do have an update.

I updated my virus checker, and it found several Java trojan virus files related to a Java-coded version of "Phising.Heuristics.Email.SpoofedDomain".
These were likely dropped.

I could not find much info on the specific workings of this, as the technology is relatively new. What I did find out is that web page embedded JavaScript is the propagation vector for the initial attack.

A site is hijacked, and the malicious JavaScript code is embedded in images or other such objects. The code executes in your JavaScript-enabled browser, without your knowledge. A fully compliant FTP server is opened up, and the rest is history. Your firewall has no defence, because the attack comes from within.

Read more here.

http://news.com.com/JavaScript+opens...3-6099891.html

VERY difficult to prevent this sort of attack, unless you disable JavaScript/Java. That's not very practical. Maybe a software firewall that warns of OUTBOUND connection attempts, something like ZoneAlarm (in Windows).

Anyway, I know I have now found the problem, and learnt a whole lot in the process.

This would probably be better in the security forum now; however, I would really like to know, basically in layman's terms, more about the tcp6 network protocol, as this seems to be a significant part of it. I have tried to find out more, but what I found is quite complicated.

Perhaps disable tcp6 if possible? But it might not help prevent this in any case.
 
Old 08-15-2007, 04:38 PM   #6
unSpawn
Quote (Yogstr): I updated my virus checker, and it found several Java trojan virus files related to a Java-coded version of "Phising.Heuristics.Email.SpoofedDomain"
Hmm. I just wonder what kind of files these were...


Quote (Yogstr): VERY difficult to prevent this sort of attack, unless you disable JavaScript/Java. That's not very practical.
I think that if you use Java, you'll use it on only a few sites. Most current browser versions have a way to disable it, so it wouldn't be hard to enable it when you go there. Same for JavaScript, really. Of course that's easy for me to say since I use Opera (which allows you to disable both on a site by site basis) and Firefox (which does the same with the 'NoScript' plugin). The fact you have to be careful and can't trust a lot of sites is, well, sad, but still workable IMHO. Doesn't mean I trust browsers one bit, so I filter a lot using Privoxy.


Quote (Yogstr): Maybe a software firewall that warns of OUTBOUND connection attempts, something like ZoneAlarm (in Windows).
I blogged about that a long time ago (not that I blog much of course): Constructing "ZoneAlarm for Linux"?


Quote (Yogstr): I would really like to know, basically in layman's terms, more about the tcp6 network protocol, as this seems to be a significant part of it. I have tried to find out more, but what I found is quite complicated. Perhaps disable tcp6 if possible? But it might not help prevent this in any case.
IPv6 is "just" the "new IPv4" ;-p
Maybe start at http://en.wikipedia.org/wiki/Ipv6?
And yes, you can configure your ethernet device to not do IPv6.
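Added example, not code from the thread or its posters: a small shell filter that turns the netstat -tupan habit discussed above into a repeatable check, flagging ESTABLISHED sockets owned by programs outside an allowlist and stripping the ::ffff: prefix so a tcp6 row to an IPv4 peer shows the real address (a Java VM on Linux opens dual-stack IPv6 sockets by default, which is why its IPv4 connections are listed under tcp6). The sample netstat output and the allowlist names are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): flag ESTABLISHED sockets owned by
# programs that are not on an allowlist, reading `netstat -tupan` output.
# Assumes the standard netstat -tupan column layout shown in SAMPLE; the
# allowlist contents are a hypothetical choice for the host being checked.

# Constructed sample of `netstat -tupan` output, not a real capture.  The tcp6
# row shows an IPv4 peer through a dual-stack socket (::ffff: mapped address).
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.5:41230       198.51.100.7:443        ESTABLISHED 2210/firefox-bin
tcp6       0      0 ::ffff:192.168.1.5:33412 ::ffff:207.234.186.3:80 ESTABLISHED 4321/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# flag_unexpected ALLOWLIST  (space-separated program names), netstat text on stdin.
# Prints "proto peer program" for each ESTABLISHED socket whose program is not
# allowed.  Address columns contain no spaces, so awk's default splitting is
# enough; udp rows have no State column, so the $6 test also skips them.
flag_unexpected() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR > 1 && $6 == "ESTABLISHED" {
            split($7, pp, "/")                 # "4321/java" -> pid, program
            prog = pp[2]
            if (!(prog in ok)) {
                peer = $5
                sub(/^::ffff:/, "", peer)      # show the real IPv4 peer on tcp6 rows
                print $1, peer, prog
            }
        }'
}

# Number of flagged rows in SAMPLE for a given allowlist (used by the checks).
count_flagged() {
    printf '%s\n' "$SAMPLE" | flag_unexpected "$1" | wc -l | tr -d ' '
}

# Live use would be:  netstat -tupan | flag_unexpected "sshd firefox-bin"
printf '%s\n' "$SAMPLE" | flag_unexpected "sshd firefox-bin"
```

A row whose program column is "-" (socket owned by another user, netstat run without root) comes out with an empty program name, which is itself worth a look.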
 
  

