
Re: Benign crackers?



You wouldn't actually imply that hackers are out there providing a welcome service, would you? I can see if you asked for your network to be stress tested, but to go as far as saying they provide a welcome service? Come on! Yeah, they might have found a security hole, but oops, now the firewall admin is out of a job. People should constantly strive to secure their own boxen, we don't need hackers to do it for us.


From: "A. L. Meyers" <a.l.meyers@consult-meyers.com>
To: Steve Rudd <srudd@bible.ca>
CC: debian-security@lists.debian.org
Subject: Benign crackers?
Date: Wed, 21 Feb 2001 08:21:02 +0100 (CET)

On Tue, 20 Feb 2001, Steve Rudd wrote:

> Daniel Stark asked:
>
> At 01:53 PM 2/20/01 -0800, you wrote:
> >How exactly did you get hacked?  Did you leave security holes large
> >enough for a bus to drive through open? Open your inetd.conf file and #
> >out everything!  The only thing you need open is port 22.  Others will
> >disagree, but depending on what your server is used for, this should be
> >your first step for security.
>
> Steve here,
>
> Several have voiced an interest in the hack. Well here is a guess and some
> facts:
>
> THE HACK:
> For those interested in the hack, I think it was the "Dameon worm" but
> could not find any evidence of the trace files on my system. Here is what
> happened:
>
> 1. I get a letter from "hacked@attrition.org"  saying: "Urgent! Security
> incident on your machine! Attrition.org is a non-profit, hobby web site
> that monitors
> computer crime on the internet. In the past few minutes, we
> have been notified that your domain was hacked, and your web
> page defaced. This means that the intruder has edited your
> web page in some way. Due to this, it is quite likely that
> one or all of the machines on your network are compromised.
> You may wish to take immediate action to correct this problem
> and respond to the intrusion."
>
> 2. I noticed my clock went forward maybe a day and had to reset it via
> "date" command.
>
> 3. I notice a single page was changed: "index.html"
>
> Here is the code from that page:
>
>
> <!-- BEGIN Naviscope Javascript -->
> <script language='javascript'>
>            NS_ActualOpen=window.open;
>            function NS_NullWindow(){this.window;}
> function NS_NewOpen(url,nam,atr){return(new NS_NullWindow());}
>            window.open=NS_NewOpen;
> </script>
> <!-- END Naviscope Javascript -->
>
> <html>
> <head>
> <title>..:: Quit Crew ::..</title>
> </head>
> <body bgcolor="#FFFFFF">
> <center>
> <OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
> codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=4,0,0,0";
>          ID=devil WIDTH=731 HEIGHT=562>
>          <PARAM NAME=movie VALUE="qc.swf">
>          <PARAM NAME=loop VALUE=false>
>          <PARAM NAME=quality VALUE=high>
>          <PARAM NAME=bgcolor VALUE=#FFFFFF>
>
>
> </OBJECT>
> </center>
> </body>
> </html>
>
> =========
> end code
>
> 4. I have noticed nothing other than these changes.
>
> So there you have it. I didn't even ever get to see what the flash was all
> about; it just loaded forever without anything. You know, for all my trouble,
> I should have at least got some free artwork!
>
> Steve
>
Dear fellow debianites,

To dispel any doubts, I would not even know how to start a crack
attempt.

There seem to be more and more "benign" hackers and crackers on the web
who might even be a "blessing in disguise". If all they do is crack
sites without damaging anything and afterwards inform the sites, they
might just be performing a very valuable service.

My own experience is that no one believes he is vulnerable until he has
experienced a real security breach or worse. People in general seem to
prefer to remain blissfully unaware of internet security risks. Even
persuading clients to download pgp and use it to transfer confidential
information encrypted is not easy.

Best regards,

Lucien Meyers
