[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: "suspicious" apache log entries

On Fri, Sep 13, 2002 at 09:42:26AM +1000, Geoff Crompton wrote:
>   I can see that sending an email is an approriate legal, and
>   responsible course of action.
>   However to make his servers beep, you still need to perform an illegal
>   act of cracking into his box. Regardless of what you intend to do when
>   you get in there, it is still unauthorized access to the computer. If
>   it is legal to crack a box for 'good' reasons, what do you think the
>   real crackers will say there were doing if they get caught?

 Nobody's catching "real crackers".  As long as the Internet remains like
the wild west, following good moral, even if you are technically in
violation of the law, is ok.  Let me explain why I think this is morally OK:

 Cracking a machine in the first place is a Bad Thing.  Once the admin finds
out about it, they basically have no choice but to re-install everything
from trusted sources.  However, if a box has already been cracked, further
crackings don't increase the work of re-installing, or anything (assuming
the further crackings don't delete or damage other files).  Thus, I don't
see exploiting an already-cracked box to try to get someone to patch it, as
long as you don't actually do any damage.

 It's possible that you might mistakenly think a box was Nimdaing you when
it wasn't actually cracked.  It's not important what makes you think that:
The point is that if you exploit the standard hole that Nimda exploits, but
the machine had never actually been cracked, you are the first one to crack
the machine, and cause a headache for the admin.  But if the machine was
vulnerable to the Nimda exploit, and had been in this state for a while, the
admin should not trust the machine anyway.  It's probably already been
cracked.  Since cracking a machine without doing any damage or copying any
information just makes the admin worry, and the chance of actually causing
harm with this is extremely low (since you would have to mistakenly apply
this alert-of-cracking tool to a machine that had just been set up
(otherwise it would already be untrustworthy)).  Given the very small harm
of mistakenly applying this, combined with the very small probability of
mistakenly applying it, the total harm done is small enough that it is
acceptable in comparison with the benefits.  Besides, if the machine was
vulnerable to the exploit, it would be infected with a worm in the near
future anyway, so warning the admin and doing no harm is not very bad. (It
is important to remember that the harm is only wasted admin time.  Nobody
will be killed or permanently injured or anything seriously bad.  Even small
amounts of some kinds of harm should not be acceptable as side effects, but
this is not one of those kinds of harm.)

 Another important part of this is that you would only get into the machine
using the same exploit that the worm used in the first place.  (Most IIS
worms don't patch the hole they used, do they?)  I think trying other
exploits is a lot less morally acceptable, especially because if you use
newer ones that aren't flooded by worms.  If you used uncommon attacks, my
argument that mistakenly applying it to an uncracked machine was not too bad
wouldn't apply.  (The machine probably wasn't already cracked, and isn't
guaranteed to be cracked by a worm in the near future.)  If you were going
to respond to probes from worms by using different exploits, you would have
to be very certain that the machine was actually infected.  If people pooled
information on which machines were attacking them, you could see if a
machine was making lots of attacks, which would indicate a worm (or maybe a
cracker using the machine to launch attacks, in which case alerting the
admin is good too).

 That's another thing: what about attacks that look the same as those used
by a worm, but are due to people trying to crack boxes.  (They'd have to be
pretty dumb to try it against a web server whose server string said it was
non-IIS running on a non-MS OS, since it's safe to assume that people who
would change the server header would also keep up with security updates.)
If the attacks are coming from the crackers own computer, mailing them about
their cracked machine won't do much good.  If a cracker is using someone
else's computer to make attacks, warning the admins of the machine is a Good
Thing.  (Smart crackers usually secure the machine against holes they
exploited, at least on Unix, though.)  I don't think that anything in this
paragraph is a reason not to crack boxes that attack you and warn their

>   Unless we could popularise running a 'alert-me-if-my-box-is-screwy'
>   daemon [...]

 A standard way of finding the webmaster's email addr would serve the same
purpose.  Probably would collect a lot of spam, though.  Maybe if you only
accepted mails that mentioned a URL that you have responsibility for, that
would help.  That way, spammers would have to go to more trouble than they
want to bother with to mention the right URL in the subject of every email
they send to one of these addresses.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC

Reply to: