> > * could they be getting info on RaQ's from this email list?
>
> This list (and others like it, including support newsgroups)
> must be a goldmine for hackers.
> By monitoring this list, they get a target domain name they
> can identify as very probably running a RAQ of some sort.
> Even if you don't use a sig, the info is likely in the email
> headers. If you're asking a question, you'll say what machine
> you have - the standard version of all programs that comes on
> those particular machines is public knowledge. All they need
> to do is test those holes, and if you haven't been up-to-date
> with the patches, they're in again. You might even say you're
> having trouble with version x.x of an inet program. If that
> program has a known exploit, their work is done.

This sounds like a lot of work to me. Why read mails when you can play
a game on your playstation?

Usually the "script kiddies" work in a different way:

- scan a block of IP addresses to find where hosts are running
- use a tool like nmap to find out what OS is running on it
- use a port scanner to find out what version of what services are
  running on what port
- use a database of known exploits to try to get a way in
- install a root kit for the OS
- report back to a place where the script kiddie can update his/her
  list of 0wn3d boxes

These steps can all be fully automated (and are!). Of course you run
this from a host you hacked to begin with, so it is harder to trace you
back.

After some time scanning you have a database of servers and services.
Now when a new vulnerability comes out, you obtain an exploit (doesn't
take long usually) and add it as a plugin to your tool. Then you give
your tool a command like "run the new exploit on all known hosts that
run Bind 8.0". All you have to do then is wait a while (play a game on
your playstation and drink a coke), and your list of owned boxes grows.

Owning a lot of boxes serves a few basic purposes:

- your status in the hacker scene might grow
- you have a lot of boxes to start a DOS attack on people you don't
  like because they kicked you off an irc channel
- you have a choice where you can host your tools when the original
  box is restored by the real owners

Sounds like an easy game, doesn't it? Well, it really is these days!

So what can we do to protect ourselves? Think like hackers, use their
tools. Install a security scanner like Nessus (http://www.nessus.org/)
and look at what is vulnerable on your box. When you are vulnerable,
either fix the hole, stop the service or put a firewall in front of it.

Do not wait for Cobalt, because usually the script kiddies are faster
in making their exploit than a company like Cobalt can release a tested
fix that passes all quality procedures. Script kiddies do not work from
9 to 5. An exploit does not have to be perfect to release it...

Security is not a status, it is a constant fight...

Reinoud

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
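
Added example, not part of the original post: a defender-side check for the scanning steps listed above, flagging sources that sweep one port across many hosts or probe many ports on one host within a short window. The log lines are constructed and simplified (epoch timestamp plus iptables-style SRC=/DST=/DPT= fields), and the function name, window and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed line shape: "<epoch> ... SRC=<ip> DST=<ip> ... DPT=<port>"
LINE_RE = re.compile(r"^(\d+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")

def detect_scanners(lines, window=60, min_hosts=4, min_ports=4):
    """Return {src: labels} for sources whose dropped packets, within any
    `window`-second span, hit >= min_hosts hosts on one port ("sweep")
    or >= min_ports ports on one host ("portscan")."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # lines that do not parse are ignored
            ts, src, dst, dpt = m.groups()
            events[src].append((int(ts), dst, int(dpt)))
    findings = defaultdict(set)
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window so it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts_by_port = defaultdict(set)
            ports_by_host = defaultdict(set)
            for _, dst, dpt in evs[start:end + 1]:
                hosts_by_port[dpt].add(dst)
                ports_by_host[dst].add(dpt)
            if any(len(h) >= min_hosts for h in hosts_by_port.values()):
                findings[src].add("sweep")
            if any(len(p) >= min_ports for p in ports_by_host.values()):
                findings[src].add("portscan")
    return dict(findings)

# Constructed sample (documentation address ranges, not real traffic).
SAMPLE = (
    # one port across five hosts in five seconds
    [f"{1000 + i} IN=eth0 SRC=203.0.113.7 DST=192.0.2.{i + 1} PROTO=TCP DPT=53"
     for i in range(5)]
    # five ports on one host in five seconds
    + [f"{2000 + i} IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT={p}"
       for i, p in enumerate((21, 22, 23, 25, 80))]
    # five hosts, but ten minutes apart: stays under the threshold
    + [f"{3000 + 600 * i} IN=eth0 SRC=198.51.100.77 DST=192.0.2.{i + 1} PROTO=TCP DPT=25"
       for i in range(5)]
    + ["not a firewall line"]
)

if __name__ == "__main__":
    for src, labels in sorted(detect_scanners(SAMPLE).items()):
        print(src, sorted(labels))
```

The third source in the sample shows the limit of a fixed window: a scanner that paces itself slower than the window is not flagged, so the thresholds need tuning against your own traffic.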
