Yup. Good book. The ending is a bit "preachy", though.

-- Barrett

-----Original Message-----
From: Ben Diss [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 23, 2001 12:08 PM
To: [EMAIL PROTECTED]
Cc: 'Steven Bixby'; 'Dave Seay';
Subject: Re: [RCSE] Anti-virus software - a "tale of woe"

Have you read the book "The Cuckoo's Egg"? Great story about tracking down hackers.

http://www.amazon.com/exec/obidos/ASIN/0743411463/

-Ben

Barrett Stridiron wrote:
>
> > What is really surprising is how often I am alerted that someone is trying
> > to break in to my computer, even with a modem connection. Subseven Trojan
> > is the usual warning. It seems there are a lot of junior hackers out
> > there...
>
> "Script Kiddies" is the technical term for these folks.
> "Bastards" works, too.
>
> > The average internet user's setup does not run any servers, so there are
> > no real break-in points to exploit even. I suspect the gross majority of
> > hackers don't even bother with sites that aren't known commercial or
> > government entities.
>
> > We need to clear up a point. There is Anti-Virus software and Firewall
> > software. Norton security 2001 has both (I believe). The attempts you
> > are talking about are being thwarted by the firewall. If anyone is running a
> > cable modem or DSL modem and does not have a firewall, they are asking for
> > trouble.
>
> Funny this subject should come up now... modem users can be at risk.
>
> The Linux box in the basement at my home, which is a DHCP server, firewall
> and gateway for my home network, got hacked recently. I'm running Red Hat
> 6.2 on it. Since my internet connection is dialup (the local phone company
> wants $1200/month for a 128K DSL connection! Pass.) with no fixed IP
> address, I assumed there would be no major security problems, and didn't
> lock it down.
>
> Saturday night, I was in the basement finishing a plane when I heard the
> modem fire up. Not unusual, as Windows machines on the LAN sometimes cause
> the gateway to dial for their "who has" requests. These will normally time
> out within two minutes.
>
> Twenty minutes later, I happened to glance at the modem. The "SD" (send)
> light was on, steady.
>
> WTF?
>
> Something on the LAN is sending a lot of data, but what? All the Windows
> machines were either switched off or asleep; the only machines active were
> my Powermac G3 (playing MP3s), the Linux file server, and the Linux gateway.
>
> A check of the traffic out of the gateway revealed a perl script was
> scanning external IP addresses, and logging the results to a hidden file.
>
> Shit!
>
> I killed the offending process, shut down the modem connection, and started
> digging.
>
> Thanks to my hidden security logs (the standard system logs had all been
> scrupulously cleaned by the invader), I discovered the following:
> - In early March, someone polled my machine and discovered its security
>   holes.
> - Shortly afterward, my (encrypted) password file was transferred out via
>   ftp.
> - User OPERATOR logged in remotely, added two new user accounts ISHII and
>   OBREGON.
> - ISHII and OBREGON each logged in and transferred a single file to their
>   account.
> - Three rootkits were installed and activated.
>
> One ran the IP address scanner/logger.
>
> Another tracked how many users were logged in, relisted the password file
> and all known internal LAN connections at regular intervals. The culled
> information was (supposed) to be sent via email. (No working email on the
> firewall box - this may have saved other machines on my LAN from discovery)
>
> The most insidious (and frankly, ingenious) one "sniffed" all IP traffic
> passing through the firewall and logged the most interesting tidbits to a
> hidden file. This script caught damn near every unencrypted
> username/password combination that came by. This includes my ISP account
> info, my multiple email accounts and my login info for *many* websites,
> INCLUDING PAYPAL. =:^o
>
> I finished cleaning up the machine. For now, it is running a slightly
> modified version of the firewall script I use on the servers here in the
> office. Tonight, I plan to slay and rebuild the firewall at home, as I
> can't be sure that I caught everything.
>
> In the meanwhile, I'm changing every current password I have.
>
> -- Barrett

RCSE-List facilities provided by Model Airplane News. Send "subscribe" and "unsubscribe" requests to [EMAIL PROTECTED]
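One defensive check that follows from the account additions Barrett found in his secondary logs, as an added example that is not part of the thread or any poster's own code: keep a snapshot of the password file from when the machine was known-good and diff the live file against it, so accounts an intruder creates still show up after the normal system logs have been wiped. The snapshot and live contents below are constructed (they reuse only the account names mentioned in the thread), and the `audit_accounts` function and its report keys are this example's own names.

```python
# Added example, not code from the RCSE thread or its authors. Compares a
# known-good snapshot of /etc/passwd with the live file and reports accounts
# that were added or removed, plus any non-root account carrying UID 0.
# All sample data below is constructed for the example.

def parse_passwd(text):
    """Parse passwd-format text into {username: (uid, gid, home, shell)}."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd entry; ignore it
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = (int(uid), int(gid), home, shell)
    return accounts


def audit_accounts(baseline_text, current_text):
    """Report accounts added since the snapshot, accounts removed, and any
    account other than root that now has UID 0 (a common backdoor pattern)."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    uid0 = sorted(name for name, (uid, _gid, _home, _shell) in cur.items()
                  if uid == 0 and name != "root")
    return {"added": added, "removed": removed, "uid0": uid0}


# Constructed snapshot: the passwd file as it looked before the break-in.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
barrett:x:500:500:Barrett:/home/barrett:/bin/bash
"""

# Constructed live file: the two accounts named in the thread have appeared.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
barrett:x:500:500:Barrett:/home/barrett:/bin/bash
ishii:x:501:501::/home/ishii:/bin/bash
obregon:x:502:502::/home/obregon:/bin/bash
"""

if __name__ == "__main__":
    report = audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

Run from cron with the snapshot stored somewhere the gateway cannot write to (removable media or another host), since a snapshot kept on the compromised box can be edited along with the logs; the same diff approach applies to `/etc/shadow`, `/etc/group` and the list of listening ports.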

