Site defaced - what next?

Fred puissante at lrc.puissante.com
Fri Aug 6 23:01:01 EDT 2004


On Fri, 2004-08-06 at 11:52, Jeff Kinz wrote:
...
> That said, however, definitely file a report with the Police or FBI.
> Adding more numbers to that category of crime will raise the budgetary
> value of enforcing those laws at all levels and so eventually law
> enforcement will get more resources to follow up, but only if we report
> the crimes.

The last thing I would want to see is the FBI or the Police grow
*stronger* from stuff like this. They are bad enough as it is.

I had a server compromised by the Cinik Slapper worm once. This happened
to be one of my overnight number-crunching batch servers back when I was
a day trader. The worm so overloaded my server that it did not get a
chance to complete its intended purpose and thus f**ked up my trading
day the following day with a big enough loss to bump me out of the
market, just when the system was beginning to work. :-( Honest, the
system was beginning to work, being the results of 3 years of hard
research.

The worm was quite sophisticated, to my surprise -- a combination of
shell scripting and compiled code -- yes, it actually ran the C compiler
as a part of the compromise. And yes, I actually learned a few cool
shell programming techniques from it.

But at the same time, the cost was too great, and if I ever come across
said person he will swing by the ____s -- and that if he's lucky.

As far as I could tell, it was someone from Slovakia or Russia. And my
server was one of many used to launch a DoS attack on some firm in
Norway. 

All in all, I wonder if there is anything meaningful to do to stop such
attacks, other than securing the system. If the script kiddie lives
across the street, maybe. If he lives on the other side of this planet,
probably not.

Just use this as a lesson in security and find a way to prevent it from
happening again. And I think I'll do my own "Wiki" software when the
time comes. I can trust my own code to be secure. ;-)

> As for finding the SOB, if the guilty party can be positively identified 
> it would be helpful to everyone to know who it is.  If they are local
> I would certainly want to be aware of their activities. 

The chance that said attacker is local is quite remote. Probably some bored
person in Russia or South Africa or Taiwan or who knows where.

> If they are not local, the community which they live in is probably
> interested in knowing who they are and what they do as well.

Maybe. Then again, maybe they have too much "real crime" to deal with.
Or perhaps they will not be able to understand the issue. Perhaps the
person was smart enough to not do it from some personally identifiable
location. Perhaps he did it anonymously at an Internet Cafe somewhere --
tons of them in Europe and other parts of the world, and *no security*
on most of those systems whatsoever. An attacker could very easily stick
in a floppy or CD-ROM and upload his attack without leaving a trace.

Most of these idiots who are caught are caught not because it was traced
back to them, but because they were silly enough to boast about their
exploits in an open forum. Chat rooms and such.

> Did the server get rooted as well? or just defaced ?  If it's not rooted,
> then you may have some log file information that may be useful.  (of
> course even if its there, it may not help, depends on the sophistication
> of the attacker.)
> 
> Also - would you consider putting up a honeypot?  If they attacked once,
> they may try again and it would be much easier to find out who it is 
> if a honeypot is active.

Maybe, but why waste the effort? Just secure the system so it can't be
compromised again.

It's a Wild, Wild, Wild Internet. Despite the problems with viruses,
worms, DoS attacks and spam, I like the fact that it is still free and
wild, despite the best efforts of governments and corporations. Let's
seek technological solutions to protect ourselves, not legalistic or
bureaucratic ones. After all, we are in our element here. No need to run
to mommy government -- she can't help us anyway.

-- 
Fred -- fred at lrc.puissante.com -- place "[hey]" in your subject.
There are inflows and outflows -- and you're just a little node.
Know then, what transcendental sets have you.
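Fred's description of the worm (shell scripting plus compiled code, with the C compiler run on the victim as part of the compromise) suggests one cheap check a practitioner can run over process-execution logs: a web-serving account should never invoke a compiler, nor run a freshly built binary out of a temp directory. The script below is an added example, not part of the original post or any tool mentioned in it. The log format it parses is a constructed, simplified one (timestamp, user, executable, argv) rather than a real auditd or psacct layout, the account and toolchain names are assumptions to adjust per host, and the sample log lines are constructed, not captured from a real compromise.

```python
"""Flag compiler use and temp-dir execution by service accounts.

Added example; not code from the original post. The log format is a
constructed, simplified one (see LINE_RE); adapt parse_line() for the
real source (auditd EXECVE records, psacct, etc.).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed: accounts that have no business building code on a production host.
SERVICE_ACCOUNTS = {"apache", "www-data", "httpd", "nobody"}

# Assumed: toolchain binaries a self-compiling worm would need on the victim.
BUILD_TOOLS = {"gcc", "cc", "g++", "c++", "tcc", "as", "ld", "make"}

# World-writable places where a dropper typically compiles and runs its payload.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed log layout: <timestamp> user=<name> exe=<path> argv="<cmdline>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) exe=(?P<exe>\S+) argv="(?P<argv>[^"]*)"$'
)


@dataclass(frozen=True)
class ExecEvent:
    ts: str
    user: str
    exe: str
    argv: str


def parse_line(line: str) -> Optional[ExecEvent]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    return ExecEvent(**m.groupdict()) if m else None


def why_suspicious(ev: ExecEvent) -> Optional[str]:
    """Return a reason string if the event matches a detection rule, else None."""
    if ev.user not in SERVICE_ACCOUNTS:
        return None
    name = ev.exe.rsplit("/", 1)[-1]
    if name in BUILD_TOOLS:
        return "service account ran a build tool"
    if ev.exe.startswith(TEMP_DIRS):
        return "service account executed a binary from a temp directory"
    return None


def find_suspicious_execs(lines: List[str]) -> List[ExecEvent]:
    """Return the events, in log order, that trip either rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and why_suspicious(ev) is not None:
            hits.append(ev)
    return hits


# Constructed sample log, not captured from a real system. Only the two
# apache events (gcc, then the built binary in /tmp) should be flagged;
# root and the interactive user compiling is normal on this box.
SAMPLE_LOG = """\
2004-08-06T02:11:03 user=root exe=/usr/bin/gcc argv="gcc -o /usr/local/bin/tool tool.c"
2004-08-06T02:13:40 user=apache exe=/bin/sh argv="sh -c cd /tmp; /usr/bin/gcc -o .x .x.c"
2004-08-06T02:13:41 user=apache exe=/usr/bin/gcc argv="gcc -o .x .x.c"
2004-08-06T02:13:42 user=apache exe=/tmp/.x argv="/tmp/.x"
2004-08-06T02:15:00 user=fred exe=/usr/bin/gcc argv="gcc -O2 batch.c"
"""

if __name__ == "__main__":
    for ev in find_suspicious_execs(SAMPLE_LOG.splitlines()):
        print(f"{ev.ts} {ev.user}: {why_suspicious(ev)} ({ev.exe}: {ev.argv})")
```

The rule set deliberately keys on behaviour (who runs a compiler, and from where a binary is executed) rather than on any particular worm's file names, so it still fires when the next variant renames its dropper. The obvious hardening counterpart is to deny the service account execute access to the toolchain and mount the temp directories noexec, which turns the detection into prevention.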
