
Re: [cobalt-users] Recent Hacks - Why?



On Tue, 27 Feb 2001 gery.jansen@xxxxxxxxxxxxx wrote:

> Hi,
> 
> This is a really cool bit of information. I thank you for that.
> My only question is .... are only Cobalt RaQs and Qubes involved in this
> recent swap of attacks? Or are other systems involved as well? If only Cobalt,
> there are 2 questions.
> Why are only Cobalt systems involved, and if only Cobalt, why not the other
> systems?

Don't be silly, *thousands* of redhat machines have been hacked as well,
due to shipping with rpc.statd enabled when it's not even used, the same
versions of bind, unupgraded ftp daemons, etc. It really truly has little to do
with the machines being RaQs/Qubes/etc.

I've been told by a security fellow that 7 out of every 1000 machines
scanned were susceptible to being broken into...(estimate) and that's just
the 4 most recent issues, rpc, bind, qpopper, and proftp...

It has *a lot* to do with users failing to keep software up to date, and a
little to do with the fact that large numbers of people are using the same
exact versions of software, which makes it easier to hit a random machine
and be successful...

Another factor that seems to be involved lately is that the way cable
modems and adsl connections work on many ISPs makes it trivial for
someone to change their IP address on the fly, by just asking the server
for a new IP address, making it remarkably easy to hide....you could of
course do this via dialup, but it takes quite a lot longer for someone to
disconnect and redial, making them reluctant to do it unless forced to...

> > 2. A new crop of 'pups' is cutting their hacking teeth at the same time.

> > and Kiddie Scripters.  The real hackers have a kind of honor (if you can

and they also hide on irc telling the kiddies what to do, so the kiddies
get caught and they don't -/

> > call it that) and they purposely leave errors in the hacking scripts they

some of these kids can't even spell, much less write a working program...

one fellow that tried a password attack on my pop server took 3 tries to
spell 'mail'...

> > These Real Hackers have probably already had access to our systems for
> > months...we probably never would have known... but now all the Kiddie

This is why folks like BugTraq insist that information should be made
public quickly instead of burying it for months waiting around in the hope
a vendor will release a patch, the 'in the know' folks already know, and
they are by far the most dangerous...the kiddies won't do anything until
someone else writes a script for them...

> > are a lot more kiddie scripters than real hackers, I would guess...just

s/hackers/crackers/g

> > there are more RaQ newbies than old salts. :)

It's not just the RaQs; there are a *lot* of people administering machines
on the network that have little or no experience at all, and they are
making predictable mistakes...

> > There seems to be some kind of 'cachet' in having a list of compromised IPs
> > of boxes you've hacked. Also, hackers try to pre-prime machines for Denial
> > of Service attacks. They try to sneak onto as many machines as they can to

I have already seen 2 DoS attacks based on recently compromised
machines...get ready for the next wave folks...

> > So, the kiddies are probably doing it to 'collect' a bunch of hosts they

Your anonymous ftp server makes a nice warez site ;)

gsh