
January 08, 2005

Comments

Mike Erskine

Hi Steve;

Nice BLOG. This triggered a memory that I thought you would find interesting. It will run long, sorry.

A few years ago (circa 1999) an ISP, who shall remain nameless, called me in because their news server was 'acting funny'.

Poking around in the machine (Linux box) turned up a root kit. I decided that I wanted a piece of the person who cracked that server so I plugged it into a hub next to another Linux box and sniffed about eight hours of traffic.

The machine was being used as an IRC server and there were a dozen or so script kiddies using it for warez and as a place to store their toolz.

I read the raw text being sent on the IRC channels and I discovered that there were two levels of conversation going on. One level was a bunch of script kiddies talking in the open on an IRC channel, but the IRC server had been modified to allow a 'subliminal' channel. The real cracker and a couple of other more skillful blackhats were communicating in the background. The purpose of letting all those kiddies use that IRC server? Yep, you got it in one. :)

I then killed their IRC server and managed to catch the cracker coming back to reinstall the root kit. It took his script less than fifteen seconds to make the transfer and replace the existing binaries.

I got the IP address and account information on the server whence he moved his toolz. 'Nuther linux box of course. I logged on and pulled the root kit and studied it a day or so but left that machine alone otherwise. After I studied the kit and the kiddies for a couple of days I rebuilt that news server, called Qwest (yep, QWest) and talked to their chief of security. I was telling him how I thought he should go about tracking the kiddie back one more hop when he told me his wife was an employee at a federal intelligence agency... ;) Small world.

They took the ball and I got as much revenge as you ever get when chasing crackers, I took one of his boxes from him.

Sam Hobbs

In reply to "Watching children at play" in:
http://www.unixwiz.net/archives/2005/01/malware_analysi.html
you say "Almost all residential cable services include terms of service that forbid running of servers (though I have never figured out why this is the case, because DSL providers generally allow it).".

I can only guess, but my guess is that cable providers are required to provide residential customers better (faster etc.) service, but the deal is limited to non-business use. That makes sense a little, but we both know that a server can be used for totally non-commercial use.

Another possibility might be security; an ISP might need to provide additional services to protect a customer with a server. Right? Or am I totally wrong that most ISPs don't care about protecting a customer's server?


ABOUT STEVE

  • Steve Friedl is a software and network security consultant in Southern California. He has been a C and UNIX developer since 1981 and has an exceptionally broad background in this area. Some areas of expertise include:

    • C and C++ systems software development on the UNIX and Win32 platforms
    • Communications, including serial and TCP/IP based controllers
    • Enterprise internet security administration and configuration
    • Penetration tests, audits, and network reviews
    • Security forensics, reverse engineering, and tools development
    • General UNIX and Windows system/network administration
    • The Windows Printing System
    • Database software development
    • Technology problem solving and research
    • Technical writing and standup training

Unix Wiz

Stephen J. Friedl
Software Consultant
Orange County, CA USA
Steve@unixwiz.net