Date:      Fri, 08 Jun 2001 23:00:02 +0200
From:      Cynic <cynic@mail.cz>
To:        Bill Moran <wmoran@iowna.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW rules and outward connections
Message-ID:  <5.1.0.14.2.20010608225129.033afd70@mail.cz>
In-Reply-To: <3B213407.D5A6E547@iowna.com>
References:  <3B200EEF.86F950D1@iowna.com> <5.1.0.14.0.20010608082306.024808d0@mail.enterit.com>

Well, yes. Crackers seem to be mostly 15-year-old kids.
Skim this article: http://grc.com/dos/grcdos.htm (and get 
ready to skip some whining about MS including a full-blown 
sockets implementation in NT 5 and up). Other than that, it's 
a pretty good probe into the 133t h4x0rz' pseudoculture --
teenage script kiddies who aren't even script kiddies, they're
actually button kiddies, since they don't know any scripting,
just push buttons.

At 22:22 8.6. 2001, Bill Moran wrote the following:
-------------------------------------------------------------- 
>Lots of good conversation on this topic yesterday and today.
>My $.02:
>I agree 100% with Ted on the point of the media pretending that all
>crackers are super computer geniuses. It's bullshit. Every incident of
>a break-in that I've seen over the last few years has been the result of
>VERY sloppy security. I think most of the REAL super experts are
>creating the secure systems, not cracking them.
>To counter that, there are an unbelievable number of servers on the 'net
>in a terrible state of insecurity. This makes the risk of DoS attacks
>VERY high.
>Also to counter that ... if you secure your system tightly enough that
>you can't conceive of any possible break-in, then nobody dumber than you
>will get through ... and most crackers are dumber than you! That's my
>(overall) approach to security.
>So ... I've already been planning a sales pitch entitled "You are at
>risk" where I'll be finding servers hosted locally with lousy security
>and going in with a sales pitch where I scare them silly! Then I sell
>them a firewall and monitoring services.
>Wish me luck,
>Bill
>
>Jim Conner wrote:
>> 
>> I like your comments, I agree with your comments...I warn against some
>> comments made...
>> 
>> Beware the lamers...even a blind squirrel finds a nut now and then.  Don't
>> underestimate the power of the darkside.
>> 
>> - Jim
>> 
>> ph34r th3 ll4mA5 =P
>> I can talk the talk...but I am nowhere near walking the walk.  I always
>> thought "hacker jargon" was strangely interesting anyway.
>> 
>> At 10:18 PM 6/7/2001 -0700, Ted Mittelstaedt wrote:
>> >I'll relate a recent story about security and access lists that may
>> >interest some folks.
>> >
>> >We have a customer who one day discovered some changes in some
>> >logfiles in a Linux 2.2 webserver system they had.  After investigating
>> >they determined that their server had been cracked into.  They
>> >called us for help.  We arranged a site survey the following day
>> >and a meeting to talk about how to secure their connection.
>> >
>> >The next morning before the meeting we noticed that their connection
>> >to us (a full T1) had gone into saturation on the outbound channel
>> >at 4:00am.  This was atypical behavior of course.  I called them and
>> >told them what was going on but not to do anything as I wanted to
>> >see the server myself.  When I got there after about 15 minutes I
>> >determined that someone had uploaded an IRC proxy (GNU source) to
>> >their server, obviously their server was participating in a DoS attack
>> >against some target.  I also determined that the system was so old
>> >and the probability of inserted trojans so high that it wasn't worth
>> >attempting to secure, I just told them to get their data off it and
>> >reformat it and reinstall a current version of Linux and this time
>> >to install the appropriate security patches.  Needless to say they
>> >didn't have the time immediately to do this but they planned to do it
>> >the following week.  (this customer is a distributor and the info on
>> >the webserver was basically public data anyway, and they didn't care
>> >that someone had access to it)  But they did ask if there was anything
>> >I could do about the DoS hijack.
>> >
>> >Since it would have been pointless to delete the IRC proxy off their
>> >webserver (since the cracker could just upload it again through the
>> >same hole) I decided to insert a block of port 6667 in their border
>> >router.  This of course disabled the control channel for the IRC proxy
>> >and stopped the hijack.
>> >
>> >Now, in my humble opinion, it would have been child's play for the
>> >cracker to simply access the system again, and modify the IRC proxy to
>> >use a different port for the IRC control channel.  After all I didn't
>> >block any other ports, all the holes were there.  This WAS a DoS attack
>> >and thus it didn't matter one whit what port was in use in the attack,
>> >any would have worked.  So I didn't expect my block to last any length of
>> >time.
>> >
>> >But, guess what, it was completely effective for over a week before they
>> >finally redid their server.
>> >
>> >This is the kind of mentality that you're dealing with, with most crackers.
>> >Sure, there's some really good (or warped) crackers out there who would
>> >have reactivated their little toy in seconds.  But these people aren't
>> >going to waste their time on something like this site.  The real mentality
>> >that you're dealing with, with 99% of these crackers out there are people
>> >so dumb that they cannot even make a simple port number modification in
>> >their code.  They barely have any understanding of networking technology and
>> >even crude and simple access lists are beyond their comprehension.  All
>> >they do is to follow some recipes that their betters have put together
>> >for them, and if something goes wrong and the recipe doesn't work, they
>> >have no idea how to go about fixing it (or breaking the system, depending
>> >on your viewpoint) and so they just move on to the next easy-to-compromise
>> >system.
>> >
>> >This is really the situation of the street where half the homes lock their
>> >doors and the other half don't.  There are so very many ancient Linux or
>> >unsecured Windows systems out there that if you make even a modicum of effort
>> >to lock your door, since most crackers are basically morons, they are
>> >unable to deal with the situation and just move on to the next house/system.
>> >
>> >Of course, if you do have something of real value there, like a database of
>> >thousands of valid credit card numbers, then this doesn't apply.  But,
>> >the point is that Hollywood makes it out that all crackers are super-sophisticated
>> >technologists that know computer systems back, forth and upside down, and
>> >that to block them you have to have super-sophisticated methods yourself.
>> >But, the reality is that most crackers are morons and even simple
>> >filters and blocks that aren't themselves that good, present enough of an obstacle
>> >to these people that they won't be able to figure out a way around them.
>> >
>> >Ted Mittelstaedt                      tedm@toybox.placo.com
>> >Author of:          The FreeBSD Corporate Networker's Guide
>> >Book website:         http://www.freebsd-corp-net-guide.com
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message 
------end of quote------ 


cynic@mail.cz
-------------
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
    - Book of Installation chapt 3 sec 7 
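
[Added example, not part of any message in this thread. Ted put his port
6667 block in the customer's border router; the script below renders the
same idea as ipfw rules, since that is what the subject line asks about,
and then shows the egress policy that still holds when the bot is told to
use a different port. It follows the "${fwcmd} add ..." convention of
FreeBSD's /etc/rc.firewall. The outside interface fxp0, the addresses
192.0.2.10 (web server) and 192.0.2.53 (its resolver), and the rule
numbers are assumptions chosen for the example.]

```sh
#!/bin/sh
# Added example: ipfw egress policy for one exposed web server, written in the
# style of FreeBSD's /etc/rc.firewall (each rule is "${fwcmd} add ...").
# Assumptions (not from the thread): outside interface fxp0, web server
# 192.0.2.10, its resolver 192.0.2.53 (RFC 5737 documentation addresses),
# and the rule numbers. "sh egress.sh dry-run" prints the rules without
# touching the kernel; "sh egress.sh apply" loads them.

fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-fxp0}"
web="${web:-192.0.2.10}"
dns="${dns:-192.0.2.53}"

# The fix from the story: cut only the IRC control channel. "setup" matches
# the SYN that opens a connection, so the web server can no longer reach any
# IRC server on 6667. It defeats a bot that never changes ports, nothing more.
narrow_block() {
    ${fwcmd} add 1000 deny log tcp from ${web} to any 6667 out via ${oif} setup
}

# A policy that does not depend on the attacker's choice of port: the web
# server may answer connections made to it and may query its resolver; every
# other packet it tries to send outward is dropped and logged.
egress_policy() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 check-state
    # Replies on connections that clients opened to the web server.
    ${fwcmd} add 200 allow tcp from ${web} 80,443 to any out via ${oif} established
    # The one outbound service the server needs; keep-state lets the answer back in.
    ${fwcmd} add 300 allow udp from ${web} to ${dns} 53 out via ${oif} keep-state
    # New TCP connections the server itself opens (SYN without ACK): deny and
    # log, so the bot's next control-channel attempt, on whatever port, shows
    # up in the logs instead of silently working. logamount caps log volume.
    ${fwcmd} add 400 deny log logamount 1000 tcp from ${web} to any out via ${oif} setup
    # Default deny for anything else the server originates (UDP, ICMP, ...).
    ${fwcmd} add 410 deny log logamount 1000 ip from ${web} to any out via ${oif}
    # Other hosts and inbound traffic to the web server are outside this
    # fragment; a real site policy continues from here.
    ${fwcmd} add 65000 allow ip from any to any
}

case "${1:-}" in
    apply)   egress_policy ;;
    dry-run) fwcmd=echo; egress_policy ;;
esac
```

Rule 400 is the one that matters for the story: the compromised box can be
told to use any port, but it still has to send a SYN out through the
border, and that SYN is what the rule drops and logs. Rule 300 only lets the
server talk to its own resolver; if the bot tunnels its control channel over
DNS to that resolver, this policy will not see it, so the resolver's logs are
the next place to look.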

