Kuro5hin.org: technology and culture, from the trenches
When script kiddies attack (or admins screw up)!

By Inoshiro in Meta
Wed Sep 20, 2000 at 04:37:54 AM EST
Tags: Kuro5hin.org (all tags)

Earlier today, someone posted a test story to K5 as Rusty. After about 50 people saw it, they deleted it and logged out. This happened because Rusty left a db dump out in a directory.


"So why did rusty leave the dump out?"

It was an old dump from December, back in ye olde Slash days of Kuro5hin. Since Slash doesn't store the passwords encrypted (like Scoop does), the fellow who found the problem uncompressed the table and read it. Because of Rusty's policy of not really changing his passwords often, the person who found the problem could post it. Rusty was properly given a tongue lashing for this, of course :-)

The person who found the problem (and posted the test "hax0r" message) was mature enough to delete it and log out afterwards. Naturally, we went into fascistic-security mode anyway. I'd already port scanned the identified assailant, as well as blocked their access to kuro5hin (via ipchains) by the time the mail arrived explaining the situation :-)

This was a funny non-event for us, but it's just another reminder to not put files that contain sensitive information on a site in plain text. It's how those wacky colon cat makers, :Digital:Convergence.:Com, had their big "privacy expose." Many other sites have also had problems with this.

Drdink had a different view on the situation:

"MSN Kuro5hin Project
Day 1: Leaked all passwords. Will be attacked by skriptkiddie soon and all personal information will be stolen.
Day 2: Skript Kiddie found that rusty's k5 password was the root password for the machine. Kuro5hin will be back in a few months on a new server.
"

Well, shucks, there goes our next freebie from VA (and for being listed with fuckedcompany.com)!
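
The kind of check this incident argues for, as an added example that is not part of the original post or of Scoop: a Python scan of a web document root for files that look like database dumps, judged by name or by content (gunzipped first when the file is gzip-compressed). The name patterns, SQL markers and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import gzip, os, re, tempfile, zlib

# Assumed heuristics (not from the post): names and text markers that
# commonly indicate a database dump.
NAME_HINT = re.compile(r"\.(sql|dump|bak)(\.(gz|bz2))?$|dump|backup", re.I)
SQL_MARKERS = (b"INSERT INTO", b"CREATE TABLE", b"-- MySQL dump")
PASSWORD_COL = re.compile(rb"passw(or)?d", re.I)


def head(path, limit=65536):
    """First bytes of a file, gunzipped if it carries the gzip magic."""
    with open(path, "rb") as fh:
        is_gzip = fh.read(2) == b"\x1f\x8b"
    try:
        with (gzip.open if is_gzip else open)(path, "rb") as fh:
            return fh.read(limit)
    except (OSError, EOFError, zlib.error):
        return b""  # unreadable or corrupt: fall back to the name check


def find_exposed_dumps(docroot):
    """Return [(relative_path, reasons)] for dump-like files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            data = head(path)
            reasons = []
            if NAME_HINT.search(name):
                reasons.append("name")
            if any(marker in data for marker in SQL_MARKERS):
                reasons.append("sql-content")
                if PASSWORD_COL.search(data):
                    reasons.append("password-column")
            if reasons:
                findings.append((os.path.relpath(path, docroot), reasons))
    return sorted(findings)


def demo():
    """Scan a constructed document root (sample data, not from the site)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>front page</h1>")
    sql = b"CREATE TABLE users (nick text, passwd text);\nINSERT INTO users VALUES ('a','x');\n"
    with gzip.open(os.path.join(root, "old.gz"), "wb") as fh:
        fh.write(sql)  # innocuous name, so only the content check can catch it
    open(os.path.join(root, "site-backup.tar"), "wb").close()
    return find_exposed_dumps(root)
```

Calling `demo()` flags `old.gz` on content alone and `site-backup.tar` on name alone, which is why both checks are kept.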

When script kiddies attack (or admins screw up)! | 27 comments (26 topical, 1 editorial, 0 hidden)
Everyone... (3.00 / 19) (#1)
by GandalfGreyhame on Wed Sep 20, 2000 at 12:44:35 AM EST

Everyone makes mistakes. Don't worry bout it Rusty, we still love ya! :)

-G

Re: Everyone... (3.66 / 3) (#18)
by Matrix on Wed Sep 20, 2000 at 03:52:54 PM EST

No, we don't! Editorial corruption blah blah blah corporate influence blah blah blah...

Oh, wait. This isn't Slashdot. It's OK to like the editors. Never mind. ;-)


Matrix
"...Pulling together is the aim of despotism and tyranny. Free men pull in all kinds of directions. It's the only way to make progress."
- Lord Vetinari, pg 312 of the Truth, a Discworld novel by Terry Pratchett
[ Parent ]

Good for him. (3.94 / 19) (#2)
by plastik55 on Wed Sep 20, 2000 at 12:56:54 AM EST

I have to say I like the "white-hat-cracker" ethic. It should be encouraged. We need to have people walking around slapping people upside the head saying, "see that? Don't do that!" Kinda like the instructor walking around in a karate dojo pushing his students off balance. You learn to steady yourself real fast.

And yes, I chose the word "cracker" appropriately.
w00t!

Re: Good for him. (2.00 / 5) (#4)
by vsync on Wed Sep 20, 2000 at 04:34:44 AM EST

Snicker. Like that "boot to the head" audio clip. I have no idea where it came from, but a friend had me listen to it and I was laughing hysterically for hours. A search for "boot to the head" on Google should locate a transcript at least, but the audio is much funnier.

"I'm Randy Gruberman..." =)

--
"The problem I had with the story, before I even finished reading, was the copious attribution of thoughts and ideas to vsync. What made it worse was the ones attributed to him were the only ones that made any sense whatsoever."
[ Parent ]

Re: Good for him. (1.50 / 4) (#6)
by Enthrad on Wed Sep 20, 2000 at 06:33:09 AM EST

Ed Gruberman? I think that was The Frantics' "Tae Kwon Leap"

[ Parent ]
Boot to the head! Na na (2.00 / 3) (#8)
by Anonymous Hero on Wed Sep 20, 2000 at 08:19:49 AM EST

Here is a link to the transcript and the mp3.
http://beagleweb.com/personal/boottothehead.html

This is familiar in the back of my mind somewhere. How did it get there?

[ Parent ]

Re: Boot to the head! Na na (1.33 / 3) (#10)
by alexm on Wed Sep 20, 2000 at 08:44:47 AM EST

I know this has nothing to do with anything, but I just wanted to say those are the damn funniest transcripts I've ever read :) I just wish my work connection was faster so I could get the mp3's.. grumble.. grumble..

[ Parent ]
Re: .sig [OT] (2.42 / 7) (#5)
by driph on Wed Sep 20, 2000 at 04:46:28 AM EST

Hey plastik, fix that thar link in yer .sig ... add the "http://" and it should work fine...:]



--
Vegas isn't a liberal stronghold. It's the place where the rich and powerful gamble away their company's pension fund and strangle call girls in their hotel rooms. - Psycho Dave
[ Parent ]
Re: Good for him. (3.00 / 7) (#7)
by discreet on Wed Sep 20, 2000 at 06:46:51 AM EST

Have to disagree, I'm afraid. Sorry to use the tried and tested analogy of the burglar giving you the locks to your house, saying, hey, your security sucks, I just had a look around, didn't touch anything, hope this is okay.
And hey, do you really want someone telling you what to do?

[ Parent ]
Re: Good for him. (3.66 / 3) (#12)
by El Volio on Wed Sep 20, 2000 at 11:00:38 AM EST

I don't think that's the point here. This isn't somebody's personal computer. To me, a better analogy is that you're in a public place and you notice the manager's office door is partially open. You push it, see that it is open and that it is in fact the manager's office. You then go off to find him and tell him to lock it up.

[ Parent ]
Re: Good for him. (3.00 / 3) (#14)
by kunsan on Wed Sep 20, 2000 at 12:06:03 PM EST

I agree with your comment completely, but (IMO) you stopped a little short...

"You push it, see that it is open and that it is in fact the manager's office. You then go off to find him and tell him to lock it up."

My version of the way it went down...

"You push it, see that it is open and that it is in fact the manager's office." You open all the drawers in his desk, slide over to the filing cabinet and scan the heading of each folder, and put everything back in its place. "You then go off to find him and tell him to lock it up."

Maybe it is not a perfect analogy, but s/he certainly did not just peek in and then go report the insecurity.
--
With a gun in your mouth, you only speak in vowels -- Fight Club
[ Parent ]
Re: Good for him. (4.00 / 2) (#15)
by sporty on Wed Sep 20, 2000 at 02:01:53 PM EST

The basic concept is still there, except the incentives are different. The likeliness of a burglar entering your house and saying "look what you did" is kinda silly. Checking a door for being locked is suspicion enough to lock someone up.

Since the net is so much more free, and people might be a little bit more friendly, white hats do exist. And besides, you are comparing the net to the real world. That's like comparing the cultures of the US and Japan. You can argue to no end that we have some things in common because we are human, but that's so much of a basic concept, that you can't use it to argue it with.

[ Parent ]
Keys on the doorstep? (3.33 / 3) (#19)
by rusty on Wed Sep 20, 2000 at 04:21:32 PM EST

In this case, a better analogy would be, a neighbor walks by and notices you've left a key lying in plain view on your doorstep. He picks it up, tries it in the door, and wow!, it works. So he calls you up and says "Hey dude, you left your key on the doormat. I've got it, come by and pick it up when you get home." It's a neighborly thing to do, IMO, and I'm glad the person who discovered this had the maturity to alert us and not do any damage.

____
Not the real rusty
[ Parent ]
Re: Good for him & Lucky for US (3.00 / 1) (#13)
by kunsan on Wed Sep 20, 2000 at 11:55:58 AM EST

that this person chose to test, confirm, and report this incident, rather than exploit it and plant a rootkit... or did he??? Time for a sum check??? Or do we trust people that much?
--

With a gun in your mouth, you only speak in vowels -- Fight Club
[ Parent ]
Re: Good for him & Lucky for US (3.00 / 1) (#16)
by sporty on Wed Sep 20, 2000 at 02:05:42 PM EST

Trust no one. Be happy for miracles =)

[ Parent ]
Re: Good for him & Lucky for US (3.00 / 1) (#24)
by Inoshiro on Thu Sep 21, 2000 at 11:45:10 AM EST

Calm down. Having the login for the web admin interface doesn't give you root access by a long shot :-P



--
[ イノシロ ]
[ Parent ]
Why the port scan? (2.57 / 14) (#9)
by El Volio on Wed Sep 20, 2000 at 08:37:12 AM EST

What did this accomplish? Given that this is borderline hostile activity (some people think it's no big deal, others look at it as a precursor to an attack), what was the point of this? All it does is make you feel like you've done something, when in reality you've accomplished basically nothing.

Re: Why the port scan? (4.40 / 5) (#17)
by leperjuice on Wed Sep 20, 2000 at 03:51:20 PM EST

A FOAF (Friend of A Friend) that did security admin work wrote a small script that when it detected a port scan would turn around and port scan the port scanner. The idea was to a) figure out as much as he could about the possible attacker and b) send a message that "I have a R00tkit and I portscan" to would-be intruders.

The result? The host he put it on had been getting portscanned from Taiwan and China frequently (could it have been the fact that it was a .gov machine?) but once the script was installed, the portscans rapidly died off.

The moral? Loser script kiddies expect that what they do is without consequence, yet when someone starts looking them over, the fear of "I may have woken the sleeping dragon" comes in and they move on to richer pastures (like cable modem users).

So while it may not do too much, at the same time portscanning your foe may provide good info and make them think twice about their actions.

[ Parent ]

Portscanning the portscanner is NOT a good idea. (4.00 / 3) (#21)
by szap on Wed Sep 20, 2000 at 10:56:39 PM EST

Sure it sounds like a good idea. It even scares and stops _some_ script kiddies.

But what if the portscanning machine is actually a compromised machine? What if the attacker sets up a similar reverse-portscan service on the compromised machine?

What you will get is a seriously DoS'ed machine and a semiclueful (oxymoron?) laughing his ass off.

Moral of the story? Don't do it, unless you _know_ what you are doing. Even then, be careful.



[ Parent ]
Re: Portscanning the portscanner is NOT a good ide (3.00 / 1) (#23)
by Inoshiro on Thu Sep 21, 2000 at 11:43:58 AM EST

If it is a compromised machine, I can identify it from the portscan. A portscan is nothing more than shining a light around to see what's going on. Since in most cases, the next logical step is to try to break in, I don't do it without reason. In this case, I was trying to determine if our old friend was trying to abuse K5, or if this was some 31337er who had compromised a machine, etc.

Whether this is a machine that is compromised (which would lead me to attempt to shut down the machine and notify the owner to prevent further abuse), an open proxy (which leads to the ipchains deny), or some other machine (probably ipchains deny + nastygram mailing) is an important thing to know when dealing with such situations.



--
[ イノシロ ]
[ Parent ]
Clarification: _Automated_ PS-ing the PScanner (3.00 / 1) (#26)
by szap on Thu Sep 21, 2000 at 11:13:27 PM EST

My bad, didn't make it clear: I was commenting about the automated "portscanning the portscanner" in the previous post, which could DoS both sides, if both sides used it. Mmmm... much like how a laser works.

Manually portscanning a portscanner is different, as you pointed out, and which would be a step I'd do in your place. nslookup and traceroute before that would throw up some interesting facts as well (dialup? fast connection? campus network?).

[ Parent ]

Re: Portscanning the portscanner is NOT a good ide (3.00 / 1) (#27)
by stompro on Fri Sep 22, 2000 at 01:23:50 AM EST

I would just like to note that usually an auto portscanner would be coupled with an auto blocker (IMHO).
1. detect portscan.
2. scan back.
3. block any more packets from that machine.

So I don't think a pure bandwidth intensive DoS would take place. But it still would be quite effective to spoof scans so that the defending machine would block sites that were not intended. But I think that would not be too much of a problem if the software was monitored. Oh look, today 5000 of my favorite sites portscanned me.
Joshy

[ Parent ]
Re: Why the port scan? (4.00 / 1) (#25)
by Broco on Thu Sep 21, 2000 at 05:10:15 PM EST

Hm, not a good idea imho. I considered auto-portscanning attackers myself, but the problem is that portscans are easy to spoof. A malicious individual could pretend his syn packets are coming from, say, www.kuro5hin.org, and you would then appear to be trying to crack kuro5hin.

Even worse would be if the attacker found another computer that also auto-portscans. He could then spoof the address of that host, and you might end up in an infinite portscanning loop.

Finally, you might auto-portscan some non-malicious portscanners. IIRC some IRC servers auto-scan some ports on their users (not sure if they still do), to stop some sort of proxy-related attack.

Klingon function calls do not have "parameters" - they have "arguments" - and they ALWAYS WIN THEM.
[ Parent ]
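
The failure modes raised in the last two comments (forged scans that make an automatic responder block or scan sites it should not), as an added example that is not code from any commenter or from the site: a Python sketch of the block decision with three guards. It assumes that an off-path sender forging a source address cannot complete a TCP handshake, so only sources with a completed handshake are eligible for automatic action; the thresholds, field names and sample events (documentation address ranges) are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SCAN_THRESHOLD = 10   # assumed: distinct ports from one source that count as a scan
MAX_NEW_BLOCKS = 3    # assumed: more candidates than this in one batch go to a human


def decide_blocks(events, allowlist):
    """events: iterable of (src_ip, dst_port, handshake_completed)."""
    ports, verified = defaultdict(set), set()
    for src, port, completed in events:
        ports[src].add(port)
        if completed:
            verified.add(src)          # evidence a forged sender cannot produce
    nets = [ipaddress.ip_network(n) for n in allowlist]
    decision = {"block": [], "review": [], "log_only": []}
    for src in sorted(ports):
        if len(ports[src]) < SCAN_THRESHOLD:
            continue                    # too few ports to call it a scan
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in nets):
            decision["review"].append(src)     # never auto-block allowlisted sites
        elif src not in verified:
            decision["log_only"].append(src)   # SYN-only: address may be forged
        else:
            decision["block"].append(src)
    if len(decision["block"]) > MAX_NEW_BLOCKS:
        # A sudden flood of "scanners" is itself suspicious: hand it to a person.
        decision["review"] += decision["block"]
        decision["block"] = []
    return decision


def sample_events():
    """Constructed events, not captured traffic."""
    ev = [("203.0.113.7", p, p == 80) for p in range(70, 82)]   # real connect scan
    ev += [("198.51.100.20", p, False) for p in range(1, 13)]   # forged as a known site
    ev += [("192.0.2.50", p, False) for p in range(1, 13)]      # SYN-only, unverifiable
    ev += [("192.0.2.99", p, True) for p in (22, 80)]           # two ports: not a scan
    return ev
```

The trade-off is visible in the `log_only` bucket: a genuine half-open scan is indistinguishable from a forged one and gets no automatic response.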

portscan? (3.16 / 12) (#11)
by Trracer on Wed Sep 20, 2000 at 09:24:58 AM EST

Why the portscan?
Trying to counterattack?

As long as you have identified the attacking/abusing host and notify the admin/isp of that net...that should do.

Oh-well, that's my 2 cents.

-- Inoshiro is a shrimp smuggler!
Re: portscan? (3.50 / 2) (#20)
by Dolgan on Wed Sep 20, 2000 at 05:56:59 PM EST

I know my ISP (@Home) sure doesn't care about this kind of thing, despite the EULA. From what I have gathered over time, the only punishment its users receive is a warning email claiming to deactivate their account on second offense, but this email just gets sent out again. My theory is that they don't keep records at all.

[ Parent ]
Re: portscan? (4.00 / 2) (#22)
by Inoshiro on Thu Sep 21, 2000 at 11:40:15 AM EST

No, I was trying to determine what this was (end user, open proxy, compromised machine, etc). That would dictate my next course of action.



--
[ イノシロ ]
[ Parent ]