Subject: Re: down due to attack
From: (Rob Warnock)
Date: Tue, 24 Aug 2004 05:19:20 -0500
Newsgroups: comp.lang.lisp
Message-ID: <>
Karl A. Krueger <> wrote:
| William Bland <> wrote:
| > Oh, for fsck's sake, what do people get out of doing this kind of thing?
| > Bloody idiots - it's a lot easier to destroy than it is to create.
| Well, since you asked, and since system security is what I do ...
| Seemingly random or purposeless break-ins seem to be done for a number
| of purposes.  One of the most widely reported -- "Web site vandalism",
| or kids breaking in to Web sites only to put up rude messages -- was
| pretty common a few years ago, but seems to be much less so now.  Recent
| attacks seem to be substantially more sinister in the large.
| One of the most common types of "random" break-ins I see appears to be
| done in order to use the target system as a staging area for other sorts
| of attacks.        [...much other good stuff trimmed...]

Yup. One of the reasons I haven't been as active as usual here lately
is that I've been helping a non-profit I'm associated with respond to
a series of attacks on their mail web/mail server. First came the entry
(we're still not sure how, but it was an *old* version of Linux), then
a rather thorough "rootkitting" [including installing modifications to
system calls into the kernel!], then the IRC servers, and the spam bots,
and so on. It was clear that the first intruders were "just having fun",
while later ones (using backdoors the first set had left behind and had
advertised on chat boards) were much more serious. What few logs weren't
destroyed by the intruders showed that several different groups were

We had to move servers *twice* (with more up-to-date system software)
to get rid of it all [and we're still not 100% sure], due to Trojan
Horses that had been planted in PHP-driven parts of the site and in
CGI scripts/programs.

[Note: A lot of PHP coders don't seem to realize that PHP is potentially
*very* unsafe, due to the "exec" and "popen" operators, if you don't
*carefully* validate your HTML form data and watch out for how many
times you allow strings to be re-substituted. (Oops. CL's "#." anyone?)]

| 	Google search:  "IRC bot backdoor"
| 	Google search:  "fresh open proxies"
| 	Google search:  "online flood extortion"

Yup, yup, yup -- they did all of that, including installing a
PayPal-lookalike phishing site and then sending threatening mail
to the organization's officers claiming the latter were the phishers.

What a mess...  :-(


Rob Warnock			<>
627 26th Avenue			<URL:>
San Mateo, CA 94403		(650)572-2607