somehat

@202.30.x.x

Black, White or Red Hat?

And the moral of the story is...

The last 14 days I've seen port 53 scanned by 29 different machines. Since the 1i0n (lion) worm is running rampant I did a simple and fully legal "lynx -dump »scanningmachine:27374 >lionproof" (a -source would fetch the complete .tar archive), which revealed seven machines to be infected by the unmodified wriggler. Twenty-five %!

This is serious... Have a look at »www.whitehats.com/library/worms/···dex.html to find out why.

I was only able to find an external, and working, e-mail address for two of the systems - some pixel-manipulating company in Germany and a women's organization in the US. The rest received a telnet-based message to root.

Still keeping myself within the boundaries of... whose laws... common moral laws... I spent the next 48 hours in suspense. But very little happened... The women's machine WAS taken down (up today, hopefully totally cleaned) but the rest kept on truckin' in their infected state. And I got no return messages at all.

What to do? Just roll over and play dea... deaf? Not my problem?

Sorry, can't do. Not how my parents raised me. So I decided to cross some boundaries. One of the machines belonged to a Primary School in Korea and it sort of tore my heart to have their can opened up like this.

Did a "telnet koreamachine 1000", this being the backdoor installed by Lion.v3, replaced it with my own temporary backdoor and did a "kill -HUP" of the inetd. Logged out and in again. Killed the scanning scripts and the propagation server, deleted the hidden directory, the server and everything else belonging to the worm. Checked a couple of files for other manipulations and replaced the worm deleted ......... Wrote a /root/message.txt letter (signed with my e-mail address) and had it displayed through . Deleted my backdoor and "halt"-ed the machine.

Two down, five to go.

Next machine, also Korean, was rooted by the worm and someone else. Very shoddy work and some hidden root tools. Plus another backdoor. I cleaned up as best as I could, but left my own backdoor intact. Hunches...

Three down, four to go... no, wait... three to go. A Russian machine had cleaned itself...

Checked back on the suspicious Korean machine. I was unable to get in... An nmap scan of their ports showed a couple with funny names, "domination" etc. Telnetting there I was greeted by an SMTP server. Obviously a thoroughly rooted playground. Not much to do.

Decided to create a better backdoor on the next systems and not leave any /root.message.txt... Surveillance technique. Did the next three systems. Cleaned the worm stuff and installed my improved backdoor. Have checked the systems the last three days. All seems well (as far as I can tell). No irregular changes of anything.
Let's see who's connected:

Ok, only I am. But who's logged in?:

Noone...
My backdoor is controlled/created once a day:

That's me, the checkfilesystem:

My file is a simple bash script (using sed) which makes sure we have the uncommented ntalk entry,

I try to fool the eye with a topd "server". And the script also corrects the /etc/services file:

The /etc/hosts.deny and /etc/hosts.allow only control what /usr/sbin/tcpd manages. And yes, the moral of the story is:

If you've been rooted (manually or by a worm), wipe the whole system, and any system connected to your system! Don't think you can eradicate all hacking activity manually. You only waste time, and leave it an insecure system.

Many African cultures have a concept of RED, being placed between BLACK and WHITE. While my actions the previous days would be hard to place within the White Hat sphere, or the Black Hat sphere, how about a Red Hat...? Do I deserve to go to jail, as one of the regulars here suggested for _any_ hacking activity? Or do we have a RED area... Not sure myself. That's why I post this from an "anonymous" account.

PS. I've _never_ been an illegitimate root prior to this.

Text was edited to remove the instructions and to save you the embarrassment caused by your sloppy work. Wildcatboy.

[text was edited by moderator]


2kmaro
Think
Premium,ExMod 1 BC
join:2000-07-11
ColossalCave

said by somehat:

And the moral of the story is...

Do I deserve to go to jail, as one of the regulars here suggested for _any_ hacking activity? Or do we have a RED area... Not sure myself. That's why I post this from an "anonymous" account.

PS. I've _never_ been an illegitimate root prior to this.


First - I'd request that you edit your post to delete the specifics of HOW and explain more of WHAT you did.

The bottom line question is simply this: was what you did (intruding into someone else's system) legal and permitted by the terms of service or acceptable use policy of your provider? If not, then you should not have done it.

It kind of falls into the double-standard category: is it correct and proper to break the law to catch a law breaker? According to the "ethics" of this country, no, that is not acceptable behavior. Yes, it gives the black-hats a leg up in the game - but nowhere is it written that "Life Shall Be Fair".

And as a bottom line - DSLR does not support or condone hacking in any form, under any guise. This thread may continue as a moral discussion of the issue raised, but without providing specific methodologies of "how to get back" at anyone. Why get down in the mud and crawl in the same slime with the jerks who attack us?


TransitMan
Premium,MVM
join:2000-09-05
Dayton, OH
kudos:1
Reviews:
·RoadRunner Cable

2K, I believe he works in some type of IT area that controls a number of machines under his care. (29) Hence, I don't think he has violated TOS for any ISP.

From what I've read and interpreted, he was merely cleaning out a worm that had infected the machines of his organization. And he was writing code to keep it in check and from happening again.

Now, should he go to jail for this? No, I don't think so. If he was acting within the scope of his duties, it was perfectly legal for him to take whatever action was needed to stop the worm cold. And I don't think, IMHO, that he is trying to get back at anyone. Again, from what I've read and understood, he was protecting those systems under his care.

No different than an AV company doing reverse engineering on a virus to create a cure for said virus.

--
TODAY IS THE FIRST DAY OF THE REST OF YOUR LIFE. SO GET OVER IT.



somehat

@210.104.x.x

reply to 2kmaro
2kmaro: Sorry, there's no button to edit my post (probably should have created an account before posting). But at any rate, the HOW _is_ the WHAT. There's nothing secret or hard to find information in those lines. I chose to quote it like that to make the point: "rooted = reinstall".

Many people think that lesser means are enough. They are not.

TransitMan: Sorry, you read too fast...

I have broken the laws of many nations by entering the other systems unbidden. But the questions linger.

The lion worm has no master. It randomly scans and tries to infect other vulnerable systems each minute (or was it 100 seconds?). The infected machine is wide open to _anyone_.

If the owner of an infected machine chooses not to act when given the information, or is unable to act, is *anybody* entitled to clean the system from the outside? Who...?

Imagine a house, where the owners are on vacation, and the door has been... how say you... jimmied(?). Normally you call the police, but the internet is quite void of such an entity. You stand there, watching hoods move in and setting up shop (possibly machine guns aimed at other houses in the block). Do you turn your head, because it would be unlawful of you to shut the door?

In your country you have something called a "citizen's arrest", and I believe it is against the law _not_ to act when a crime is committed.

The worm commits a crime, with a massive amount of casualties (open systems) which in turn can lead to even more severe casualties (the systems being used to hack in and shutdown hospital computers etc).

I am very torn... That's why I posted in the first place. I've done something illegal, but is it justified? I don't know. Though I'd do it again if I had to, no matter the fine (we don't get jailed for such a thing in my country



Rocktagon
Slightly Bent
Premium
join:2000-11-04
Chattaroy, WA

Are you seeking validation?

If you are seeking validation for unlawful acts I would advise you to get it from within. What you have done, if true, is very noble. I sometimes wish I had the knowledge to do such a thing. I do however think posting the actual *nix commands in a public security forum serves no purpose other than to boost your ego.

The morality of the issue is debatable. Do two wrongs make a right? Do the uninformed warrant help to prevent further spread of the worm? These are tough questions and I have no answer only my own opinion.

I will choose not to make it public knowledge and suggest maybe you should keep your exploits to yourself however noble the cause is. I think one of the differences between "hackers" and "crackers" is the need to brag about their conquests.
--
nam et ipsa scientia potestas est


boogietillyapuke
B.O.H.I.C.A.
Premium
join:2000-09-14
On Da' Edge

reply to somehat

Re: Black, White or Red Hat?

Why Red? I understand the concept of black/white but most of the time we live in only 256 shades of gray depending on time and circumstance. You obviously possess the skills to be a real "Pain in the ass" if you chose to be, and gravitate towards the white side of gray. I say "ROCK ON". Ensure that you "cover your six", or in layman's terms, watch your ass. I wish I possessed the skills to help but I don't so I'll just sit here and hide behind my firewall.
--
Duct tape is like the force; it has a light side and a dark side, and it holds the universe together.


TransitMan
Premium,MVM
join:2000-09-05
Dayton, OH
kudos:1
Reviews:
·RoadRunner Cable

reply to somehat

Ok, now I see.........

Ok, since I did a trace back on your ISP, I know where you come from, however, with respect to what you did, in one way I admire it, and in another I don't.

said by somehat:
In your country you have something called a "citizen's arrest", and I believe it is against the law _not_ to act when a crime is committed.
You are correct in that above assumption, however, you must realize that to take things into your own hands is not right. Probably the most correct thing to have done was to notify your ISP of the infringements to those systems, and to let them take matters in their hands. Just as those hoods would attempt to set up shop, some diligent person would notify the authorities about it and then the matter would be in the hands of law enforcement.

2K is correct to say that we at DSLR do not condone any acts of hacking, no matter how righteous it may seem. You simply have opened the door for others to do what you have done, and by posting the first post as to how you solved the problem, you have invited those people to create a work-around for it. Your best option, again, was to notify the authorities. Yes, it may be that you might have gotten into trouble, but you might have saved face with those whose systems you invaded.

I do not suggest or recommend that you do it again, as someone may try to bait you. I do suggest and recommend that you police your own system, and as a matter of courtesy, do not invade other systems again. You will surely invite trouble where none was before.

said by somehat:
If the owner of an infected machine choose not to act when given the information, or is unable to act, is *anybody* entitled to clean the system from the outside? Who...?
The answer to this above question is simply, no. Although some people have been warned about an infection on their machine, some do not want to take the time to correct it. And it is not up to us to correct it for them. When Anti-Virus software makers put out the warnings about infections, it is up to each individual owner or owners to take corrective action. It is not up to "vigilantes" to do it for them. Again, if they do not want to act, you must leave well enough alone, for all concerned.

said by somehat:
The lion worm has no master. It randomly scans and tries to infect other vulnerable systems each minute (or if it was 100 seconds). The infected machine is wide open to _anyone_.
The above statement about the worm may be accurate, however, I am not well versed in Linux/Unix code. And since I believe it also is intended for Windows systems as well, my 2 AV programs as well as my trojan scanner have me pretty well covered. But I do take diligence in my system, and I always check to see what comes and goes by way of Zone Alarm. So if a worm/trojan wanted to phone home, it has to go through ZA first.

It is best if you leave well enough alone. Do not attempt to correct your "good" deed. You may well get caught accessing those machines again if you do.
--
TODAY IS THE FIRST DAY OF THE REST OF YOUR LIFE. SO GET OVER IT.

[text was edited by author 2001-04-14 21:22:50]


Hall
Premium,MVM
join:2000-04-28
Dayton, OH
kudos:1

reply to TransitMan

Re: Black, White or Red Hat?

said by TransitMan:
From what I've read and interpreted, he was merely cleaning out a worm that had infected his machines of his organization. And he was writing code to keep it in check and from happening again.

Now, should he go to jail for this? No, I don't think so. If he was acting within the scope of his duties, he was perfectly legal to take whatever action needed to stop the worm cold...
I interpreted this differently. He mentions being scanned by (29) different machines, possibly all directed at his (1) machine. Of those (29), he found that (7) had been infected by the 1i0n "worm". He then set about "cleaning" them up. Even though his intentions were good, they weren't his machines. He should have e-mailed the admins as he did and left it at that. If *your* machine scanned his, would you appreciate it if he "fixed" it for you, w/o your permission ?? I'd bet not !!

The simplest fact is, being scanned by other machines on port 53 (DNS) is usually considered pretty harmless. I'm not familiar with the "lion" worm though... let me finish reading the "whitehat" link he posted...

Okay, it's quite a long article and I'm not interested in reading it all. But, what I saw so far is that yes, (7) of the machines that scanned him certainly appear to be affected by this lion worm. What it does is take advantage of a security flaw in BIND (this was a rather well-publicized exploit a few months ago). Now, if his machine isn't running BIND, I'm not sure that there's any risk to him.

Back to my original thought though. The machines he accessed weren't his, so by him accessing them, he's in the wrong.
--
-= Mindspring Max via Covad 1500/384 TeleSurfer Pro =-


Hall
Premium,MVM
join:2000-04-28
Dayton, OH
kudos:1

reply to Rocktagon

Re: Are you seeking validation?

said by Rocktagon:
...I do however think posting the actual *nix commands in a public security forum serves no purpose other than to boost your ego...
Don't worry, the commands he posted are all pretty basic. There's nothing high-level or advanced there at all.
--
-= Mindspring Max via Covad 1500/384 TeleSurfer Pro =-


Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Host:
Security Product V..
Security

reply to somehat

Re: Black, White or Red Hat?


Black, White or Red? Well, the fact that you feel a need to brag about it tells me which side you belong to. You're definitely not red though. If you have proper protection your system was never in danger, therefore whatever you did is unjustified. The claim of self defense only holds water in courts if you are actually in danger.

As for what you did, yes you broke the law and you didn't do it simply because you wanted to clean up their system out of the goodness of your heart. You did it so you can brag about it. But I'm sorry to tell you that no one here really cares.

As for the commands on somehat's post, well there's nothing genius there. If you don't know much about *NIX they are just Chinese to you and if you do know *NIX you'll realize that there's nothing there that you already don't know and there's certainly nothing much to brag about. I'll leave them be.
[text was edited by author 2001-04-15 08:03:18]


somehat

@210.104.x.x

reply to somehat
Please, try to understand that the *nix "commands" in my first post were intended as a wakeup call for those of us (yes, I too) who mostly pay lip service to the call for security. We all too commonly think: "Ahhh yes... but it wouldn't fool me. I _know_ my system. What my firewall, tripwire won't catch, I will". Feeling snug - comfy.

While the truth is: *nix systems contain too many executable files, symbolic links, convoluted directories (that's why I don't use Red Hat myself) and configuration files for any human to keep tabs on. If you're rooted, do the right thing!

I don't have any ego to boost. Cultural thing...

But I do have a conscience. Tonight I'll remove the backdoors on those seemingly stable systems. Problem is that they still run the vulnerable BIND DNS server through which the worm entered. Security alerts were issued in February so it will take quite a loooong while before the critter can be considered clinically dead.

And in the mean time... (on _this_ planet).

Well, thanks for your input. We all need the opinions of our neighbours to stay reasonably sane. And my post WAS a security alert of its own kind. The lion/ramen/red worms should be treated with... not respect... but a sharp knife.



shortckt
Watchen Das Blinken Lights
Premium
join:2000-12-05
Tenant Hell

reply to somehat

Re: Black, White or Red Hat?

said by somehat:
Decided to create a better backdoor on the next systems and not leave any /root.message.txt... Surveillance technique. Did the next three systems. Cleaned the worm stuff and installed my improved backdoor.
This action on your part shows your intent to cross the line. Who appointed you to be the stealth security officer of those machines owned by other people?

I understand you have only good intentions but I would be angry if you did that to my machine without even attempting to notify me about the problem first.

said by somehat:

What to do? Just roll over and play dea... deaf? Not my problem?
Let's see, you could 1) filter those machines' IPs at your router and never hear from them again. 2) notify their ISP and let them do whatever they will do about their own customer.
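A defender-side counterpart to the "29 different machines" tally in the opening post and to the advice just above to filter or report the scanning hosts. This is an added example, not code from the thread or from any poster: it aggregates inbound probes of port 53 per source address from firewall logs over a 14-day window and renders a report that can be sent to the owner or ISP. The syslog field layout, the year (syslog lines carry none) and the RFC 1918 sample addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines imitating a Linux packet-filter syslog format
# (SRC=/DST=/PROTO=/DPT= fields). Addresses are RFC 1918 placeholders,
# not real scanners; the host at 192.168.0.2 is the one being probed.
SAMPLE_LOG = """\
Apr  1 02:11:09 gw kernel: IN=eth0 SRC=10.1.2.3 DST=192.168.0.2 PROTO=TCP SPT=1055 DPT=53 SYN
Apr  1 02:11:10 gw kernel: IN=eth0 SRC=10.1.2.3 DST=192.168.0.2 PROTO=TCP SPT=1056 DPT=53 SYN
Apr  3 14:40:51 gw kernel: IN=eth0 SRC=10.9.8.7 DST=192.168.0.2 PROTO=TCP SPT=3301 DPT=53 SYN
Apr  5 09:00:00 gw kernel: IN=eth0 SRC=10.5.5.5 DST=192.168.0.2 PROTO=UDP SPT=53 DPT=53
Apr 12 23:59:59 gw kernel: IN=eth0 SRC=10.7.7.7 DST=192.168.0.2 PROTO=TCP SPT=4000 DPT=80 SYN
Apr 14 00:00:01 gw kernel: IN=eth0 SRC=10.9.8.7 DST=192.168.0.2 PROTO=TCP SPT=3302 DPT=53 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year):
    """Return (timestamp, src, proto, dport) or None if the line is not a packet-filter entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog omits the year, so the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def probes_by_source(log_text, port=53, window_days=14, end=None, year=2001):
    """Aggregate inbound probes of `port` per source address.

    Only events in the window (end - window_days, end] are counted; `end`
    defaults to the newest timestamp in the log. Returns a dict keyed by
    source address with count, protocols seen, and first/last timestamps.
    """
    hits = {}
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    if not events:
        return hits
    end = end or max(e[0] for e in events)
    start = end - timedelta(days=window_days)
    for ts, src, proto, dport in events:
        if dport != port or not (start <= ts <= end):
            continue
        rec = hits.setdefault(src, {"count": 0, "protos": set(), "first": ts, "last": ts})
        rec["count"] += 1
        rec["protos"].add(proto)
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return hits


def abuse_report(hits):
    """Render one line per source, busiest first, for mailing to the owner or ISP."""
    lines = []
    for src, r in sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0])):
        protos = "/".join(sorted(r["protos"]))
        lines.append(f"{src:<15} {r['count']:>3} probe(s) {protos} "
                     f"first {r['first']:%b %d %H:%M:%S} last {r['last']:%b %d %H:%M:%S}")
    return lines


if __name__ == "__main__":
    hits = probes_by_source(SAMPLE_LOG)
    print(f"{len(hits)} distinct sources probed port 53 in the last 14 days")
    print("\n".join(abuse_report(hits)))
```

A single hit from one source may be a misdirected lookup rather than a worm, which is why the count and protocol columns are kept in the report and the judgement is left to the reader.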


Bobb5
Premium
join:2001-02-16
Kent, WA

This guy needs to seek professional help and not the attention of others because of being dissatisfied with his own life. Also, I thought this type of junk was not allowed on DSLR?
--
Have you hugged your Glock today?



Gomez
Exile in waiting
Premium,Ex-Mod 06-11
join:2001-02-21
Atlanta, GA

reply to somehat
You can look here for justification, but you won't get it from me. Telnetting to sendmail and manually sending email to root, fine. But, entering the system goes far beyond an acceptable reaction.

There is not a single security consultant that would enter a customer's site without a request to do so, unless they are on contract, and even then, they might do an inspection, but through normal means. You weren't in the position to even think about entering those systems. Your action, while making a band-aid solution to the problem, destroyed the data needed to fingerprint the attack, and the tools used. Additionally, in doing that, you put YOUR fingerprints on top of it.

The analogy of the open door looks nice at first read, but a second read shows you opened the door, rearranged some furniture, closed the door, and checked back. Sorry, it doesn't work for me, although I honestly DO see good intentions.

I do have a problem with the detail being posted. Yes I know it's all over the net, but the average script kiddy can't figure out google (unless they are 31e7), but with a few modifications, your post could be easily turned into a how-to, (not a good one mind you).

I'm really confused on the mixed messages. One machine, you write a message to root, and halt the machine. Next one, you decide that you want to be sneaky and turn off shell history (sneaky you). So why do you need to hide yourself on this second go? (I'll be stuck on that question for a while).

So, if you want my opinion, you did a not so smart thing, and did it in a very sloppy way.
--
Before you criticize a man, walk a mile in his shoes. Then criticize, you're a mile away, and you have his shoes.
Do you moo?



Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Host:
Security Product V..
Security

reply to somehat
Boy, you guys are tougher than I am. On second thought, and as per members' requests, I edited the instructions. Too bad somehat, you're not getting your fix here. The masses have spoken.
--
You can catch the Devil, but you can't hold him long.



Kalford
Seems To Be An Rtfm Problem.
Premium,MVM
join:2001-03-20
Ontario
kudos:1

reply to somehat
I was walking by a house the other day I noticed a window that was strangely left open. Being raised properly by my parents, I did the only moral thing that could be done and, pulling out my cat burglary equipment, (which I have never used for immoral purposes), I opened up their doors to investigate...

I then proceeded to enter the premises and after looking around, found that it had indeed been broken into and its security system compromised.

Naturally, I then continued with what all responsible citizens would do and fixed the security system to my own satisfaction, made my own set of keys to the back door and left.

I would have notified the true authorities, but they aren't really needed here, for I know much more about cat burglary than they do. (but I'm not a bad cat burglar . . . .honest)

I then proceeded to look at the next few houses on the block to make sure they weren't in any danger from cat burglars.

Now then. . . Please give me a pat on the back for my good deeds OK?
--
There are many beautiful things you will find when you shut your mouth and open up your mind



Gomez
Exile in waiting
Premium,Ex-Mod 06-11
join:2001-02-21
Atlanta, GA

Kalford,

I had another post on this; it took me 45 minutes to write.

I'll be more than happy to delete it and hit the vote button.

Perfect analogy.



Wxman
Premium
join:2000-09-02
Caledonia, MI

reply to somehat
This bothers me a lot. I also had a big reply set up, But Kalford said it all. You had no right going into those boxes. PERIOD.

Kalford, you get all my votes today.

Wx



31337

join:2000-11-22

reply to somehat
I do not agree with the actions of somehat and I would hate to have someone enter my system and secure it for me. But..... I also hate admins who do not pay attention to security and leave their systems open for any worm that happens to float by. These admins are responsible for many of the denial of service attacks which threaten us all. They are the "carriers" for these worms and are almost as responsible for their spreading as the creator... well, that may be a little strong but they do make the creator's job a lot easier.
What is the solution? By the time an ISP reacts the offender's machine could have spread the worm to hundreds of systems. Maybe a counter worm that uses the same exploits, roots the system and removes or notifies the admin?
The example of an open window is a good one, but an open window does not threaten the rest of the community. Yes, I know, if I secure my machines I do not have to worry about it.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Kalford
This is a positively lousy analogy, and I'm disappointed that everybody is so enamored with it.

The original poster did not go wandering around the internet looking for machines to fool with: these machines came looking for him. Furthermore, he did not secure these errant machines for the benefit of the machine owners: he did it as a public service for the rest of the internet. These machines were performing hostile acts, and at some point the notion of "self defense" is appropriate.

As for "I would have notified the true authorities", this is ridiculous. I don't know if any of you have ever tried to report cracked servers in Korea or China: I have and have not received a response on a single one. Now I don't bother, nor do any of my security consultant friends.

Now maybe you don't like this guy's style, and I'm not so sure I do either. Looking for a pat on the back always comes across as juvenile or worse, and maybe he made a fool of himself here. But it is not clear to me that his acts with these remote machines were so morally outrageous.

I have done similar in the past. The NETWORK.VBS virus is one that infects Windows machines that have shared C drives, and its job is to search out other open shares of random IP address ranges. I have seen these scans in the logfiles of my or my customer routers, and when I find an attacker that is clearly NETWORK.VBS, I have connected to the share, disabled the virus (and usually Windows Scripting Host), and dropped a note on the desktop suggesting how to fix the problems more generally (turn off sharing, install a personal firewall, etc.) I didn't do this as a favor to the hacked boxes: I did it as a favor to you.

The propriety of this behavior is an absolutely legitimate discussion for this forum, and reasonable minds will differ. Even if one broadly approves of this behavior (as I do), one is free to oppose publicly discussing the details or deride somebody looking for a pat on the back.

But this analogy confuses

  • who started it
  • who is the beneficiary
and I simply could not leave this without commenting.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / steve@unixwiz.net

over 12.5 years online © 1999-2012 dslreports.com.