From: ·········@random-state.net
Subject: Common-lisp.net down due to attack
Date: 
Message-ID: <cgdv2r$6lt6s$1@midnight.cs.hut.fi>
Common-lisp.net is down for maintenance due to an apparent break-in. No
real time-frame for the attack is known yet; details will be supplied in
time.

This downtime period will probably be utilized for moving hosting to
better premises where our sandboxing abilities should be better, even
though that may extend the downtime somewhat.

We apologise for the inconvenience,

 -- Nikodemus Siivola, on behalf of Common-lisp.net

From: William Bland
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <pan.2004.08.24.01.19.58.600100@abstractnonsense.com>
On Mon, 23 Aug 2004 23:36:59 +0000, nikodemus wrote:

> Common-lisp.net is down for maintenance due to an apparent break-in. No
> real time-frame for the attack is known yet; details will be supplied in
> time.
> 
> This downtime period will probably be utilized for moving hosting to
> better premises where our sandboxing abilities should be better, even
> though that may extend the downtime somewhat.
> 
> We apologise for the inconvenience,
> 
>  -- Nikodemus Siivola, on behalf of Common-lisp.net


Oh, for fsck's sake, what do people get out of doing this kind of thing?
Bloody idiots - it's a lot easier to destroy than it is to create.

Best wishes and good luck for a successful recovery of Common-lisp.net

Cheers,
	Bill.
-- 
Dr. William Bland.
It would not be too unfair to any language to refer to Java as a
stripped down Lisp or Smalltalk with a C syntax.   (Ken Anderson).
From: Karl A. Krueger
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <cgeb49$1m4$1@baldur.whoi.edu>
William Bland <·······@abstractnonsense.com> wrote:
> On Mon, 23 Aug 2004 23:36:59 +0000, nikodemus wrote:
>> Common-lisp.net is down for maintenance due to an apparent break-in. No
>> real time-frame for the attack is known yet; details will be supplied in
>> time.
> 
> Oh, for fsck's sake, what do people get out of doing this kind of thing?
> Bloody idiots - it's a lot easier to destroy than it is to create.

Well, since you asked, and since system security is what I do ...

Seemingly random or purposeless break-ins seem to be done for a number
of purposes.  One of the most widely reported -- "Web site vandalism",
or kids breaking in to Web sites only to put up rude messages -- was
pretty common a few years ago, but seems to be much less so now.  Recent
attacks seem to be substantially more sinister in the large.

One of the most common types of "random" break-ins I see appears to be
done in order to use the target system as a staging area for other sorts
of attacks.  Any system the attacker can gain a shell on can be used to
go break into other systems -- and the more hosts between the human
attacker and his ultimate target, the harder his trail is to follow.

A common method is to install backdoors on cracked systems, which can be
controlled by any number of means.  One used on both Unix and Windows
systems is an IRC bot, which logs on to a designated IRC server and
accepts commands -- "scan this", "pingflood that", and so forth.  I've
gone on IRC channels where *dozens* of these bots are logged in waiting
for directions from an attacker.

	Google search:  "IRC bot backdoor"

There is a black market in compromised systems, as well.  Organized and
less-organized crime need them for several purposes.  One is spamming.
Spammers use compromised hosts -- mostly, these days, home Windows
systems -- to send spam.  A list of "fresh open proxies", or newly
cracked hosts with proxy software installed, can be sold to spammers.
The payoff can be in money diverted to a PayPal account, or in stolen
credit card numbers.

	Google search:  "fresh open proxies"

Another "mobster-ish" use of cracked systems is extortion.  The criminal
threatens an online gambling or porn site as follows:  "Send me a few
thousand dollars, or I'll flood your site off the Net."  If the site
won't pay up (or so the threat goes) the crooks will use cracked systems
to bombard the site with junk traffic.

	Google search:  "online flood extortion"

Finally, another one I've seen is to use the cracked system as a file
server or Web site for illegal purposes.  Some spammers use cracked
systems not only as proxies to send spam, but as Web and DNS hosting for
the sites advertised in the spam.  Any sort of contraband data -- from
bootleg software and movies, to national secrets, to child pornography
-- is also a good candidate to be hosted on a cracked system, just as
abandoned warehouses get used in the illegal drug trade.  One Windows
2000 FTP server at my workplace a couple of years ago got filled up by
an anonymous visitor with bootleg PlayStation games, porn movies, and
Star Trek episodes.

In some cases, it may be that the attacker doesn't have any *specific*
use in mind.  Having a few cracked systems available is like having a
few fake IDs in different names.  For the upwardly mobile online
criminal, it's an essential tool to hide what you're doing, to send
investigators through a few extra hoops to find you (and believe me,
tracing back logs across multiple systems is NO FUN, especially when the
systems' clocks are wrong), or possibly just to keep in practice.

-- 
Karl A. Krueger <········@example.edu>
Woods Hole Oceanographic Institution
Email address is spamtrapped.  s/example/whoi/
"Outlook not so good." -- Magic 8-Ball Software Reviews
From: William Bland
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <pan.2004.08.24.03.56.27.860726@abstractnonsense.com>
On Tue, 24 Aug 2004 03:02:35 +0000, Karl A. Krueger wrote:

> William Bland <·······@abstractnonsense.com> wrote:
>> On Mon, 23 Aug 2004 23:36:59 +0000, nikodemus wrote:
>>> Common-lisp.net is down for maintenance due to an apparent break-in. No
>>> real time-frame for the attack is known yet; details will be supplied in
>>> time.
>> 
>> Oh, for fsck's sake, what do people get out of doing this kind of thing?
>> Bloody idiots - it's a lot easier to destroy than it is to create.
> 
> Well, since you asked, and since system security is what I do ...

Hmm, interesting stuff.  I did know about (most of) these uses for cracked
boxes, but had assumed they would be limited to Windows machines since
those are more numerous and easier to break into.  On the other hand I
suppose one might expect to find more bandwidth and other resources
available to typical Linux/BSD boxen which might make them worth the
extra work?

Cheers,
	Bill.
-- 
Dr. William Bland.
It would not be too unfair to any language to refer to Java as a
stripped down Lisp or Smalltalk with a C syntax.   (Ken Anderson).
From: Karl A. Krueger
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <cgfohh$fn6$1@baldur.whoi.edu>
William Bland <·······@abstractnonsense.com> wrote:
> On Tue, 24 Aug 2004 03:02:35 +0000, Karl A. Krueger wrote:
>> 
>> Well, since you asked, and since system security is what I do ...
> 
> Hmm, interesting stuff.  I did know about (most of) these uses for cracked
> boxes, but had assumed they would be limited to Windows machines since
> those are more numerous and easier to break into.  On the other hand I
> suppose one might expect to find more bandwidth and other resources
> available to typical Linux/BSD boxen which might make them worth the
> extra work?

You might be surprised.  A majority of home Internet users in the U.S.
have broadband access these days, and most retain their IP address most
of the time.  Breaking into a home Windows system therefore does deliver
the attacker a pretty reliable connection with substantial bandwidth.
Most home users and their ISPs also have zero (or very little) intrusion
detection, so they are less likely than a Unix operator to detect and
usefully respond to attack.

Recall, many home users today are largely incapable of responding even
to application-level threats like spyware.  A system with dozens of
malicious processes running on it is considered by many users to simply
be "slow" -- a performance problem rather than a security problem.
Users often lack either the knowledge or the will to patch their
systems, avoid insecure software, detect compromises, or respond
usefully to them.

(If end users were capable of making good security choices, the current
Internet Explorer spyware problem would not exist.  Either the users
would choose not to use Internet Explorer, or they would reliably use
anti-spyware software in the same way that some of them use anti-virus
software.)

End-user ISPs are likewise frequently incapable of dealing with attacks
being perpetrated from their network -- take for instance the cable-
modem provider Comcast, whose network has been described as the world's
biggest source of spam (sent through infected systems).  The end-user
ISP has to deal with unprotectable users who nonetheless demand service.
If they allow infected hosts to stay on the network, they are doing
wrong to the rest of the Internet; if they cut off infected hosts, they
get a black eye with their unknowing customers.  The ISPs have -- at no
fault but their own, collectively -- placed themselves in a situation
where all options are bad.

-- 
Karl A. Krueger <········@example.edu>
Woods Hole Oceanographic Institution
Email address is spamtrapped.  s/example/whoi/
"Outlook not so good." -- Magic 8-Ball Software Reviews
From: Rob Warnock
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <44ydnXZNeLe1i7bcRVn-ug@speakeasy.net>
Karl A. Krueger <········@example.edu> wrote:
+---------------
| William Bland <·······@abstractnonsense.com> wrote:
| > Oh, for fsck's sake, what do people get out of doing this kind of thing?
| > Bloody idiots - it's a lot easier to destroy than it is to create.
| 
| Well, since you asked, and since system security is what I do ...
| 
| Seemingly random or purposeless break-ins seem to be done for a number
| of purposes.  One of the most widely reported -- "Web site vandalism",
| or kids breaking in to Web sites only to put up rude messages -- was
| pretty common a few years ago, but seems to be much less so now.  Recent
| attacks seem to be substantially more sinister in the large.
|
| One of the most common types of "random" break-ins I see appears to be
| done in order to use the target system as a staging area for other sorts
| of attacks.        [...much other good stuff trimmed...]
+---------------

Yup. One of the reasons I haven't been as active as usual here lately
is that I've been helping a non-profit I'm associated with respond to
a series of attacks on their web/mail server. First came the entry
(we're still not sure how, but it was an *old* version of Linux), then
a rather thorough "rootkitting" [including installing modifications to
system calls into the kernel!], then the IRC servers, and the spam bots,
and so on. It was clear that the first intruders were "just having fun",
while later ones (using backdoors the first set had left behind and had
advertised on chat boards) were much more serious. What few logs weren't
destroyed by the intruders showed that several different groups were
involved.

We had to move servers *twice* (with more up-to-date system software)
to get rid of it all [and we're still not 100% sure], due to Trojan
Horses that had been planted in PHP-driven parts of the site and in
CGI scripts/programs.

[Note: A lot of PHP coders don't seem to realize that PHP is potentially
*very* unsafe, due to the "exec" and "popen" operators, if you don't
*carefully* validate your HTML form data and watch out for how many
times you allow strings to be re-substituted. (Oops. CL's "#." anyone?)]

+---------------
| 	Google search:  "IRC bot backdoor"
| 	Google search:  "fresh open proxies"
| 	Google search:  "online flood extortion"
+---------------

Yup, yup, yup -- they did all of that, including installing a
PayPal-lookalike phishing site and then sending threatening mail
to the organization's officers claiming the latter were the phishers.

What a mess...  :-(


-Rob

-----
Rob Warnock			<····@rpw3.org>
627 26th Avenue			<URL:http://rpw3.org/>
San Mateo, CA 94403		(650)572-2607
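As an added illustration of the PHP hazard Rob describes (example code written for this edit, not anything from the thread or from the site in question; the form handler and function names are hypothetical):

```php
<?php
// Added illustration (not code from the thread). A hypothetical form handler
// that pings a user-supplied host, first in the unsafe pattern Rob Warnock
// describes, then hardened. Function names are invented for this example.

// Unsafe: the raw form field is spliced into the command line. exec() hands
// the string to /bin/sh, so any shell metacharacter in $_POST['host'] is
// interpreted as shell syntax rather than as part of a hostname.
function ping_host_unsafe(array $form): string
{
    $output = [];
    exec("ping -c 1 " . $form['host'], $output);
    return implode("\n", $output);
}

// Step 1 of the fix: validate the value against what a hostname or IP address
// may legitimately look like, and reject everything else outright.
function validate_host(string $value): string
{
    $value = trim($value);
    if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
        return $value;
    }
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($value) <= 253 && preg_match("/^$label(\\.$label)*$/", $value) === 1) {
        return $value;
    }
    throw new InvalidArgumentException('host is not a valid hostname or IP address');
}

// Step 2: even a validated value is passed through escapeshellarg(), which
// wraps it in single quotes so the shell sees exactly one literal argument.
// escapeshellarg("a b") === "'a b'"; it also neutralises any embedded quote.
function build_ping_command(string $host): string
{
    return 'ping -c 1 ' . escapeshellarg(validate_host($host));
}

function ping_host_safe(array $form): string
{
    $output = [];
    exec(build_ping_command($form['host'] ?? ''), $output);
    return implode("\n", $output);
}

// The same two steps apply to popen(), system(), shell_exec() and backticks.
// Never re-interpolate the value into another string (eval(), a second
// template pass) after validation; each extra substitution is another place
// where the quoting can be undone, which is the re-substitution problem Rob
// mentions.
```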
From: Michael Hudson
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <m34qmsiqqm.fsf@pc150.maths.bris.ac.uk>
"Karl A. Krueger" <········@example.edu> writes:

> Finally, another one I've seen is to use the cracked system as a file
> server or Web site for illegal purposes.  

A compromised system I am vaguely connected with appeared to be being
used to distribute files via a specialized IRC bot.  The files:
Redhat ISOs.  The world is a strange place, and some of the people in
it are pretty dumb.

Cheers,
mwh

-- 
  I never disputed the Perl hacking skill of the Slashdot creators. 
  My objections are to the editors' taste, the site's ugly visual 
  design, and the Slashdot community's raging stupidity.
     -- http://www.cs.washington.edu/homes/klee/misc/slashdot.html#faq
From: Paul F. Dietz
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <D_SdnYh5N8G20LbcRVn-hw@dls.net>
Michael Hudson wrote:

> A compromised system I am vaguely connected with appeared to be being
> used to distribute files via a specialized IRC bot.  The files:
> Redhat ISOs.  The world is a strange place, and some of the people in
> it are pretty dumb.

I could see blackhats distributing modified ISOs in this way (with backdoors
already installed.)

	Paul
From: Karl A. Krueger
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <cgfola$fn6$2@baldur.whoi.edu>
Michael Hudson <···@python.net> wrote:
> "Karl A. Krueger" <········@example.edu> writes:
>> Finally, another one I've seen is to use the cracked system as a file
>> server or Web site for illegal purposes.  
> 
> A compromised system I am vaguely connected with appeared to be being
> used to distribute files via a specialized IRC bot.  The files:
> Redhat ISOs.  The world is a strange place, and some of the people in
> it are pretty dumb.

It isn't the guy who hosts freely redistributable software on a cracked
system who's being dumb.  It's the guy who trusts an ISO downloaded from
the cracked system.  :)

-- 
Karl A. Krueger <········@example.edu>
Woods Hole Oceanographic Institution
Email address is spamtrapped.  s/example/whoi/
"Outlook not so good." -- Magic 8-Ball Software Reviews
From: ·········@random-state.net
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <cgfm8n$6mrd7$1@midnight.cs.hut.fi>
·········@random-state.net wrote:

> Common-lisp.net is down for maintenance due to an apparent break-in. No

Good news is that we _may_ have been too deep into paranoid mode after the
real break-in a couple of months back, and that what we took as a sign of
intrusion was just a misconfiguration. Trigger happy, and so forth. We're
not yet sure about this, though.

> This downtime period will probably be utilized for moving hosting to
> better premises where our sandboxing abilities should be better, even
> though that may extend the downtime somewhat.

The "bad news" is that this still holds true, so the downtime may last
anything from a day or two to over a week, depending on how smoothly things
go.

Still sorry for the inconvenience,

 -- Nikodemus Siivola, on behalf of Common-lisp.net
From: ·········@random-state.net
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <cgihim$6qr2p$1@midnight.cs.hut.fi>
·········@random-state.net wrote:

> Common-lisp.net is down for maintenance due to an apparent break-in. No
> real time-frame for the attack is known yet; details will be supplied in
> time.

It has been verified that there was no real attack. We were spooked by a
misconfiguration that caused software that wasn't supposed to be installed
(specifically Samba) to run. Embarrassing but true. In retrospect we do
still feel that the decision to take Common-lisp.net down was a reasonable
one, given the amount of information he had at hand at the moment.

The move to new hosting is now well in progress. We hope to be back up and
running soon -- maybe even today, but within a couple of days on the
outside.

Embarrassed,

 -- Nikodemus Siivola, on behalf of Common-lisp.net
From: Alain Picard
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <87isb6w1ab.fsf@memetrics.com>
·········@random-state.net writes:

> Embarrassed,

Anyone who is voluntarily providing such an incredibly
useful service should not feel embarrassed in the _slightest_.

Thanks for all the great work.  Common-lisp.net is turning
out to be one of the most useful lisp resources around.

                             --ap

-- 
It would be difficult to construe this as a feature.
   -- Larry Wall, in article <·····················@netlabs.com>
From: Pascal Costanza
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <cgkqef$fh4$1@newsreader2.netcologne.de>
Alain Picard wrote:
> ·········@random-state.net writes:
> 
>>Embarrassed,
> 
> Anyone who is voluntarily providing such an incredibly
> useful service should not feel embarrassed in the _slightest_.

I second this!


Pascal

-- 
Tyler: "How's that working out for you?"
Jack: "Great."
Tyler: "Keep it up, then."
From: Sascha Wilde
Subject: Re: Common-lisp.net down due to attack
Date: 
Message-ID: <2p6pgeFh37rsU1@uni-berlin.de>
Pascal Costanza <········@web.de> wrote:
> Alain Picard wrote:
>> ·········@random-state.net writes:
>> 
>>>Embarrassed,
>> Anyone who is voluntarily providing such an incredibly
>> useful service should not feel embarrassed in the _slightest_.
>
> I second this!

me too!

And the best thing is, common-lisp.net is up again.  I just got the
latest cvs version of slime...

happy hacking
-- 
Sascha Wilde
We're Germans and we use Unix. That's a combination of two 
demographic groups known to have no sense of humour whatsoever.
  -- Hanno Mueller in de.comp.os.unix.programming