[NTLUG:Discuss] SRJ servers hacked and destroyed!
MadHat
madhat at unspecific.com
Mon Jul 10 07:22:46 CDT 2000
I am sorry you were broken into and defaced, I have been there on more
than one occasion. Computer security, Linux or not, is not a part time
job, the battlefield is changing on a daily basis. I have noticed that
you have gotten some very good information from some of the people here
(I recommend SecurityFocus and BugTraq), even though you have come out
attacking what appears to be just about everyone. Attrition is not a
business, they are a simple repository of security information and they
happen to host defaced web pages. This is actually quite helpful, as
it keeps track of what systems get hacked more often, by who, etc...
It is a touchy subject of "hackers v. crackers". But know this, that
quite a few people on this list (and many other Linux mailing lists)
consider themselves "hackers" in the original sense. Unfortunately the
media has branded the term hacker to a negative persona and negative
actions. I do recommend looking at the Jargon file or picking up the New
Hacker's Dictionary (printed version of the Jargon file). They both
have some great info and can shed light on where some expressions came
from and their original meaning.
We understand your frustration and will help if we can, but accusing
people on this list of illegal actions is not going to help anyone.
"Daniel L. Shipman" wrote:
>
> SRJ servers hacked and destroyed!
>
> For the past 3 days I have been defending the SRJ servers from hacking
> invaders from Kuwait, Brazil, Plano, Sherman, and somewhere in WY.
>
> The hackers scanned ports, entered in with FTP and telnet by utilizing
> AdmRocks to overflow the Named buffer. I was running Bind 8.2.1 - I strongly
> encourage anyone who is running bind to upgrade to bind 8.2.2 Patch 5
>
> The folks who hacked me are called the "Shitkingz" they replaced the
> index.html file for each users public_html directory with their own which
> included child pornography images pulled from a geocities account
>
> I was first informed of the attack by attrition.org - the most disgusting
> business organization in the world - I contacted the FBI ASAP and have been
> working with them non stop.
>
> Thus far I have incurred in excess of $14,500 in lost time, billing, and
> revenue
>
> Prior to format on July 5th I ran dd on the HD followed by strings and saved
> the image of the hacked drive to separate files on the same HD. The parsed
> data I was able to recover and save before the format, partitioning, and
> re-install of the HD have been forwarded to the FBI. I have access to copies
> of /etc /var /bru /root that were made on July 5. I know they used the
> AdmRocks kit because I found a folder in /var/named called "Admrocks". A
> search of the file system for "\.\.\." found nothing. All logs were rm'd
> and many files, including wtmp were linked to /dev/null. The only reason I
> was able to get the logs I did was because they didn't zero out the files
> prior to rming them.
>
> Just thought you all would like to know what's been going on around my place
--
MadHat at unspecific.com
"The 3 great virtues of a programmer:
Laziness, Impatience, and Hubris."
--Larry Wall
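
The indicators named in the quoted message (files linked to /dev/null, a search for dot-only directory names, the "Admrocks" folder under /var/named) can be collected in one read-only walk over a mounted copy of the drive. This is an added example, not part of the original thread; the function names, the sample tree and its lastlog entry are constructed for illustration.

```python
import os
import re
import tempfile

# Names made only of dots and spaces ("...", ".. "): the kind of hidden
# directory the "\.\.\." search in the quoted message looks for.
DOT_NAME = re.compile(r"^\.[. ]+$")

def triage(root, kit_names=("admrocks",)):
    """Walk a mounted copy of the filesystem and collect three indicators."""
    root = os.path.abspath(root)
    found = {"nulled": [], "dot_dirs": [], "kit_dirs": []}
    image_null = os.path.join(root, "dev", "null")
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # Resolve relative targets against the link's own directory;
                # an absolute target is returned unchanged by os.path.join.
                target = os.path.normpath(os.path.join(dirpath, os.readlink(path)))
                if target in ("/dev/null", image_null):
                    found["nulled"].append(rel)
                continue
            if name in dirnames:
                if DOT_NAME.match(name):
                    found["dot_dirs"].append(rel)
                if name.lower() in kit_names:
                    found["kit_dirs"].append(rel)
    return {kind: sorted(paths) for kind, paths in found.items()}

def build_sample(root):
    """Constructed sample tree standing in for a mounted image."""
    for d in ("var/log", "var/named/Admrocks", "tmp/..."):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "var/log/messages"), "w") as f:
        f.write("constructed log line\n")
    os.symlink("/dev/null", os.path.join(root, "var/log/wtmp"))
    os.symlink("../../dev/null", os.path.join(root, "var/log/lastlog"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, paths in triage(tmp).items():
            print(kind, paths)
```

Run it against a read-only mount of the dd image rather than the live disk, so the walk does not change access times on the evidence.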