black hat .cn networks

Does anyone know if these China scares are for real? The probability
they are simply Pentagon/Administration propaganda seems too high
to discount. I ask because we've seen no increase in the (already
substantial) number of scans from CN/KR/HK/... netblocks. Does
any hard evidence exist?


In regard to the hacked websites, check out attrition's mirror page.

some examples of china vs usa:
http://www.attrition.org/mirror/attrition/2001/04/30/clerkweb.house.gov/
http://www.attrition.org/mirror/attrition/2001/04/30/www.energy.ca.gov/
http://www.attrition.org/mirror/attrition/2001/04/30/philadox.phila.gov/

some examples of usa vs china:
http://www.attrition.org/mirror/attrition/2001/04/30/www.chinashishi.com/
http://www.attrition.org/mirror/attrition/2001/04/30/www.sn.cninfo.net/

Roger Marquis

-ken harris.

Beat down Imperialism of American!

"all your base are belong to us" ?

I have seen this on one of my customers websites as well. This
was discovered yesterday. They have since taken their server
down. It was exactly like www.energy.ca.gov.

Jeffrey

It was a Monday in April when Roger Marquis said:

> The folks in the US who counterattack might be well advised to
> reconsider doing so. I would imagine that traffic from the US would be
> closely monitored. Any new hacking tricks that these counterattacks
> might use would then be recorded and analyzed. These techniques could
> then be used by them to further attack the US.

> Does anyone know if these China scares are for real? The probability
> they are simply Pentagon/Administration propaganda seems too high
> to discount. I ask because we've seen no increase in the (already
> substantial) number of scans from CN/KR/HK/... netblocks. Does
> any hard evidence exist?

About six months ago, I was doing some forensics on a cracked Linux
system belonging to a friend of mine. It had a rootkit installed, and
a .history file showed that the rootkit had been transferred to the
machine with rcp from the lp account on a host in China.

I logged into the lp account with rlogin. It had ++ in .rhosts.
It was a SunOS 5.5 system with no patches installed. The lastlog
showed logins from dial-up and DSL or cable accounts from all
over England, The Netherlands and the USA. It was obviously being
used as a hacking base and a rootkit repository. There were several
backdoors installed in the system, several setuid root shells lying
around here and there, and a ++ .rhosts file for every system account.

I guess China is an easy target to exploit in this way. General
knowledge of systems security seems low, and most people, even
intellectuals, lack foreign language skills. A complaint will
get ignored because the responsible person doesn't understand
the language it is written in, or even doesn't understand the
technical and security implications of what is happening.

All this makes me suspect the Chinese are victims in this matter,
rather than perpetrators.

In short: never attribute to malice that which can adequately be
explained with stupidity.
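The "++ in .rhosts" finding above is the kind of thing a quick audit should catch before someone else does. The following is an added example (not code from any poster on this thread) that walks a set of home directories, flags wildcard `+` host/user entries in each `.rhosts`, and also flags group- or world-writable files; the `demo()` fixture, the home-directory layout and the hostname `ws1.example.test` are all constructed for illustration.

```python
import tempfile
from pathlib import Path

def rhosts_findings(path):
    """Return (line_no, reason) tuples for risky entries in one .rhosts file."""
    findings = []
    for n, raw in enumerate(path.read_text().splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not entry:
            continue
        fields = entry.replace("++", "+ +").split()   # accept the bare '++' spelling too
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append((n, "'+ +': any user on any host, no password"))
        elif host == "+":
            findings.append((n, f"'+' host wildcard for user {user or '(same name)'}"))
        elif user == "+":
            findings.append((n, f"'+' user wildcard for host {host}"))
    return findings

def audit_home_dirs(root):
    """Audit every <home>/.rhosts under root; also flag group/world-writable files."""
    report = {}
    for rh in sorted(Path(root).glob("*/.rhosts")):
        items = rhosts_findings(rh)
        mode = rh.stat().st_mode & 0o777
        if mode & 0o022:
            items.append((0, f"mode {mode:o}: group/world writable"))
        if items:
            report[str(rh)] = items
    return report

def demo():
    """Constructed fixture: two fake home directories, one mirroring the post's lp account."""
    root = Path(tempfile.mkdtemp())
    for name in ("lp", "alice"):
        (root / name).mkdir()
    (root / "lp" / ".rhosts").write_text("+ +\n")          # the '++' entry the post describes
    (root / "lp" / ".rhosts").chmod(0o666)
    (root / "alice" / ".rhosts").write_text("# one named host only\nws1.example.test alice\n")
    (root / "alice" / ".rhosts").chmod(0o600)
    return audit_home_dirs(root)

if __name__ == "__main__":
    for path, items in demo().items():
        print(path, *items, sep="\n  ")
```

On a real host, point `audit_home_dirs` at `/home` (and at `/` for root's own `.rhosts`) and treat any non-empty report as something to fix, not just to read.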

This is exactly part of the problem with this entire issue: the Chinese,
while some of the kids are more than likely behind a few attacks,
but I am willing to bet that some US hackers and foreign hackers
are doing the attacks from hacked .cn accounts for entertainment
purposes and causing an international incident.

Overreaction does not resolve the problem. I would be more
worried about a missile defense system damaged by a micrometeor
that could potentially kill a couple million Americans
in one fell swoop.

Elias Halldor Agustsson wrote:

For those looking for evidence of attacks, I personally know of 3 boxes that
were hit and rooted this morning. The three attacks happened between 6:20am
and 7:04am. One NT box, one Linux box, and one as of yet unknown OS
(haven't gotten ahold of the person yet, but his bandwidth's maxed out and
way over what it ever is by about 15x). They're hitting port 80 this
morning. One hit from a Mapquest IP, one from bucket.rutgers.edu
165.230.8.106, and one from an APNIC netblock 210.33.68.1 . The webpages
they left indicated "fuq you, Americans" and indicated that they were part
of the Chinese offensive. PAM session authentication on the linux box noted
that a session was opened by user htdig (uid 0) and closed 4ms later.
Syslogs were wiped, so were last and lastlog output. The logs are available
still despite their efforts since the precaution was taken to have them sent
elsewhere and mailed immediately to boot. Other boxes may have been gotten
to as well, still looking at them all and unplugging them as I go/advising
suspected customers to unplug as well as I find them.

Fuq U2, Chinese. Got plenty of evidence here, and there's a death sentence
in China for doing this... provided it was really Chinese responsible. I'm
happily contributing all info I have towards investigation and prosecution,
and am going to get Mapquest and rutgers.edu to dig up all info they can to
track this shit back to where they got hit from.

Hey, just found another one. Note that all Linux boxes were locked pretty
damned tight, and even blocked numerous connection attempts on port 80 with
portsentry killing the connection and then dropping them to a null route.
But all it took was 4ms to run that script. Apparently there's probably a
hole in apache 1.3.14-2, as there were no world-writable files in the http
root structure... bugtraq should be interested in this. Have to see what I
can dig up post mortem as far as what they used.

"Time for a malenki lemtock of the ole ultraviolence, me droogs."

Cheers.
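The tell in the post above is a PAM session for a daemon account (htdig) that lived a few milliseconds, surviving only because syslog was also shipped off-box. As an added example (not the poster's own tooling), here is a small checker to run over those remotely stored logs: it flags sessions for service accounts opened through interactive services, sessions that close within a second of opening, and opens with no matching close. The log lines, hostname `web1`, PIDs and the account lists are constructed for illustration; the line format follows the classic `PAM_unix` "session opened/closed" message.

```python
import re
from datetime import datetime

# Constructed sample of remote-syslog lines (not real logs from the thread).
SAMPLE_LOG = """\
May  8 06:31:07 web1 PAM_unix[1422]: (login) session opened for user htdig by (uid=0)
May  8 06:31:07 web1 PAM_unix[1422]: (login) session closed for user htdig
May  8 07:02:55 web1 PAM_unix[1508]: (sshd) session opened for user jdoe by (uid=0)
May  8 07:45:10 web1 PAM_unix[1508]: (sshd) session closed for user jdoe
May  8 07:50:01 web1 PAM_unix[1600]: (cron) session opened for user root by (uid=0)
May  8 07:50:02 web1 PAM_unix[1600]: (cron) session closed for user root
"""

# Accounts that exist only to run a daemon and should never get a login/ssh session.
SERVICE_ACCOUNTS = {"htdig", "lp", "nobody", "www-data", "apache"}
# Services where short sessions for any account are normal (batch jobs).
BATCH_SERVICES = {"cron"}

PAM_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ PAM_unix\[(\d+)\]: "
                    r"\((\w+)\) session (opened|closed) for user (\S+)")

def parse_ts(stamp, year=2001):
    # Syslog timestamps carry no year; the sample is assumed to be from 2001.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def audit_pam_sessions(text, max_short=1):
    """Return a list of (pid, user, reason) alerts from PAM session lines."""
    alerts, open_sessions = [], {}
    for line in text.splitlines():
        m = PAM_RE.match(line)
        if not m:
            continue
        ts, pid, service, event, user = m.groups()
        if event == "opened":
            open_sessions[(pid, user)] = (parse_ts(ts), service)
            if user in SERVICE_ACCOUNTS and service not in BATCH_SERVICES:
                alerts.append((pid, user, f"service account session via {service}"))
            continue
        start = open_sessions.pop((pid, user), None)
        if start is None:
            alerts.append((pid, user, "close without matching open"))
            continue
        dur = (parse_ts(ts) - start[0]).total_seconds()
        if dur <= max_short and start[1] not in BATCH_SERVICES:
            alerts.append((pid, user, f"session lasted {dur:.0f}s"))
    for (pid, user), (_, service) in open_sessions.items():   # still open at end of log
        alerts.append((pid, user, f"{service} session never closed"))
    return alerts

if __name__ == "__main__":
    for alert in audit_pam_sessions(SAMPLE_LOG):
        print(*alert)
```

Syslog only gives one-second resolution, so the "4ms" in the post would have come from a finer-grained source; the same-second open/close is the closest this check can get from syslog alone.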

The past week I've seen attacks increase 5-fold, mostly 111/udp attacks
mixed with some lpr and ftp on the side. Also lots of http scanning, which
I haven't seen in quite a while.

-Dan

> The past week I've seen attacks increase 5-fold, mostly 111/udp attacks
> mixed with some lpr and ftp on the side. Also lots of http scanning, which
> I haven't seen in quite a while.

Yep, I'd seen them try port 111 scans as well from different hosts, but
since I never run RPC services, they didn't get anything off those. I
usually don't run http services either, but in this case got caught with my
pants down on a temporary exception. I was a few versions behind on apache,
however, as I just found out, which I'm sure didn't help the situation.

Well, back to the autopsy.

Take care and be well.

Justin

> there's a death sentence in China for doing this...
> I'm happily contributing all info I have towards investigation and
> prosecution,

When the rhetoric reaches "string 'em up, string 'em all up, it's the
only language they understand" levels, I fear the hope of finding any
signal in this noise is all but gone.

> "Time for a malenki lemtock of the ole ultraviolence, me droogs."

Hrm. Yes, indeed.

Don't you all have work to do?

I found a myth on this list that hacking a computer system is a
death sentence. I really don't know where and when this myth
started spreading on the Internet.

I guess the myth came from a case in which a hacker was executed, maybe
two years ago, and he was the first hacker sent to trial. I read
that news a couple of years ago, both in English and Chinese. The
hacker actually was executed for stealing millions of dollars from
a bank he used to work for, NOT for HACKING. According to Chinese law,
any criminal who commits a crime that involves more than $100,000
(the exact number might be wrong) can be sentenced to death.

However, nobody noticed the crime behind the hacking, only the hacking
itself.

As far as I know (again, my information might be out of date), China
does not have a law specifically for hacking a computer system if
the hacking itself does not cause any "damage" (I cannot define the
damage here, however).

Recently I read a news item on the 'Net saying that the People's Daily,
which is the official newspaper of the Chinese government, posted a message
saying it was illegal to launch an attack on any computer system. I don't
have more detailed information on this since I am not in Beijing at
this moment.

Justin Hinderliter wrote:

The story I read had it as two individuals. The not-so-bright one who had
access to the bank and the bright one who designed and built a device to
put inline at the bank. The device diverted the equiv of pennies per
transaction that passed through it to a bank account that the two had set
up somewhere. It was a brilliant scheme. They screwed up by trying to
withdraw huge amounts of money at a time. THAT's what got them caught.

The point the person was trying to make is still valid though. It would
not take long to come up with $100,000 worth of damages.

I don't want to debate this here, because it's really far from topic,
but understand that the reason why American hackers portray that as
death for hacking is because it's so very easy to make nearly any
hacking fit that criterion. Kevin Mitnick caused very limited physical
damages, but the courts accept that it was many millions of dollars in
intellectual property damages. Leaving aside all questions of what
happened and how much the realistic amount is, the fact is that someone
facing a Chinese court for hacking can go in not knowing if they're
facing trial for a non-crime, or for a capital crime, with the final
decision on that being basically up to the informed whim of a judge.

That's scary. Whether it's wrong or right (and I have a very strong
opinion on that, but it's not on topic here), it is scary.

So from a certain point of view, it's not a myth.

On Tue, May 08, 2001 at 02:51:49PM -0400, John Fraizer mailed:

> that news a couple of years ago, both in English and Chinese. The
> hacker actually was executed for stealing millions of dollars from
> a bank he used to work for, NOT for HACKING. According to Chinese law,
> any criminal who commits a crime that involves more than $100,000
> (the exact number might be wrong) can be sentenced to death.

> The story I read had it as two individuals. The not-so-bright one who had
> access to the bank and the bright one who designed and built a device to
> put inline at the bank. The device diverted the equiv of pennies per
> transaction that passed through it to a bank account that the two had set
> up somewhere. It was a brilliant scheme. They screwed up by trying to
> withdraw huge amounts of money at a time. THAT's what got them caught.

Isn't that the plot to Superman III?

You actually are quite correct, I was basing that statement on past
convictions, not on a comprehensive understanding of codified law in China.
That initial posting was also quite angst-ridden in reaction to my box being
compromised. Interpret it with those rose colored glasses in place. The
amount of money involved may well have played a role in the death sentences.

For some recent information pertaining to Chinese rules that are being
developed regarding Internet-related cases, check this link. There are also
links further down on the page dealing with issues like the spam email
issue.

http://latelinenews.com/ll/english/1011982.shtml

Also, since I made responses off-list to try to cut down on potentially
off-topic noise, I'll take a quick moment to reiterate to the rest of the
folks on the list that I suspected initially that the attack was Chinese in
origin based upon the index and material that was placed on a defaced
website. In actuality, the attacks are coming from hosts ranging from
Czechoslovakian hosts, Canadian hosts, American educational hosts, APNIC
(Asian Pacific NIC) hosts, etc. And due to the nature of the beast, one
rarely attacks a host directly from one's terminal that one's clacking away
at... you crack one host, use that to crack another host, use that one in
turn to crack into another, etc. etc, etc. So the burden of *proof* is
something that the FBI might be more suited to task than myself, who hasn't
the significant DBs and resources to tie investigations of this nature up.
I'm not a cop, I'm a SpecOps vet and Network Analyst. I'll leave the
policework of where it came from before it got to me to the police/FBI, but
I'm doing my homework on what clues are there on my box to give them leads
as to where to look next: the hosts that these scans and attacks came from.

And on the issue of blackholing China, I doubt that we'll do it on our core
network, but you can count on me blackholing all hosts that these scans and
attacks originated from on my internal network and on all hosts and networks
that I manage. To not do so is stupid, but that's your choice and your
prerogative.

23 Skiddoo

Justin Hinderliter

> I found a myth on this list that hacking a computer system is a
> death sentence. I really don't know where and when this myth
> started spreading on the Internet.

[snippage]

"Bryan C. Andregg" wrote:

> John Fraizer wrote:
>
> > The story I read had it as two individuals. The not-so-bright one
> > who had access to the bank and the bright one who designed and
> > built a device to put inline at the bank. The device diverted the
> > equiv of pennies per transaction that passed through it to a bank
> > account that the two had set up somewhere. It was a brilliant
> > scheme. They screwed up by trying to withdraw huge amounts of
> > money at a time. THAT's what got them caught.
>
> Isn't that the plot to Superman III?

Yes. There are allegedly several instances of this happening. It is
unknown which (if any) of these are actually true:

  The Salami Embezzlement Technique | Snopes.com

-- David

More recently, it's the plot to office space.