Security Incidents mailing list archives
Re: Crack attempt last weekend
From: spiff <spiff () BWAY NET>
Date: Wed, 29 Nov 2000 17:56:22 -0500
On Tue, 28 Nov 2000, Clayton Hoskinson wrote:
> ----- Original Message -----
> From: "Bryan Smith" <bryan () THECLERK COM>
> To: <INCIDENTS () SECURITYFOCUS COM>
> Sent: Monday, November 27, 2000 3:17 PM
> Subject: Re: Crack attempt last weekend
>
> <SNIP>
> So I logged onto tripod with that username and password
> </SNIP>
>
> Hope no feds monitor this mailing list, if there was email or communication which gets compromised because of that, you could be looking at a Title 3 felony, in the US. The US Attorney takes a very dim view of that.
Well of course there are Feds monitoring this security list. And, we're not sure if there was 'unauthorized access' or 'back hacking' going on here, just 'time-shifting' and a need for more beta testing. You see, the original skriptkid had authorized the machine he tried to buffer overflow (machine 1) to access his tripod account (machine 2), it's just that his exploit failed to get to that instruction. Fortunately, the exploit was coded in such a way that the operator of machine 1 could complete the requested visit to machine 2 manually without consulting the online help system, because the exploit (clever exploit :) left the information to access the tripod account. Therefore when the operator of machine 1 accessed the tripod account he was doing so under the implied permission given in the exploit script, just later in time and slower. At this point, though, the exploit was not clear enough, because the operator of machine 1: A) apparently did not understand the instructions to root his own machine with the rootkit/backdoor from tripod, or B) he chose not to follow the instructions. This is a serious flaw in the logic-flow of the exploit. We recommend falling back to a beta release of the exploit to further test this.
um...'back hacking' is not only unethical - but illegal. i question that action as well as the possible results of more entries through the release of user/pass.

----<SNIP>----
P.S. I have already notified all service providers involved (Lycos, NameZero, Tripod, Angelfire) and they have not responded to me.
----</SNIP>----

depending on your intended course of action:
the isp should have received the account info;
the list should have received an attack signature/log;
and i would suggest not taking it upon oneself to gain access to an intruder's host.

-b