Security Incidents mailing list archives

Re: Crack attempt last weekend


From: spiff <spiff () BWAY NET>
Date: Wed, 29 Nov 2000 17:56:22 -0500

On Tue, 28 Nov 2000, Clayton Hoskinson wrote:

----- Original Message -----
From: "Bryan Smith" <bryan () THECLERK COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, November 27, 2000 3:17 PM
Subject: Re: Crack attempt last weekend


<SNIP> So I logged onto tripod with that username and password </SNIP>

Hope no feds monitor this mailing list, if there was email or communication
which gets compromised because of that, you could be looking at a Title 3
felony, in the US. The US Attorney takes a very dim view of that.

Well of course there are Feds monitoring this security list.

And, we're not sure if there was 'unauthorized access' or 'back hacking'
going on here, just 'time-shifting' and a need for more beta testing.

You see, the original skriptkid had authorized the machine he tried to
buffer overflow (machine 1) to access his tripod account (machine 2), it's
just that his exploit failed to get to that instruction.

Fortunately, the exploit was coded in such a way that the operator of
machine 1 could complete the requested visit to machine 2 manually without
consulting the online help system, because the exploit (clever exploit :)
left the information to access the tripod account. Therefore when the
operator of machine 1 accessed the tripod account he was doing so under
the implied permission given in the exploit script, just later in time and
slower.

At this point, though, the exploit was not clear enough, because the
operator of machine 1:

A) apparently did not understand the instructions to root his own machine
with the rootkit/backdoor from tripod,

or

B) he chose not to follow the instructions.

This is a serious flaw in the logic-flow of the exploit. We recommend
falling back to a beta release of the exploit to further test this.

um...'back hacking' is not only unethical - but illegal.  i question that
action as well as the possible results of more entries through the release
of user/pass.

----<SNIP>----
P.S. I have already notified all service providers involved (Lycos,
NameZero, Tripod, Angelfire) and they have not responded to me.
----</SNIP>----

depending on your intended course of action:  the isp should have received
the account info; the list should have received an attack signature/log; and
i would suggest not taking it upon oneself to gain access to an intruder's
host.

-b
