For those looking for evidence of attacks, I personally know of 3 boxes that were hit and rooted this morning. The three attacks happened between 6:20am and 7:04am. One NT box, one Linux box, and one as of yet unknown OS (haven't gotten ahold of the person yet, but his bandwidth's maxed out and way over what it ever is by about 15x). They're hitting port 80 this morning. One hit from a Mapquest IP, one from bucket.rutgers.edu 165.230.8.106, and one from an APNIC netblock 210.33.68.1. The webpages they left indicated "fuq you, Americans" and indicated that they were part of the Chinese offensive.

PAM session authentication on the Linux box noted that a session was opened by user htdig (uid 0) and closed 4ms later. Syslogs were wiped, so were last and lastlog output. The logs are available still despite their efforts since the precaution was taken to have them sent elsewhere and mailed immediately to boot. Other boxes may have been gotten to as well, still looking at them all and unplugging them as I go/advising suspected customers to unplug as well as I find them.

Fuq U2, Chinese. Got plenty of evidence here, and there's a death sentence in China for doing this... provided it was really Chinese responsible. I'm happily contributing all info I have towards investigation and prosecution, and am going to get Mapquest and rutgers.edu to dig up all info they can to track this shit back to where they got hit from.

Hey, just found another one. Note that all Linux boxes were locked pretty damned tight, and even blocked numerous connection attempts on port 80 with portsentry killing the connection and then dropping them to a null route. But all it took was 4ms to run that script. Apparently there's probably a hole in apache 1.3.14-2, as there were no world-writable files in the htp root structure... bugtraq should be interested in this. Have to see what I can dig up post mortem as far as what they used.

"Time for a malenki lemtock of the ole ultraviolence, me droogs."
Cheers.
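The post above notes two things a remote syslog copy preserved after the local logs were wiped: a PAM session opened for a service account (htdig) and closed milliseconds later. As an added example (not the poster's own tooling), the following script scans a constructed pam_unix-style syslog stream for exactly those two signals; the account list and the 5-second threshold are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a remote syslog stream (not the original post's logs).
# Lines follow the classic pam_unix "session opened/closed" message format.
SAMPLE_LOG = """\
May  1 06:21:03 web1 PAM_unix[1234]: (login) session opened for user htdig by (uid=0)
May  1 06:21:03 web1 PAM_unix[1234]: (login) session closed for user htdig
May  1 06:30:15 web1 PAM_unix[1300]: (sshd) session opened for user alice by (uid=0)
May  1 07:10:40 web1 PAM_unix[1300]: (sshd) session closed for user alice
"""

# Service accounts that should never get a login/shell session (assumption for this example).
SERVICE_ACCOUNTS = {"htdig", "www-data", "nobody"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) PAM_unix\[(?P<pid>\d+)\]: "
    r"\((?P<svc>\w+)\) session (?P<event>opened|closed) for user (?P<user>\S+)"
)

def parse(log, year=2001):
    """Yield (timestamp, host, pid, service, event, user) for each pam_unix session line.
    Classic syslog lines carry no year, so one is supplied by the caller."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["pid"], m["svc"], m["event"], m["user"]

def find_suspicious_sessions(log, max_duration=timedelta(seconds=5)):
    """Pair open/close events by (host, pid, user) and flag two signals from the
    incident: a session for a service account, and a session shorter than max_duration."""
    open_at = {}
    alerts = []
    for ts, host, pid, svc, event, user in parse(log):
        key = (host, pid, user)
        if event == "opened":
            open_at[key] = ts
            if user in SERVICE_ACCOUNTS:
                alerts.append((user, svc, "service account session"))
        elif key in open_at:
            if ts - open_at.pop(key) <= max_duration:
                alerts.append((user, svc, "very short session"))
    return alerts

if __name__ == "__main__":
    for user, svc, reason in find_suspicious_sessions(SAMPLE_LOG):
        print(f"ALERT: {reason}: user={user} via {svc}")
```

Point it at the forwarded copy of the logs rather than the local files, since the local ones are what the intruder wipes.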