Walter Prue <prue@ISI.EDU> wrote:
The folks in the US who counterattack might be well advised to reconsider doing so. I would imagine that traffic from the US would be closely monitored. Any new hacking tricks that these counterattacks might use would then be recorded and analyzed. These techniques could then be used by them to further attack the US.
Does anyone know if these China scares are for real? The probability they are simply Pentagon/Administration propaganda seems too high to discount. I ask because we've seen no increase in the (already substantial) number of scans from CN/KR/HK/... netblocks. Does any hard evidence exist?
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
Does anyone know if these China scares are for real? The probability they are simply Pentagon/Administration propaganda seems too high to discount. I ask because we've seen no increase in the (already substantial) number of scans from CN/KR/HK/... netblocks. Does any hard evidence exist?
In regards to the hacked websites; check out attrition's mirror page: http://www.attrition.org/mirror/attrition/
Some examples of China vs USA:
http://www.attrition.org/mirror/attrition/2001/04/30/clerkweb.house.gov/
http://www.attrition.org/mirror/attrition/2001/04/30/www.energy.ca.gov/
http://www.attrition.org/mirror/attrition/2001/04/30/philadox.phila.gov/
Some examples of USA vs China:
http://www.attrition.org/mirror/attrition/2001/04/30/www.chinashishi.com/
http://www.attrition.org/mirror/attrition/2001/04/30/www.sn.cninfo.net/
Roger Marquis
-ken harris.
On Mon, 30 Apr 2001, ken harris. wrote:
http://www.attrition.org/mirror/attrition/2001/04/30/philadox.phila.gov/
我是中国人! (I am Chinese!) Beat down Imperialism of American! "all your base are belong to us" ?
--
Sabri Berisha, CCNA, BOFH, +iO, Business Internet Trends
Join HAL!!: www.HAL2001.org
http://www.bit.nl/~sabri, +31 318648688 318643334
DDoS: http://misterpoll.com/3517731598.html
I have seen this on one of my customers' websites as well. This was discovered yesterday. They have since taken their server down. It was exactly like www.energy.ca.gov.
Jeffrey
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of ken harris.
Sent: Monday, April 30, 2001 9:36 PM
To: Roger Marquis
Cc: nanog@merit.edu
Subject: Re: black hat .cn networks
Does anyone know if these China scares are for real? The probability they are simply Pentagon/Administration propaganda seems too high to discount. I ask because we've seen no increase in the (already substantial) number of scans from CN/KR/HK/... netblocks. Does any hard evidence exist?
In regards to the hacked websites; check out attrition's mirror page: http://www.attrition.org/mirror/attrition/
Some examples of China vs USA:
http://www.attrition.org/mirror/attrition/2001/04/30/clerkweb.house.gov/
http://www.attrition.org/mirror/attrition/2001/04/30/www.energy.ca.gov/
http://www.attrition.org/mirror/attrition/2001/04/30/philadox.phila.gov/
Some examples of USA vs China:
http://www.attrition.org/mirror/attrition/2001/04/30/www.chinashishi.com/
http://www.attrition.org/mirror/attrition/2001/04/30/www.sn.cninfo.net/
Roger Marquis
-ken harris.
It was a Monday in April when Roger Marquis said:
Walter Prue <prue@ISI.EDU> wrote:
The folks in the US who counterattack might be well advised to reconsider doing so. I would imagine that traffic from the US would be closely monitored. Any new hacking tricks that these counterattacks might use would then be recorded and analyzed. These techniques could then be used by them to further attack the US.
Does anyone know if these China scares are for real? The probability they are simply Pentagon/Administration propaganda seems too high to discount. I ask because we've seen no increase in the (already substantial) number of scans from CN/KR/HK/... netblocks. Does any hard evidence exist?
About six months ago, I was doing some forensics on a cracked Linux system belonging to a friend of mine. It had a rootkit installed, and a .history file showed that the rootkit had been transferred to the machine with rcp from the lp account on a host in China.
I logged into the lp account with rlogin. It had ++ in .rhosts. It was a SunOS 5.5 system with no patches installed. The lastlog showed logins from dial-up and DSL or cable accounts from all over England, The Netherlands and the USA. It was obviously being used as a hacking base and a rootkit repository. There were several backdoors installed in the system, several setuid root shells lying around here and there, and a ++ .rhosts file for every system account.
I guess China is an easy target to exploit in this way. General knowledge of systems security seems low, and most people, even intellectuals, lack foreign language skills. A complaint will get ignored because the responsible person doesn't understand the language it is written in, or even doesn't understand the technical and security implications of what is happening.
All this makes me suspect the Chinese are victims in this matter, rather than perpetrators.
In short: never attribute to malice that which can adequately be explained with stupidity.
--
|-------Elías Halldór Ágústsson-----------http://this.is/bofh/-------|
| Systems Administrator, Reykjavík, Iceland. NIC handles: EHA2-RIPE, |
| EHA7-RIPE, EHA2-IS, EHA7-IS (at whois.ripe.net and whois.isnet.is) |
|-------Unsolicited commercial email will be dealt with harshly------|
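The "++ in .rhosts" the post describes is the classic any-user-from-any-host trust grant that lets rlogin and rcp in without a password. Here is an added example (not code from the post or the list) of an audit pass over /etc/hosts.equiv and every account's ~/.rhosts; the file contents, passwd entries and host names are constructed, and treating a bare "++" the same as "+ +" is an assumption made because that is how the post spells it.

```python
"""Audit rhosts-style trust files for wildcard entries (added example,
not code from the original post). Classic format: "<host> [<user>]";
"+" is a wildcard, a leading "-" denies, "@name" is a netgroup. The post
spells the any-user-any-host entry "++"; treating it as "+ +" is an
assumption here, since "++" is not a documented form."""
from collections import namedtuple
from typing import Callable, Dict, List, Optional, Tuple

Finding = namedtuple("Finding", "path line_no entry severity reason")

def classify_entry(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one entry, or None when it is benign."""
    entry = line.split("#", 1)[0].strip()
    if not entry:
        return None
    fields = entry.split()
    host, user = fields[0], (fields[1] if len(fields) > 1 else None)
    if host == "++":                      # spelling used in the post
        host, user = "+", "+"
    if host.startswith("-"):              # explicit deny entry
        return None
    if host == "+" and user == "+":
        return "critical", "any user from any host may log in without a password"
    if host == "+":
        return "high", "every host is trusted for user %s" % (user or "<same name>")
    if user == "+":
        return "high", "every user on %s is trusted" % host
    if host.startswith("@") or (user or "").startswith("@"):
        return "medium", "trust delegated to a netgroup: %s" % entry
    return None

def audit_text(text: str, path: str) -> List[Finding]:
    """Classify every line of one trust file's contents."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        c = classify_entry(line)
        if c:
            out.append(Finding(path, n, line.strip(), c[0], c[1]))
    return out

def audit_system(passwd_text: str,
                 read_file: Callable[[str], Optional[str]]) -> List[Finding]:
    """Check /etc/hosts.equiv plus ~/.rhosts for every passwd account.
    read_file(path) returns the file's text, or None if it is absent, so the
    same code runs on an offline snapshot (dict.get) or a live host (open)."""
    findings = audit_text(read_file("/etc/hosts.equiv") or "", "/etc/hosts.equiv")
    for pw in passwd_text.splitlines():
        parts = pw.split(":")
        if len(parts) < 7 or not parts[5].startswith("/"):
            continue                      # malformed line or no home dir
        path = parts[5].rstrip("/") + "/.rhosts"
        text = read_file(path)
        if text is not None:
            findings.extend(audit_text(text, path))
    return findings

# Constructed snapshot resembling the host in the post: wildcard .rhosts
# files on the lp and bin system accounts, a sane one for a normal user.
SAMPLE_PASSWD = """root:x:0:1:Super-User:/:/sbin/sh
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
bin:x:2:2::/usr/bin:
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
"""
SAMPLE_FILES: Dict[str, str] = {
    "/etc/hosts.equiv": "# trusted hosts\nbuild.example.net\n",
    "/usr/spool/lp/.rhosts": "++\n",
    "/usr/bin/.rhosts": "+ +\n",
    "/export/home/alice/.rhosts": "ws1.example.net alice\n-badhost.example.net\n",
}

def sample_findings() -> List[Finding]:
    """Run the audit over the constructed snapshot."""
    return audit_system(SAMPLE_PASSWD, SAMPLE_FILES.get)
```

On a live host, pass a wrapper around open() that returns None on OSError as read_file and the text of /etc/passwd as passwd_text.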
This is exactly part of the problem over this entire issue. While some of the Chinese kids are more than likely responsible for a few attacks, I am willing to bet that some US hackers and foreign hackers are doing the attacks from hacked .cn accounts for entertainment purposes and causing an international incident. Overreaction does not resolve the problem. I would be more worried about a missile defense system damaged by a micro meteor that could potentially kill a couple million Americans in one fell swoop.
Elias Halldor Agustsson wrote:
It was a Monday in April when Roger Marquis said:
Walter Prue <prue@ISI.EDU> wrote:
The folks in the US who counterattack might be well advised to reconsider doing so. I would imagine that traffic from the US would be closely monitored. Any new hacking tricks that these counterattacks might use would then be recorded and analyzed. These techniques could then be used by them to further attack the US.
Does anyone know if these China scares are for real? The probability they are simply Pentagon/Administration propaganda seems too high to discount. I ask because we've seen no increase in the (already substantial) number of scans from CN/KR/HK/... netblocks. Does any hard evidence exist?
About six months ago, I was doing some forensics on a cracked Linux system belonging to a friend of mine. It had a rootkit installed, and a .history file showed that the rootkit had been transferred to the machine with rcp from the lp account on a host in China.
I logged into the lp account with rlogin. It had ++ in .rhosts. It was a SunOS 5.5 system with no patches installed. The lastlog showed logins from dial-up and DSL or cable accounts from all over England, The Netherlands and the USA. It was obviously being used as a hacking base and a rootkit repository. There were several backdoors installed in the system, several setuid root shells lying around here and there, and a ++ .rhosts file for every system account.
I guess China is an easy target to exploit in this way. General knowledge of systems security seems low, and most people, even intellectuals, lack foreign language skills. A complaint will get ignored because the responsible person doesn't understand the language it is written in, or even doesn't understand the technical and security implications of what is happening.
All this makes me suspect the Chinese are victims in this matter, rather than perpetrators.
In short: never attribute to malice that which can adequately be explained with stupidity.
--
|-------Elías Halldór Ágústsson-----------http://this.is/bofh/-------|
| Systems Administrator, Reykjavík, Iceland. NIC handles: EHA2-RIPE, |
| EHA7-RIPE, EHA2-IS, EHA7-IS (at whois.ripe.net and whois.isnet.is) |
|-------Unsolicited commercial email will be dealt with harshly------|
--
Thank you;
Thinking is a learned process.
ICANN member @large
Gigabit over IP, ieee 802.17 working group
Resilient Packet Transport
http://www.luminousnetworks.com
Henry R. Linneweh
For those looking for evidence of attacks, I personally know of 3 boxes that were hit and rooted this morning. The three attacks happened between 6:20am and 7:04am. One NT box, one Linux box, and one as of yet unknown OS (haven't gotten ahold of the person yet, but his bandwidth's maxed out and way over what it ever is by about 15x). They're hitting port 80 this morning. One hit from a Mapquest IP, one from bucket.rutgers.edu 165.230.8.106, and one from an APNIC netblock 210.33.68.1. The webpages they left indicated "fuq you, Americans" and indicated that they were part of the Chinese offensive. PAM session authentication on the Linux box noted that a session was opened by user htdig (uid 0) and closed 4ms later. Syslogs were wiped, so were last and lastlog output. The logs are available still despite their efforts since the precaution was taken to have them sent elsewhere and mailed immediately to boot. Other boxes may have been gotten to as well, still looking at them all and unplugging them as I go/advising suspected customers to unplug as well as I find them.
Fuq U2, Chinese. Got plenty of evidence here, and there's a death sentence in China for doing this... provided it was really Chinese responsible. I'm happily contributing all info I have towards investigation and prosecution, and am going to get Mapquest and rutgers.edu to dig up all info they can to track this shit back to where they got hit from.
Hey, just found another one. Note that all Linux boxes were locked pretty damned tight, and even blocked numerous connection attempts on port 80 with portsentry killing the connection and then dropping them to a null route. But all it took was 4ms to run that script. Apparently there's probably a hole in apache 1.3.14-2, as there were no world-writable files in the http root structure... bugtraq should be interested in this. Have to see what I can dig up post mortem as far as what they used.
"Time for a malenki lemtock of the ole ultraviolence, me droogs."
Cheers.
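Two things in the post above are worth turning into a repeatable check on the off-host log copy: a PAM session for a service account like htdig, opened by uid 0 and closed almost at once, and records that exist in the forwarded copy but no longer in the local file. This is an added example, not code from the post; the log lines, host names and PIDs are constructed, the syslog line format is an approximation of 2001-era Linux output, and the list of service accounts is an assumption to adjust per host.

```python
"""Review an off-host syslog copy for what the post describes (added example,
not code from the original message). Two checks: (1) PAM session records for
service accounts such as htdig, which should never get a login session, worse
when opened by uid 0 and closed almost at once, as a short-lived escalation
script looks; (2) records the off-host copy has but the local file lacks, which
is what wiping the local syslog leaves behind. Constructed line format; syslog
has one-second resolution, so a 4 ms session shows as closed in the same second."""
import re
from datetime import datetime
from typing import Dict, List, Optional

SERVICE_ACCOUNTS = {"htdig", "lp", "nobody", "apache", "www-data", "daemon"}
LOG_YEAR = 2001   # syslog timestamps carry no year; assumed for the sample

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
PAM_RE = re.compile(r"session (opened|closed) for user (\S+)(?: by \(uid=(\d+)\))?")

def parse_line(line: str) -> Optional[Dict]:
    """Split one syslog line into timestamp, host, program and message."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (LOG_YEAR, m.group(1)), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "proc": m.group(3), "msg": m.group(4)}

def suspicious_sessions(lines: List[str], max_seconds: int = 5) -> List[Dict]:
    """Pair PAM open/close records per (host, user) and flag the odd ones."""
    open_sessions: Dict[tuple, Dict] = {}
    flagged = []
    for rec in filter(None, map(parse_line, lines)):
        m = PAM_RE.search(rec["msg"])
        if not m:
            continue
        action, user, uid = m.groups()
        key = (rec["host"], user)
        if action == "opened":
            open_sessions[key] = {"host": rec["host"], "user": user,
                                  "opened": rec["ts"], "by_uid": uid}
            continue
        sess = open_sessions.pop(key, None)
        if sess is None:
            continue                          # close without a matching open
        seconds = (rec["ts"] - sess["opened"]).total_seconds()
        reasons = []
        if user in SERVICE_ACCOUNTS:
            reasons.append("login session for service account")
        if sess["by_uid"] == "0" and seconds <= max_seconds:
            reasons.append("opened by uid 0 and closed within %ds" % seconds)
        if reasons:
            sess.update(closed=rec["ts"], seconds=seconds, reasons=reasons)
            flagged.append(sess)
    return flagged

def missing_from_local(remote: List[str], local: List[str]) -> List[str]:
    """Records the off-host copy holds that the local file no longer does."""
    local_set = {l.rstrip("\n") for l in local}
    return [l.rstrip("\n") for l in remote if l.rstrip("\n") not in local_set]

# Constructed sample: what the loghost received before the local wipe.
REMOTE_LOG = """May  7 06:20:11 web1 PAM_unix[2231]: (login) session opened for user jdoe by (uid=0)
May  7 06:22:40 web1 PAM_unix[2231]: (login) session closed for user jdoe
May  7 06:41:03 web1 PAM_unix[2307]: (su) session opened for user htdig by (uid=0)
May  7 06:41:03 web1 PAM_unix[2307]: (su) session closed for user htdig
May  7 07:00:00 web1 CROND[2400]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()
LOCAL_LOG = REMOTE_LOG[:2]   # all that survived on the box after the cleanup

def sample_report():
    """Run both checks over the constructed sample."""
    return suspicious_sessions(REMOTE_LOG), missing_from_local(REMOTE_LOG, LOCAL_LOG)
```

The jdoe session is opened by uid 0 too (that is how login works), so the service-account rule, not the uid alone, is what separates it from the htdig record.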
On Mon, 7 May 2001, Justin Hinderliter wrote:
For those looking for evidence of attacks, I personally know of 3 boxes that were hit and rooted this morning. The three attacks happened between 6:20am and 7:04am.
The past week I've seen attacks increase 5-fold, mostly 111/udp attacks mixed with some lpr and ftp on the side. Also lots of http scanning, which I haven't seen in quite a while.
-Dan
The past week I've seen attacks increase 5-fold, mostly 111/udp attacks mixed with some lpr and ftp on the side. Also lots of http scanning, which I haven't seen in quite a while.
Yep, I'd seen them try port 111 scans as well from different hosts, but since I never run RPC services, they didn't get anything off those. I usually don't run http services either, but in this case got caught with my pants down on a temporary exception. I was a few versions behind on apache, however, as I just found out, which I'm sure didn't help the situation. Well, back to the autopsy. Take care and be well. Justin
On Mon, 7 May 2001, Justin Hinderliter wrote:
there's a death sentence in China for doing this... I'm happily contributing all info I have towards investigation and prosecution,
When the rhetoric reaches "string 'em up, string 'em all up, it's the only language they understand" levels, I fear the hope of finding any signal in this noise is all but gone.
"Time for a malenki lemtock of the ole ultraviolence, me droogs."
Hrm. Yes, indeed. Don't you all have work to do?
--
Patrick Evans - Net bloke, indie kid and vulture on the wall
pre at pre dot org
tompaulin dot pre dot org
I found a myth on this list that hacking a computer system is a death sentence. I really don't know where and when this myth started spreading on the Internet. I guess the myth came from a case where a hacker was executed, maybe two years ago, and he was the first hacker sent to trial. I read that news a couple of years ago both in English and Chinese. The hacker actually was executed for stealing millions of dollars from a bank he used to work for, NOT for HACKING. According to Chinese law, any criminal who commits a crime that involves more than $100,000 (the exact number might be wrong) can be sentenced to death. However, nobody noticed the crime behind the hacking but only the hacking itself.
As far as I know, again my information might be out-of-date, China does not have a law specifically for hacking a computer system if the hacking itself does not cause any "damage" (I cannot define the damage here however).
Recently I read news on the 'Net saying that the People's Daily, which is the official newspaper of the China government, posted a message saying it was illegal to launch an attack on any computer system. I don't have more detailed information on this since I am not in Beijing at this moment.
Justin Hinderliter wrote:
For those looking for evidence of attacks, I personally know of 3 boxes that were hit and rooted this morning. The three attacks happened between 6:20am and 7:04am. One NT box, one Linux box, and one as of yet unknown OS (haven't gotten ahold of the person yet, but his bandwidth's maxed out and way over what it ever is by about 15x). They're hitting port 80 this morning. One hit from a Mapquest IP, one from bucket.rutgers.edu 165.230.8.106, and one from an APNIC netblock 210.33.68.1 . The webpages they left indicated "fuq you, Americans" and indicated that they were part of the Chinese offensive. PAM session authentication on the linux box noted that a session was opened by user htdig (uid 0) and closed 4ms later. Syslogs were wiped, so were last and lastlog output. The logs are available still despite their efforts since the precaution was taken to have them sent elsewhere and mailed immediately to boot. Other boxes may have been gotten to as well, still looking at them all and unplugging them as I go/advising suspected customers to unplug as well as I find them.
Fuq U2, Chinese. Got plenty of evidence here, and there's a death sentence in China for doing this... provided it was really Chinese responsible. I'm happily contributing all info I have towards investigation and prosecution, and am going to get Mapquest and rutgers.edu to dig up all info they can to track this shit back to where they got hit from.
Hey, just found another one. Note that all Linux boxes were locked pretty damned tight, and even blocked numerous connection attempts on port 80 with portsentry killing the connection and then dropping them to a null route. But all it took was 4ms to run that script. Apparently there's probably a hole in apache 1.3.14-2, as there were no world-writable files in the htp root structure... bugtraq should be interested in this. Have to see what I can dig up post mortem as far as what they used.
"Time for a malenki lemtock of the ole ultraviolence, me droogs."
Cheers.
--
Franklin Lian (Lian Zidan), Principal Engineer, Global One
Mailstop: VAOAKM0201, 13775 McLearen Road, Oak Hill, VA 20171, U.S.A.
Email: Franklin.Lian@Globalone.net
Tel: (703)375-7893  Fax: (703)471-3380
On Tue, 8 May 2001, Franklin Lian wrote:
that news a couple of years ago both in English and Chinese. The hacker actually was executed for stealing millions of dollars from a bank he used to work for, NOT for HACKING. According to Chinese law, any criminal who commits a crime that involves more than $100,000 (the exact number might be wrong) can be sentenced to death.
The story I read had it as two individuals. The not-so-bright one who had access to the bank and the bright one who designed and built a device to put inline at the bank. The device diverted the equiv of pennies per transaction that passed through it to a bank account that the two had set up somewhere. It was a brilliant scheme. They screwed up by trying to withdraw huge amounts of money at a time. THAT's what got them caught.
The point the person was trying to make is still valid though. It would not take long to come up with $100,000 worth of damages.
---
John Fraizer
EnterZone, Inc
On Tue, May 08, 2001 at 02:51:49PM -0400, John Fraizer mailed:
On Tue, 8 May 2001, Franklin Lian wrote:
that news a couple of years ago both in English and Chinese. The hacker actually was executed for stealing millions of dollars from a bank he used to work for, NOT for HACKING. According to Chinese law, any criminal who commits a crime that involves more than $100,000 (the exact number might be wrong) can be sentenced to death.
The story I read had it as two individuals. The not-so-bright one who had access to the bank and the bright one who designed and built a device to put inline at the bank. The device diverted the equiv of pennies per transaction that passed through it to a bank account that the two had set up somewhere. It was a brilliant scheme. They screwed up by trying to withdraw huge amounts of money at a time. THAT's what got them caught.
Isn't that the plot to Superman III?
--
Bryan C. Andregg <bandregg@redhat.com>, Smoke Jumper, Red Hat, Inc.
"As Slow as Possible, As Fast as Necessary."
gpg 1024D/19893A19 A8DA 869A 037A C6B5 BF07 AB61 E406 414B 1989 3A19
"Bryan C. Andregg" wrote:
John Fraizer wrote:
The story I read had it as two individuals. The not-so-bright one who had access to the bank and the bright one who designed and built a device to put inline at the bank. The device diverted the equiv of pennies per transaction that passed through it to a bank account that the two had set up somewhere. It was a brilliant scheme. They screwed up by trying to withdraw huge amounts of money at a time. THAT's what got them caught.
Isn't that the plot to Superman III?
Yes. There are allegedly several instances of this happening. It is unknown which (if any) of these are actually true: http://www.snopes.com/business/bank/salami.htm -- David
More recently, it's the plot to Office Space.
__
Matt Levine <matt@deliver3.com>
"I used to think that the brain was the most wonderful organ in my body. Then I realized who was telling me this." -- Emo Phillips
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Bryan C. Andregg
Sent: Tuesday, May 08, 2001 3:24 PM
To: John Fraizer
Cc: Franklin Lian; nanog@merit.edu
Subject: Re: black hat .cn networks
On Tue, May 08, 2001 at 02:51:49PM -0400, John Fraizer mailed:
On Tue, 8 May 2001, Franklin Lian wrote:
that news a couple of years ago both in English and Chinese. The hacker actually was executed for stealing millions of dollars from a bank he used to work for, NOT for HACKING. According to Chinese law, any criminal who commits a crime that involves more than $100,000 (the exact number might be wrong) can be sentenced to death.
The story I read had it as two individuals. The not-so-bright one who had access to the bank and the bright one who designed and built a device to put inline at the bank. The device diverted the equiv of pennies per transaction that passed through it to a bank account that the two had set up somewhere. It was a brilliant scheme. They screwed up by trying to withdraw huge amounts of money at a time. THAT's what got them caught.
Isn't that the plot to Superman III?
--
Bryan C. Andregg <bandregg@redhat.com>, Smoke Jumper, Red Hat, Inc.
"As Slow as Possible, As Fast as Necessary."
gpg 1024D/19893A19 A8DA 869A 037A C6B5 BF07 AB61 E406 414B 1989 3A19
On Tue, May 08, 2001 at 12:27:30PM -0400, Franklin Lian wrote:
that news a couple of years ago both in English and Chinese. The hacker actually was executed for stealing millions of dollars from a bank he used to work for, NOT for HACKING. According to Chinese law, any criminal who commits a crime that involves more than $100,000 (the exact number might be wrong) can be sentenced to death.
I don't want to debate this here, because it's really far from topic, but understand that the reason why American hackers portray that as death for hacking is because it's so very easy to make nearly any hacking fit that criterion. Kevin Mitnick caused very limited physical damages, but the courts accept that it was many millions of dollars in intellectual property damages. Leaving aside all questions of what happened and how much the realistic amount is, the fact is that someone facing a Chinese court for hacking can go in not knowing if they're facing trial for a non-crime, or for a capital crime, with the final decision on that being basically up to the informed whim of a judge. That's scary. Whether it's wrong or right (and I have a very strong opinion on that, but it's not on topic here), it is scary. So from a certain point of view, it's not a myth.
You actually are quite correct, I was basing that statement on past convictions, not on a comprehensive understanding of codified law in China. That initial posting was also quite angst-ridden in reaction to my box being compromised. Interpret it with those rose colored glasses in place. The amount of money involved may have well played a role in the death sentences. For some recent information pertaining to Chinese rules that are being developed regarding Internet-related cases, check this link. There are also links further down on the page dealing with issues like the spam email issue. http://latelinenews.com/ll/english/1011982.shtml Also, since I made responses off-list to try to cut down on potentially off-topic noise, I'll take a quick moment to reiterate to the rest of the folks on the list that I suspected initially that the attack was Chinese in origin based upon the index and material that was placed on a defaced website. In actuality, the attacks are coming from hosts ranging from Czechoslovakian hosts, Canadian hosts, American educational hosts, APNIC (Asian Pacific NIC) hosts, etc. And due to the nature of the beast, one rarely attacks a host directly from one's terminal that one's clacking away at... you crack one host, use that to crack another host, use that one in turn to crack into another, etc. etc, etc. So the burden of *proof* is something that the FBI might be more suited to task than myself, who hasn't the significant DBs and resources to tie investigations of this nature up. I'm not a cop, I'm a SpecOps vet and Network Analyst. I'll leave the policework of where it came from before it got to me to the police/FBI, but I'm doing my homework on what clues are there on my box to give them leads as to where to look next: the hosts that these scans and attacks came from. 
And on the issue of blackholing China, I doubt that we'll do it on our core network, but you can count on me blackholing all hosts that these scans and attacks originated from on my internal network and on all hosts and networks that I manage. To not do so is stupid, but that's your choice and your prerogative.
23 Skiddoo
Justin Hinderliter
I found a myth on this list that hacking a computer system is a death sentence. I really don't know where and when this myth started spreading on the Internet.
[snippage]
participants (15)
- Bryan C. Andregg
- Dan Hollis
- David Charlap
- Elias Halldor Agustsson
- Franklin Lian
- Henry R. Linneweh
- Jeffrey Wheat
- John Fraizer
- Justin Hinderliter
- ken harris.
- Matt Levine
- Patrick Evans
- Roger Marquis
- Sabri Berisha
- Shawn McMahon