[svlug] re: [defaced] sftrain.valinux.com by DownKaos

[Derek J. Balling]

At 11:46 AM -0800 1/27/01, Chris J. DiBona wrote:
>Certainly not a hard box to hack.

After the post-mortem, can you tell us how they got in (known exploit that
should have been patched ages ago and probably would have if the box hadn't
been forgotten about? etc.)

>Someone from work called me pretty excited and annoyed, and I was more
>like "is that thing still on the network?" It's probably getting more hits
>now than it ever did.

Heh... we had something similiar at Yahoo. There was a box that had a
message on its web server, something to the effect of "I'm not here, go
away" or something like that. Basically, it was using namevirtualhost and
if you queried it with its machine name instead of the "real" name, it fell
back to a default that a humorous engineer had put in.  Attrition noted it
as "hacked". ;-)

>So, just to yabber, did you guys know that something like half our netwrok
>is being portscanned, ddos'd dos'd or attacked at any one time? Between
>/. , the fsf , debian and other machines on our network, we've learned
>how to deal with this stuff.

*chuckle* Doesn't it suck being a visible target?

D
-- 
+---------------------+-----------------------------------------+
| dredd at megacity.org  | "Conan! What is best in life?"          |
|  Derek J. Balling   | "To crush your enemies, see them        |
|                     |    driven before you, and to hear the   |
|                     |    lamentation of their women!"         |
+---------------------+-----------------------------------------+