[svlug] worms -n stuffy - vague - done

Alvin Oga alvin at planet.fef.com
Mon Jun 4 17:43:02 PDT 2001


hi ya dagmar...

this is the last of my emails to you on this issue....

<rant>
a. the issue of worm, script kiddie, hacker, cracker etc
	has already been addressed...
	- i still consider them a beginner script kiddie
	till they prove otherwise by coming back in
	with other doors that closed but not locked

	- i wanna know who they are... etc...

b.  the issue of the files the cracker used/changed/modified
    has also been discussed here and elsewhere, where there
    are "experts" in whatever it is they do... 
	- which is also posted in the security mailing list

c.  start looking for maniac-rk in the search engines
    and you should pick up other people's comments in the 
    archives

</rant>
have fun
alvin

- need to get back to more productive things to do...


> Dagmar d'Surreal wrote:
> 
> On Mon, 4 Jun 2001, Alvin Oga wrote:
> 
> > 
> > > Dagmar d'Surreal wrote:
> > 
> > move to top...
> > 
> > > You're being fairly vague here, Alan.  Was it a worm that got into your
> > > system or a script kiddie?
> > 
> > what difference does that make... seems you've not been following
> > the thread ...as that question/issues been addressed ... numerous times ...
> 
> No, it's not.  The buzzwords "hacker", "worm" and "trojan" have all been
> rolled out and paraded around, but thus far you've not managed to make a
> clear claim as to whether or not your machine was compromised by a worm or
> a script kiddie.  You've made vague references to "rootkit analysis folks"
> but I've never seen that on anyone's business cards, oddly enough.
> 
> It makes a difference in that if your machine was compromised by a worm,
> then there's a very specific number of things that worm could have done
> and those tasks can be readily enumerated.  If it was an actual script
> kiddie, then the number and type of tasks they could have been about is
> different and more varied.  If it was a script kiddie, you also have the
> small concern that clearly they know you're a sucker, and may try to
> regain control of the equipment.  Worms don't exhibit such vindictive
> behaviour.  In either case, what you've been describing as a means to
> recover from the compromise (rebuilding and cleaning a few things) is a
> very bad example to be setting.  Unless you had a fairly thorough IDS in
> place, and a recent set of signatures for the filesystem that were stored
> *elsewhere*, the safe and sensible way to be sure you'll have gotten all
> the trojaned binaries out is by wiping the filesystem and starting over
> from known clean media.
> 
> There's also the small matter of if it was a worm, then the filename
> "maniac" could be significant in naming it.  If it was a script kiddie,
> then it's likely a rootkit that they got from someone who goes by that
> name.  In any case, the other filenames you listed were rather common
> fare.  In none of these contexts are the phrases 'worm', 'hacker/cracker',
> 'trojan' interchangeable with each other.
> 
> Computer Forensics is a science, and for this reason isn't typically part
> of the literary arts programs--being vague isn't useful.
> 
> In either case, you should be ashamed that you had binaries that stale
> lying around exposed.  This is the internet, and while I am quite sure
> people would like to take the attitude that it's only their system that
> gets compromised, their system is quite often used to do harm to others,
> so it's more like leaving weapons of mass-destruction poorly secured in
> the back-yard, i.e., not a very responsible thing to do.
> 
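Dagmar's point about recovering from a compromise turns on having "a recent set of signatures for the filesystem that were stored *elsewhere*": without an off-box baseline there is no trustworthy way to enumerate which binaries were trojaned, which is why the fallback is a wipe and reinstall from clean media. The following is an added example, not code from either participant or from any tool mentioned in the thread, showing the minimal form of such a baseline: hash every regular file under a tree while the system is known clean, keep the manifest off the host, and later diff it against the live tree to list modified, missing and newly added files. All function names, the temporary directory layout and the sample "binaries" are constructed for the demonstration.

```python
"""
Added example (not from the original thread): a minimal file-integrity
baseline of the kind the quoted message describes. A manifest of SHA-256
digests and permission bits is taken while the tree is known clean, stored
off the host, and later compared against the live tree. Every path and
sample file below is constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record digest, size and mode for every regular file under root.

    Symlinks are skipped: hashing the target would let a link to a clean
    file mask a swapped binary elsewhere. Keys are paths relative to root.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            manifest[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return manifest


def verify(root, baseline):
    """Compare the live tree with a stored baseline.

    Returns sorted lists of paths that changed content or mode, paths that
    disappeared, and paths that were not in the baseline at all.
    """
    current = build_manifest(root)
    modified = sorted(
        p for p in baseline
        if p in current and (
            current[p]["sha256"] != baseline[p]["sha256"]
            or current[p]["mode"] != baseline[p]["mode"]
        )
    )
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: clean baseline, then a tampered tree.

    The JSON round-trip stands in for writing the manifest to read-only or
    off-host storage; a baseline kept on the compromised box is worthless,
    since the intruder can regenerate it after swapping binaries.
    """
    root = tempfile.mkdtemp(prefix="integrity_demo_")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"original ls binary (constructed)\n")
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"original ps binary (constructed)\n")

    stored = json.dumps(build_manifest(root), sort_keys=True)
    before = verify(root, json.loads(stored))  # clean tree: nothing reported

    # Simulate what a rootkit install typically leaves behind: a replaced
    # binary, a removed file and a new file dropped into the tree.
    with open(os.path.join(root, "bin", "ls"), "wb") as f:
        f.write(b"replaced ls binary (constructed)\n")
    os.remove(os.path.join(root, "bin", "ps"))
    with open(os.path.join(root, "bin", "maniac"), "wb") as f:
        f.write(b"dropped file (constructed)\n")

    after = verify(root, json.loads(stored))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note what the check can and cannot tell you: it only detects changes relative to the baseline, so a manifest taken after the compromise, or one the intruder could rewrite, reports a clean tree. That is exactly the gap that leaves reinstalling from known clean media as the only sure recovery.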