[svlug] worms -n stuffy - vague - done
alvin at planet.fef.com
Mon Jun 4 17:43:02 PDT 2001
hi ya dagmar...
this is the last of my emails to you on this issue....
a. the issue of worm, script kiddie, hacker, cracker etc
has already been addressed...
- i still consider them a beginner script kiddie
till they prove otherwise by coming back in
with other doors that are closed but not locked
- i wanna know who they are... etc...
b. the issue of the files the cracker used/change/modified
has also been discussed here and elsewhere where there
are "experts" in whatever it is they do...
- which is also posted in the security mailing list
c. start looking for maniac-rk in the search engines
and you should pick up other people's comments in the
- need to get back to more productive things to do...
> Dagmar d'Surreal wrote:
> On Mon, 4 Jun 2001, Alvin Oga wrote:
> > > Dagmar d'Surreal wrote:
> > move to top...
> > > You're being fairly vague here, Alan. Was it a worm that got into your
> > > system or a script kiddie?
> > what difference does that make... seems you've not been following
> > the thread ...as that question/issues been addressed ... numerous times ...
> No, it's not. The buzzwords "hacker", "worm" and "trojan" have all been
> rolled out and paraded around, but thus far you've not managed to make a
> clear claim as to whether or not your machine was compromised by a worm or
> a script kiddie. You've made vague references to "rootkit analysis folks"
> but I've never seen that on anyone's business cards, oddly enough.
> It makes a difference in that if your machine was compromised by a worm,
> then there's a very specific number of things that worm could have done
> and those tasks can be readily enumerated. If it was an actual script
> kiddie, then the number and type of tasks they could have been about is
> different and more varied. If it was a script kiddie, you also have the
> small concern that clearly they know you're a sucker, and may try to
> regain control of the equipment. Worms don't exhibit such vindictive
> behaviour. In either case, what you've been describing as a means to
> recover from the compromise (rebuilding and cleaning a few things) is a
> very bad example to be setting. Unless you had a fairly thorough IDS in
> place, and a recent set of signatures for the filesystem that were stored
> *elsewhere*, the safe and sensible way to be sure you'll have gotten all
> the trojaned binaries out is by wiping the filesystem and starting over
> from known clean media.
> There's also the small matter of if it was a worm, then the filename
> "maniac" could be significant in naming it. If it was a script kiddie,
> then it's likely a rootkit that they got from someone who goes by that
> name. In any case, the other filenames you listed were rather common
> fare. In none of these contexts are the phrases 'worm', 'hacker/cracker',
> 'trojan' interchangeable with each other.
> Computer Forensics is a science, and for this reason isn't typically part
> of the literary arts programs--being vague isn't useful.
> In either case, you should be ashamed that you had binaries that stale
> lying around exposed. This is the internet, and while I am quite sure
> people would like to take the attitude that it's only their system that
> gets compromised, their system is quite often used to do harm to others,
> so it's more like leaving weapons of mass-destruction poorly secured in
> the back-yard, i.e., not a very responsible thing to do.
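As an added illustration of the "signatures for the filesystem stored elsewhere" point in the reply above (example code written for this page, not from the list or either poster): a minimal baseline-and-verify tool that hashes every regular file under a tree, writes the manifest for off-host storage, and later reports what was modified, added or removed. The paths, file contents and the tampering in demo() are constructed.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative, '/'-separated) to its digest and size."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return baseline

def save_baseline(baseline, out_path):
    """Write the manifest as JSON; keep it on read-only or offline media, not on the watched host."""
    with open(out_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def verify(root, baseline):
    """Compare the live tree with a stored baseline; returns modified, added and missing paths."""
    current = build_baseline(root)
    changed = [p for p in baseline if p in current and current[p]["sha256"] != baseline[p]["sha256"]]
    return {"modified": sorted(changed),
            "added": sorted(p for p in current if p not in baseline),
            "missing": sorted(p for p in baseline if p not in current)}

def demo():
    """Constructed scenario: baseline a tiny tree, then tamper with it (replace, add, delete)."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        for rel, data in [("bin/ls", b"original ls"), ("bin/ps", b"original ps"), ("etc/motd", b"hi")]:
            put(rel, data)
        baseline = build_baseline(root)
        put("bin/ps", b"trojaned ps")    # same length as the original: a size check alone misses it
        put("bin/.rk", b"dropped file")  # new file in a system directory
        os.remove(os.path.join(root, "etc/motd"))
        return verify(root, baseline)
```

A real deployment would run build_baseline from known-clean media, store the manifest off the host, and rerun verify against it after any suspected compromise.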