[wplug] Govt. authority over crack attempts?

Alexandros Papadopoulos apapadop at cmu.edu
Fri Sep 26 12:01:08 EDT 2003


On Friday 26 September 2003 09:28, Russ Schneider wrote:
> Does anyone else think there should be some sort of government
> authority when it comes to illegal crack attempts of networks? 

no

> I mean, it seems that since I set up my new webserver, I get at least
> one "script kiddie" attempt a day on it (see here for a list
> http://www.sugapablo.net/scripts.php ).
>
> What I envision is a central database where sys admins can post the
> IP, date, and script attempted of any attempt to illegally access a
> network. This data can then be used by law-enforcement to issue
> warnings and then fines for inaction to the originating network
> owners.

Think about it. No, really. I'm the bad guy. I instruct 1000 of my bots 
to post YOUR name and IP on that database. Whoohoo, you're blasted off 
the net. Another scenario would be compromising that database and doing 
all sorts of stuff with it. Nice single point of failure for the entire 
"trust" model. And that's without even getting into the discussion of 
how much trust you should put on the government to safeguard you and 
your rights (it hasn't worked very well historically, has it?)

So: No, this would not help. What *would* help, is netizens knowing what 
they're doing and protecting themselves accordingly:

[206.210.67.168]
Login      Name             Tty      Idle  Login Time   Office     Office Phone
sugapablo  Russ Schneider  *:0             Sep 23 12:42 412.403.04 412.521.3891
sugapablo  Russ Schneider   pts/1       8  Sep 23 12:42 (:0)
sugapablo  Russ Schneider  *pts/2          Sep 23 12:55 (:0)
sugapablo  Russ Schneider  *pts/3      44  Sep 23 14:54 (:0)

# rpcinfo -p 206.210.67.168
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status
    100024    1   tcp   1024  status
    391002    2   tcp   1280  sgi_fam

$ nc 206.210.67.168 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 26 Sep 2003 14:53:43 GMT
Server: Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/1.1mdk) 
PHP/4.3.1
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.1
Connection: close
Content-Type: text/html; charset=ISO-8859-1

Interesting ports on ipl-67-0168.pppoe.stargate.net (206.210.67.168):
(The 1640 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
25/tcp    open     smtp
79/tcp    open     finger
80/tcp    open     http
111/tcp   open     rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
631/tcp   open     ipp
1024/tcp  open     kdm
4444/tcp  filtered krb524
5432/tcp  open     postgres
6000/tcp  open     X11
10000/tcp open     snet-sensor-mgmt
17300/tcp filtered kuang2
27374/tcp filtered subseven
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 4.132 days (since Mon Sep 22 07:23:14 2003)

Now, with all this information, many people can do many bad things on 
your box. That box seems to be a very easy target, and I wouldn't be 
surprised if it has already been compromised (at least your ISP is 
protecting you from obvious junk like MS-SQL etc).

What I'm trying to say is:

[0] First, learn how to protect yourself (at the very least turn off all 
unnecessary services you're running)
[1] Then, get on the net and start providing services (HTTP/FTP etc)
[2] If problem persists, whine in WPLUG :-)

-A
-- 
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265
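The recon above (finger, rpcinfo, an HTTP HEAD, an nmap port table) is only useful to the box owner if it gets turned into a concrete list of things to switch off. As an added example, not code from the original post or from anyone in the thread, here is a small Python audit that parses an nmap-style port table and an HTTP response, compares the open services against an allowlist of what the owner actually intends to serve, and flags the headers that leak version strings. The sample inputs are constructed from the figures quoted in the post (abridged), not captured live, and the allowlist of `http`, `ftp` and `ssh` is an assumption standing in for Russ's "HTTP/FTP etc".

```python
"""Audit exposed services from nmap-style output and an HTTP banner.

Added example. Inputs below are constructed from the scan results quoted
in the post; the allowlist of intended services is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample: the nmap port table from the post (abridged).
NMAP_OUTPUT = """\
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    open     ssh
25/tcp    open     smtp
79/tcp    open     finger
80/tcp    open     http
111/tcp   open     rpcbind
135/tcp   filtered msrpc
631/tcp   open     ipp
1024/tcp  open     kdm
5432/tcp  open     postgres
6000/tcp  open     X11
10000/tcp open     snet-sensor-mgmt
27374/tcp filtered subseven
"""

# Constructed sample: the HEAD response from the post.
HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 26 Sep 2003 14:53:43 GMT\r\n"
    "Server: Apache-AdvancedExtranetServer/2.0.47 (Mandrake Linux/1.1mdk) PHP/4.3.1\r\n"
    "Accept-Ranges: bytes\r\n"
    "X-Powered-By: PHP/4.3.1\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
)

# Assumed allowlist: the services the owner actually means to provide.
INTENDED_SERVICES = {"http", "ftp", "ssh"}

# One nmap table row: "<port>/<proto>  <state>  <service>"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)


@dataclass(frozen=True)
class Port:
    number: int
    proto: str
    state: str
    service: str


def parse_nmap(text):
    """Turn the PORT/STATE/SERVICE table into Port records (header skipped)."""
    return [Port(int(n), p, s, svc) for n, p, s, svc in PORT_RE.findall(text)]


def parse_http_headers(raw):
    """Split a raw HTTP response into a lowercase-name header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def unwanted_open_ports(ports, intended):
    """Open ports whose service is not on the allowlist.

    'filtered' ports are skipped: something upstream (here, the ISP)
    already blocks them, so they are not the box owner's exposure.
    """
    return [p for p in ports if p.state == "open" and p.service not in intended]


def version_disclosures(headers):
    """Banner headers that reveal software versions to a one-line probe."""
    leaks = {}
    for name in ("server", "x-powered-by"):
        if name in headers and re.search(r"\d+\.\d+", headers[name]):
            leaks[name] = headers[name]
    return leaks


def report(nmap_text, http_raw, intended):
    """Human-readable hardening list built from both inputs."""
    lines = ["Open services not on the allowlist (turn off or firewall):"]
    for p in unwanted_open_ports(parse_nmap(nmap_text), intended):
        lines.append(f"  {p.number}/{p.proto}  {p.service}")
    lines.append("Version-disclosing headers (trim via server config):")
    for name, value in version_disclosures(parse_http_headers(http_raw)).items():
        lines.append(f"  {name}: {value}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(NMAP_OUTPUT, HTTP_RESPONSE, INTENDED_SERVICES)))
```

Run stand-alone it prints the eight open services outside the allowlist (smtp, finger, rpcbind, ipp, kdm, postgres, X11 and the port-10000 listener) plus the two headers that hand a probe the exact Apache, Mandrake and PHP versions. The filtered ports are deliberately left out of the list, matching the post's observation that the ISP is already dropping that traffic.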