[olug] Attacked by Romanian Script Kiddies

Charles Bird cbird at mail.datar8.com
Wed Oct 25 15:25:23 UTC 2006


I was thinking about setting up a 95 or 98 box and plugging it in and
seeing how long it takes till compromised...maybe turn it into a drinking
game ;)
Anyone doing anything Sat Night?


Kbw: What kind of box got hit? What happened?


The Ro-attacks have stopped for now, I got a DNS entry for one of the
offending IPs, and it so happens that I know a person that is an admin at
the company that the Romanian got his free Name from. :)




>>> How long has this been happening because grandfather's computer just got
>>> hit
>>> by something and I was wondering if that had anything to do with the
>>> Romanian Script Kiddies.
>>>
>>> Kbw
>
> Don't think that the 'Net was quiet up until a few days ago -- chances are
> that if the computer was not up-to-date on patches nor firewalled from the
> raw Internet, it was compromised only days after it was installed.
>
> <digression>
> Years ago when I was working for an ISP, we had a NOC with a projection
> display of messages/alerts coming in from the various systems deployed.
> It looked great and could give quite a bit of good information.
> Unfortunately, early on we told it to display any connection that the
> firewalls rejected (condensed into a single source IP address per line).
> The higher the number of blocks from one IP address, the higher the line
> went on the display and changed in color.
> After a few weeks of watching the top 2/3 of the display show nothing but
> red "connection rejected from X.X.X.X" lines, we decided to drop that from
> the display so we could see useful information.
> Upper management was still in the "dog and pony" show mode and liked that
> up there to show how well we were protecting the customers' servers.  We
> ended up making two filters for the display: one for useful information,
> and another that showed everything including the rejected messages.
> </digression>
>
> Being the closest thing we had to a security person, I tried to take one
> "busy" IP address a day and submit it to the appropriate ARIN/RIPE/etc
> group for removal.  At that time, probably 75% of these that I submitted
> were in the Asia Pacific region and mostly registered to a Chinese ISP.  I
> really doubt my e-mails were paid attention to especially considering all
> the reports of "Internet Warfare Training" that many countries are
> promoting now.
>
> Dan
>
> - - - -
> "Wait for that wisest of all counselors, time." -- Pericles
> "I do not fear computers, I fear the lack of them." -- Isaac Asimov
> "Soon we will be able to harness the rotational energy from Orwell's grave
> to solve all world energy problems." -- /. user GigsVT (208848)
> GPG fingerprint:6FFD DB94 7B96 0FD8 EADF  2EE0 B2B0 CC47 4FDE 9B68




