Security Incidents mailing list archives
Re: Possible AIM Hack?
From: "Steven" <steven () lovebug org>
Date: Wed, 15 Mar 2006 21:49:25 -0500
Yes as I've covered in my previous e-mails anything is possible, but like I said -- a persistent and permanent problem only affected him and his account could indicate a compromise. If it was temporary then it very may well have been some other problem. For all I know it was packet loss on his network that caused it never appropriately send the password and also resulted in him being bumped off. Who knows.. but if *still* can't logon he has an account issue. AIM servers aren't the only way to authenticate your screen name. There are a number of web-based screenname.aol.com pages and other locations that this can be done at.
Steven----- Original Message ----- From: <Valdis.Kletnieks () vt edu>
To: "Steven" <steven () lovebug org>Cc: "Travis Haymore" <thaymore () gmail com>; <belka () att net>; <incidents () securityfocus com>
Sent: Wednesday, March 15, 2006 9:36 PM Subject: Re: Possible AIM Hack? On Wed, 15 Mar 2006 19:48:01 EST, Steven said:
later, 6 hours later, 5 days later, etc. Additionally, if some server thatgives a yea/nay is on a coffe + donut break -- what would that have to do with kicking you offline after already being authenticated?
"A distributed system is one in which the failure of a computer you didn't even
know existed can render your own computer unusable." -- Leslie Lamport When designing very large and complex systems, it gets harder and harder toavoid designing into them all sorts of odd dependencies and cascading failure
modes. For instance, the last 3 times our modem pool terminal servers got hosed up, it was due to the TACACS server not being able to contact our LDAP server. And the connection timeouts to the LDAP server were caused by somemisbehaving software beating up on *another* one of our servers and making that server create a flood of non-optimized LDAP queries (most LDAP server software goes into severe oink mode when it has to do queries it doesn't have a pre-built
index for). Got that? The terminal server got indigestion waiting for the TACACS server,which was trying to talk to the LDAP server, but couldn't get a word in edgewise
because some OTHER server was spewing broken queries at the LDAP server.Counting the user's machine, and the machine originating the broken query to the other server, there was a total of *7* logical machines in the chain (actually more, as several of these were really multiple machines behind a load balancer).
This sort of thing is just *loads* of fun to unsnarl at 10PM, when none ofthe system architects are handy, but plenty of people are still trying to use
the modem pool... ;) I'd not be at *all* surprised if an unexpected failure of AOL's auth servercaused the main AIM servers to hiccup when they got a new inbound request and were unable to deal with the failure mode, and dropping all the already existing
sessions during the hiccup reset.And to tie it all back into the INCIDENTS charter - one of the most common causes of a corporate server getting exploited is when a hacker finds some code that glues 2 server systems together, and the code isn't perfect. Of course, this also means that it's usually very difficult to figure out what happened, which is why you often see "The hackers had been in the system for at least 3 weeks
before they were detected".....
Current thread:
- Possible AIM Hack? belka (Mar 14)
- RE: Possible AIM Hack? Michael Wright (Mar 14)
- Re: Possible AIM Hack? Travis Haymore (Mar 14)
- Re: Possible AIM Hack? Steven (Mar 14)
- Re: Possible AIM Hack? Valdis . Kletnieks (Mar 15)
- Re: Possible AIM Hack? Steven (Mar 16)
- Re: Possible AIM Hack? Valdis . Kletnieks (Mar 16)
- Re: Possible AIM Hack? Steven (Mar 16)
- Re: Possible AIM Hack? Steven (Mar 14)
- <Possible follow-ups>
- RE: Possible AIM Hack? Jeff Britton, Monitored Security (Mar 14)
- Message not available
- RE: Possible AIM Hack? Benjamin Tomhave (Mar 14)
- Message not available
- Re: Possible AIM Hack? Dustin Childers (Mar 16)
- RE: Possible AIM Hack? Phillip R Cooper II (Mar 16)
- RE: Possible AIM Hack? ACMurray (Mar 16)
- Re: Possible AIM Hack? Valdis . Kletnieks (Mar 17)
- RE: Possible AIM Hack? Jeff Bryner (Mar 17)