nanog mailing list archives
Re: black hat .cn networks
From: Elias Halldor Agustsson <elias () skyrr is>
Date: Wed, 2 May 2001 13:54:57 +0000
Það var Mánudagur í Apríl þegar Roger Marquis sagði:
Walter Prue <prue () ISI EDU> wrote:The folks in the US who counterattack might be well advised to reconsider doing so. I would imagine that traffic from the US would be closely monitored. Any new hacking tricks that these counterattacks might use would then be recorded and analyzed. These techniques could then be used by them to further attack the US.Does anyone know if these China scares are for real? The probability they are simply Pentagon/Administration propaganda seems too high to discount. I ask because we've seen no increase in the (already substantial) number of scans from CN/KR/HK/... netblocks. Does any hard evidence exist?
About six months ago, I was doing some forensics on a cracked Linux system belonging to a friend of mine. It had a rootkit installed, and a .history file showed that the rootkit had been transferred to the machine with rcp from the lp account on a host in China. I logged into the lp account with rlogin. It had ++ in .rhosts. It was a SunOS 5.5 system with no patches installed. The lastlog showed logins from dial-up and DSL or cable accounts from all over England, The Netherlands and the USA. It was obviously being used as a hacking base and a rootkit repository. There were several backdoors installed in the system, several setuid root shells lying around here and there, and a ++ .rhosts file for every system account. I guess China is an easy target to exploit in this way. General knowledge of systems security seems low, and most people, even intellectuals, lack foreign language skills. A complaint will get ignored because the responsible person doesn't understand the language it is written in, or even doesn't understand the technical and security implications of what is happening. All this makes me suspect the Chinese are victims in this matter, rather than perpetrators. In short: never attribute to malice that which can adequately be explained with stupidity. -- |-------Elías Halldór Ágústsson-----------http://this.is/bofh/-------| | Systems Administrator, Reykjavík, Iceland. NIC handles: EHA2-RIPE, | | EHA7-RIPE, EHA2-IS, EHA7-IS (at whois.ripe.net and whois.isnet.is) | |-------Unsolicited commercial email will be dealt with harsly-------|
Current thread:
- RE: black hat .cn networks, (continued)
- RE: black hat .cn networks Scott Raymond (May 01)
- Re: black hat .cn networks Adam Rothschild (May 01)
- Re: black hat .cn networks Shawn McMahon (May 01)
- Re: black hat .cn networks Valdis . Kletnieks (May 01)
- Re: black hat .cn networks Scott Francis (May 01)
- Re: black hat .cn networks Pat Myrto (May 01)
- Re: black hat .cn networks Michael C . Wu (May 01)
- Re: black hat .cn networks John Fraizer (May 02)
- Re: black hat .cn networks Shawn McMahon (May 02)
- Re: black hat .cn networks Shawn McMahon (May 02)
- Re: black hat .cn networks John Fraizer (May 02)
- Re: black hat .cn networks Elias Halldor Agustsson (May 02)
- Re: black hat .cn networks Henry R. Linneweh (May 02)
- Re: black hat .cn networks Justin Hinderliter (May 07)
- Re: black hat .cn networks Dan Hollis (May 07)
- Re: black hat .cn networks Justin Hinderliter (May 07)
- Re: black hat .cn networks Patrick Evans (May 08)
- Re: black hat .cn networks Franklin Lian (May 08)
- Re: black hat .cn networks John Fraizer (May 08)
- Re: black hat .cn networks Bryan C. Andregg (May 08)
- Re: black hat .cn networks David Charlap (May 08)
- RE: black hat .cn networks Matt Levine (May 08)
- Re: black hat .cn networks Henry R. Linneweh (May 02)
- RE: black hat .cn networks Scott Raymond (May 01)