Acorn Arcade forums: News and features: ArgoNet hack attack
Posted by Richard Goodwin on 10:15, 12/6/2001
| RISC OS, Acorn, Site, The Vigay
ArgoNet's servers have been attacked by a malicious hacker (cracker), causing the ISP's servers to be taken offline and causing upheaval to it's customers. The attacks started on Sunday evening, but apparently two SysAdmins were on hand to try to fix the problem within minutes due to a warning system. However, once the cracker found that they were on to him he used other methods to get around their patches and also access other machines faster than they were being patched. This has meant that ArgoNet have used the only real security that a networked machine can have - they've disconnected them from the network physically until they can get them fixed. This not only affects ArgoNet customers, but also anyone trying to gain access to some high-profile RISC OS websites - Jason Tribbeck's machine apparently has the same vulnerability and is offline, which means riscos.com, riscos.org, vigay.com and of course tribbeck.com are all down. The machine running the Icon Bar and Acorn Arcade websites runs a different OS and services, and so is hopefully secure from the particular attacks used by the cracker. However, it was taken down last night as a precaution, and may go offline again at any point.
|
ArgoNet hack attack |
|
(10:21 12/6/2001) Richard Goodwin (10:45 12/6/2001) Rob Kendrick (14:06 12/6/2001) Richard Goodwin (14:38 12/6/2001) Andrew Veitch (15:37 12/6/2001) Rob Kendrick (15:52 12/6/2001) mark quint (16:31 12/6/2001) Gareth Cumella (17:02 12/6/2001) Rob Kendrick (18:32 12/6/2001) Nathan (20:28 12/6/2001) Rob Kendrick (20:34 12/6/2001) Richard Goodwin (09:13 13/6/2001) Richard Goodwin (09:17 13/6/2001) Andrew P Harmsworth (10:59 13/6/2001) Chris Williams (17:19 13/6/2001) Ian Hawkins (18:35 13/6/2001) Frazier Parping (12:11 14/6/2001) Richard Goodwin (12:53 14/6/2001) Curry Monster (14:54 14/6/2001) Richard Goodwin (17:10 14/6/2001) Rob Kendrick (17:20 14/6/2001) Richard Goodwin (18:07 14/6/2001) Reinhardt Skidds (18:15 14/6/2001) mark quint (18:16 14/6/2001)
|
|
mark quint |
Message #88698, posted at 10:21, 12/6/2001 |
Unregistered user
|
heh, you wonder why these 13-year children do just grow up do you? >( |
|
[ Log in to reply ] |
|
Richard Goodwin |
Message #88699, posted at 10:45, 12/6/2001, in reply to message #88698 |
Unregistered user
|
Some more news - apparently the ArgoNet server wasn't a target for anything too bad itself, but it was being used as a zombie to (potentially) attack other machines in Denial of Service attacks. |
|
[ Log in to reply ] |
|
Rob Kendrick |
Message #88700, posted at 14:06, 12/6/2001, in reply to message #88699 |
Unregistered user
|
What operating system was it that Argonet were using? I hope it wasn't RedHat (which has had numerous worms known about for months) or a BIND exploit. Too many ISPs these days don't patch serious holes in their servers. Some are even foolish enough to have double standards when encrypting connections (such as not having telnetd (because you transmit your password in the clear) and only ssh. Then you notice that they use IMAP, POP or FTP non-encrypted (and therefor transmitting your password in the clear.) The internet boom is occuring as we speak, and too many people are having boxes co-located that are simply not secure, either because they've been set up badly, or they've not applied patches to plug serious flaws and holes. They'll have no sympathy from me. It's like leaving your car unlocked, and complaining when it's been nicked. |
|
[ Log in to reply ] |
|
Richard Goodwin |
Message #88701, posted at 14:38, 12/6/2001, in reply to message #88700 |
Unregistered user
|
The attack came in via an FTP server buffer overrun, which has only been known about for less than a month. So no, ArgoNet's servers were not left open like an unlocked car, and the vulnerability is present in many Unixen - officially reported NOT in Linux, just Solaris and *BSD, although this has recently been called into question. |
|
[ Log in to reply ] |
|
Andrew Veitch |
Message #88702, posted at 15:37, 12/6/2001, in reply to message #88701 |
Unregistered user
|
Am I right in presuming then that, given that the exploit has "been known about for less than a month", this exploit is not the ftp globbing exploit (as reported April 10, CERT CA-2001-07)? (Also officially reported NOT in Linux, just Solaris and *BSD :-) |
|
[ Log in to reply ] |
|
Rob Kendrick |
Message #88703, posted at 15:52, 12/6/2001, in reply to message #88702 |
Unregistered user
|
<grin> You're not suggesting that Argonet might be amateurs, are you? :) |
|
[ Log in to reply ] |
|
mark quint |
Message #88704, posted at 16:31, 12/6/2001, in reply to message #88703 |
Unregistered user
|
what gets me is why should we really have to lock our cars? whats wrong with having a perfect world :D what group of people would be likely to being doing these DOS attacks & why? :/ |
|
[ Log in to reply ] |
|
Gareth Cumella |
Message #88705, posted at 17:02, 12/6/2001, in reply to message #88704 |
Unregistered user
|
Hackers, who needs them! |
|
[ Log in to reply ] |
|
Rob Kendrick |
Message #88706, posted at 18:32, 12/6/2001, in reply to message #88705 |
Unregistered user
|
*Crackers*, please. A hacker, unlike what the television will tell you, is something quite different. |
|
[ Log in to reply ] |
|
Nathan |
Message #88707, posted at 20:28, 12/6/2001, in reply to message #88706 |
Unregistered user
|
Rob, I think you are referring to "knackers". |
|
[ Log in to reply ] |
|
Rob Kendrick |
Message #88708, posted at 20:34, 12/6/2001, in reply to message #88707 |
Unregistered user
|
:) For people who don't know/understand the difference between a 'hacker' and a 'cracker', the following URLs may be of insight: http://www.dict.org/bin/Dict?Form=Dict1&Query=hacker&Strategy=*&Database=foldoc&submit=Submit+query (note defs. 5 and 7) and http://www.dict.org/bin/Dict?Form=Dict1&Query=cracker&Strategy=*&Database=foldoc&submit=Submit+query |
|
[ Log in to reply ] |
|
Richard Goodwin |
Message #88709, posted at 09:13, 13/6/2001, in reply to message #88708 |
Unregistered user
|
Hey, at least I got something right in the report then - all I seem to get is email giving contrary arguments for and against the use of the apostrophe in "it's". <flame on> ;) If you're implying that ArgoNet are ametuers, at least they had someone on hand on a Sunday afternoon to diagnose and try to fix the problem; given the number of other machines used in the same DDoS, they weren't alone in being attacked, but there were a hell of a lot of people out there that weren't so clued and were still wondering what was going on on Tuesday. And we're talking about people with machines in professional hosting sites, not lame ADSL users. Scary. And why didn't the hosting facility configure the router to lessen the impact of the resulting DDoS in the first place? They're *still* having problems with attack traffic going through their system. IMHO kudos to ArgoNet for dealing with it so quickly (I'm completely unbiased of course ;). And as for the original problem I don't have the exact details (I lost interest when I realised I wasn't vulnerable to that attack and started scrabbling for the security kit to secure my own box instead) but as the machine hasn't long been set up, and had all the latest software installed at that point, it's more a case of bad timing than poor judgement that that particular box was hacked. As for the other boxen, I think they were taken down temporarily as a precaution. |
|
[ Log in to reply ] |
|
Richard Goodwin |
Message #88710, posted at 09:17, 13/6/2001, in reply to message #88709 |
Unregistered user
|
BTW, a better resource for definitions of this type is the Jargon File:
http://www.tuxedo.org/~esr/jargon/html/entry/hacker.html http://www.tuxedo.org/~esr/jargon/html/entry/cracker.html
http://www.tuxedo.org/~esr/jargon/html/entry/scratch-monkey.html
|
|
[ Log in to reply ] |
|
Andrew P Harmsworth |
Message #88711, posted at 10:59, 13/6/2001, in reply to message #88710 |
Unregistered user
|
Cor blimey guv! Well done Argo for getting it fixed in good time, though. |
|
[ Log in to reply ] |
|
Chris Williams |
Message #88712, posted at 17:19, 13/6/2001, in reply to message #88711 |
Unregistered user
|
theregister.co.uk have just done a report in DoS attacks. See www.grc.com, security techspert Steve Gibson's site took a whacking from zombies using IRC. Chris @ drobe |
|
[ Log in to reply ] |
|
Ian Hawkins |
Message #88713, posted at 18:35, 13/6/2001, in reply to message #88712 |
Unregistered user
|
Pfft, have we finished trolling yet? |
|
[ Log in to reply ] |
|
Frazier Parping |
Message #88714, posted at 12:11, 14/6/2001, in reply to message #88713 |
Unregistered user
|
More importantly, is the situation resolved now? |
|
[ Log in to reply ] |
|
Richard Goodwin |
Message #88715, posted at 12:53, 14/6/2001, in reply to message #88714 |
Unregistered user
|
All the ArgoNet servers (and services) are back online now (at least as much as normal ;). As for the rest of it, that part of the network doesn't seem as slow as it did yesterday, which I take as a good sign. |
|
[ Log in to reply ] |
|
Curry Monster |
Message #88716, posted at 14:54, 14/6/2001, in reply to message #88715 |
Unregistered user
|
And have they now installed satan, and made sure they check for security holes more often? :) |
|
[ Log in to reply ] |
|
Richard Goodwin |
Message #88717, posted at 17:10, 14/6/2001, in reply to message #88716 |
Unregistered user
|
I doubt they'd tell you what they'd installed even if you asked them :) Security by obfuscation on it(')s own isn't good, but in combination every bit helps ;) |
|
[ Log in to reply ] |
|
Rob Kendrick |
Message #88718, posted at 17:20, 14/6/2001, in reply to message #88717 |
Unregistered user
|
Simple rule: "it's" is short for "it is". It does not say anything about ownership. For example: "Bob's garage" is correct. "It's door is green" is not. |
|
[ Log in to reply ] |
|
Richard Goodwin |
Message #88719, posted at 18:07, 14/6/2001, in reply to message #88718 |
Unregistered user
|
Really don't give a monkeys, just wish people would stop emailing me about it. |
|
[ Log in to reply ] |
|
Reinhardt Skidds |
Message #88720, posted at 18:15, 14/6/2001, in reply to message #88719 |
Unregistered user
|
Shouldn't that be "monkey's" ;-) |
|
[ Log in to reply ] |
|
mark quint |
Message #88721, posted at 18:16, 14/6/2001, in reply to message #88720 |
Unregistered user
|
damn, looks like ill be looking for some local 'on-a-budget' Monkey-Dealers in Free-Ads then :D |
|
[ Log in to reply ] |
|
|
Acorn Arcade forums: News and features: ArgoNet hack attack |