Lachlan passed away in January 2010.  As a memorial, this site remains as he left it.
Therefore the information on this site may not be current or accurate and should not be relied upon.



Welcome to Lachlan Cranswick's Personal Homepage in Melbourne, Australia

28th March 2001 - a date that will live in Nuisanceville - Bluehaze.com.au gets hacked

Lachlan's Homepage is at http://lachlan.bluehaze.com.au


bluehaze.com.au gets hacked


  • "Lion Internet Worm" DDOS Targeting Unix Systems
    • At http://www.nipc.gov/warnings/advisories/2001/01-005.htm
    • Lion Find: http://www.sans.org/y2k/lion.htm
    • Highly destructive Linux worm mutating: http://www.theregister.co.uk/content/8/17929.html
    • "This one includes a feature similar to one in the Ramen worm, which altered the Web pages of hacked HTTP servers with the message "Hackers looooooooooooove noodles," signed by the "RameN Crew."
      The new Lion worm sets up an HTTP server on port 27374 and erects a page bearing greetz from the Lion crew, Fearnow told us.
      All versions (there are three now) are virtually idiot proof, fire-and-forget tools. Each package contains a scanner which generates random class B addresses searching for an opening on port 53. It then queries the version, and if it finds it's vulnerable, runs a well-known BIND 8 transaction signature (TSIG) handling code exploit, and installs the t0rn rootkit."
    • "We were hasty this week in our initial coverage, where we took a swipe at the FBI's National Infrastructure Protection Center (NIPC) over a Lion advisory bulletin of theirs which we deemed alarmist."
    • "So the NIPC bulletin is a bit gaseous, but not as grossly flatulent as we'd thought."


  • FBI hacker sleuths hint at power-grid disaster
    • At http://www.theregister.co.uk/content/archive/15538.html
    • "The network in question was stupidly configured for anonymous FTP login with read and write privileges, pretty much a welcome mat for anyone in cyberspace to post and retrieve files as they please. Naturally some kids set up a game, with which they managed to gobble up most of the network bandwidth.
      The incident occurred because hopelessly incompetent network administrators essentially left the door open, the lights on, and set out milk and cookies for their anonymous guests. Technically speaking, they left the writable FTP directory and its sub-directories owned by the FTP account rather than by root, which would have reserved write privileges to the network admins."
    • ""Hacked" it most certainly was not. Trespassing is about the worst offence one could claim here; but with no access control whatsoever in place, there isn't, therefore, any digital "No Trespassing" sign in evidence, and one might argue that they had no reason to believe that the owner didn't intend to make his FTP account available for public use. "
    • Redhat worm touts instant noodles ('Ramen' worm): http://www.theregister.co.uk/content/archive/16168.html
    • Hacking Linux BIND servers becomes child's play: http://www.theregister.co.uk/content/8/17864.html
    • BIND holes mean big trouble on the Net: http://www.theregister.co.uk/content/6/16454.html

    • How you hack into Microsoft: a step by step guide: http://www.theregister.co.uk/content/1/14344.html


      "Barbarians at the gate
      Network security becomes increasingly difficult as point-and-drool cracking tools proliferate. So many painfully easy-to-use appz have been developed in recent years that persistence is now a far more reliable predictor of success than skill: even a newbie cracker can succeed by using pat scripts and casting his nets wide enough"

    • Linux worm attempts to take over insecure servers: http://www.theregister.co.uk/content/8/18117.html

      "The third Linux worm this year, which tries to exploit lax security on Web sites running the open source OS, has been discovered.

      Adore, which is similar to the earlier Ramen and Lion worms, scans Linux hosts on the Internet to determine whether they are vulnerable to well known exploits.

      These include a well publicised vulnerability with BIND, as well as security weaknesses that may be present within Linux services called LPRng, rpc-statd and wu-ftpd (which may be left insecure in default installations).

      On hosts with vulnerabilities, the Adore worm replaces a system binary, called ps, with a Trojaned version which creates backdoor access to the compromised host.

      The worm replaces an Internet service, known as ICMP (Internet Control Message Protocol), with a version containing a back door feature that allows a hacker access to systems whenever a properly formatted command sequence is received over the Internet. Adore also attempts to send sensitive system information to four different email addresses. "

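    The Register piece quoted above blames the incident on an anonymous-FTP tree whose writable directories were owned by the FTP account instead of root. The following is an added example, not code from this page or from the site it describes: it walks an FTP root, reports every directory an anonymous client could write to (owned by the FTP account's uid, or world-writable), and then applies the fix the article implies (strip group/other write bits; hand ownership to root when running with privilege). The demo tree, the uid passed as "the ftp account" and the directory names are all constructed for the example.

```python
"""Anonymous-FTP tree audit: find directories an anonymous user can write to.
Added example, not part of the original page.  The 'ftp' account is passed as a
numeric uid so the code does not depend on a real 'ftp' user existing."""
import os
import shutil
import stat
import tempfile


def audit_ftp_tree(root, ftp_uid):
    """Return (relative_dir, reason) for each directory under root that the
    anonymous user could write to: owned by ftp_uid, or writable by everyone."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        rel = os.path.relpath(dirpath, root)
        if st.st_uid == ftp_uid:
            findings.append((rel, "owned by ftp account"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
    return findings


def harden_ftp_tree(root):
    """Remove group/other write bits on every directory; give ownership to root
    (uid 0) only when we actually are root, since chown needs privilege."""
    for dirpath, _dirs, _files in os.walk(root):
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        os.chmod(dirpath, mode & ~(stat.S_IWGRP | stat.S_IWOTH))
        if os.geteuid() == 0:
            os.chown(dirpath, 0, -1)      # -1 leaves the group unchanged


def build_demo_tree():
    """Constructed tree: pub/ read-only, pub/incoming left mode 0777 (the
    'welcome mat' the article describes)."""
    root = tempfile.mkdtemp(prefix="ftpaudit-")   # mkdtemp creates root as 0700
    incoming = os.path.join(root, "pub", "incoming")
    os.makedirs(incoming)
    os.chmod(os.path.join(root, "pub"), 0o755)
    os.chmod(incoming, 0o777)
    return root


def demo():
    """Audit, harden, audit again on the constructed tree; return the results."""
    root = build_demo_tree()
    try:
        not_ftp = os.getuid() + 1                    # a uid that is not ours
        before = audit_ftp_tree(root, not_ftp)       # only the 0777 dir shows
        owned = audit_ftp_tree(root, os.getuid())    # pretend we are 'ftp'
        harden_ftp_tree(root)
        after = audit_ftp_tree(root, not_ftp)
    finally:
        shutil.rmtree(root)
    return {"before": before, "owned": owned, "after": after}


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(stage, hits)
```

    A deliberate drop box (a sticky, world-writable "incoming" directory) would also be flagged by this audit; that is intentional, since the point of the check is that every writable directory under the FTP root is a decision someone made on purpose and can explain.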

  • Hackers turn racist in attack on hardware site: http://www.theregister.co.uk/content/8/18181.html

    "PC motherboard specialist PC Chips has fallen victim to defacement in an attack that shows that hackers can be unthinking racists.

    The home page of the site, which runs Apache on a Red Hat Linux server, was replaced by a message from the 1i0n Crew, which contained in its headline the racist remark "Kill all the Japanese!", the defacement can be seen here.

    The name of the hacking crew is associated with a Linux worm, called Lion, that attacks BIND servers and installs DDoS tools, and which poses a serious current risk to Web site administrators.

    Paul Rogers, network security analyst at MIS Corporate Defence, said from the evidence on defacement archives it was likely that PC Chips, which is hosted in Hong Kong, had been hit with a variant of the Lion worm.

    There is a variant of the worm that defaces Web pages, said Rogers, who added it would be "trivial" to modify and use it to create the racist message seen on PC Chips' site."


  • From one of the self propelled powers that be - offering moral support and weapons of mass destruction

    Date: Thu, 29 Mar 2001 10:00:30 +0100 (BST)
    To: Lachlan Cranswick lachlan@ldeo.columbia.edu
    Subject: Re: Beware of Geeks - baring electrons
    
    
    
    Dear Lachlan,
    	I now see the deed that the evil ones have accomplished and I'm
    mightily glad that you were not undone by their grotesque act. Have you
    any idea where the attack came from so that I can unleash my weapons of
    mass destruction the next time I'm in my secret underground lair?
    


    Date: Thu, 29 Mar 2001 18:21:21 +0100 (BST)
    To: Lachlan Cranswick [lachlan@ldeo.columbia.edu]
    Subject: Re: Beware of Geeks - baring electrons
    
    
    
    Lachlan, when I unleash my weapons of mass destruction they know no
    bounds. With the simple press of this here button I can unleash death on
    tens of millions on that continent and extreme unpleasantness to two
    billion more....
    


    Date: Thu, 29 Mar 2001 18:31:35 +0100 (BST)
    To: "L. Cranswick" [lzc@dl.ac.uk]
    Subject: Re: Beware of Geeks - baring electrons
    
    Hmmm, I'll have to ponder that a bit and think hard about those thousands
    of missiles that are primed ready for your command.

    From AusCERT

    ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.05
    -----BEGIN PGP SIGNED MESSAGE-----
    
    ===========================================================================
    A  U  S  C  E  R  T                                           A  L  E  R  T
    
                            AL-2001.05  --  AUSCERT ALERT
                     SANS Institute ALERT - New Bind worm: 1i0n
                                    26 March 2001
    
    ===========================================================================
    
            AusCERT Alert Summary
            ---------------------
    
    Product:                bind 8.2
                            bind 8.2-P1
                            bind 8.2.1
                            bind 8.2.2-Px
                            bind 8.2.3-betas
    Vendor:                 ISC
    Impact:                 Execute Arbitrary Code/Commands
                            Root Compromise
    Access Required:        Remote
    
    Ref:                    AA-2001.01
    
    Summary:
    
    The message included below is an alert issued by the SANS Institute
    regarding a new bind worm "1i0n".  AusCERT has received reports of
    compromises involving this worm which exploits particular bind
    vulnerabilities outlined in AUSCERT Advisory AA-2001.01 - ISC BIND
    Vulnerability released 31 January 2001.
    
    AusCERT is issuing this external security bulletin as an AusCERT Alert to
    emphasize the significance of the potential impact of the 1i0n worm and
    the vulnerabilities outlined in AA-2001.01.  For details on detection and
    removal, refer to the SANS Alert included below.  More information about
    these vulnerabilities and the availability of updated vendor software
    packages is available in recent AusCERT External Security Bulletins and
    Advisories:
    
            AusCERT Alert AA-2001.01 - ISC BIND Vulnerability
            ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2001.01
    
            CERT Advisory CA-2001-02 - Multiple Vulnerabilities in BIND
            ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.037
    
            RHSA-2001:007-03 - Updated bind packages available
            ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.038
    
            Internet Security Systems Security Alert - Remote Vulnerabilities   
            in BIND versions 4 and 8
            ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.039
    
    - --------------------------BEGIN INCLUDED TEXT--------------------
    
    - -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ALERT!  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET 
    
    March 23, 2001 7:00 AM
    
    Late last night, the SANS Institute (through its Global Incident
    Analysis Center) uncovered a dangerous new worm that appears to be
    spreading rapidly across the Internet.  It scans the Internet looking
    for Linux computers with a known vulnerability. It infects the
    vulnerable machines, steals the password file  (sending it to a
    China.com site), installs other hacking tools, and forces the newly
    infected machine to begin scanning the Internet looking for other
    victims.
    
    Several experts from the security community worked through the night to
    decompose the worm's code and engineer a utility to help you discover
    if the Lion worm has affected your organization.
    
    Updates to this announcement will be posted at the SANS web site,
    http://www.sans.org
    
    
    DESCRIPTION
    
    The Lion worm is similar to the Ramen worm. However, this worm is
    significantly more dangerous and should be taken very seriously.  It
    infects Linux machines running the BIND DNS server.  It is known to
    infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
    8.2.3-betas. The specific vulnerability used by the worm to exploit
    machines is the TSIG vulnerability that was reported on January 29,
    2001.
    
    The Lion worm spreads via an application called "randb".  Randb scans
    random class B networks probing TCP port 53. Once it hits a system, it
    checks to see if it is vulnerable. If so, Lion exploits the system using
    an exploit called "name".  It then installs the t0rn rootkit.
    
    Once Lion has compromised a system, it:
    
    - - - Sends the contents of /etc/passwd, /etc/shadow, as well as some
    network settings to an address in the china.com domain.
    - - - Deletes /etc/hosts.deny, eliminating the host-based perimeter
    protection afforded by tcp wrappers.
    - - - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
    inetd, see /etc/inetd.conf)
    - - - Installs a trojaned version of ssh that listens on 33568/tcp
    - - - Kills Syslogd , so the logging on the system can't be trusted
    - - - Installs a trojaned version of login
    - - - Looks for a hashed password in /etc/ttyhash
    - - - /usr/sbin/nscd (the optional Name Service Caching daemon) is
    overwritten with a trojaned version of ssh.
    
    The t0rn rootkit replaces several binaries on the system in order to
    stealth itself. Here are the binaries that it replaces:
    
    du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
    ps, pstree, top
    
    - - - "Mjy" is a utility for cleaning out log entries, and is placed in /bin
    and /usr/man/man1/man1/lib/.lib/.
    - - - in.telnetd is also placed in these directories; its use is not known
    at this time.  
    - - - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
    
    DETECTION AND REMOVAL
    
    We have developed a utility called Lionfind that will detect the Lion
    files on an infected system.  Simply download it, uncompress it, and
    run lionfind.  This utility will list which of the suspect files is on
    the system.
    
    At this time, Lionfind is not able to remove the virus from the system.
    If and when an updated version becomes available (and we expect to
    provide one), an announcement will be made at this site.
    
    Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
    
    
    REFERENCES
    
    Further information can be found at:
    
    http://www.sans.org/current.htm
    http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
    Multiple Vulnerabilities in BIND
    http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
    in transaction signature (TSIG) handling code
    http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
    The following vendor update pages may help you in fixing the original BIND
    vulnerability:
    
    Redhat Linux RHSA-2001:007-03 - Bind remote exploit
    http://www.redhat.com/support/errata/RHSA-2001-007.html
    Debian GNU/Linux DSA-026-1 BIND
    http://www.debian.org/security/2001/dsa-026
    SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
    http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
    Caldera Linux CSSA-2001-008.0 Bind buffer overflow
    http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
    http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
    
    This security advisory was prepared by Matt Fearnow of the SANS
    Institute and William Stearns of the Dartmouth Institute for Security
    Technology Studies.
    
    The Lionfind utility was written by William Stearns. William is an
    Open-Source developer, enthusiast, and advocate from Vermont, USA. His
    day job at the Institute for Security Technology Studies at Dartmouth
    College pays him to work on network security and Linux projects.
    
    Also contributing efforts go to Dave Dittrich from the University of
    Washington, and Greg Shipley of Neohapsis
    
    Matt Fearnow
    SANS GIAC Incident Handler
    
    If you have additional data on this worm or a critical question  please
    email lionworm@sans.org
    - -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
    ek+YCliAS832nnMIzP28ezM=
    =E1SG
    - -----END PGP SIGNATURE-----
    
    - --------------------------END INCLUDED TEXT--------------------
    
    This security bulletin is provided as a service to AusCERT's members.  As
    AusCERT did not write the document quoted above, AusCERT has had no control
    over its content.  The decision to use any or all of this information is
    the responsibility of each user or organisation, and should be done so in
    accordance with site policies and procedures.
    
    NOTE: This is only the original release of the security bulletin.  It may
    not be updated when updates to the original are made.  If downloading at
    a later date, it is recommended that the bulletin is retrieved directly
    from the original authors to ensure that the information is still current.
    
    Contact information for the authors of the original document is included
    in the Security Bulletin above.  If you have any questions or need further
    information, please contact them directly.
    
    Previous advisories and external security bulletins can be retrieved from:
    
            http://www.auscert.org.au/Information/advisories.html
    
    If you believe that your system has been compromised, contact AusCERT or
    your representative in FIRST (Forum of Incident Response and Security
    Teams).
    
    Internet Email: auscert@auscert.org.au
    Facsimile:      (07) 3365 7031
    Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                    AusCERT personnel answer during Queensland business hours
                    which are GMT+10:00 (AEST).
                    On call after hours for emergencies.
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3i
    Charset: noconv
    Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
    
    iQCVAwUBOr8uiyh9+71yA2DNAQG0iwP/aRbnhZBpCrmb5jY/1sq8KLvtphSgfK38
    YW9L7MOePXEH/qPcjk9Iuz3ibuY1SaOobAJlnwcJYlYLg0pVoxOzHndeS/v73qab
    UA1qlJdRTvYweR9jY6Al6F6pQM9qyrMoS4OaoN3Dir2NOIONUNGgIsOpA7ZEQgAn
    UPwZbcEkvl0=
    =XqnN
    -----END PGP SIGNATURE-----
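    The SANS alert above lists concrete indicators (the inetd root shells on 60008/tcp and 33567/tcp, the trojaned sshd on 33568/tcp, the deleted /etc/hosts.deny, the files under /usr/man/man1/man1/lib/.lib/, /etc/ttyhash, the binaries t0rn swaps out) and the vulnerable BIND versions; the Adore write-up earlier on this page adds the replaced ps binary. The script below is an added example, not the SANS lionfind utility or anything else from the page: it turns those indicators into a triage routine that can run over a host image. To run offline, every input is constructed in memory (a FakeHost dictionary standing in for the filesystem, a made-up /etc/services and inetd.conf, and a baseline of SHA-256 hashes for "clean" binaries); on a real host you would replace FakeHost with open()/os.path and take the baseline from the package manager. One assumption is labelled in the version check: the fixed 8.2.3 is taken to be the bare version or the "-REL" build, and any other 8.2.3 suffix is treated as a pre-release.

```python
"""1i0n / t0rn host triage.  Added example; inputs are constructed, not real."""
import hashlib
import os
import re

LION_BACKDOOR_PORTS = {60008, 33567, 33568}   # inetd root shells, trojaned sshd
LION_PATHS = [                                # paths named in the alert
    "/usr/man/man1/man1/lib/.lib",            # t0rn's hidden directory
    "/usr/man/man1/man1/lib/.lib/.x",         # setuid shell
    "/etc/ttyhash",                           # rootkit password hash
    "/bin/mjy",                               # log cleaner
]
T0RN_BINARIES = ["du", "find", "ifconfig", "in.telnetd", "in.fingerd", "login",
                 "ls", "netstat", "ps", "pstree", "top"]
SHELLS = {"sh", "bash", "csh", "ksh"}
_VER = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$")


def bind_version_vulnerable(version):
    """True for the releases the alert lists: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and
    the 8.2.3 pre-releases.  Assumption: the fixed 8.2.3 has no suffix or is
    '-REL'; any other 8.2.3-xxx is treated as a beta.  None if unparseable."""
    m = _VER.match(version.strip())
    if not m:
        return None
    major, minor, patch, suffix = int(m[1]), int(m[2]), int(m[3] or 0), m[4] or ""
    if (major, minor) != (8, 2):
        return False            # outside the alert's list; see other advisories
    if patch < 3:
        return True
    return patch == 3 and suffix not in ("", "REL")


def parse_services(text):
    """/etc/services -> {name: port}, so rootkit additions like 'lion 60008/tcp'
    resolve the same way inetd resolves them."""
    ports = {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 2 and "/" in f[1]:
            ports[f[0]] = int(f[1].split("/")[0])
    return ports


def suspicious_inetd_entries(inetd_text, services_text=""):
    """Active inetd.conf entries bound to a Lion port or spawning a shell.
    Fields: service socktype proto flags user server args..."""
    ports = parse_services(services_text)
    hits = []
    for line in inetd_text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 6:
            continue
        service, server = f[0], f[5]
        port = int(service) if service.isdigit() else ports.get(service)
        if port in LION_BACKDOOR_PORTS or os.path.basename(server) in SHELLS:
            hits.append((service, server))
    return hits


class FakeHost:
    """Constructed filesystem: {path: bytes}.  Replace with real I/O on a host."""
    def __init__(self, files): self.files = files
    def exists(self, p): return p in self.files
    def read(self, p): return self.files[p].decode()
    def sha256(self, p): return hashlib.sha256(self.files[p]).hexdigest()


def triage(host, baseline):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = [f"artefact present: {p}" for p in LION_PATHS if host.exists(p)]
    if not host.exists("/etc/hosts.deny"):
        findings.append("/etc/hosts.deny missing (tcp_wrappers deny list removed)")
    if host.exists("/etc/inetd.conf"):
        svcs = host.read("/etc/services") if host.exists("/etc/services") else ""
        for svc, server in suspicious_inetd_entries(host.read("/etc/inetd.conf"), svcs):
            findings.append(f"inetd backdoor: {svc} -> {server}")
    for path, good in baseline.items():          # t0rn / Adore binary swaps
        if host.exists(path) and host.sha256(path) != good:
            findings.append(f"binary modified: {path}")
    return findings


# Constructed sample data: a clean host, and the same host after 1i0n.
CLEAN_BIN = {f"/bin/{n}": f"clean {n}".encode() for n in T0RN_BINARIES}
BASELINE = {p: hashlib.sha256(b).hexdigest() for p, b in CLEAN_BIN.items()}
CLEAN = dict(CLEAN_BIN, **{
    "/etc/hosts.deny": b"ALL: ALL\n",
    "/etc/inetd.conf": b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"})
INFECTED = dict(CLEAN_BIN, **{                   # note: no /etc/hosts.deny
    "/bin/ps": b"trojaned ps", "/bin/mjy": b"log cleaner",
    "/usr/man/man1/man1/lib/.lib": b"",
    "/usr/man/man1/man1/lib/.lib/.x": b"setuid shell",
    "/etc/ttyhash": b"constructed-hash",
    "/etc/services": b"lion 60008/tcp\nlion2 33567/tcp\n",
    "/etc/inetd.conf": (b"ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                        b"lion stream tcp nowait root /bin/sh sh -i\n"
                        b"lion2 stream tcp nowait root /bin/sh sh -i\n")})

if __name__ == "__main__":
    for finding in triage(FakeHost(INFECTED), BASELINE):
        print(finding)
```

    The binary check is the part that survives beyond this particular worm: a rootkit that replaces ps, netstat and ls also hides from any tool that trusts those binaries, so the hashes have to come from outside the suspect host (the package manager's database on read-only media, or a baseline taken before exposure), and the triage should be run from a clean boot rather than through the possibly trojaned login and ssh the alert describes.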
    
