Bill Clementson's Blog

Bits and pieces (mostly Lisp-related) that I collect from the ether.


Common-lisp.net down

Tuesday, August 24, 2004

It appears that common-lisp.net has been attacked again. Since common-lisp.net hosts a lot of open-source CL projects (SLIME, CMUCL, CL-PREVALENCE, etc), this is a real bummer. :-(

Karl Krueger on c.l.l. (comp.lang.lisp) provided some interesting insights on why these types of attacks occur:

"Seemingly random or purposeless break-ins seem to be done for a number of purposes. One of the most widely reported -- 'Web site vandalism', or kids breaking in to Web sites only to put up rude messages -- was pretty common a few years ago, but seems to be much less so now. Recent attacks seem to be substantially more sinister in the large.

One of the most common types of 'random' break-ins I see appears to be done in order to use the target system as a staging area for other sorts of attacks. Any system the attacker can gain a shell on can be used to go break into other systems -- and the more hosts between the human attacker and his ultimate target, the harder his trail is to follow.

A common method is to install backdoors on cracked systems, which can be controlled by any number of means. One used on both Unix and Windows systems is an IRC bot, which logs on to a designated IRC server and accepts commands -- 'scan this', 'pingflood that', and so forth. I've gone on IRC channels where *dozens* of these bots are logged in waiting for directions from an attacker.

Google search: 'IRC bot backdoor'

There is a black market in compromised systems, as well. Organized and less-organized crime need them for several purposes. One is spamming. Spammers use compromised hosts -- mostly, these days, home Windows systems -- to send spam. A list of 'fresh open proxies', or newly cracked hosts with proxy software installed, can be sold to spammers. The payoff can be in money diverted to a PayPal account, or in stolen credit card numbers.

Google search: 'fresh open proxies'

Another 'mobster-ish' use of cracked systems is extortion. The criminal threatens an online gambling or porn site as follows: 'Send me a few thousand dollars, or I'll flood your site off the Net.' If the site won't pay up (or so the threat goes) the crooks will use cracked systems to bombard the site with junk traffic.

Google search: 'online flood extortion'

Finally, another one I've seen is to use the cracked system as a file server or Web site for illegal purposes. Some spammers use cracked systems not only as proxies to send spam, but as Web and DNS hosting for the sites advertised in the spam. Any sort of contraband data -- from bootleg software and movies, to national secrets, to child pornography -- is also a good candidate to be hosted on a cracked system, just as abandoned warehouses get used in the illegal drug trade. One Windows 2000 FTP server at my workplace a couple of years ago got filled up by an anonymous visitor with bootleg PlayStation games, porn movies, and Star Trek episodes.

In some cases, it may be that the attacker doesn't have any *specific* use in mind. Having a few cracked systems available is like having a few fake IDs in different names. For the upwardly mobile online criminal, it's an essential tool to hide what you're doing, to send investigators through a few extra hoops to find you (and believe me, tracing back logs across multiple systems is NO FUN, especially when the systems' clocks are wrong), or possibly just to keep in practice."
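The closing remark about tracing logs back across several systems whose clocks are wrong is the part of this that an incident responder actually has to do. The following is an added example (mine, not Karl's or anything from common-lisp.net) of the bookkeeping involved: it takes sshd login lines from three hosts, corrects each host's timestamp with a per-host clock offset, merges them into one timeline, and walks the chain of hops backwards from the last host to the origin address. The hostnames, addresses, offsets, log lines and the year 2004 used to complete the syslog timestamps are all constructed assumptions.

```python
"""Cross-host forensic timeline with clock-skew correction.

Added example, not code from the original post.  Merges syslog-style sshd
login records from several hosts into one timeline, corrects each host's
wrong clock with a per-host offset, and follows the chain of hops.
All hostnames, addresses, offsets and log lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical offsets measured during the investigation (for example by
# comparing each host's clock against a trusted time source):
#   offset = host_clock - true_time
CLOCK_OFFSET = {
    "alpha": timedelta(0),                      # clock is correct
    "bravo": timedelta(minutes=-14),            # runs 14 minutes slow
    "charlie": timedelta(hours=1, minutes=3),   # wrong zone plus drift
}

# Address each monitored host uses when it connects outward (constructed).
HOST_ADDR = {"alpha": "10.0.0.11", "bravo": "10.0.0.12", "charlie": "10.0.0.13"}

# Constructed sshd lines exactly as each host wrote them to its own log.
# The raw timestamps are out of order across hosts because of the skew.
RAW_LOGS = {
    "alpha": ["Aug 24 02:10:05 alpha sshd[411]: Accepted password for admin from 203.0.113.9 port 51022 ssh2"],
    "bravo": ["Aug 24 02:01:40 bravo sshd[902]: Accepted password for deploy from 10.0.0.11 port 40210 ssh2"],
    "charlie": ["Aug 24 03:20:12 charlie sshd[77]: Accepted publickey for root from 10.0.0.12 port 33001 ssh2"],
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(order=True)
class Event:
    when: datetime      # corrected to true time (UTC)
    host: str
    user: str
    src: str
    raw_when: datetime  # what the host's own clock said


def parse_line(line: str, year: int = 2004) -> Event | None:
    """Parse one sshd 'Accepted' line; syslog omits the year, so it is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in 'Aug  4'
    raw = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    host = m["host"]
    # true_time = host_clock - (host_clock - true_time)
    corrected = raw - CLOCK_OFFSET.get(host, timedelta(0))
    return Event(corrected, host, m["user"], m["src"], raw)


def build_timeline(logs: dict[str, list[str]]) -> list[Event]:
    """Parse every host's lines and return them ordered by corrected time."""
    events = [ev for lines in logs.values() for ln in lines if (ev := parse_line(ln)) is not None]
    return sorted(events)


def trace_back(timeline: list[Event], final_host: str) -> list[Event]:
    """Walk backwards from the last hop: the source address of the latest
    login on a host is looked up as another monitored host, and so on,
    until the source lies outside the monitored set.  Returns origin first."""
    addr_to_host = {ip: h for h, ip in HOST_ADDR.items()}
    chain: list[Event] = []
    host: str | None = final_host
    before: datetime | None = None
    while host is not None:
        # Latest login on this host that happened before the next hop.
        logins = [e for e in timeline if e.host == host and (before is None or e.when <= before)]
        if not logins:
            break
        ev = logins[-1]
        chain.append(ev)
        before = ev.when
        host = addr_to_host.get(ev.src)
    chain.reverse()
    return chain


if __name__ == "__main__":
    tl = build_timeline(RAW_LOGS)
    for e in tl:
        print(f"{e.when:%H:%M:%S} (host clock {e.raw_when:%H:%M:%S}) {e.host}: {e.user} from {e.src}")
    hops = trace_back(tl, "charlie")
    print(" -> ".join([hops[0].src] + [e.host for e in hops]))
```

Sorting the same events by their raw timestamps puts bravo's login before alpha's, which would suggest the attacker arrived at bravo first; only after applying the offsets does the alpha, bravo, charlie order appear, which is exactly the kind of wrong-clock confusion the quoted post complains about.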

Copyright © 2004 by Bill Clementson