The Initial Intrusion
- Initial root compromise points of origin
- "No charge" ISPs
- Single PPP account "guest", password "password"
- No AUP, no user records, no Caller-ID, no trap/trace
- Compromised systems in Korea, Germany, Sweden, Jamaica, UK, etc.
- Compromised name servers, web servers, home systems, software development companies, "day trading" companies, ecommerce sites, ISPs, NASA, .mil sites... you name it
- Using wingate and telnet gateways to bounce off foreign sites
- Stolen dialup accounts
- Apparent 24x7 scanning, with results sifted into sets of single architecture/single vulnerability
- Attacks then come in waves, hitting many systems in a very short time period: exploit, install backdoor, install tools, lather, rinse, repeat
- Often using "Root Kits" to conceal programs/files/connections
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Mon Nov 1 22:12:00 PST 1999