Home page logo

nanog logo nanog mailing list archives

Re: black hat .cn networks
From: "Henry R. Linneweh" <linneweh () concentric net>
Date: Wed, 02 May 2001 07:12:04 -0700

This is exactly part of problem over this entire issue, the chinese
while some of the kids are more than likely for a few attacks,
but I am willing to bet that some US hackers and foreign hackers
are doing the attacks from .cn hacked accounts for entertainment
purposes and causing an international incident.

Over reaction does not resolve the problem. I would be more
worried about A missile defense system damaged by a Micro
meteor that could potentially kill a couple million Americans
in a fell swoop.

Elias Halldor Agustsson wrote:

Það var Mánudagur í Apríl þegar Roger Marquis sagði:

Walter Prue <prue () ISI EDU> wrote:
The folks in the US  who counterattack might be well advised to
reconsider doing so.  I would imagine that traffic from the US would be
closely monitored.  Any new hacking tricks that these counterattacks
might use would then be recorded and analyzed.  These techniques could
then be used by them to further attack the US.

Does anyone know if these China scares are for real?  The probability
they are simply Pentagon/Administration propaganda seems too high
to discount.  I ask because we've seen no increase in the (already
substantial) number of scans from CN/KR/HK/... netblocks.  Does
any hard evidence exist?

About six months ago, I was doing some forensics on a cracked Linux
system belonging to a friend of mine. It had a rootkit installed, and
a .history file showed that the rootkit had been transferred to the
machine with rcp from the lp account on a host in China.

I logged into the lp account with rlogin. It had ++ in .rhosts.
It was a SunOS 5.5 system with no patches installed. The lastlog
showed logins from dial-up and DSL or cable accounts from all
over England, The Netherlands and the USA. It was obviously being
used as a hacking base and a rootkit repository. There were several
backdoors installed in the system, several setuid root shells lying
around here and there, and a ++ .rhosts file for every system account.

I guess China is an easy target to exploit in this way. General
knowledge of systems security seems low, and most people, even
intellectuals, lack foreign language skills. A complaint will
get ignored because the responsible person doesn't understand
the language it is written in, or even doesn't understand the
technical and security implications of what is happening.

All this makes me suspect the Chinese are victims in this matter,
rather than perpetrators.

In short: never attribute to malice that which can adequately be
explained with stupidity.

|-------Elías Halldór Ágústsson-----------http://this.is/bofh/-------|
| Systems Administrator, Reykjavík, Iceland. NIC handles: EHA2-RIPE, |
| EHA7-RIPE, EHA2-IS, EHA7-IS (at whois.ripe.net and whois.isnet.is) |
|-------Unsolicited commercial email will be dealt with harsly-------|


Thank you;
| Thinking is a learned process.  |
| ICANN member @large             |
| Gigabit over IP, ieee 802.17    |
| working group                   |
| Resilient Packet Transport      |
| http://www.luminousnetworks.com |
Henry R. Linneweh

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]