Script Kiddie issues

  1. #1

    Default Script Kiddie issues

    Frankly I use the apache filter to check for people looking for cmd.exe or
    root.exe or any one of a dozen files, and instead of my log files filling
    with their looks they are sent an iframe html page with a virus built in
    that formats their windows system. If they aren't running windows then it
    is still an annoyance because they get nowhere, but if it is windows, then I
    get to have some fun with them.

    Just my $.02.
    Lonewolf Guest

  3. #2

    Default Re: Script Kiddie issues

    On Fri, 6 Feb 2004 07:55:41 -0800 (PST), lonewolf@nc.rr.com (Lonewolf)
    wrote:
    >Frankly I use the apache filter to check for people looking for cmd.exe or
    >root.exe or any one of a dozen files, and instead of my log files filling
    >with their looks they are sent an iframe html page with a virus built in
    >that formats their windows system. If they aren't running windows then it
    >is still an annoyance because they get nowhere, but if it is windows, then I
    >get to have some fun with them.
    >
    >Just my $.02.
    What a great idea! Wish I knew how to do that.

    Mike-

    Mornings: Evolution in action. Only the grumpy will survive.
    -----------------------------------------------------

    Please note - Due to the intense volume of spam, we have
    installed site-wide spam filters at catherders.com. If
    email from you bounces, try non-HTML, non-encoded,
    non-attachments.
    Michael W . Cocke Guest

  4. #3

    Default Re: Script Kiddie issues

    What a great idea. You'll make lots of new friends in the Big House.

    At 04:24 PM 2/6/04 -0500, Michael W.Cocke wrote:
    >On Fri, 6 Feb 2004 07:55:41 -0800 (PST), lonewolf@nc.rr.com (Lonewolf)
    >wrote:
    >
    >>Frankly I use the apache filter to check for people looking for cmd.exe or
    >>root.exe or any one of a dozen files, and instead of my log files filling
    >>with their looks they are sent an iframe html page with a virus built in
    >>that formats their windows system. If they aren't running windows then it
    >>is still an annoyance because they get nowhere, but if it is windows, then I
    >>get to have some fun with them.
    >>
    >>Just my $.02.
    >
    >What a great idea! Wish I knew how to do that.
    >
    >Mike-
    >
    >Mornings: Evolution in action. Only the grumpy will survive.
    >-----------------------------------------------------
    >
    >Please note - Due to the intense volume of spam, we have
    >installed site-wide spam filters at catherders.com. If
    >email from you bounces, try non-HTML, non-encoded,
    >non-attachments.
    Michael C. Davis Guest

  5. #4

    Default RE: Script Kiddie issues

    Nah, because the only ones who receive the file are those attempting to
    do harm to my system. Granted I could make it go to a warning page,
    which after a few seconds dumps them to the other page, thereby giving
    them a warning before I fire the shot, just like a trespasser in my
    house. Do I shoot first when they are in MY house in the middle of the
    night, or do I give them enough time to shoot me? They are trespassing
    on my system. Normal use of the system does NOT require access to
    cmd.exe or other files they are looking for to use to exploit the
    system. Normal use laws apply, and you CAN and folks DO take steps to
    secure their system from others.

    Legally I checked with lawyers and the ones in my area say as long as I
    keep a log of the accesses I am fine. I took this step after sending
    over 200 messages to ISPs to halt their users and receiving no response
    to any of the inquiries even though I provided the ISPs with log files
    and everything. I did the same with ISPs with spammers and open relays.
    Multiple emails to their main offices and local branches with the
    spammers email addresses, full headers, and no word back. If the ISP
    was not even willing to answer multiple emails they were sent another
    email with how to contact me directly and then their entire domain was
    added to the server kill file. Cut down on the spam in MY inbox.


    -----Original Message-----
    From: Michael C. Davis [mailto:mcdavis941@knology.net]
    Sent: Saturday, February 07, 2004 8:30 AM
    To: beginners@perl.org
    Subject: Re: Script Kiddie issues


    What a great idea. You'll make lots of new friends in the Big House.


    Lone Wolf Guest

  6. #5

    Default RE: Script Kiddie issues

    Who in their right mind would walk into a courthouse and tell the judge
    they were trying to break into a computer system (which in and of itself
    holds MANY penalties because information on a company system is
    invaluable per previous court cases) and say that they lost data on
    their system when their attack was rebuked? The person would get
    laughed out of court, if not at the submittal level then when the judge
    enters the chamber. At the point the guy admits to trying to hack into
    the system the cops can come forward and throw him in jail, the DA would
    have a confession on record, and Butch would have a new wife in cell
    block D.

    But it is all semantics. If they run an AV they are fine, just annoyed.
    If they don't run an AV then if they are smart they will catch it and be
    fine. If they lose it, well how can they prove where they were, the log
    files are gone and unless they are keeping paper records (even better
    for the law to prosecute them with) then they have even no way of
    proving anything.

    -----Original Message-----
    From: Michael C. Davis [mailto:mcdavis941@knology.net]
    Sent: Saturday, February 07, 2004 8:30 AM
    To: beginners@perl.org
    Subject: Re: Script Kiddie issues


    What a great idea. You'll make lots of new friends in the Big House.


    Lone Wolf Guest

  7. #6

    Default Re: Script Kiddie issues

    Lone Wolf wrote:
    > Nah, because the only ones who receive the file are those attempting to
    > do harm to my system. Granted I could make it go to a warning page,
    > which after a few seconds dumps them to the other page, thereby giving
    > them a warning before I fire the shot, just like a trespasser in my
    > house. Do I shoot first when they are in MY house in the middle of the
    > night, or do I give them enough time to shoot me? They are trespassing
    > on my system. Normal use of the system does NOT require access to
    > cmd.exe or other files they are looking for to use to exploit the
    > system. Normal use laws apply, and you CAN and folks DO take steps to
    > secure their system from others.
    >
    Securing your system from someone is different than firing back. And
    your house analogy is really dumb, it has predefined borders that are
    very distinct. Your webserver is open and you are inviting someone to
    look at anything on it, for the same reason that you can't shoot me for
    walking on the sidewalk in front of your house (assuming you lived where
    such things exist).... If you want to use the analogy shut down port 80,
    then if someone tries to enter through port 80 then fire back. You are
    actually causing more problems for those of us that have to deal with the
    problems, by only helping yourself. What is to stop a spammer or script
    kiddie finding out about your ruse, possibly even listening in on the
    conversation, and rather than trying to hack your system starts sending
    out mass emails to people with a URL in it that directs them to your
    system and that URL, all of a sudden your victims become his victims and
    he has used you in a scheme to haunt the very users you wished to defend.
    > Legally I checked with lawyers and the ones in my area say as long as I
    > keep a log of the accesses I am fine. I took this step after sending
    > over 200 messages to ISPs to halt their users and receiving no response
    > to any of the inquiries even though I provided the ISPs with log files
    > and everything. I did the same with ISPs with spammers and open relays.
    > Multiple emails to their main offices and local branches with the
    > spammers email addresses, full headers, and no word back. If the ISP
    > was not even willing to answer multiple emails they were sent another
    > email with how to contact me directly and then their entire domain was
    > added to the server kill file. Cut down on the spam in MY inbox.
    >
    >
    Lawyers... right, I am sure they will be happy to take your money while
    they attempt to defend you in a court where a judge is going to tell
    them they are as dumb as your stunt for trying to defend you...

    Like I said, script kiddies aren't worth the time.......

    http://danconia.org
    Wiggins D'Anconia Guest

  8. #7

    Default RE: Script Kiddie issues

    > -----Original Message-----
    > From: LoneWolf [mailto:lonewolf@nc.rr.com]
    > Sent: Friday, February 06, 2004 10:56 AM
    > To: beginners@perl.org
    > Subject: Script Kiddie issues
    >
    >
    > Frankly I use the apache filter to check for people looking
    > for cmd.exe or root.exe or any one of a dozen files, and
    > instead of my log files filling with their looks they are
    > sent an iframe html page with a virus built in that formats
    > their windows system. If they aren't running windows then it
    > is still an annoyance because they get nowhere, but if it is
    > windows, then I get to have some fun with them.
    >
    > Just my $.02.
    >
    I hope it installs Linux on their system with grub & root passwords set
    to something like:
    HJ@I$hu%ihUI*hweqH^UI_=hgSdSHzU67t&t678YT&*t67T78T 78_&*t%78T78t*&y9HUGy8
    ogbIyn908-h{

    Either that or send 'em a system image of WinDoze 3.0 :)

    Bill Akins Guest

  9. #8

    Default [OT] Re: Script Kiddie issues

    --As of Saturday, February 7, 2004 12:37 PM -0500, Wiggins d'Anconia
    is alleged to have said:
    > What is to stop a spammer or script kiddie finding out about your
    > ruse, possibly even listening in on the conversation, and rather
    > than trying to hack your system starts sending out mass emails to
    > people with a URL in it that directs them to your system and that
    > URL, all of a sudden your victims become his victims and he has
    > used you in a scheme to haunt the very users you wished to defend.
    --As for the rest, it is mine.

    Or, the more likely scenario: Launching his attack from a compromised
    computer in the first place. (That is, the first attempt to contact
    you is from some poor computer that the script kiddie has already
    compromised. Not their own computer. Not even someone who knows
    they are running the script kiddie's software.)

    After all, that is the normal way they work...

    Daniel T. Staal

    ---------------------------------------------------------------
    This email copyright the author. Unless otherwise noted, you
    are expressly allowed to retransmit, quote, or otherwise use
    the contents for non-commercial purposes. This copyright will
    expire 5 years after the author's death, or in 30 years,
    whichever is longer, unless such a period is in excess of
    local copyright law.
    ---------------------------------------------------------------
    Daniel Staal Guest

  10. #9

    Default Re: Script Kiddie issues

    Lone Wolf wrote:
    > Nah, because the only ones who receive the file are those attempting to
    > do harm to my system. Granted I could make it go to a warning page,
    > which after a few seconds dumps them to the other page, thereby giving
    > them a warning before I fire the shot, just like a trespasser in my
    > house. Do I shoot first when they are in MY house in the middle of the
    > night, or do I give them enough time to shoot me? They are trespassing
    > on my system. Normal use of the system does NOT require access to
    > cmd.exe or other files they are looking for to use to exploit the
    > system. Normal use laws apply, and you CAN and folks DO take steps to
    > secure their system from others.
    >
    > Legally I checked with lawyers and the ones in my area say as long as I
    > keep a log of the accesses I am fine. I took this step after sending
    > over 200 messages to ISPs to halt their users and receiving no response
    > to any of the inquiries even though I provided the ISPs with log files
    > and everything. I did the same with ISPs with spammers and open relays.
    > Multiple emails to their main offices and local branches with the
    > spammers email addresses, full headers, and no word back. If the ISP
    > was not even willing to answer multiple emails they were sent another
    > email with how to contact me directly and then their entire domain was
    > added to the server kill file. Cut down on the spam in MY inbox.
    >
    >
    > -----Original Message-----
    > From: Michael C. Davis [mailto:mcdavis941@knology.net]
    > Sent: Saturday, February 07, 2004 8:30 AM
    > To: beginners@perl.org
    > Subject: Re: Script Kiddie issues
    >
    >
    > What a great idea. You'll make lots of new friends in the Big House.
    >
    >
    <answer>
    American attitude will destroy the world. thank you.
    If your system is stable, (nearly) no one can harm you.
    stop being paranoid. attack and destruction are as always the best
    solutions.
    regards

    Eternius
    </answer>
    Eternius Guest

  11. #10

    Default Re: [OT] Re: Script Kiddie issues

    I've been holding off on responding to this thread but now....

    I've dealt with security for some time on Unix/Linux systems. Some of
    my favorite products certainly have the ability to perform a counter
    attack; however, the author of those products always warns the user NOT to
    taunt happy fun ball. :-)

    You will only annoy the attacker (presuming it's not a zombie) and you
    will become a target. Just a warning.



    Daniel Staal wrote:
    > --As of Saturday, February 7, 2004 12:37 PM -0500, Wiggins d'Anconia
    > is alleged to have said:
    >
    >> What is to stop a spammer or script kiddie finding out about your
    >> ruse, possibly even listening in on the conversation, and rather
    >> than trying to hack your system starts sending out mass emails to
    >> people with a URL in it that directs them to your system and that
    >> URL, all of a sudden your victims become his victims and he has
    >> used you in a scheme to haunt the very users you wished to defend.
    >
    >
    > --As for the rest, it is mine.
    >
    > Or, the more likely scenario: Launching his attack from a compromised
    > computer in the first place. (That is, the first attempt to contact
    > you is from some poor computer that the script kiddie has already
    > compromised. Not their own computer. Not even someone who knows they
    > are running the script kiddie's software.)
    >
    > After all, that is the normal way they work...
    >
    > Daniel T. Staal
    >
    > ---------------------------------------------------------------
    > This email copyright the author. Unless otherwise noted, you
    > are expressly allowed to retransmit, quote, or otherwise use
    > the contents for non-commercial purposes. This copyright will
    > expire 5 years after the author's death, or in 30 years,
    > whichever is longer, unless such a period is in excess of
    > local copyright law.
    > ---------------------------------------------------------------
    >
    U235sentinel Guest

  12. #11

    Default Re: Script Kiddie issues

    On Feb 7, 2004, at 11:37 AM, Wiggins d'Anconia wrote:
    > Securing your system from someone is different than firing back. And
    > your house analogy is really dumb, it has predefined borders that are
    > very distinct. Your webserver is open and you are inviting someone to
    > look at anything on it, for the same reason that you can't shoot me
    > for walking on the sidewalk in front of your house (assuming you lived
    > where such things exist).... If you want to use the analogy shut down
    > port 80, then if someone tries to enter through port 80 then fire back.
    > You are actually causing more problems for those of us that have to
    > deal with the problems, by only helping yourself. What is to stop a
    > spammer or script kiddie finding out about your ruse, possibly even
    > listening in on the conversation, and rather than trying to hack your
    > system starts sending out mass emails to people with a URL in it that
    > directs them to your system and that URL, all of a sudden your victims
    > become his victims and he has used you in a scheme to haunt the very
    > users you wished to defend.
    Thank you. You said what I wanted to and better. I was worried reason
    had left this thread altogether.

    James

    James Edward Gray II Guest

  13. #12

    Default Re: Script Kiddie issues


    > Lone Wolf wrote:
    >
    > > Nah, because the only ones who receive the file are those attempting to
    > > do harm to my system. Granted I could make it go to a warning page,
    > > which after a few seconds dumps them to the other page, thereby giving
    > > them a warning before I fire the shot, just like a trespasser in my
    > > house. Do I shoot first when they are in MY house in the middle of the
    > > night, or do I give them enough time to shoot me? They are trespassing
    > > on my system. Normal use of the system does NOT require access to
    > > cmd.exe or other files they are looking for to use to exploit the
    > > system. Normal use laws apply, and you CAN and folks DO take steps to
    > > secure their system from others.
    > >
    > > Legally I checked with lawyers and the ones in my area say as long as I
    > > keep a log of the accesses I am fine. I took this step after sending
    > > over 200 messages to ISPs to halt their users and receiving no response
    > > to any of the inquiries even though I provided the ISPs with log files
    > > and everything. I did the same with ISPs with spammers and open relays.
    > > Multiple emails to their main offices and local branches with the
    > > spammers email addresses, full headers, and no word back. If the ISP
    > > was not even willing to answer multiple emails they were sent another
    > > email with how to contact me directly and then their entire domain was
    > > added to the server kill file. Cut down on the spam in MY inbox.
    > >
    > >
    > > -----Original Message-----
    > > From: Michael C. Davis [mailto:mcdavis941@knology.net]
    > > Sent: Saturday, February 07, 2004 8:30 AM
    > > To: beginners@perl.org
    > > Subject: Re: Script Kiddie issues
    > >
    > >
    > > What a great idea. You'll make lots of new friends in the Big House.
    > >
    > >
    >
    > <answer>
    > American attitude will destroy the world. thank you.
    > If your system is stable, (nearly) no one can harm you.
    > stop being paranoid. attack and destruction are as always the best
    > solutions.
    > regards
    >
    > Eternius
    > </answer>
    Instead of 'answer' you should have bracketed that in 'irony'...

    http://danconia.org

    Wiggins D Anconia Guest

  14. #13

    Default Re: Script Kiddie issues

    Unfortunately this attitude is not solely American. We've been around for only 200 years and these problems seem to come from much MUCH further in the past from a variety of countries.

    Now back to the reason we are really here. Perl anyone ::grinz::
    > Lone Wolf wrote:
    >
    > > Nah, because the only ones who receive the file are those attempting to
    > > do harm to my system. Granted I could make it go to a warning page,
    > > which after a few seconds dumps them to the other page, thereby giving
    > > them a warning before I fire the shot, just like a trespasser in my
    > > house. Do I shoot first when they are in MY house in the middle of the
    > > night, or do I give them enough time to shoot me? They are trespassing
    > > on my system. Normal use of the system does NOT require access to
    > > cmd.exe or other files they are looking for to use to exploit the
    > > system. Normal use laws apply, and you CAN and folks DO take steps to
    > > secure their system from others.
    > >
    > > Legally I checked with lawyers and the ones in my area say as long as I
    > > keep a log of the accesses I am fine. I took this step after sending
    > > over 200 messages to ISPs to halt their users and receiving no response
    > > to any of the inquiries even though I provided the ISPs with log files
    > > and everything. I did the same with ISPs with spammers and open relays.
    > > Multiple emails to their main offices and local branches with the
    > > spammers email addresses, full headers, and no word back. If the ISP
    > > was not even willing to answer multiple emails they were sent another
    > > email with how to contact me directly and then their entire domain was
    > > added to the server kill file. Cut down on the spam in MY inbox.
    > >
    > >
    > > -----Original Message-----
    > > From: Michael C. Davis [mailto:mcdavis941@knology.net]
    > > Sent: Saturday, February 07, 2004 8:30 AM
    > > To: beginners@perl.org
    > > Subject: Re: Script Kiddie issues
    > >
    > >
    > > What a great idea. You'll make lots of new friends in the Big House.
    > >
    > >
    >
    > <answer>
    > American attitude will destroy the world. thank you.
    > If your system is stable, (nearly) no one can harm you.
    > stop being paranoid. attack and destruction are as always the best
    > solutions.
    > regards
    >
    > Eternius
    > </answer>
    u235sentinel@comcast.net Guest

  15. #14

    Default RE: Script Kiddie issues

    From: "Lone Wolf" <LoneWolf@nc.rr.com>
    > Nah, because the only ones who receive the file are those attempting
    > to do harm to my system. ...
    To receive a file and to render the page and execute the scripts are
    two different things. I don't want to dash you, but your
    "counterattack" is simply pointless. The people that are scanning
    your system for holes do not do that (unless eternally stupid) by
    hand. They do not run internet explorer and try to browse to all
    those funny URLs. And the programs that do send the requests do not
    care about your virus, they do not render the returned page to the
    user, they just check whether the response is whatever it should be
    if your server is vulnerable.

    The worst thing you could do to them is to hold the connections until
    they time out each time (to slow down the scanners).

    The only people that might be affected by your witticism are those
    kiddies (note the missing "script"!) that just read somewhere that
    it's possible to break into some web servers by a URL like that and
    by accident use your server to try it out. I don't think you are
    likely to get a lot of those :-}

    Jenda
    ===== Jenda@Krynicky.cz === http://Jenda.Krynicky.cz =====
    When it comes to wine, women and song, wizards are allowed
    to get drunk and croon as much as they like.
    -- Terry Pratchett in Sourcery

    Jenda Krynicky Guest
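
The last post's point is that requests for cmd.exe or root.exe come from automated scanners rather than browsers, so the productive place to handle them is the access log. The following is an added example, not code from any poster in this thread: it parses Apache combined-format log lines, flags requests whose final path segment is one of the file names mentioned in the thread (after undoing repeated percent-encoding), and groups them by client address and user agent. The log lines are constructed, the addresses are documentation ranges, and the names `PROBE_NAMES`, `requested_file`, `summarize` and `repeat_offenders` are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined" log format; referer and user agent are optional so that
# "common" format lines still parse.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)

# The two file names the thread mentions; a real list would be longer
# (assumption: you maintain your own).
PROBE_NAMES = {"cmd.exe", "root.exe"}


def requested_file(uri, rounds=3):
    """Return the lower-cased final path segment of a request URI.

    The query string is dropped and the path is percent-decoded up to
    `rounds` times, so a double-encoded name such as cmd%252eexe is still
    recognised. Both / and \\ count as separators.
    """
    path = uri.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.split(r"[/\\]", path)[-1].lower()


def is_probe(uri):
    """True when the requested file name is exactly one of PROBE_NAMES."""
    return requested_file(uri) in PROBE_NAMES


def summarize(lines):
    """Map client IP -> {"hits": count, "agents": set of user agents}."""
    report = defaultdict(lambda: {"hits": 0, "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m.group("uri")):
            continue
        entry = report[m.group("ip")]
        entry["hits"] += 1
        entry["agents"].add(m.group("agent") or "-")
    return dict(report)


def repeat_offenders(report, threshold=2):
    """Addresses with at least `threshold` probe requests, sorted."""
    return sorted(ip for ip, e in report.items() if e["hits"] >= threshold)


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Feb/2004:07:55:41 -0800] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.10 - - [06/Feb/2004:07:55:42 -0800] "GET /scripts/cmd%252eexe HTTP/1.0" 404 290 "-" "-"',
    '198.51.100.7 - - [06/Feb/2004:08:01:02 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [06/Feb/2004:08:03:10 -0800] "GET /MSADC/ROOT.EXE HTTP/1.0" 404 280 "-" "-"',
    '198.51.100.7 - - [06/Feb/2004:08:04:00 -0800] "GET /docs/cmd.exe-faq.html HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, entry in sorted(report.items()):
        print(ip, entry["hits"], sorted(entry["agents"]))
    print("repeat offenders:", repeat_offenders(report))
```

Matching on the exact file name rather than a substring keeps a legitimate page such as `/docs/cmd.exe-faq.html` out of the report.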
