Notes from a Gibsonian novel

**From:** "SERIOUS SITUATION" <[fake email address]>…> **To:** sean@conman.org…> **Subject:** Referencing: http://boston.conman.org/2004/09/14.1 [1]…> **Date:** Sun, 19 Sep 2004 01:18:21 -0500…>
Sean,
My apologies if any of your time, sanity, peace, or data was lost due to the event. But surely I will clarify any of your doubts with some information about the attacks.
It was a hired job. I was sent to take down the majority of XXXXXXXXX's servers/content and actually infiltrated the XXXXXXXXX network physically. I flew to XXXXXXXXXX, and social engineered my way onto client machines. From there I essentially attained enough credentials that left me able to access the companies client database(s), affiliation(s) database(s) … oh and logins to your servers.
… However, your swift.conman.org (or Mark's rather) was running gentoo with some modifications including tighter suid access on vulnerable binaries on the system, and common misconfigurations through the system was also fixed. Finally, using a kernel attack to sniff the memory of a recent “su” execution, root was caught. As I looked around and tried to asses the situation, I suppose Mark witnessed (from another location perhaps) my SSH login attempts to servers he had access to. In any case, switch.conman.org [sic] was unnessesary but I'm glad Mark's paranoia took it down, because it would have left much more work for me to do on game day. By the way, I still had access to swift.conman.org even after it was patched, I had all known system credentials plus there was a kernel entry using portknocking. so if the server was fixed up and left on, even during Mark's paranoia it still would have been a successful attack on my part. So yes, the compromise of swift.conman.org and the other servers are related. I was sloppy, and Mark is paranoid … I guess I lost that one.

I certainly wasn't expecting this.

There was more, including details about the company we're hosting the sites for, even more details about the attack (but really, when it's an inside job, it's all the more harder to prevent) and some details about harding servers to prevent such an attack from happening (like a link to grsecurity.net [2] which I have to check out, but most of the other stuff is common sense). But this does answer a bunch of questions about the past few weeks of cracking activity.

And how do I know for a fact that is guy is telling the truth? He also included the passwords to several accounts on swift.conman.org. To me, that's pretty conclusive evidence.

A new thing I've learned though—portknocking [3], something else to look into.

Anyway, I'm typing this as I sit across the street from a cybercafe so note not to waste your time backtracing. This is my job, don't take it personal.
sincerely and respectfully.

It's tough not to (especially since all this went down while three hurricanes were headed our way) but I guess that's what I get for living in a Gibsonian novel these days.

Update on Thursday, September 23^rd, 2004

Just to clarify one last detail: the cracker did not social engineer his way into the colocation facility in Boca Raton (FastColo.net) [4] or the NAP of the Americas [5] in Miami. The physical access mentioned was the corporate network of the company (which is not located in South Florida) who's sites were hosted on the servers in Boca and Miami.

Just in case there might have been any confusion on the matter.

[1] /boston/2004/09/14.1

[2] http://www.grsecurity.net/

[3] http://www.portknocking.org/

[4] http://fastcolo.net/

[5] http://www.napoftheamericas.com/

Gemini Mention this post

Contact the author