The Icon Bar: News and features: ArgoNet hack attack
 

ArgoNet hack attack

Posted by Richard Goodwin on 11:15, 12/6/2001
 
ArgoNet's servers have been attacked by a malicious hacker (cracker), forcing the ISP to take its servers offline and causing upheaval for its customers.

The attacks started on Sunday evening, but apparently two SysAdmins were on hand within minutes, thanks to a warning system, to try to fix the problem. However, once the cracker found that they were on to him, he used other methods to get around their patches and to access other machines faster than they could be patched. This has meant that ArgoNet have used the only real security a networked machine can have - they've physically disconnected the machines from the network until they can be fixed.

This not only affects ArgoNet customers but also anyone trying to reach some high-profile RISC OS websites - Jason Tribbeck's machine apparently has the same vulnerability and is offline, which means riscos.com, riscos.org, vigay.com and of course tribbeck.com are all down.

The machine running the Icon Bar and Acorn Arcade websites runs a different OS and services, and so is hopefully secure from the particular attacks used by the cracker. However, it was taken down last night as a precaution, and may go offline again at any point.
 

 
mark quint (unregistered user) Message #88698, posted at 11:21, 12/6/2001
heh, you wonder why these 13-year-old children don't just grow up, do you? >(
 
Richard Goodwin (unregistered user) Message #88699, posted at 11:45, 12/6/2001, in reply to message #88698
Some more news - apparently the ArgoNet server wasn't a target for anything too bad itself, but it was being used as a zombie to (potentially) attack other machines in Denial of Service attacks.
 
Rob Kendrick (unregistered user) Message #88700, posted at 15:06, 12/6/2001, in reply to message #88699
What operating system was it that Argonet were using? I hope it wasn't RedHat (which has had numerous worms known about for months) or a BIND exploit. Too many ISPs these days don't patch serious holes in their servers. Some are even foolish enough to have double standards when encrypting connections (such as not having telnetd (because you transmit your password in the clear) and only ssh). Then you notice that they use IMAP, POP or FTP non-encrypted (and therefore transmitting your password in the clear).
The internet boom is occurring as we speak, and too many people are having boxes co-located that are simply not secure, either because they've been set up badly, or they've not applied patches to plug serious flaws and holes. They'll have no sympathy from me. It's like leaving your car unlocked, and complaining when it's been nicked.
 
Richard Goodwin (unregistered user) Message #88701, posted at 15:38, 12/6/2001, in reply to message #88700
The attack came in via an FTP server buffer overrun, which has only been known about for less than a month. So no, ArgoNet's servers were not left open like an unlocked car, and the vulnerability is present in many Unixen - officially reported NOT in Linux, just Solaris and *BSD, although this has recently been called into question.
 
Andrew Veitch (unregistered user) Message #88702, posted at 16:37, 12/6/2001, in reply to message #88701
Am I right in presuming then that, given that the exploit has "been known about for less than a month", this exploit is not the ftp globbing exploit (as reported April 10, CERT CA-2001-07)?
(Also officially reported NOT in Linux, just Solaris and *BSD :-)
 
Rob Kendrick (unregistered user) Message #88703, posted at 16:52, 12/6/2001, in reply to message #88702
<grin> You're not suggesting that Argonet might be amateurs, are you? :)
 
mark quint (unregistered user) Message #88704, posted at 17:31, 12/6/2001, in reply to message #88703
what gets me is why should we really have to lock our cars?
what's wrong with having a perfect world :D
what group of people would be likely to be doing these DOS attacks & why? :/
 
Gareth Cumella (unregistered user) Message #88705, posted at 18:02, 12/6/2001, in reply to message #88704
Hackers, who needs them!
 
Rob Kendrick (unregistered user) Message #88706, posted at 19:32, 12/6/2001, in reply to message #88705
*Crackers*, please. A hacker, unlike what the television will tell you, is something quite different.
 
Nathan (unregistered user) Message #88707, posted at 21:28, 12/6/2001, in reply to message #88706
Rob, I think you are referring to "knackers".
 
Rob Kendrick (unregistered user) Message #88708, posted at 21:34, 12/6/2001, in reply to message #88707
:)

For people who don't know/understand the difference between a 'hacker' and a 'cracker', the following URLs may be of insight:

http://www.dict.org/bin/Dict?Form=Dict1&Query=hacker&Strategy=*&Database=foldoc&submit=Submit+query

(note defs. 5 and 7) and

http://www.dict.org/bin/Dict?Form=Dict1&Query=cracker&Strategy=*&Database=foldoc&submit=Submit+query
 
Richard Goodwin (unregistered user) Message #88709, posted at 10:13, 13/6/2001, in reply to message #88708
Hey, at least I got something right in the report then - all I seem to get is email giving contrary arguments for and against the use of the apostrophe in "it's". <flame on> ;)

If you're implying that ArgoNet are amateurs, at least they had someone on hand on a Sunday afternoon to diagnose and try to fix the problem; given the number of other machines used in the same DDoS, they weren't alone in being attacked, but there were a hell of a lot of people out there that weren't so clued and were still wondering what was going on on Tuesday. And we're talking about people with machines in professional hosting sites, not lame ADSL users. Scary. And why didn't the hosting facility configure the router to lessen the impact of the resulting DDoS in the first place? They're *still* having problems with attack traffic going through their system. IMHO kudos to ArgoNet for dealing with it so quickly (I'm completely unbiased of course ;).

And as for the original problem I don't have the exact details (I lost interest when I realised I wasn't vulnerable to that attack and started scrabbling for the security kit to secure my own box instead) but as the machine hasn't long been set up, and had all the latest software installed at that point, it's more a case of bad timing than poor judgement that that particular box was hacked. As for the other boxen, I think they were taken down temporarily as a precaution.
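The thread above says the compromised ArgoNet box was being used as a DDoS zombie and asks why the hosting facility's router wasn't configured to lessen the outbound attack traffic. The following is an added example, not code from the article, from ArgoNet or from the hosting facility, showing the kind of egress check a provider could run over its own flow records: it flags traffic leaving with a source address the provider does not own (spoofed packets that egress filtering would drop) and owned hosts whose outbound packet rate is concentrated on a single destination. The flow record format, the hypothetical hosting prefix 192.0.2.0/24 and the thresholds are all assumptions chosen for the example, and the sample records are constructed.

```python
"""Egress-side check for a hosted machine taking part in a DDoS.

Added example for this thread; not code from the article or from ArgoNet.
Assumptions: flow records in a simple 'ts src dst proto packets' text form
(one record per second per src/dst pair), a hypothetical hosting prefix
192.0.2.0/24, and illustrative thresholds.
"""
import ipaddress
from collections import defaultdict

# Hypothetical address block the hosting facility owns (assumption).
OWNED_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flows: .10 behaves like a normal web server, .20 is
# blasting one external target with UDP, and 10.9.9.9 is a source address
# the facility does not own at all.
SAMPLE_FLOWS = """\
1000 192.0.2.10 198.51.100.7 tcp 40
1000 192.0.2.10 198.51.100.8 tcp 35
1000 192.0.2.20 203.0.113.5 udp 12000
1001 192.0.2.10 198.51.100.7 tcp 42
1001 192.0.2.20 203.0.113.5 udp 11800
1001 10.9.9.9 203.0.113.5 udp 9000
1002 192.0.2.20 203.0.113.5 udp 12300
1002 192.0.2.10 198.51.100.9 tcp 30
"""


def parse_flows(text):
    """Parse 'ts src dst proto packets' lines; skip blank or malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, pkts = parts
        flows.append((int(ts), src, dst, proto, int(pkts)))
    return flows


def detect_floods(flows, owned_prefix=OWNED_PREFIX, pps_threshold=5000,
                  concentration=0.9):
    """Return findings for spoofed egress sources and single-target floods.

    A 'flood' is a (src, dst) pair whose average packet rate over the
    source's active window is at or above pps_threshold and which carries
    at least `concentration` of everything that source sent.
    """
    pair_pkts = defaultdict(int)
    src_pkts = defaultdict(int)
    first_seen = {}
    last_seen = {}
    spoofed = set()

    for ts, src, dst, _proto, pkts in flows:
        # Anything leaving with a source address we do not own is spoofed
        # (or misrouted); BCP38-style egress filtering should drop it.
        if ipaddress.ip_address(src) not in owned_prefix:
            spoofed.add(src)
            continue
        pair_pkts[(src, dst)] += pkts
        src_pkts[src] += pkts
        first_seen[src] = min(first_seen.get(src, ts), ts)
        last_seen[src] = max(last_seen.get(src, ts), ts)

    findings = [{"type": "spoofed_egress", "src": ip} for ip in sorted(spoofed)]
    for (src, dst), pkts in pair_pkts.items():
        seconds = last_seen[src] - first_seen[src] + 1
        pps = pkts / seconds
        share = pkts / src_pkts[src]
        if pps >= pps_threshold and share >= concentration:
            findings.append({"type": "flood", "src": src, "dst": dst,
                             "pps": round(pps), "share": round(share, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect_floods(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

On the constructed sample the check reports 10.9.9.9 as a spoofed egress source and 192.0.2.20 as flooding 203.0.113.5 at roughly twelve thousand packets per second with all of its traffic going to that one host; the ordinary web server 192.0.2.10 is not reported. The two findings map onto the two router-side controls the thread implies: drop traffic that could not legitimately originate inside the facility, and rate-limit or quarantine an owned host whose egress suddenly looks like a single-target flood.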
 
Richard Goodwin (unregistered user) Message #88710, posted at 10:17, 13/6/2001, in reply to message #88709
BTW, a better resource for definitions of this type is the Jargon File:
http://www.tuxedo.org/~esr/jargon/html/entry/hacker.html
http://www.tuxedo.org/~esr/jargon/html/entry/cracker.html
http://www.tuxedo.org/~esr/jargon/html/entry/scratch-monkey.html
 
Andrew P Harmsworth (unregistered user) Message #88711, posted at 11:59, 13/6/2001, in reply to message #88710
Cor blimey guv! Well done Argo for getting it fixed in good time, though.
 
Chris Williams (unregistered user) Message #88712, posted at 18:19, 13/6/2001, in reply to message #88711
theregister.co.uk have just done a report on DoS attacks. See www.grc.com, security techspert Steve Gibson's site took a whacking from zombies using IRC.

Chris @ drobe
 
Ian Hawkins (unregistered user) Message #88713, posted at 19:35, 13/6/2001, in reply to message #88712
Pfft, have we finished trolling yet?
 
Frazier Parping (unregistered user) Message #88714, posted at 13:11, 14/6/2001, in reply to message #88713
More importantly, is the situation resolved now?
 
Richard Goodwin (unregistered user) Message #88715, posted at 13:53, 14/6/2001, in reply to message #88714
All the ArgoNet servers (and services) are back online now (at least as much as normal ;). As for the rest of it, that part of the network doesn't seem as slow as it did yesterday, which I take as a good sign.
 
Curry Monster (unregistered user) Message #88716, posted at 15:54, 14/6/2001, in reply to message #88715
And have they now installed satan, and made sure they check for security holes more often? :)
 
Richard Goodwin (unregistered user) Message #88717, posted at 18:10, 14/6/2001, in reply to message #88716
I doubt they'd tell you what they'd installed even if you asked them :) Security by obfuscation on it(')s own isn't good, but in combination every bit helps ;)
 
Rob Kendrick (unregistered user) Message #88718, posted at 18:20, 14/6/2001, in reply to message #88717
Simple rule: "it's" is short for "it is". It does not say anything about ownership. For example: "Bob's garage" is correct. "It's door is green" is not.
 
Richard Goodwin (unregistered user) Message #88719, posted at 19:07, 14/6/2001, in reply to message #88718
Really don't give a monkeys, just wish people would stop emailing me about it.
 
Reinhardt Skidds (unregistered user) Message #88720, posted at 19:15, 14/6/2001, in reply to message #88719
Shouldn't that be "monkey's" ;-)
 
mark quint (unregistered user) Message #88721, posted at 19:16, 14/6/2001, in reply to message #88720
damn, looks like I'll be looking for some local 'on-a-budget' Monkey-Dealers in Free-Ads then :D
 
