About a fortnight ago, Bill Gates was in Manhattan, showing off a network running on a Windows NT server. Solaris and old-fashioned command-line Unix have had their day in the sun, he said. Now, it’s NT’s turn. The future holds no more weird languages, and you can use the same operating system at a grocery checkout counter as well as in Toyota’s inventory control.
Naturally, that has occasioned some derision. Now that Gates has set his heart on it, NT may well be the server OS of the future. But in the present day, it doesn’t inspire much trust. Last year, Bill Stout (bill.stout@hidata.com) started a discussion on NT security holes in his firewalls listserv (mail to request-ntsecurity@iss.net to join). It has been compiled at Websites around the world and goes to show just how easily an NT network can be taken down. Here’s something that’ll empower even an Internet dummy:
Telnet to the target NT system on port 135. Send a random string of about 10 characters. Close the connection. That’s it. The server’s CPU will go into overdrive and lock the sysadmin out of his own network. The only way he can regain control is to shut down and reboot.
If you want to kill the server’s IIS services, try port 1031. A similar attack on port 53 will put paid to DNS. One simple bug, so many ways to exploit it!
The moment you go on the Web, you invite people to come look at your window display. Some people will be content with doing that. Some more will try and peek where you don’t want them to. But the really committed gentry will go round to the side entrance, force their way in and vandalise the whole place. Nobody is really safe from attack. Even the security-obsessed CIA once got its home page on the Web replaced by a spoof. Graphic examples of what a hacker is capable of are compiled at the home page spun off from the alt.2600 newsgroup (2600.com/hackedpages). Take a look. It might be educative.
So, if your sysadmin isn’t really seasoned, stay off Unix systems, including NT. The more complex, flexible and powerful a system is, the more likely it is to offer hackers easy access. You’ll be far safer with Mac or Windows servers. They’re pretty staid stuff, but they’re less likely to give the guys in dark hats easy access. A good steel safe often offers the burglar a greater challenge than an infrared security net.
Another serious source of trouble is Common Gateway Interface (CGI) scripts. Most people do not realise that they need to be chosen with as much care as the OS and the server software. Usually, they just do an Archie search and download from any old server. It is far more sensible to get them written by someone you can trust. Failing that, only those versions of common scripts that have been tried and tested should be downloaded.

Most important, if you’re a service provider, encourage your users to, well, use their accounts. Many log in only once in a few weeks or so. Yet they are the people who can first alert you to break-ins through accounts. The commonest giveaway is mystery mail, usually from an autoresponder the hacker was stupid enough to mail to, or direct replies to Usenet postings. There’s a dead giveaway for shell account users: Pine sets the inbox to read-only if there are simultaneous logins. And if you get an FTP connect message when you’re quietly browsing your mail, someone else obviously has your password.

Now that VSNL is slowly getting used to the idea that it can coexist with other ISPs (provided they pay big bucks to it for their connections), it is time wannabe providers started wising up to these issues. A good sysadmin should alert his subscribers to watch out for abnormal activity online. He should choose his OS and his server with care, and avoid keeping unnecessary software on his hard disks. And when a user tells him his account is behaving oddly, he should be responsive. Because finally, the hacker will break through into the server and it won’t be just the user’s problem any more.
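The "simultaneous logins" giveaway above is something a sysadmin can check for on the server side rather than waiting for a user to notice. The following is an added example, not code from the column: it scans login records in a `last`-style layout (an assumed format; the records are constructed) and flags any user with two overlapping sessions from different hosts, such as an FTP login from elsewhere while the user is reading mail.

```python
"""Flag a user who is logged in from two hosts at once (the 'simultaneous
logins' giveaway). Added example; the records below are constructed."""
from datetime import datetime

# Constructed records: user, service/tty, remote host, start, end.
SAMPLE_LOG = """\
ravi    ttyp1  202.54.1.30    1997-10-14 09:02  1997-10-14 09:40
ravi    ftp    195.0.0.12     1997-10-14 09:15  1997-10-14 09:18
ravi    ttyp2  202.54.1.30    1997-10-14 21:00  1997-10-14 21:30
meena   ttyp3  202.54.1.31    1997-10-14 09:00  1997-10-14 09:30
meena   ttyp4  202.54.1.31    1997-10-14 09:10  1997-10-14 09:20
"""


def parse_sessions(text):
    """Parse one session per line into (user, service, host, start, end)."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip blank or malformed lines
        user, service, host = parts[:3]
        start = datetime.strptime(f"{parts[3]} {parts[4]}", "%Y-%m-%d %H:%M")
        end = datetime.strptime(f"{parts[5]} {parts[6]}", "%Y-%m-%d %H:%M")
        sessions.append((user, service, host, start, end))
    return sessions


def overlapping_logins(sessions):
    """Return (user, svc_a, host_a, svc_b, host_b) for each pair of sessions
    of the same user that overlap in time and come from different hosts.
    Overlaps from the same host (two terminal windows) are treated as normal."""
    alerts = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a[0] != b[0] or a[2] == b[2]:
                continue
            # Two intervals overlap when each starts before the other ends.
            if a[3] < b[4] and b[3] < a[4]:
                alerts.append((a[0], a[1], a[2], b[1], b[2]))
    return alerts


if __name__ == "__main__":
    for alert in overlapping_logins(parse_sessions(SAMPLE_LOG)):
        print("possible shared password:", alert)
```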