From: iw@all.net
Subject: IW Mailing List iw/960315
---------------------------------------------
Subject: Re: IW Mailing List iw/960314 
Date: Thu, 14 Mar 1996 18:36:50 -0800
From: Benjamin Allan Smith 

> 	An intentional insider corruption of a Web page designed to
> turn innocent browsers into launchpads for their attack.  This one
> was tracked down yesterday and has been stopped after recurrences
> by contacting this ISP's ISP and the FBI.
> 
> 	A web site which is misleading people into telnetting into
> our site under the auspices of getting a letter from a self-proclaimed
> computer security expert.

	In reading all of this and the recent firewalls post on the
firewalls mailing list about the Netscape 2.0 email "feature" I'm
beginning to think that the web, as useful as it may be, may be an even
more powerful denial of service weapon. 

	Host A, running Netscape 2.0, gets an http document from a WWW
server.  In this web page are a few html tags which instruct Host A to
send email to, oh say, president@whitehouse.gov.  [Don't ask me for the
tags, look in the digests of the firewalls mailing list from the last
few days].  These html tags are automatically executed if your machine
has access to the sendmail port.  (I verified this on SunOS 4.1.3, a Mac
and an NT box; all running Netscape 2.0.  My SunOS 4.1.3 version of
Netscape 1.1N wasn't vulnerable though :). 

	Imagine if someone put such html tags on the main page of a page
with a high hit rate.  Whitehouse.gov would get email from thousands of
different sites.  I didn't play around with the message content too
much, but if someone could figure out how to send randomly generated
text there would be no way (that I can think of) to filter this out.  Oh
Joy, thank you Netscape. 

	Also, I wonder how many of the sendmail bugs you can run exploit
code on automatically? (And email the results to the hacker).  This
seems a lot worse to me than Fred Cohen's telnet storm.  With Fred each
person had to click on the link.  Here, anyone who views the page with
Netscape 2.0 sends out the email automatically. 

[Moderator's Note: The telnet storm against all.net was done automatically
when they visited a home page with no further clicking needed.  That's why
the high volume was encountered.  This was, in essence, the attack you
described. To quote from http://all.net/ -> Incident:
	...there was code that automatically, and without the knowledge or
	consent of the user, caused Web browsers to telnet into our site. ...
		- Innocent user visits Web page. 
		- Browser automatically telnets into our site.
]

	I wonder how long it will take Netscape to fix this "feature."  And
I wonder how many people will bother to get the patch.
---------------------------------------------
Date: Fri, 15 Mar 1996 11:50:54 +0000
From: Johann O Jokulsson 
Subject: Re: IW Mailing List iw/960314
...
>The message changed as incidents occurred.  Contrary to what previous
>postings indicated, we haven't historically claimed these events as
>attacks.  We simply state that (current form):
>
>	A user at your site has just attempted to telnet into our site. 
>	No users from your site are authorized to telnet into this site. 
>	We thought you would like to know so you could investigate
>	further.  If more telnets come from your site, this may indicate
>	a more substantial attempted entry originating from your site,
>	and should be followed up in more depth and more quickly. 
...
I must say that this is a much more reasonable reply, it doesn't look 
as "hostile" as the previous one(s?) and also fuels most admins' innate
paranoia so that they actually might do something :-)

Just my 2 aurar (local currency)
---------------------------------------------
From: fc (Fred Cohen)
Subject: Incident quickly moving into pure PM
Date: Fri, 15 Mar 1996 07:56:27 -0500 (EST)

After countering technical threats and tracking down several attackers,
the incident at all.net went over to an almost purely perception
management exchange.  In response to port 23 Web pointers with
misleading enticements to push the button, we caused our telnet
port to respond with a Web page.

After our original version of this came out, the attackers started to
perpetrate falsehoods to newsgroups, mailing lists, etc.  We changed
several times, and we now use this version:

	Hi.  My name is Fred Cohen.

	You have probably been misled into pushing a button on a Web
	site under the auspices of getting a letter from a
	self-proclaimed security expert.  Or perhaps you were enticed
	into trying to telnet into our site by someone who
	misrepresented this site as something it is not.  A MUD of some
	sort? Perhaps a place where you can get a free guest account?
	These are all lies. 

	This is part of an attack initiated by people who were caught
	trying to break into our site.  It is their way to try to get us
	to stop detecting their attacks. 

	Their attack has involved more than 2,000 innocent internet
	sites and people from all over the world.  It is ongoing and
	malicious, and you can help to stop it. 

	The best way is to immediately post a message to the same group
	or site that lied to you to get you to come here.  Identify the
	people who lied to the whole newsgroup, mailing list, or site
	manager. 

	As their falsehoods are revealed and their names become well
	known people from all over the world will come to distrust them. 
	If you send their names and their postings to our administrator,
	we will publish them for the whole world to see.

	If you want to know the whole story, look at my web page. 

	These people attacked our site because we are becoming
	increasingly effective in stopping their attacks, and they
	resent that. 

	We are sending a letter to your systems administrator as part of
	our automated response to attempted entries to our site.  Please
	tell the full details to your site administrator and ask them to
	help save others from this sort of abuse by adding their voice
	to yours. 

	Sites known to be actively participating in this activity:
		www.c2.org
		www.seastrom.com
		alt.2600

	If you didn't get here by being misled, you should be aware that
	we do not allow unauthorized users to access our site, and we
	track down each attempted entry.  It would be best for you to
	immediately report your activity to your systems administrator
	before they have to contact you first.  We also monitor and
	respond to attacks and threats of all sorts.  For details on our
	use policy, see our Web page under "policy".

As they tried different tactics and our automated response got systems
administrators talking to their users, we slowly found out more about
what was happening and were able to counter more and different types of
lies.  We now get about 1 attempt per hour and it is going down.  I also
suspect that the people who perpetrated the lies are getting some negative
responses from the world.

The venues they are now using include:
	AOL Chat groups
	Usenet news groups
	IRC chat groups
	University accounts they have broken into
	Free and stolen accounts at various ISPs
---------------------------------------------
Date: Fri, 15 Mar 1996 13:22:15 -0500 (EST)
From: Craig Rowland 
Subject: Re: IW Mailing List iw/960311

Re: Automated Telnet Responses

At several sites I look after we watch the logs closely as well. 
However I choose to ignore telnet incidences where people just connect,
and certainly will not write the sysadmin of a system unless an overt
attempt is made to enter the system. 

Usually a simple letter to the sysadmin and Internic domain contacts (I
always do the latter in case the sysadmin is the hacker, which happens
on occasion) will get results.  Typically I include the log violation
entries so the receiver can get a chronological order of events. 
Persistent cases will have the entire domain blocked from any system
services.  On occasion I have been known to initiate a talk session
(from a system *outside* of the domain that is being hacked, I have a
system set up just for this purpose) with the person if they are
on-line.  I will normally not present any information to them about what
domain I'm referring to or my name, and I will simply and nicely ask
them to move on to another site.  This usually stops the problem. 

I prefer to avoid threats that cannot be enforced.  Threatening FBI
action sounds nice, but in reality is not that big of a concern. 
Hacking computers is relatively risk-free and a hacker's chances of
getting caught are so remote that it is rarely worth the time to even
attempt to catch the person.  I can say this based on the following
sociological facts:

1) If a crime is frequent, common, *or* has a good chance of being solved,
   it is rarely reported by the media. This is the case for robberies, 
   muggings (frequent and common), or murder (good chance of being solved)
   and many others.

2) Uncommon crimes, or crimes that are difficult to solve, are always reported
   by the media. Hacking is such a crime; because it is so infrequently
   solved by law enforcement, the FBI and Secret Service always hold a 
   media circus when a hacker is caught. They probably do this to illustrate
   that they are actively enforcing the law and are doing a good job, 
   when in fact their success rate is rather paltry.

I personally would advise a more passive stance for your site, only 
acting if more active attacks are made. The Internet is so vast and 
filled with so many delinquents that often the best stance is to simply 
make the person move on.
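A triage pass over telnet log entries that follows the policy Craig describes (ignore bare connects, send a letter with the chronological log entries for an overt attempt, block the persistent cases), added here as an example and not taken from the original posting. The syslog line shapes, the host addresses and the persistence threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the style of tcpd and login(1);
# illustrative only, not real log data.
SAMPLE_LOG = """\
Mar 15 09:02:11 gw in.telnetd[2011]: connect from 203.0.113.5
Mar 15 09:04:30 gw in.telnetd[2014]: connect from 192.0.2.7
Mar 15 09:05:03 gw login: 2 LOGIN FAILURES FROM 192.0.2.7, root
Mar 15 09:40:12 gw in.telnetd[2033]: connect from 198.51.100.9
Mar 15 09:41:02 gw login: 3 LOGIN FAILURES FROM 198.51.100.9, root
Mar 15 11:16:30 gw login: 2 LOGIN FAILURES FROM 198.51.100.9, guest
Mar 15 13:03:55 gw login: 1 LOGIN FAILURE FROM 198.51.100.9, root
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
CONNECT_RE = re.compile(r"in\.telnetd\[\d+\]: connect from (?P<host>\S+)")
FAILURE_RE = re.compile(r"login: (?P<n>\d+) LOGIN FAILURES? FROM (?P<host>[^,\s]+)")


def triage(log_text, persistent_after=3):
    """Group telnet activity by source host and choose a response.

    Hosts that only connect are ignored; an overt login attempt earns a
    letter; `persistent_after` or more failed-login sessions earn a block.
    Returns {host: (action, chronological [(timestamp, description), ...])}.
    """
    events, overt = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected shape
        ts, msg = m.group("ts"), m.group("msg")
        if c := CONNECT_RE.search(msg):
            events[c.group("host")].append((ts, "telnet connection"))
        elif f := FAILURE_RE.search(msg):
            overt[f.group("host")] += 1
            events[f.group("host")].append((ts, f"{f.group('n')} failed login(s)"))
    report = {}
    for host, evs in events.items():
        n = overt[host]
        action = "ignore" if n == 0 else "block" if n >= persistent_after else "letter"
        report[host] = (action, evs)
    return report


def letter_entries(host, report):
    """Log excerpt, in chronological order, to include in the sysadmin letter."""
    return "\n".join(f"{ts}  {host}  {desc}" for ts, desc in report[host][1])
```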
---------------------------------------------
Date: Fri, 15 Mar 1996 13:20:22 -0500 (EST)
From: Bob Bowes 
Subject: Re: IW Mailing List iw/960314

> ...
> 	Actually, there are both CERT and DoD bulletins on appropriate
> warning banners.  These banners should (ideally) be displayed *PRIOR*
> to login (ie, before the login prompt), but most OS's today don't
> allow for this and as such the banners are normally displayed in the
> motd.  For us (DoD/USN), the message is as follows (at least this is
> what is showing up on all of our machines):
> 

tcpwrappers allows you to display a banner prior to receiving the login 
prompt.  It can show either of two messages based on whether access 
from the host is permitted or not.  On my machine, I simply return a 
"telnet from xxx.xxx.xxx.xxx not permitted", and then close the 
connection.  Of course, this is logged and I can follow up if need be.
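As an added example (not Bob's own configuration), a tcp_wrappers hosts.allow/hosts.deny pair in the hosts_options(5) language that gives permitted clients a pre-login banner and everyone else a one-line refusal before the connection closes. The permitted network and the banner directory are assumptions, and the option language needs a tcpd built with PROCESS_OPTIONS.

```text
# /etc/hosts.allow  (consulted first; a match here grants access)
# Clients from the assumed permitted network get the file
# /etc/banners/in.telnetd copied to them before in.telnetd starts,
# so the warning appears ahead of the login prompt.  %-sequences such as
# %a (client address) and %d (daemon name) are expanded in the banner.
in.telnetd : 192.0.2.0/255.255.255.0 : banners /etc/banners

# /etc/hosts.deny  (everything not matched above)
# twist replaces the daemon with the command, so the client sees the one
# line and the connection then closes; tcpd still logs the event via syslog.
in.telnetd : ALL : twist /bin/echo "telnet from %a not permitted"
```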
---------------------------------------------