Slashdot Mirror

← Back to Stories (view on slashdot.org)

Script Kiddy HOWTO

Posted by ryuzaki0 on from the stuff-to-read dept.

Dan Cyr sent us a link to the Script Kiddy HOWTO which is actually quite amusing, and quite satirical about its subject matter. As far as HOWTOs go, I don't think you'll find it very useful.

3 of 162 comments (clear)

  1. HOWTO Bust Script Kiddies? by gavinhall · · Score: 3

    Posted by TRF:

    I need a howto on busting script kiddies. A script kiddie breaks into our server with the wu-ftp exploit, and sets up an irc bot. We immediately patch the holes and delete his bot (after making a copy of all the bot's config files.) It's too late though because the malicious little bastard has already set up a back door and he logs in as root and does "rm -rf /"

    Well, I know the channel where he keeps his bots on IRC, but that's all I know about him. How do we locate him though? How do we collect on hundreds of hours worth of labor that he destroyed? We aren't a big company, just a group of people paying out of our own pockets and credit cards to try to start our own business--we didn't even have enough money to afford a tape backup for the server. I'd love to nail the little bitch.

    Todd
    Every 45 seconds, another arrest for Linux. 695000 last year. It's time for a change.

  2. it doesnt work by ruud · · Score: 3

    i tried it but it doesnt work
    whats that gcc thing its talking about
    --

    --
    bgphints - internet routing news, hints and ti
  3. HOWTO Bust Script Kiddies? by Todd+Knarr · · Score: 3

    Rule #1: never reveal to an intruder that you know that he's there until after you've tracked down everything he's modified and are in a position to remove his additions. When you spotted his bot, you should have left it alone and started checking the rest of the system for modifications, removing the bot and closing him down only after you were sure you'd closed all the other holes he'd opened.

    Rule #2: once you have removed an intruder, assume he'll be back and continue to monitor for him. If possible, stop all legit non-local ( network or modem ) access so that any such access must be the intruder. When he shows up, watch his every step without revealing yourself to him and see what he goes for.

    Rule #3: always have backups. Always. If an intruder gets in it's almost certain that he'll destroy something, even if only by accident. You should always be in a position to let him destroy things, if for no other reason than to watch for what exploits or backdoors he uses in the process. I follow the old MS-DOS system rules: keep backups of data for a long enough time that you can get a clean one by going far enough back, and restore programs and such from clean distribution media or sources rather than depending solely on backups which could be corrupted by an intruder who's been in long enough.