Computerworld: Security experts search for 'Moof'
Jun 19, 1999, 10:54
(Other stories by Deborah Radcliff)
"For several months, Zepp had tracked someone who had been trashing servers at Internet providers and colleges in the U.S., Canada and England. All he had to go on was the hacker's alias, Moof, who showed up in the /etc/passwd files on Linux machines just before wiping out the file directories and rendering those machines unusable.
"The attack is delivered in a one-two punch, said Mark Wood, product line manager at Internet Security Systems Inc. (ISS) in Atlanta.
"It's the first punch -- the sneaky way the cracker gets in -- that network managers need to watch out for. The attacker finds ports to vulnerable services using a "slow port scan," in which a single packet is delivered to a different port about every three hours. A slow port scan flies beneath any intrusion-detection tool's radar, making it nearly impossible to catch."
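The slow scan described in the excerpt evades detectors that count distinct ports per source over a short window. The sketch below is an added example, not code from the article or from ISS, and it shows the same events missed at a 60-second window and caught at a multi-day one. The event tuple layout, the addresses, the threshold of 5 and the window sizes are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

HOUR = 3600

def max_distinct_ports(events, window):
    """Per source, the largest number of distinct destination ports
    seen inside any sliding window of `window` seconds.
    events: iterable of (unix_ts, src_ip, dst_port) -- assumed layout."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    result = {}
    for src, probes in by_src.items():
        counts = defaultdict(int)      # port -> hits inside the current window
        left = best = 0
        for ts, port in probes:
            counts[port] += 1
            # Expire probes that have aged out of the window.
            while probes[left][0] <= ts - window:
                old = probes[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        result[src] = best
    return result

def flag_scanners(events, window, threshold):
    """Sources that touched at least `threshold` distinct ports in one window."""
    hits = max_distinct_ports(events, window)
    return sorted(src for src, n in hits.items() if n >= threshold)

# Constructed sample data: one probe to a new port every three hours,
# plus an ordinary client that only ever talks to port 443.
SLOW = [(i * 3 * HOUR, "192.0.2.10", 20 + i) for i in range(16)]
CLIENT = [(i * 30, "198.51.100.7", 443) for i in range(200)]
EVENTS = SLOW + CLIENT

if __name__ == "__main__":
    print(flag_scanners(EVENTS, 60, 5))             # []
    print(flag_scanners(EVENTS, 7 * 24 * HOUR, 5))  # ['192.0.2.10']
```

The longer window is what catches the scan, at the cost of keeping per-source state for days instead of seconds.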