security focus: Security Whitepaper: Seeds may already be sown for worse attacksMar 01, 2000, 18:28 (2 Talkback[s])
(Other stories by Gene Kim)
[ Gene Kim is from Tripwire - LT ed. ]
"Unfortunately, since subverted servers were used in the attack, it's quite possible that the target servers may now be subverted as well. The possibility is all the more plausible because the chaos caused by the 'fire and smoke' would provide an ideal diversion for someone to silently slip into the backyard and change a door lock. This means that the next big attack could originate from Yahoo!, Buy.com, or E*TRADE. The 1988 Morris Internet Worm shows how subtle and insidious tampered files were often detected only after the immediate threat of denial of service had passed."
"Here's how that scenario might unfold the next time around. The hacker begins by finding some grappling hook into the target server, usually a network service (such as the web server process) that has some exploitable bug. This grappling hook provides the attacker with the ability to gain administrative privileges, just like the server operator, while staying below the radar screen %96 all this transpires without alerting the server owner."
"To subvert the server, the attacker can use an attack toolkit, also known as a 'root kit,' downloadable from hacker sites on the Internet. This toolkit contains software that replaces system programs that control critical server operations. These tampered programs hide any traces of the attacker and provide backdoors for future entry. In short, these programs serve to blind the rightful server owner and degrade the owner's ability to respond, stacking the deck in favor of the attacker. In hacker parlance, this server is now 'owned.' At this point, the server could be used as a launching point for a DDOS attack against another site."