[ Gene Kim is from Tripwire – LT ed. ]
“Unfortunately, since subverted servers were used in the
attack, it’s quite possible that the target servers may now be
subverted as well. The possibility is all the more plausible
because the chaos caused by the ‘fire and smoke’ would provide an
ideal diversion for someone to silently slip into the backyard and
change a door lock. This means that the next big attack could
originate from Yahoo!, Buy.com, or E*TRADE. The 1988 Morris
Internet Worm shows how subtle and insidious tampered files were
often detected only after the immediate threat of denial of service
had passed.”
“Here’s how that scenario might unfold the next time around. The
hacker begins by finding some grappling hook into the target
server, usually a network service (such as the web server process)
that has some exploitable bug. This grappling hook provides the
attacker with the ability to gain administrative privileges, just
like the server operator, while staying below the radar screen %96
all this transpires without alerting the server owner.”
“To subvert the server, the attacker can use an attack toolkit,
also known as a ‘root kit,’ downloadable from hacker sites on the
Internet. This toolkit contains software that replaces system
programs that control critical server operations. These tampered
programs hide any traces of the attacker and provide backdoors for
future entry. In short, these programs serve to blind the rightful
server owner and degrade the owner’s ability to respond, stacking
the deck in favor of the attacker. In hacker parlance, this server
is now ‘owned.’ At this point, the server could be used as a
launching point for a DDOS attack against another site.”