BOFH: The enemy at the gate
BOFH 2004: Episode 13
So we’ve got someone on the network who considers themselves a bit of a ‘leet dood’ hacker.
I notice when IDS starts throwing up portscans stepping through our IP address range one at a time.
“He’s not even bothering to disguise it...” the PFY remarks drily, pointing at an IP address allocated to one of the lesser machines in beancounter central.
“Yeah, AND he’s using a desktop machine, not a service kiosk, which would have obscured the trail a little bit.”
“Really? I prefer turning off Mac-Address change warnings on the router then use a networked printer’s address.”
“Sneaky,” I comment.
“Yeah. So what’s he doing now the scan has finished?”
“Hmmm. Looks like he’s testing rootpaks against our main web server.”
“We're still running Apache on it aren't we?” the PFY asks worriedly.
“No no, 'secure' IIS.”
We laugh a bit at that one, and continue watching. As if..
"Ah! Now he's switching to ftp vulnerabilities.. ... and now back to the portscanning again."
"So not much of a threat?"
"Not as yet. But bear in mind, once he gets into the Beancounters' area with their requirement to administer their own 'servers' it's going to be intrusion city Arizona!"
"Should we warn them?"
"Yeah, I suppose so."
"Give their geek a ring?"
"I was thinking more of pings-of-death on their older unpatched machines.."
... Several crashes later...
"There's something wrong with the network," the Boss blurts, bumbling into Mission Control. "The phones are going mad!"
"Yes, it seems we have a hacker..." I say, pointing at the IDS console.
"It looks like he's using a prepackaged kit to attack our servers in a pseudo random manner to avoid detection," the PFY adds.
"Aren't you going to stop him?"
"Ordinarily yes, but we'd like him to get in somewhere so that we can eavesdrop and see what he's looking for."
"We'll activate the remote snoop client on his machine."
"Remote snoop client?"
"Yeah, we fudged their install media to always install the snoop client. Just to... uh.. help them diagnose problems... if they ask us."
"So they don't know that it's installed on their machines?"
"Do you install this remote stuff on everyone's machines?" the Boss asks.
"What would be the point of that?" I respond, dodging the question so as to avoid putting a quid in the 'lie jar' that the PFY and I recently installed.
"Shouldn't we be calling the police?!" the Boss asks.
"What for?" the PFY asks. "It'll just be some wingnut down in Finance who's watched that movie Wargames one too many times in his childhood and believes he can use the system to trigger a nuclear incident if he tries really hard."
"Which of course he can't," the Boss finishes.
"Well..... probably not. Well 95 per cent certain," the PFY responds.
"You don't sound too sure."
"It's difficult - I mean he might be quite intelligent, he might have outside help, or he might just have beginner's luck."
"So do you know where it's coming from?"
"Yeah, down in accounts. From the IP number I'd guess it's over in the far corner, near where that new guy is."
"New guy?" the Boss asks, forming a theory.
"Yeah, what's his name...... Almed, Amal" the PFY replies, dropping a quid in the lie jar with a >clink<
"Amal," I say. "Remember, he came up to introduce himself. Arab guy, new to London," I say, adding a quid with another quid.
"I... uh..." the Boss says, not wanting to say it.
Honesty, it's just too bloody easy sometimes, and at this rate the jar will be full by lunchtime.
"What.. uh.. does he do?" the Boss asks.
"Something in accounts I think he said," the PFY says >clink<
"Yeah," >clink< I add. "But he needed to borrow a laptop for the time being because they didn't have a machine for him - hey, maybe that's the machine he's using!"
"And you checked his ID."
"WhatID?" the PFY asks.
"His company ID."
"You have to be here for a couple of weeks before your ID's made!" I say.
"Well did he have a swipe card?"
"Uuuuuhhhhm, no, I think I let him through the door." >clink<
"Right. OK," the Boss chirps irrationally, trying to gather his thoughts while pacing excitedly "Right! This Amal chap, what did he look like?"
"Hard to tell. Normal I spose, Tall, strong?"
"Yeah, he was carrying his bag like it was nothing. Huge bag, canvas thing. Green." >clink<
"Khaki, not green," >clink< I correct. "One of those army surplus things that flooded the market after the Gulf W..."
. . . two hours later . . .
"Well it was all a bit of mistake," I say, to the Head of IT as the Boss is taken away for a bit of questioning. "It seems that someone down in Beancounter Central was running a Nessus scan across our hosts - without telling us, mind - which looked to all intents and purposes like an attack from inside the company. Meanwhile my assistant and I were talking about a movie that we'd seen sometime, and he must have mixed the two together in his head." >clink< "Unless of course, he had some other reason for calling the Antiterrorism people. "
"He's often said that he doesn't like the way Microsoft always chooses the American way of spelling," the PFY adds with another >clink<
"So the whole thing was a big mistake."
"Yeah. Well, 95 per cent certain..." ®