BOFH: The enemy at the gate

Semper vigilo

  • alert
  • submit to reddit

The Essential Guide to IT Transformation

Episode 13

BOFH 2004: Episode 13

So we’ve got someone on the network who considers themselves a bit of a ‘leet dood’ hacker.

I notice when IDS starts throwing up portscans stepping through our IP address range one at a time.

“He’s not even bothering to disguise it...” the PFY remarks drily, pointing at an IP address allocated to one of the lesser machines in beancounter central.

“Yeah, AND he’s using a desktop machine, not a service kiosk, which would have obscured the trail a little bit.”

“Really? I prefer turning off Mac-Address change warnings on the router then use a networked printer’s address.”

“Sneaky,” I comment.

“Yeah. So what’s he doing now the scan has finished?”


“Hmmm. Looks like he’s testing rootpaks against our main web server.”

“We're still running Apache on it aren't we?” the PFY asks worriedly.

“No no, 'secure' IIS.”

We laugh a bit at that one, and continue watching. As if..

"Ah! Now he's switching to ftp vulnerabilities.. ... and now back to the portscanning again."

"So not much of a threat?"

"Not as yet. But bear in mind, once he gets into the Beancounters' area with their requirement to administer their own 'servers' it's going to be intrusion city Arizona!"

"Should we warn them?"

"Yeah, I suppose so."

"Give their geek a ring?"

"I was thinking more of pings-of-death on their older unpatched machines.."

... Several crashes later...

"There's something wrong with the network," the Boss blurts, bumbling into Mission Control. "The phones are going mad!"

"Yes, it seems we have a hacker..." I say, pointing at the IDS console.

"It looks like he's using a prepackaged kit to attack our servers in a pseudo random manner to avoid detection," the PFY adds.

"Aren't you going to stop him?"

"Ordinarily yes, but we'd like him to get in somewhere so that we can eavesdrop and see what he's looking for."


"We'll activate the remote snoop client on his machine."

"Remote snoop client?"

"Yeah, we fudged their install media to always install the snoop client. Just to... uh.. help them diagnose problems... if they ask us."

"So they don't know that it's installed on their machines?"


"Do you install this remote stuff on everyone's machines?" the Boss asks.

"What would be the point of that?" I respond, dodging the question so as to avoid putting a quid in the 'lie jar' that the PFY and I recently installed.

"Shouldn't we be calling the police?!" the Boss asks.

"What for?" the PFY asks. "It'll just be some wingnut down in Finance who's watched that movie Wargames one too many times in his childhood and believes he can use the system to trigger a nuclear incident if he tries really hard."

"Which of course he can't," the Boss finishes.

"Well..... probably not. Well 95 per cent certain," the PFY responds.

"You don't sound too sure."

"It's difficult - I mean he might be quite intelligent, he might have outside help, or he might just have beginner's luck."

"So do you know where it's coming from?"

"Yeah, down in accounts. From the IP number I'd guess it's over in the far corner, near where that new guy is."

"New guy?" the Boss asks, forming a theory.

"Yeah, what's his name...... Almed, Amal" the PFY replies, dropping a quid in the lie jar with a >clink<

"Amal," I say. "Remember, he came up to introduce himself. Arab guy, new to London," I say, adding a quid with another quid.

"I... uh..." the Boss says, not wanting to say it.

Honesty, it's just too bloody easy sometimes, and at this rate the jar will be full by lunchtime.

"What.. uh.. does he do?" the Boss asks.

"Something in accounts I think he said," the PFY says >clink<

"Yeah," >clink< I add. "But he needed to borrow a laptop for the time being because they didn't have a machine for him - hey, maybe that's the machine he's using!"

"And you checked his ID."

"WhatID?" the PFY asks.

"His company ID."

"You have to be here for a couple of weeks before your ID's made!" I say.

"Well did he have a swipe card?"

"Uuuuuhhhhm, no, I think I let him through the door." >clink<

"Right. OK," the Boss chirps irrationally, trying to gather his thoughts while pacing excitedly "Right! This Amal chap, what did he look like?"

"Hard to tell. Normal I spose, Tall, strong?"


"Yeah, he was carrying his bag like it was nothing. Huge bag, canvas thing. Green." >clink<

"Khaki, not green," >clink< I correct. "One of those army surplus things that flooded the market after the Gulf W..."


. . . two hours later . . .

"Well it was all a bit of mistake," I say, to the Head of IT as the Boss is taken away for a bit of questioning. "It seems that someone down in Beancounter Central was running a Nessus scan across our hosts - without telling us, mind - which looked to all intents and purposes like an attack from inside the company. Meanwhile my assistant and I were talking about a movie that we'd seen sometime, and he must have mixed the two together in his head." >clink< "Unless of course, he had some other reason for calling the Antiterrorism people. "

"He's often said that he doesn't like the way Microsoft always chooses the American way of spelling," the PFY adds with another >clink<

"So the whole thing was a big mistake."

"Yeah. Well, 95 per cent certain..." ®

The Essential Guide to IT Transformation

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
VMware builds product executables on 50 Mac Minis
And goes to the Genius Bar for support
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Microsoft says 'weird things' can happen during Windows Server 2003 migrations
Fix coming for bug that makes Kerberos croak when you run two domain controllers
Cisco says network virtualisation won't pay off everywhere
Another sign of strain in the Borg/VMware relationship?
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.