BOFH: The enemy at the gate

Semper vigilo

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Episode 13

BOFH 2004: Episode 13

So we’ve got someone on the network who considers themselves a bit of a ‘leet dood’ hacker.

I notice when IDS starts throwing up portscans stepping through our IP address range one at a time.

“He’s not even bothering to disguise it...” the PFY remarks drily, pointing at an IP address allocated to one of the lesser machines in beancounter central.

“Yeah, AND he’s using a desktop machine, not a service kiosk, which would have obscured the trail a little bit.”

“Really? I prefer turning off Mac-Address change warnings on the router then use a networked printer’s address.”

“Sneaky,” I comment.

“Yeah. So what’s he doing now the scan has finished?”


“Hmmm. Looks like he’s testing rootpaks against our main web server.”

“We're still running Apache on it aren't we?” the PFY asks worriedly.

“No no, 'secure' IIS.”

We laugh a bit at that one, and continue watching. As if..

"Ah! Now he's switching to ftp vulnerabilities.. ... and now back to the portscanning again."

"So not much of a threat?"

"Not as yet. But bear in mind, once he gets into the Beancounters' area with their requirement to administer their own 'servers' it's going to be intrusion city Arizona!"

"Should we warn them?"

"Yeah, I suppose so."

"Give their geek a ring?"

"I was thinking more of pings-of-death on their older unpatched machines.."

... Several crashes later...

"There's something wrong with the network," the Boss blurts, bumbling into Mission Control. "The phones are going mad!"

"Yes, it seems we have a hacker..." I say, pointing at the IDS console.

"It looks like he's using a prepackaged kit to attack our servers in a pseudo random manner to avoid detection," the PFY adds.

"Aren't you going to stop him?"

"Ordinarily yes, but we'd like him to get in somewhere so that we can eavesdrop and see what he's looking for."


"We'll activate the remote snoop client on his machine."

"Remote snoop client?"

"Yeah, we fudged their install media to always install the snoop client. Just to... uh.. help them diagnose problems... if they ask us."

"So they don't know that it's installed on their machines?"


"Do you install this remote stuff on everyone's machines?" the Boss asks.

"What would be the point of that?" I respond, dodging the question so as to avoid putting a quid in the 'lie jar' that the PFY and I recently installed.

"Shouldn't we be calling the police?!" the Boss asks.

"What for?" the PFY asks. "It'll just be some wingnut down in Finance who's watched that movie Wargames one too many times in his childhood and believes he can use the system to trigger a nuclear incident if he tries really hard."

"Which of course he can't," the Boss finishes.

"Well..... probably not. Well 95 per cent certain," the PFY responds.

"You don't sound too sure."

"It's difficult - I mean he might be quite intelligent, he might have outside help, or he might just have beginner's luck."

"So do you know where it's coming from?"

"Yeah, down in accounts. From the IP number I'd guess it's over in the far corner, near where that new guy is."

"New guy?" the Boss asks, forming a theory.

"Yeah, what's his name...... Almed, Amal" the PFY replies, dropping a quid in the lie jar with a >clink<

"Amal," I say. "Remember, he came up to introduce himself. Arab guy, new to London," I say, adding a quid with another quid.

"I... uh..." the Boss says, not wanting to say it.

Honesty, it's just too bloody easy sometimes, and at this rate the jar will be full by lunchtime.

"What.. uh.. does he do?" the Boss asks.

"Something in accounts I think he said," the PFY says >clink<

"Yeah," >clink< I add. "But he needed to borrow a laptop for the time being because they didn't have a machine for him - hey, maybe that's the machine he's using!"

"And you checked his ID."

"WhatID?" the PFY asks.

"His company ID."

"You have to be here for a couple of weeks before your ID's made!" I say.

"Well did he have a swipe card?"

"Uuuuuhhhhm, no, I think I let him through the door." >clink<

"Right. OK," the Boss chirps irrationally, trying to gather his thoughts while pacing excitedly "Right! This Amal chap, what did he look like?"

"Hard to tell. Normal I spose, Tall, strong?"


"Yeah, he was carrying his bag like it was nothing. Huge bag, canvas thing. Green." >clink<

"Khaki, not green," >clink< I correct. "One of those army surplus things that flooded the market after the Gulf W..."


. . . two hours later . . .

"Well it was all a bit of mistake," I say, to the Head of IT as the Boss is taken away for a bit of questioning. "It seems that someone down in Beancounter Central was running a Nessus scan across our hosts - without telling us, mind - which looked to all intents and purposes like an attack from inside the company. Meanwhile my assistant and I were talking about a movie that we'd seen sometime, and he must have mixed the two together in his head." >clink< "Unless of course, he had some other reason for calling the Antiterrorism people. "

"He's often said that he doesn't like the way Microsoft always chooses the American way of spelling," the PFY adds with another >clink<

"So the whole thing was a big mistake."

"Yeah. Well, 95 per cent certain..." ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story


Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.