[118227] in Cypherpunks


Re: KISA Attack

daemon@ATHENA.MIT.EDU (John Young)
Wed Sep 22 08:06:39 1999

Message-Id: <199909221146.HAA11540@smtp5.mindspring.com>
Date: Wed, 22 Sep 1999 07:35:37 -0400
To: Bill Stewart <bill.stewart@pobox.com>
From: John Young <jya@pipeline.com>
Cc: cypherpunks@cyberpass.net, postmaster@www.kisa.or.kr,
        webmaster@www.kisa.or.kr, postmaster@kisa.or.kr, webmaster@kisa.or.kr,
        stprt@kisa.or.kr, evaluation@kisa.or.kr, ctt@kisa.or.kr,
        cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net, iscst@kisa.or.kr,
        postmaster@kosi-oversea-fe1.kix.ne.kr,
        webmaster@kosi-oversea-fe1.kix.ne.kr
In-Reply-To: <3.0.5.32.19990922033817.009ad590@idiom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Reply-To: John Young <jya@pipeline.com>

Bill,

Thanks much for your advice. By now you've got a message
from KISA explaining the problem, but I'm not sure the story
is accurate.

The attack stopped from the KISA machine at 06:10. Now,
though, a weird thing is happening. The log shows that everyone 
who tries to access jya.com gets the same three files KISA was hitting.
And the KISA robot is listed as the machine running from completely 
unrelated addresses.

Here's the KISA bot's last hit and then one of the latest:

sun450.kisa.or.kr - - [22/Sep/1999:06:11:06 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "RaBot/1.0 Agent-admin/ist@kisa.or.kr"

cei14.rm.nettuno.it - - [22/Sep/1999:06:11:10 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "RaBot/1.0 Agent-admin/ist@kisa.or.kr"

All subsequent log entries follow this format. 

However, all files appear to be accessible, so the logger seems
to have been Manchurian Candidated.

I'm itchy-fingering the Seoul earthquake button.

Now, I may have fucked myself by trying to install an .htaccess
file to exclude KISA. That was done about the time the KISA
attack stopped and the weirdness began. I've deleted it to
see what happens. Gotta go off to kill babies so I won't be
able to check until tonight.
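
Added example, not part of the message above or of any jya.com tooling: a check for the log pattern the message describes, where consecutive entries repeat the same request and agent fields while the client host changes to hosts outside the agent's stated contact domain. The two quoted entries are used as input; the other sample lines, the function names and the min_hosts threshold are assumptions made for illustration.

```python
import re
from itertools import groupby

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
CONTACT_RE = re.compile(r'@([A-Za-z0-9.-]+)')  # contact address embedded in the agent string

def parse(lines):
    """Yield a dict of fields for each line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.fullmatch(line.strip())
        if m:
            yield m.groupdict()

def agent_matches_host(entry):
    """True if the agent names no contact domain, or the client host lies inside it."""
    m = CONTACT_RE.search(entry["agent"])
    if not m:
        return True
    domain = m.group(1).lower().rstrip(".")
    host = entry["host"].lower()
    return host == domain or host.endswith("." + domain)

def stuck_runs(lines, min_hosts=2):
    """Report consecutive entries whose request-to-agent fields repeat across hosts."""
    fields = lambda e: (e["request"], e["status"], e["size"], e["referer"], e["agent"])
    findings = []
    for key, run in groupby(parse(lines), key=fields):
        run = list(run)
        hosts = sorted({e["host"] for e in run})
        mismatched = [e["host"] for e in run if not agent_matches_host(e)]
        if len(hosts) >= min_hosts and mismatched:
            findings.append({"request": key[0], "agent": key[4], "entries": len(run),
                             "hosts": hosts, "mismatched_hosts": mismatched})
    return findings

AGENT = "RaBot/1.0 Agent-admin/ist@kisa.or.kr"
SAMPLE = [
    # constructed line: an ordinary browser hit before the run
    'client1.example.net - - [22/Sep/1999:06:10:40 -0400] "GET /index.htm HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    # the two entries quoted in the message
    f'sun450.kisa.or.kr - - [22/Sep/1999:06:11:06 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "{AGENT}"',
    f'cei14.rm.nettuno.it - - [22/Sep/1999:06:11:10 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "{AGENT}"',
    # constructed line: a third host carrying the same fields
    f'client2.example.org - - [22/Sep/1999:06:11:15 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "{AGENT}"',
]
```

Calling stuck_runs(SAMPLE) returns one finding covering the three /udlist.htm entries, with the two non-KISA hosts listed as mismatched. A finding only shows that the fields repeat; whether the clients or the logger produced them has to be settled from another source, such as a packet capture.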

