William Knowles was known to say...
>
> [Forwarded by: Mark Arena <marena@iinet.net.au>]
>
> Hi all,
>
> I just thought I'd clear up all these rumors, questions etc regarding
> the denial of service attacks which happened a while ago.
>
> 1) Did mafiaboy use trinoo or smurf?
> He didn't use either. He used a program called mstream and yes it's
> private. It basically is similar to trinoo. It comprises of a client
The source code has been posted as of Tuesday I believe. Also, for the
record, it's not "new". It is, however, "recently discovered" and still
somewhat raw. Then again, NT is still raw after several years. But I
digress.... It is also claimed that it is based on stream2.c.
The source code was posted to BugTraq Sat. Apr 29, 2000 by <Anonymous>.
Reference:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-04-29&msg=200004291748.TAA13203@lobeda.jena.thur.de
Details that I am referencing can be found at:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-04-29&msg=Pine.GUL.4.21.0005011456280.16155-100000@red3.cac.washington.edu
> and a server. With the server it listens on port 7983 and you specify
Two variants are already considered for mstream, "wild" and "source".
Wild being the variant which was discovered on a Uni's rootkitted linux
box, and "source" being the one based off the alleged source code.
The second URL I reference yields:
Communication
-------------
Attacker to handler(s):  6723/tcp  (in published source)
                         15104/tcp ("in the wild")
                         12754/tcp (in recovered source)
Agent to Handler(s):     9325/udp  (in published source)
                         6838/udp  ("in the wild")
Handler to agent(s):     7983/udp  (in published source)
                         10498/udp ("in the wild")
> 2) So did mafiaboy actually hack anything?
>
> 3) Did mafiaboy take out all the sites?
>
> 4) How come it took so long for mafiaboy to get arrested?
> Simple he hanged low and the fbi etc had not enough evidence to make
> an arrest that was until his outburst on self-evident's msg board. His
> allowed the fbi etc to swoop swiftly and quickly.
>
> Now its time for my opinion:
> 1) Do you think mafiaboy will get convicted?
> Well it depends, if mafiaboy admits to dos'ing those sites then yes I
> believe he will be convicted then again if he denies it I believe they
> won't have enough evidence on him. The only reason they caught him is
> that his nick etc was posted on www.self-evident.com He also said to a
> person I know that he destroyed the hard drive in a fire which would
> give the fbi no physical evidence at his end.
Snipped out a bit of text but wanted to leave the bulleted points and the
chose message body. Not to seem like I'm running around waving a flag,
but from the boys over at 2600 magazine had fun with the nick in IRC.
Taken from:
http://www.2600.com/news/2000/0420.html
"When the name "mafiaboy" was first mentioned months ago, a couple of us
hopped onto IRC using that nick.....Amazingly, the person who fell for it
the hardest is the very person now being quoted widely in the media as
having caught the perpetrator."
Makes me wonder about the sharpness of individuals at Recourse,
personally. If the day has come when merely possessing a nickname in IRC
means you are seriously that person, then I should be deported soon, as I
was using "Elian" a few weeks ago.
My point? Too much supposition and conjecture surround the Mafiaboy that
actually did the DDoSing, and the Mafiaboy that had been sought out. The
waters have become very muddied, and I personally do not believe that
anyone on any side of any fence on this issue can really make accurate
assumptions or assessments of the situation.
Keep the big picture in sight, don't focus too much, or you'll neglect
important issues. Like the fact that we may never know the truth. Hard
to accept, but it happens.
The first two URLs I listed contain a large amount of data about mstream.
Highly recommended.
Remember, true knowledge lies in knowing what you do *not* know.
-aj.
--
"When you're having a bad day and it seems like people are trying your
patience to no end, remember: it takes 42 muscles to frown but only 4 to
pull the trigger on a decent sniper rifle."
Received on Thu May 4 13:13 CDT 2000
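
An added example, not part of the original message or of the analysis it links to: a small detection sketch that uses the port table quoted above to label hosts in flow records as attacker, handler or agent, and reports a host as a likely handler only when it appears on two or more of the listed channels. The flow record format ("src_ip dst_ip proto dst_port"), the sample records and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Ports from the table quoted in the message: (proto, dst_port) -> (channel, variant)
MSTREAM_PORTS = {
    ("tcp", 6723): ("attacker->handler", "published source"),
    ("tcp", 15104): ("attacker->handler", "in the wild"),
    ("tcp", 12754): ("attacker->handler", "recovered source"),
    ("udp", 9325): ("agent->handler", "published source"),
    ("udp", 6838): ("agent->handler", "in the wild"),
    ("udp", 7983): ("handler->agent", "published source"),
    ("udp", 10498): ("handler->agent", "in the wild"),
}

# Constructed sample flow records using documentation address ranges.
# Assumed format: "src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
198.51.100.7 192.0.2.10 tcp 6723
192.0.2.10 192.0.2.21 udp 7983
192.0.2.21 192.0.2.10 udp 9325
192.0.2.10 192.0.2.22 udp 7983
203.0.113.5 192.0.2.30 tcp 80
192.0.2.40 192.0.2.41 udp 10498
"""

def classify(flow_text):
    """Map each IP to the set of (role, channel, variant) observations."""
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records
        src, dst, proto, port = parts[0], parts[1], parts[2].lower(), int(parts[3])
        hit = MSTREAM_PORTS.get((proto, port))
        if hit is None:
            continue
        channel, variant = hit
        # The channel name "a->b" gives the source role and the destination role.
        for ip, role in zip((src, dst), channel.split("->")):
            seen[ip].add((role, channel, variant))
    return dict(seen)

def likely_handlers(seen):
    """IPs observed as handler on >= 2 distinct channels (one port hit alone is weak)."""
    return sorted(
        ip for ip, obs in seen.items()
        if len({ch for role, ch, _ in obs if role == "handler"}) >= 2
    )

if __name__ == "__main__":
    print(likely_handlers(classify(SAMPLE_FLOWS)))
```

A single match on one of these ports can be ordinary traffic, which is why the sketch requires corroboration across channels before naming a handler.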