
On Sun, 7 Jan 1996, John Young wrote:
Quoting some body: On Christmas Day 1994 the attack begins.
First, the intruder breaks into a California Internet site that bears the cryptic name toad.com. Working from this machine, the intruder issues seven commands to see who's logged on to Shimomura's workstation, and if he's sharing files with other machines.
From Shimomura's mail last January:
: The IP spoofing attack started at about 14:09:32 PST on 12/25/94. The first
: probes were from toad.com (this info derived from packet logs):
:
: 14:09:32 toad.com# finger -l @target
: 14:10:21 toad.com# finger -l @server
: 14:10:50 toad.com# finger -l root@server
: 14:11:07 toad.com# finger -l @x-terminal
: 14:11:38 toad.com# showmount -e x-terminal
: 14:11:49 toad.com# rpcinfo -p x-terminal
: 14:12:05 toad.com# finger -l root@x-terminal
Then the automatic spoofing attack begins. It will all be over in sixteen seconds. The prediction packet attack program fires off a flurry of packets to busy out the trusted Internet server so it can't respond. Next, the program sends twenty more packets to Shimomura's UNIX workstation.
Again, quoting Shimomura's mail:

: About six minutes later, we see a flurry of TCP SYNs (initial connection
: requests) from 130.92.6.97 to port 513 (login) on server...
: 130.92.6.97 appears to be a random (forged) unused address (one that will
: not generate any response to packets sent to it)...

Given that this was a _spoofing_ attack, mayhaps the packets from toad.com were also forgeries. Anyone in the know?

- PS

--
Ng Pheng Siong <ngps@pacific.net.sg>
NetCentre Pte Ltd * Singapore
Finger for PGP key.
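A defender-side illustration, added here and not part of this thread or of Shimomura's own tools: a small Python detector run over a constructed packet log (not his actual logs) in an assumed simplified "time src > dst.port: flags" format. It flags the two patterns the quoted mail describes, one source probing finger and the portmapper across several hosts, and a burst of SYNs to the login port from an address that never completes a handshake.

```python
import re
from collections import defaultdict

# Constructed sample, loosely modelled on the timeline quoted in the thread.
# Format: "HH:MM:SS src > dst.port: flags" (S = SYN, S. = SYN-ACK, . = ACK).
SAMPLE_LOG = """\
14:09:32 toad.com > target.79: S
14:10:21 toad.com > server.79: S
14:11:07 toad.com > x-terminal.79: S
14:11:38 toad.com > x-terminal.111: S
14:18:22 130.92.6.97 > server.513: S
14:18:22 server > 130.92.6.97.1023: S.
14:18:22 130.92.6.97 > server.513: S
14:18:22 130.92.6.97 > server.513: S
14:18:22 130.92.6.97 > server.513: S
14:18:22 130.92.6.97 > server.513: S
14:18:22 130.92.6.97 > server.513: S
14:18:40 apollo > server.513: S
14:18:40 server > apollo.1022: S.
14:18:40 apollo > server.513: .
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) > (\S+)\.(\d+): (\S+)$")
RECON_PORTS = {79: "finger", 111: "portmapper"}  # showmount/rpcinfo go via 111

def parse(log):
    """Yield (time, src, dst, port, flags) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, src, dst, port, flags = m.groups()
            yield t, src, dst, int(port), flags

def find_recon(log, min_hosts=2):
    """Sources that open finger/portmapper connections to several distinct hosts."""
    hosts = defaultdict(set)
    for _, src, dst, port, flags in parse(log):
        if port in RECON_PORTS and flags == "S":
            hosts[src].add(dst)
    return {src: sorted(h) for src, h in hosts.items() if len(h) >= min_hosts}

def find_half_open_floods(log, min_syns=5):
    """(src, dst, port) with many SYNs but no handshake-completing ACK from src."""
    syns, acks = defaultdict(int), set()
    for _, src, dst, port, flags in parse(log):
        if flags == "S":
            syns[(src, dst, port)] += 1
        elif flags == ".":
            acks.add((src, dst, port))
    return sorted(k for k, n in syns.items() if n >= min_syns and k not in acks)
```

The thresholds are assumptions; on a real capture the SYN count from a genuinely unreachable address climbs far faster than the handful shown here, while a legitimate client like the apollo entries completes the handshake and is left alone.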