I hacked DOI.net.
Now that a judge has banned the DOI from the ‘net because of how easy it was to attack them, I can reveal that I was an inside hacker at the DOI.
A little over-the-top, I know, and since everyone knows how easy hacking the DOI would have been it doesn’t really merit that kind of build-up, but back when I worked at MMS as one of their UNIX sysadmins, I, being a foolish, conscious person, decided to run a port-scan on the network. Now, being foolish, I didn’t discuss this with anyone — they would just tell me to stop. And, as further proof of my foolishness, I decided to scan the entire class B subnet that the DOI owned, not just the segments used by MMS. Finally, I put it in a cron job so that it would run every Tuesday.
Now, this all looks pretty stupid in hindsight. Especially the cron job. But the reports I was getting back were fascinating. For example, the story on what the investigators found reveals:
Certain Interior computers were also running web servers, file transfer programs, remote access servers and other technologies that could allow anonymous access by outsiders.
It was all these machines I was seeing. Hundreds running default IIS installations (from 2.x on). Printers with web interfaces, routers, switches — you name it, I saw it.
I was just curious, but even unrestrained curiosity can be dangerous. The people at Indian Affairs noticed problems with their mainframe and were finally able to track it down to my machine — to me.
They told me that the portscan crashed the mainframe’s TCP/IP stack (which indicates a fragile stack that needs to be patched, really) every time it ran. Not too surprising since I was using the default scan mode of nmap — hit thousands of ports in rapid succession — instead of any of the more stealthy methods. But how did they find me? Their logs showed attempts to access rlogin and rsh — two ports out of thousands.
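The detection side of that story is worth spelling out: a scan that touches thousands of ports still shows up as a burst of connection attempts from one source address across many services, and even a couple of lines for rlogin and rsh in a daemon log are enough to attribute it. The script below is an added example, not anything from the original post or from the DOI investigators; it runs over constructed syslog lines modelled on tcp_wrappers/inetd "connect from" messages, with made-up hostnames and addresses, and flags any source that hits several distinct services within a short window, and separately reports which sources touched rlogin or rsh.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on tcp_wrappers/inetd syslog lines.
# Hostnames and addresses are invented; this is not a real DOI log.
SAMPLE_LOG = """\
Mar  3 02:10:01 mainframe in.rlogind[4411]: connect from 130.11.22.33
Mar  3 02:10:01 mainframe in.rshd[4412]: refused connect from 130.11.22.33
Mar  3 02:10:02 mainframe in.telnetd[4413]: connect from 130.11.22.33
Mar  3 02:10:02 mainframe in.ftpd[4414]: refused connect from 130.11.22.33
Mar  3 09:15:44 mainframe in.telnetd[5120]: connect from 130.11.40.7
Mar  3 09:16:02 mainframe in.rlogind[5121]: connect from 130.11.40.7
"""

# "Mon dd HH:MM:SS host in.daemon[pid]: [refused ]connect from a.b.c.d"
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>in\.\w+)\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# The two services that gave the scan away: daemon name -> service name.
R_SERVICES = {"in.rlogind": "rlogin", "in.rshd": "rsh"}


def parse_connects(text):
    """Return (timestamp, source, daemon) for every connect line, accepted or refused."""
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            events.append((m["ts"], m["src"], m["daemon"]))
    return events


def _seconds(ts):
    # Seconds since midnight; the sample stays within one day, so the date is ignored.
    hh, mm, ss = ts.split()[-1].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def find_scanners(text, min_services=3, window_seconds=60):
    """Map source -> sorted daemons for any source that reached at least
    min_services distinct services within window_seconds. A sweep across
    many ports in rapid succession is what an nmap run looks like here."""
    by_src = defaultdict(list)
    for ts, src, daemon in parse_connects(text):
        by_src[src].append((_seconds(ts), daemon))
    scanners = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {d for t, d in evs[i:] if t - t0 <= window_seconds}
            if len(seen) >= min_services:
                scanners[src] = sorted(seen)
                break
    return scanners


def r_service_probes(text):
    """Map source -> sorted list of the r-services (rlogin, rsh) it touched."""
    hits = defaultdict(set)
    for _, src, daemon in parse_connects(text):
        if daemon in R_SERVICES:
            hits[src].add(R_SERVICES[daemon])
    return {src: sorted(s) for src, s in hits.items()}


if __name__ == "__main__":
    for src, daemons in find_scanners(SAMPLE_LOG).items():
        print(f"scanner {src}: {', '.join(daemons)}")
    print("rlogin/rsh probes:", r_service_probes(SAMPLE_LOG))
```

On the sample, 130.11.22.33 touches four services inside two seconds and is flagged as a scanner, while 130.11.40.7 makes two ordinary logins eighteen seconds apart and is not; both show up in the rlogin/rsh report, which is the coarser check the investigators in the story relied on. The window and threshold are assumptions for illustration, and only services wrapped by inetd/tcp_wrappers ever log here, which is exactly why two ports out of thousands were the ones that left a trace.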
Yes, I learned quite a few things from that episode, not the least of which was Don’t portscan using nmap’s default settings.