On Wed, 26 Jun 1996, Darren Reed wrote:

> I searched around the web on the weekend and found a frightening amount
> of hack/crack programs.
>
> you can grab the stuff I found as:
>
> ftp://ftp.cyber.com.au/pub/unix/rootkit.tgz (about 900k - gzip'd - of mostly
> all source code)
> [..snip..]
>
> Things like "Alta Vista" are your friend!
>
> Was rather sad to see so much, but...

Well, I personally don't mind seeing it too much. It really comes down to the fact that these tools are actively being distributed in "hacker" circles, and by putting them up online they actually sort of even the score. People trying to protect themselves have access to the tools people would use on them, can analyze them, and try to protect themselves accordingly.

In a way it comes down to the full disclosure argument, where people argue if exploits for the security holes should be released. By having access to these tools, you are able to analyze them, and not only protect against that particular attack, but perhaps others in its class. (For example, seeing ypx may make people more aware of rpc vulnerabilities and protect themselves against the class of rpc-based exploitations, rather than just changing their nis domainname..)

Releasing the exploits also gives them to a wider range of people, but considering how easy it is to get most of these things (irc, for example) I doubt that it makes a very big difference.

There are several archives that are heavily used in "hacker" circles, and keep a large (and up to date) archive of tools, information, etc. One of the nicer ones is ftp://ftp.infonexus.com/.

[ObSecurityNote] We have seen quite an increase in web-related attacks, specifically trying to exploit cgi's with %0a (newline) characters, trying to grab password files, and run other commands. I would recommend grep'ing through some of your web server logs looking for passwd, %0a, %0A, and things like that. Just in the last few weeks these attacks have increased to the point of several a week.
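The log check suggested in the [ObSecurityNote] above, written out as an added example that is not part of the original message: a shell/awk filter that inspects only the request field of each access-log line, tags hits for %0a/%0A and passwd, and counts them per client. It assumes Common Log Format; the sample lines, addresses and the `example.cgi` name are constructed for illustration.

```shell
#!/bin/sh
# Added example: find CGI probes (encoded newline, passwd) in a web server log.
# Assumes Common Log Format, where the request line is the first quoted field.

# Constructed sample log lines (documentation addresses, hypothetical CGI name).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [26/Jun/1996:10:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [26/Jun/1996:10:02:13 -0400] "GET /cgi-bin/example.cgi?q=a%0Aid HTTP/1.0" 200 512
192.0.2.77 - - [26/Jun/1996:10:02:19 -0400] "GET /cgi-bin/example.cgi?file=x%0a/etc/passwd HTTP/1.0" 200 2210
198.51.100.5 - - [26/Jun/1996:11:40:55 -0400] "GET /cgi-bin/example.cgi?file=/etc/passwd HTTP/1.0" 404 210
192.0.2.10 - - [26/Jun/1996:12:00:00 -0400] "GET /img/logo%20a.gif HTTP/1.0" 200 3300
EOF
}

# Read a log on stdin; print "client reason request" for each suspicious line.
# Only the request field is matched, so a referrer or user-agent field
# containing the same strings does not produce a hit.
suspicious_requests() {
    awk -F'"' '
    {
        req = tolower($2)        # lower-case once so %0a and %0A both match
        reason = ""
        if (index(req, "%0a"))    reason = "encoded-newline"
        if (index(req, "passwd")) reason = (reason == "" ? "" : reason "+") "passwd"
        if (reason != "") {
            split($1, pre, " ")  # pre[1] is the client address
            print pre[1], reason, $2
        }
    }'
}

# Read a log on stdin; print "count client", busiest client first.
hits_per_client() {
    suspicious_requests |
        awk '{ n[$1]++ } END { for (c in n) print n[c], c }' |
        sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample; replace the left side of the
# pipe with your own log, e.g.  hits_per_client < access_log
sample_log | hits_per_client
```

A hit means only that a request was attempted; the status code and response size in the same log line help decide which requests need follow-up on the server itself.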