Hack Turned Loads of Computers Into Waiting Zombies

[Howell, Paul]

At http://dailynews.yahoo.com/h/nm/20011220/wr/tech_hack_dc_1.html

Thursday December 20 8:01 PM ET 
Hack Turned Loads of Computers Into Waiting Zombies
By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - A company that processes credit card transactions
for Web sites confirmed on Thursday that customer Web server computers have
been hacked and could be used in a massive Internet attack on other
computers.

CCBill LLC of Tempe, Arizona, issued a statement to all of its customers
warning them of the security breach. In an e-mail, the company urged its
customers to change their server passwords and search their systems for
stealth software called a ``bot'' that could be hidden in the system.

The bot, dubbed ``eggdrop,'' is designed to listen for instructions via an
Instant Relay Chat channel, said Dayne Jordan, co-owner of CompleteWeb, a
Columbus, Ohio-based Internet Service Provider.

Once activated, they could swing into action, turning hacked Web servers
into unwitting drones that could be used to take down major Web sites.

On Thursday afternoon there were about 1,200 bots in the IRC channel, Jordan
said, despite claims of CCBill that only a ''minimal percentage'' of its
customers had been hacked.

``The bots are sitting there and waiting. If someone comes into the channel
and executes the right command these machines could be used to launch a huge
distributed denial-of-service attack,'' he added.

In a denial-of-service attack, multiple servers are remotely commanded to
flood a particular Web site with so much traffic that it is rendered
inaccessible to legitimate Internet traffic. Such a concerted attack from
numerous drone computers shut down a handful of sites including Yahoo and
eBay in February 1999.

Alan Paller, research director of the System Networking, Administration and
Security Institute, called the hack a ''really bad infestation.''

In addition to the bots that could be used to turn the Web servers into
zombies, administrative user names and passwords of CCBill's Web site
customers and user names and passwords of their customers have possibly been
exposed, according to Jordan.

Jordan said he informed CCBill of the problem Monday night after receiving a
tip from someone else. Nearly 20 of his own customers had been hacked, all
of them CCBill customers, he said.

Tom Fisher, general manager of CCBill, downplayed the problem and declined
to release much information.

``We've rectified the problem both at our end and the end of our
customers,'' Fisher said. The company has ``thousands'' of customers, he
said, declining to give a total number or say how many were affected by the
hack.

Fisher said the CCBill had not contacted the FBI (news - web sites) because
''it's not that big of an issue.''

In its e-mail to customers, CCBill said it had corrected the source of the
problem and was working to discover who was behind the hack.

``No other systems at CCBill were affected and only hosting passwords need
to be changed,'' the company's e-mail said.