Forgot your password?
typodupeerror
Caldera The Internet

SCO Group Web Site Attacked Again 564

Posted by simoniker
from the bad-boy-come-again dept.
FreeLinux writes "With not much SCO news today, it seemed that this story was needed - Reuters is reporting that, SCO is again suffering under a DDoS attack that has crippled their web site and email system since Wednesday morning. For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system. The denial-of-service attack started at 6:20 a.m. EST Wednesday and continued through the day, said Blake Stowell, spokesman for the Lindon-based company."
This discussion has been archived. No new comments can be posted.

SCO Group Web Site Attacked Again

Comments Filter:
  • And groklaw... (Score:5, Informative)

    by gnuadam (612852) on Wednesday December 10, 2003 @11:31PM (#7686601) Journal
    ...and the happy folks at Groklaw [groklaw.net] already have a statement up with arguments to effect that SCO is fibbing. They think the attack could be a hoax.
    • Re:And groklaw... (Score:5, Informative)

      by Anonymous Coward on Wednesday December 10, 2003 @11:33PM (#7686617)
      SCO's ISP has also been contacted by zdnet. Although SCO claim to have contacted them and to be working with them on the attack with law enforcement officials, it's the first they'd heard of it.

      And a DDoS doesn't have a timeframe. SCO claimed they will be able to get up and going again within 12 hours. So they know it's a DDoS, and don't know who's doing it, but know when it'll stop?

      Good one SCO. Makes us chuckle.
    • by FunWithHeadlines (644929) on Wednesday December 10, 2003 @11:34PM (#7686627) Homepage
      That's right, while the rest of the mainstream media happily reported whatever SCO told them to say, despite the evidence not appearing to support the DDoS story, Groklaw posted a detailed analysis of the situation. Now was it so hard for /. admins to take a quick glance over there, the source for accurate SCO news, before just posting Yet Another SCO Spin version of the story?

      Folks, if it's a SCO story, check with Groklaw before passing judgment. For every bit of FUD coming out of Linden, a blast of anti-FUD is lobbied back.

    • Re:And groklaw... (Score:5, Informative)

      by SkArcher (676201) on Wednesday December 10, 2003 @11:46PM (#7686755) Journal
      I submitted a version of this story with links to Groklaw and various technical resources and got rejected. Wish the /. editors team would pick decent story writers.

      Anyhow folks, the consensus at Groklaw is that either SCO are lying through their teeth and this is all FUD, or their network admin staff are a bunch of incompetents.

      There are no prizes for guessing what the /. theory will be.

      In specific, the outage at www.sco.com started before the reported time by several hours, was already under analysis by Groklaw before the claimed time, the pattern of the servers shutoff is NOT consistent with a SYN DDOS (the claimed attack), but it is consistent with either a planned shutdown, or a network cable being unplugged.

      There was no slowdown of service - see netcraft for the stats. SCO claim e-mail and other services were compromised which do not use the TCP SYN/ACK and are not therefore vulnerable to this attack (when on different servers (which they are, see groklaw for a list). ftp.sco.com remained up, despite being on the same subnet, and smtp.sco.com would respond throughout the duration of the supposed 'attack'.

      The above is a synopsis of Work presented for analysis at Groklaw, any mistakes are my own, any credit is due to the authors on Groklaw and to PJ.
      • by Rick the Red (307103) <Rick.The.Red@gmail. c o m> on Thursday December 11, 2003 @12:06AM (#7686882) Journal
        the consensus at Groklaw is that either SCO are lying through their teeth and this is all FUD, or their network admin staff are a bunch of incompetents.
        That's lawyers for you: always one or the other. Guilty or innocent. Right or wrong. Black or white. Never once considered the possibility that it's both.
      • Re:And groklaw... (Score:4, Interesting)

        by 0x0d0a (568518) on Thursday December 11, 2003 @01:42AM (#7687379) Journal
        SCO claim e-mail and other services were compromised which do not use the TCP SYN/ACK and are not therefore vulnerable to this attack

        "email"? SMTP? POP3? IMAP? All of these are TCP-based, and are therefore vulnerable to SYN flooding.

        My guess is a little less conspiracy theory oriented. Some IT guy at SCO royally screwed up and took down an important server. He tried to fix it, but got yelled at by management before he could resolve things. He made up an "oh, hackers did that" story to cover his ass.

        Just because it makes the open source community look bad and they thought that they *were* under attack, SCO execs handed out a press release.
    • by weston (16146) <westonsd&canncentral,org> on Wednesday December 10, 2003 @11:47PM (#7686764) Homepage
      I work in the Canopy Group office buildings at another (non-evil) company. We're all serviced by Center7 [center7.com] and the last time there was the confirmed/acknowledged DDOS attack we felt it hard. Getting to hosts outside of the building was very difficult all day.

      No hiccups today. Center7 did promise last time that they could and would isolate everyone else from SCO, so there is another explanation, but...
      • by gnuadam (612852) on Wednesday December 10, 2003 @11:53PM (#7686805) Journal

        That is interesting. Perhaps you should email pj? I'd definately go mention this over on groklaw, and give as much detail about where you work as you are comfortable doing.

        If they are lying about this, this would play into Red Hat and IBM's suits/coutersuits very well. I mean, we all know they lie to the press all the time, but something like this is just over the top.

      • by Anonymous Coward
        Center7 did promise last time that they could and would isolate everyone else from SCO,

        Sorry, but that's really funny. Does their network switch have the words "Leper Colony" taped on it?

        YLFI
    • by iminplaya (723125) <iminplaya.gmail@com> on Wednesday December 10, 2003 @11:50PM (#7686781) Journal
      At the risk of being redundant, At the risk of being redundant, here's the story http://www.groklaw.net/article.php?story=200312101 63721614 I'm kind of surprised there aren't more comments about the fact that SCO is lying about this. Everything else seems irrelevent(sp) The guys at lwn made comments about checking the facts first before running with the story.
  • by tcopeland (32225) * <tom&thomasleecopeland,com> on Wednesday December 10, 2003 @11:31PM (#7686604) Homepage
    ...by Eric S. Raymond [internetnews.com].

    He makes it clear that SCO is attacking everyone, but he opposes DOS'ing them saying that "the open source community must use the truth, not criminal methods, as its weapons." Nicely done
  • And again... (Score:3, Redundant)

    by xactoguy (555443) on Wednesday December 10, 2003 @11:31PM (#7686606)
    ... do we have to say that this is exactly the kind of thing that we DON'T need? DDoSing them because you are unhappy with the way that they are doing things does nothing but to put a bad name on Linux, its users, and the whole issue in general. All you are doing is sinking to their level, rather than being mature and letting the battle be fought the way it should be, in court ( or, if worse come to worse, with torches and pitchforks in front of SCOs headquarters ;) ).
  • Or not. (Score:5, Informative)

    by Meowing (241289) on Wednesday December 10, 2003 @11:32PM (#7686610) Homepage
    There's been a ton of discussion of this on Groklaw [groklaw.net] today -- consensus is that either this is no attack, or their network is run by doofuses.
    • suspect (Score:5, Insightful)

      by sydlexic (563791) on Wednesday December 10, 2003 @11:59PM (#7686832)
      It is highly suspect that a company who's web site was felled by an ancient and easily defended 'attack' was able to so expertly and swiftly identify the cause in time to write up and distribute a press release before the close of business.
  • by overbyj (696078) on Wednesday December 10, 2003 @11:32PM (#7686611)
    that everytime Darl is sitting on the john dropping a deuce (of course, we know that he is full of shit) and clogs up the toilet, he blames it on a DOP (denial of plumbing) attack by Linux users!

    Press release to follow.....
  • by vosbert (544192) on Wednesday December 10, 2003 @11:33PM (#7686615)
    SCO launches a lawsuit against the anonymous hackers.
  • Ping (Score:5, Funny)

    by penguinoid (724646) <spambait001@yahoo.com> on Wednesday December 10, 2003 @11:33PM (#7686616) Homepage Journal
    In related news, SCO caims ownership of "ping", and will licence it starting at $1000.
  • More SCO FUD (Score:5, Informative)

    by RobGarth (75504) <rgarth@@@gmail...com> on Wednesday December 10, 2003 @11:35PM (#7686650) Homepage
    http://www.groklaw.net/article.php?story=200312101 63721614

    If it is a DDoS attack, SCO are incompetent for not blocking it. Or it is just more FUD.
  • Self Inflicted (Score:5, Informative)

    by bstadil (7110) on Wednesday December 10, 2003 @11:36PM (#7686652) Homepage
    Head over to Netcraft News [netcraft.com] and see how this server "died". If this is a DDOS attach I am Queen of Spain.
  • by frostman (302143) on Wednesday December 10, 2003 @11:36PM (#7686653) Homepage Journal
    ...a Slashdotting?

    Crybabies!
  • FUD (Score:5, Informative)

    by SkArcher (676201) on Wednesday December 10, 2003 @11:36PM (#7686657) Journal
    This is a load of rubbish. See Groklaw [groklaw.net] for a much deeper and more insightful look at what really happened, a full explanation of the technicalities of the DDOS attack (claimed as a SYN attack that took up all the bandwidth and flattened their e-mail - and yet you can still get to ftp.sco.com (on same subnet), smtp.sco.com all other XO.net fed servers. Groklaw also noticed that the machine was down well before the press release claims and that it went straight down - no hiccups or other indications of a DDOS attack, just a straight gone - switched off or unplugged most likely.

    See the netcraft stats for that little bit. If SCO make any claim that this is a DDOS, they are lying through their teeth and the evidence was collected as it happened - see the members zone at Groklaw for the raw Traceroute returns.
  • by drdreff (715277) on Wednesday December 10, 2003 @11:36PM (#7686665) Homepage Journal
    It's all of those corporate Linux users beating down their door to buy licenses. Hurry and get yours today before they're all gone!
  • by Dlugar (124619) on Wednesday December 10, 2003 @11:37PM (#7686669) Homepage
    Come on, Slashdot ... putting SCO on the front page (multiple times sometimes) day after day after day ... and you don't call that deliberate Slashdotting^WDDoS?!

    I call BS.

    Expect letters from Boies and company any time now. "SCO Sues Media Giant Slashdot" the next headline?

    Dlugar
  • by buford_tannen (555867) on Wednesday December 10, 2003 @11:39PM (#7686690)
    This story [bbspot.com] apparently inspired some poor systems peon at sco to set up email autoresponse [bbspot.com] to the email address mentioned in the story.

    I tried it, it works. At least someone at SCO has some sense of humor.
  • by Ignorant Aardvark (632408) <cydeweys.gmail@com> on Wednesday December 10, 2003 @11:42PM (#7686718) Homepage Journal
    How do I enlist my computer as a zombie in the horde to attack SCO?
  • by iabervon (1971) on Wednesday December 10, 2003 @11:42PM (#7686719) Homepage Journal
    According to Groklaw [groklaw.net], not only is it implausible that this is a real attack, it's not even competently done. SCO blames a SYN flood, which is trivial to ignore. Their ISP hasn't had anything to do about it. While they say their email server was down, it actually wasn't. Their FTP server on the next IP over (and on the same block of addresses) had no problems. Their internal network almost certainly isn't anywhere near their Web server, network wise, and, if it was, it would almost certainly have a firewall that's not the web server.

    It's clear that SCO's run out of technical people; not only are they faking technical problems, they can't even make up a technically sound attack on their own systems.
  • by aquarian (134728) on Wednesday December 10, 2003 @11:42PM (#7686721)
    ...playing for the sad souls at SCO...
  • by Maestro4k (707634) on Wednesday December 10, 2003 @11:43PM (#7686729) Journal
    Before I start I should say I absolutely condemn the DDoS against SCO, if there really is one happening.

    I find it quite sad that our community has to loudly distance itself from supposed DDoS attacks and such against SCO while SCO makes a total mockery of the legal system and justice in general with their current campaign. For those who may not have noticed some earlier posts, discussion on Groklaw has brought up the possibility that this isn't a DDoS, but either just idiotic network admins on SCO's part, or perhaps even an intentional takedown to *cough* allow for a nice bit of publicity on their part. Whatever the true case is (and I'm not advocating any as the real one, I'll leave that for others to decide), SCO has certainly scored some nice negative publicity towards the OSS crowd, even if the DDoS is real and the attackers have nothing to do with OSS.

    IIRC there was an earlier supposed DDoS against SCO's servers that turned out to be that the servers were just down.

    In any case, it's nice to see the /. crowd (as always) advocating fair play and not using vigilante justice. Too bad SCO doesn't seem to believe in the fair play bit.

  • by stwrtpj (518864) <[p.stewart] [at] [comcast.net]> on Wednesday December 10, 2003 @11:46PM (#7686751) Journal

    From the article header:

    For the third time this year, the SCO Group's Web site came under attack, apparently by hackers unhappy with the company's legal threats against users of the Linux operating system.

    Where in the article did it say this? I certainly can't find it.

    Slashdot editors might want to RTFA before approving a post. The submitter of this one got a wee bit overzealous.

  • by Dutchmaan (442553) on Wednesday December 10, 2003 @11:47PM (#7686763) Homepage
    Look at what SCO does to the Linux community.. fractures and bickering... Destroying something that was supposed to be moral and good for all.

    One can almost feel the power of the ring at work....
  • New Icon (Score:5, Funny)

    by Coryoth (254751) on Wednesday December 10, 2003 @11:50PM (#7686784) Homepage Journal
    I would like to suggest that, once this case is finally settled, Slashdot begin using the caldera systems icon for "Laugh, it's Funny" instead of the Monty Python foot. I know I already associate that blue and red C with a good humourous story.

    Jedidiah.
  • by Kris_J (10111) * on Wednesday December 10, 2003 @11:51PM (#7686789) Journal
    After printing 1 million pages of source code [com.com], anyone's network might take a bit of time to recover.

    (This would have fitted on a single CD. I think we should add environmental terrorism to the list of SCO's offences.)

  • by mcleodnine (141832) on Thursday December 11, 2003 @12:01AM (#7686851)

    I've been folowing this story all day and the last thing I expected to see on /. was a regurgitation of "facts" with a 'questionable heritage'.

    Several sites (groklaw, lwn) have already pointed out that the claims of being hacked [yahoo.com] should be viewed with a liberal ointment of skepticism for any of the following reasons;

    • SCO was full of shit on the last DDoS 'attack'
    • SYN flood? Are you bullshitting me? A corporate firewall that can't handle something as old as that? Was it a high volume attack?
    • Funny that every other network server on the same subnet was still available (ie: ftp.sco.com)
    • my personal favorite "and corporate operational traffic to be unavailable during the morning hours including e-mail, the company intranet, and customer support operations" - corporate intranet down from a DDoS?. If that means that employees can't surf jobs.com because they get ported through the same address space as their http server then I guess the GNU.Linux community has little to worry about. Anybody that dim couldn't possibly find their way to court let alone be the plaintiff in a three billin dollar lawsuit.
  • by Korgan (101803) on Thursday December 11, 2003 @12:02AM (#7686860) Homepage
    This is getting just annoying. As has already been pointed out, the facts point to this being another hoax. However, as not everyone else in this community knows much about Security, let me add my few years of experience in to help those who don't understand.

    I should point out, this has pretty much been covered by Groklaw already and my methods don't vary too much from those already posted by them.

    SCO claims their email and web servers are unavailable because of a DDoS attack that has also infiltrated their Intranet and affected helpdesk services as well as other internal services. If this is the case, then it is more than just a DDoS they're suffering, or they are negligent in the highest order for failing to take simple steps to ensure a risk mitigated environment for conducting business within.

    Lets start with their Mail Server.
    Everyone has a backup mail server, usually hosted by a 3rd party to ensure that if your primary mail server is offline for any reason, mail can still be delivered successfully. The fact that SCO claimed their mail servers were unavailable suggests they either failed to purchase this extremely basic service or their setup is absolutely wrong by anyones standards. The purpose of multiple MX records is for this exact situation. You start with a high priority MX record (say 10) and work your way down the order (usually in steps of +10, so the secondary is usually 20).

    Their Web Server
    Their webserver is hosted on exactly the same subnet as their ftp server. However, during this attack, their FTP server has been available to anyone thats tried to connect to it. If they were suffering a DDoS attack of the proportions that SCO claims, this server would also have been affected and taken offline. Yet this is not the case. This blows open entirely the philosophy of a DDoS attack without any of the further evidence.

    SCO has alluded to the fact that the attack is a basic SYN Flood. A very simple and old attack that has been blockable by nearly every appliance and OS for the past 3 years at least. Yet if they are suffering as they claim, then they are guilty of negligence for failing to apply patches or even configure their platforms correctly. Its very easy to turn the SYN Cookies on in Linux (sysctl isn't rocket science) and just as easy in something like a Cisco Router/PIX Firewall or a Checkpoint Firewall.

    The claims that this has adversely affected their intranet suggests that the intranet is in some way exposed to the Internet. Even more alarming is the fact that it disabled their Helpdesk services for a period as well. This would suggest that their network has absolutely no perimeter protection of any kind. The smallest flaw in a product they use could apparently be used to access their core network infrastructure. Isn't that where their source code and IP documentation are kept? I'd start getting very worried about now if I were an investor.

    Due diligence is a core principle of any company. That includes ensuring that the services relied upon are securely and properly setup and maintained. If SCO truly has been affected by an attack of any kind on the magnitued they're claiming, then they should be legally responsible for the results of their failure to perform due diligence. (However, IANAL so don't quote me on legalities, especially given I live in NZ, not the US).

    In short, the supposed attack on SCO does not add up at all. In fact, if they are being attacked this time round, they are in serious legal trouble themselves if their reports are accurate.

    I would also question why they have released this to the press as a Press Release instead of getting on with fixing the problem as quickly as possible. Also, how is it that their mail services are now restored, their FTP server never offline, yet their website remains offline? Surely, a DDoS would affect both.

    Not to mention the fact that it would affect SCOs upstream provider who, when contacted last time, saw absolutely no evidence of an attack in progress at a
    • by Trepalium (109107) on Thursday December 11, 2003 @01:50AM (#7687419)
      Except, we should accept the fact that, perhaps the intention behind this wasn't to be credible to technical people. What else has happened to SCO recently, you should be asking. "RBC rethinks SCO deal" [globetechnology.com] - RBC, who, along with Baystar, invested $50 million into SCO has begun looking at the contingency fees SCO will pay to their lawyers if SCO is bought out. SCO has postponed their 2003 earnings release and invester conference call to December 22 from December 8, and there's been some speculation that they will not be able to announce a profit this quarter without some 'creative' accounting. SCO lost both of IBM's motion to compel discovery, and have to turn over these 'million lines of code' that IBM has illegally copied into Linux. SCO's stock price has been dropping recently. None of these items really made it into the press in any meaningful way.

      Now we get this 'quick fix' press release that gets to paint the Linux community as a bunch of criminals and thugs. They know full well the press won't bother to check facts, and it should be enough to distract from the negative things that have been happening. They get to look like a victim in the press, and they can do so without any proof what so ever.

  • by Snoopy77 (229731) on Thursday December 11, 2003 @12:03AM (#7686868) Homepage
    Wasn't it just a flood of Linux license payments?
  • by bleeper4 (730343) on Thursday December 11, 2003 @12:04AM (#7686873)
    so does that mean they can sue themselves?
  • by LordK3nn3th (715352) on Thursday December 11, 2003 @12:06AM (#7686881)
    Darl McBride, stumbling drunk (as usual) around SCO's headquarters, accidently tripped over the server's power cord.

    SCO's technicians are busy working to fix the problem.
  • linux users? (Score:5, Insightful)

    by gyratedotorg (545872) on Thursday December 11, 2003 @12:08AM (#7686892) Homepage
    just out of curiousity, what do you think makes people assume that any attacks on sco are from the linux community? to me, its almost as if walmart.com got attacked and everyone blamed the mom-and-pop stores. ridiculous.
  • its amazing.. (Score:3, Insightful)

    by Suppafly (179830) <slashdot@s[ ]afly.net ['upp' in gap]> on Thursday December 11, 2003 @12:11AM (#7686907)
    It's amazing that they are only DoS'd during their employee's working hours.
  • DDoS (Score:3, Funny)

    by unoengborg (209251) on Thursday December 11, 2003 @12:19AM (#7686944) Homepage
    Distributed Denial of Stock?

    SCO quicly respond by sending a quickfix pressrelease.
  • by WindBourne (631190) on Thursday December 11, 2003 @12:20AM (#7686949) Journal
    The group(s) would be attacking all SCO boxes online rather than just a single web site. Why take down the company if you can simply make their customers quit buying their crap. No, I suspect this is just a hoax.
  • double bluff? (Score:5, Insightful)

    by another_twilight (585366) on Thursday December 11, 2003 @12:20AM (#7686952)
    Careful.

    There is a decent chance that their claims are designed to inflame.

    Claim the Open Source community is behind it and you get a bunch of people who have already been accused starting to think they may as well commit the 'crime' for which they are being blamed.

    Sure the claims made by SCO have always been seen to be ridiculous, from a technical POV. But their point has never been to convince the geeks. They are playing to a larger audience and seen in that light their bumbling and fumbling, technically, starts to look a little more deliberate.

    Call me paranoid, but SCO could be trying to create the incident they claim is ocurring right now.
  • by Platinum Dragon (34829) on Thursday December 11, 2003 @12:23AM (#7686975) Journal
    WARNING: I'm going to vector some rumours here. Feel free to slap them down if inaccurate, as I'm too damned lazy/tired to investigate myself right now.

    There are some rumours floating around the Yahoo SCOX message board that several directories containing Linux source code, such as patches and updates, are now missing from SCO's ftp server. Months ago, many people pointed out that SCO itself continued distributing copies of the kernel in support and updates directories on their ftp server. There is also speculation the strangely internal nature of this so-called DDoS attack may be part of an Ollie North operation to prevent certain evidence from falling into IBM's hands via discovery.

    SCO's execs need to read The Boy Who Cried Wolf a few times, and learn the lesson within. Darl, unlike Ken Lay, does not have close friends in the White House, and probably would not escape prosecution for any illegal acts being committed under his watch at SCO.
  • Maybe (Score:3, Funny)

    by Catharz (223736) on Thursday December 11, 2003 @01:26AM (#7687309)
    They had a 3rd person connect to their 2 user version of SCO Unix?
  • by sisukapalli1 (471175) on Thursday December 11, 2003 @01:29AM (#7687323)
    Something is suspicious about the announcement of a DDOS on a bad day for SCO stock (note that SCOX stock fell quite a bit today). Most likely, it is to divert attention from the real problems (investors speaking up, etc.)

    Some of the wall street lemmings will fall for this, just like many /. lemmings went on a limb claiming "oh, c'mon guys, don't let *us all* get into distepute."

    S
  • by RamsÚs Morales (13327) on Thursday December 11, 2003 @02:00AM (#7687459)
    No one can fall victim of a SYN flood attack these days. You don't need a DDOS with "thousands of servers" to do a SYN flood attack. SCO's ISP isn't suffering anything related to a DDOS attack. The shutdown pattern of the SCO's servers shows that they were unpluged. Groklaw [groklaw.net] has a good disection of the hoax.

    Therefore, I would like to know what are the /. editors waiting for, in order to update the story stating it as a fraud from SCO.

    I wouldn't be surprised if SCO issues a press release tomorrow saying that the evidence they were going to show in January 5 was destroyed.

    This is just too much. I thought "evil corporations" existed only on comic books, and hollywood movies.
  • lies (Score:5, Informative)

    by Permission Denied (551645) on Thursday December 11, 2003 @02:16AM (#7687536) Journal
    www.sco.com is on 216.250.128.12

    The following machines are running currently-reachable FTP servers:

    216.250.128.7
    216.250.128.13
    216.250.128.14
    216.250.128.15
    216.250.128.16
    216.250.128.17

    I was able to download /pub/ls-lR from ftp.sco.com (216.250.128.13) 74.91 KB/s (600 Kb/s). My broadband is rated at 640 Kb/s, so the bottleneck was likely at my end. These machines are almost certainly on the same subnet and are likely connected to the same gear (SCO's subnetting is their choice, but if ftp.sco.com and www.sco.com are on different subnets, their subnet masks are 255.255.255.254 and they must have only two IPs per subnet - I don't believe this is even possible as you need a network and a broadcast IP for each subnet).

    The fact that all of these machines are reachable and that at least one of them can saturate a broadband link indicates that SCO is not having any bandwidth problems. I also performed some ICMP tests and the machine is not sending out port-unreachables, timestamp-replies or netmask-replies - these seem blocked upstream. I'm getting a little nervous sending out these funny packets as I don't want anyone to accuse me of anything, but everything indicates that the machine is completely offline. If they allowed some ICMP replies through upstream, receiving a reply would show that the machine is actually online, but somehow cannot handle TCP requests (and the problem is not bandwidth as shown, so it would have to be something wrong with the host, such as a firewall rule); if they allowed through ICMP replies and the machine did not respond whereas others on the subnet did respond, it would show that the machine is almost definitely offline unless it has a more restrictive firewall than the other machines (very unlikely given that this, as-claimed, could have been prevented with syncookies). As it stands, one can only say that the machine is very likely offline (unplugged or turned off).

    SCO's incoming mail server seems to be working fine. They only have one MX record for sco.com and it resolves to 216.250.130.2 for me at the moment. I only connected to it and saw a banner, but easy way to test this further is to send a message to an invalid address @sco.com and see if a bounce gets back. I don't want to give them an email address.

    All of this is current as of 2003-12-10 21:57, Mountain time (SCO is in Utah). Further investigation lead nowhere; thus the delay in the post.

  • by AtariDatacenter (31657) on Thursday December 11, 2003 @02:27AM (#7687570)
    Early in the morning, someone was exploiting a rooted SCO corporate web server. But they tripped over an intrusion detection alarm. System/network administrators were notified.

    Per their company policy, they shut SCO's entire network off from the entire world. "Internal mail servers and other support servers were unavailable." After a few hours, they determined that the intrustion was limited to the main corporate web server. The web server was broken off from the network. Network connectivity was restored (but no longer having a web server). "The web server is under a denial of service attack."

    SCO employees begin the process of either restoring the existing web server from backup, or preserving the existing server, and bringing online a new server from bare metal. The process is expected to take at least twelve hours. An SCO executive informs at least one media outlet that they expect the problem to be resolved in some time after twelve hours. They're still working on it.

    This also fits what happened in August, when their corporate web server was unavailable for THREE DAYS. When it was brought back online, the content was reportedly changed in some areas. It sounds like an inexperienced bare-metal restore or an untested solution. Perhaps part of the web site was not retreivable via backup, and they had to recreate some sections from scratch.

    My theory, which I believe totally fits the facts, is that SCO has been rooted and does not want to admit this publicly. So the DDoS/SYN is their cover story, which is close, but doesn't fit the facts well enough to avoid suspicion.

    I would appreciate a read on this theory with some feedback postive/negative.
  • by hsoom (680862) on Thursday December 11, 2003 @02:59AM (#7687685)
    The Age has an article titled Doubts cast on SCO claims of denial of service attack [theage.com.au]. It's good to see a mainstream news service not just reporting the FUD but actually digging a little deeper.

It is better to give than to lend, and it costs about the same.

Working...