The bane of any System Administrator, script kiddies crack into systems, usually to prove to their friends that they're "l33t" or to run an IRC bot. Luckily, they are generally as incompetent as they are annoying. It's amazing how much effort script kiddies go through to hide their tracks, even though they usually end up doing one or two stupid things that immediately reveals their presence. Some examples I've dealt with in my career:
  • Deleting /var/adm. Within five minutes we received cron messages with errors to that effect.
  • Replacing important system binaries. Tripwire catches this almost immediately.
  • Starting a warez site. What's the point? Warez sites consume so much bandwidth and disk space that they will be shut down within a few hours at the most.
  • Leaving files in /tmp. I look in /tmp frequently because I tend to make a mess of it myself. I quickly discover anything that isn't familiar.
It's also amusing how much effort they go through to cover their tracks, when they forget the obvious, like .bash_history files and the fact that the system syslogs to a remote log server.

Of course, this is a good thing. Imagine what it would be like if script kiddies were actually competent?

Script kiddies in general are annoying flies that deserve to be swatted. Anyone who runs a system connected to the internet with halfway decent logging will see them regularly knocking on the door with the exploit of the month.

Script kiddies tend to use scanners to scan large netblocks for potentially vulnerable hosts and canned exploits to attempt exploitation. Unless you've pissed them off in IRC or have a web page they're intent on vandalizing, they probably won't stay around long if the first exploit dosen't work - you won't generally see concentrated attacks. The large number of insecure hosts on the net makes this bulk scanning worthwhile and provides them with hosts to act from. Bulk scanning also increases the likelihood that someone will notice, complain, and get the box taken offline. In order to counter this, kiddies may select a throwaway machine to do the scanning from and, if they're using a blind exploit, another machine to come back and check to see who's been compromised.

What they want the machines for is anyone's guess, but it's a good bet that they're interested in defacements, warez, or IRC wars.

The most common activity I see are automated scans for systems offering anonymous FTP. I assume that they're interested in it either because they want a warez base or because certain ftp exploits require writable directories. I see between one and four probes a week on my systems, although those on a /24 in an academic network seem to draw more attention than those on a pair of /28s on a commercial ISP's DSL lines.
A person who gains illicit access to networked computer systems by using short programs (scripts) which automate the process of finding vulnerable computers and breaking into them. Because it is possible to scan many hundreds of IP addresses in a second, and because a small but significant fraction of the hosts on the Internet harbor well-known security holes, script kiddies are able to do quite well at their chosen hobby.

Different script kiddies use their compromised hosts for different purposes. The most widely visible script kiddie action on a compromised host is to vandalize any Web pages it might contain. However, Web vandalism is by no means a script kiddie's only use for a system. Many use them to operate IRC bots, which help them harass other IRC users or fight for territory on IRC. Others use them as storage areas for bootleg software or other contraband files. Some run distributed denial-of-service daemons, which let the script kiddie flood other hosts off the network. Script kiddies also, of course, use well-connected hosts as stepping stones to break into other hosts.

Script kiddies are often condemned by crackers — people who discover and exploit new security holes — as immature and uncreative, as they only run scripts to attack holes others have discovered and documented; they don't do anything original. Despite their uncreativity, though, script kiddies pose a serious problem to many Internet sites. For various reasons, ranging from incompetence to understaffing to internal politics, it is not always possible for Net sites to maintain top-notch security — and those who cannot, can expect to be rooted on a regular basis.


The easiest defenses against script kiddies are to restrict the services running on your publicly exposed hosts, and to keep the daemons that run these services up to date with the latest patches from your software distributor. Since script kiddies rely on publicized, well-known security holes to do their mischief, keeping up to date with the latest fixes can cut them off. In addition, you should be running some sort of firewall to block at least the most obviously illegitimate accesses into your network.

If you are in a position where you can't preëmptively require all the exposed hosts on your network to keep up to date, you may find that running a portscan detector or other network intrusion detection system — such as the ever-popular snort — will give you some chance to catch the kiddies in the act and take measures in response.

Script kiddies are not going to go away easily. The law can catch some of them and deter some others, but it will not stop the mass of script kids from continuing to commit their crimes. For every 14-year-old "hacker wizard" the FBI catch, there are a couple hundred whom nobody has the time or resources to even chase. In the long run, everyone who participates in the Internet — from end users to large sites to ISPs to programmers and software vendors — is going to have to get a lot more security conscious if the damage due to Internet hooliganry is to be stemmed.

scribble = S = scrog

script kiddies pl.n.

1. [very common] The lowest form of cracker; script kiddies do mischief with scripts and programs written by others, often without understanding the exploit they are using. Used of people with limited technical expertise using easy-to-operate, pre-configured, and/or automated tools to conduct disruptive activities against networked systems. Since most of these tools are fairly well-known by the security community, the adverse impact of such actions is usually minimal. 2. People who cannot program, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does; someone who thinks of code as magical incantations and asks only "what do I need to type to make this happen?"

--The Jargon File version 4.3.1, ed. ESR, autonoded by rescdsk.

Log in or register to write something here or to contact authors.