Script kiddies in general are annoying flies that deserve to be swatted. Anyone who runs a system connected to the internet with halfway decent logging will see them regularly knocking on the door with the exploit of the month.

Script kiddies tend to use scanners to scan large netblocks for potentially vulnerable hosts and canned exploits to attempt exploitation. Unless you've pissed them off in IRC or have a web page they're intent on vandalizing, they probably won't stay around long if the first exploit doesn't work - you won't generally see concentrated attacks. The large number of insecure hosts on the net makes this bulk scanning worthwhile and provides them with hosts to act from.

Bulk scanning also increases the likelihood that someone will notice, complain, and get the box taken offline. In order to counter this, kiddies may select a throwaway machine to do the scanning from and, if they're using a blind exploit, another machine to come back and check to see who's been compromised.

What they want the machines for is anyone's guess, but it's a good bet that they're interested in defacements, warez, or IRC wars.

The most common activity I see is automated scans for systems offering anonymous FTP. I assume that they're interested in it either because they want a warez base or because certain FTP exploits require writable directories. I see between one and four probes a week on my systems, although those on a /24 in an academic network seem to draw more attention than those on a pair of /28s on a commercial ISP's DSL lines.
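
One way to pick the bulk anonymous-FTP scans described above out of server logs, as an added example that is not part of the original text: it flags a source that tries anonymous login on several local hosts within a short window, and ignores a source that returns repeatedly to a single host. The log format, the sample lines, and the names `parse` and `find_sweeps` are constructed for this illustration and do not correspond to any particular FTP daemon.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, made-up format:
# <timestamp> <local host> ftpd: ANONYMOUS LOGIN FROM <source ip>
SAMPLE_LOG = """\
2001-03-04T02:11:07 10.0.0.5 ftpd: ANONYMOUS LOGIN FROM 192.0.2.77
2001-03-04T02:11:08 10.0.0.6 ftpd: ANONYMOUS LOGIN FROM 192.0.2.77
2001-03-04T02:11:09 10.0.0.9 ftpd: ANONYMOUS LOGIN FROM 192.0.2.77
2001-03-04T09:30:00 10.0.0.5 ftpd: ANONYMOUS LOGIN FROM 198.51.100.20
2001-03-04T09:31:12 10.0.0.5 ftpd: ANONYMOUS LOGIN FROM 198.51.100.20
2001-03-04T09:45:40 10.0.0.5 ftpd: ANONYMOUS LOGIN FROM 198.51.100.20
2001-03-06T14:02:55 10.0.0.6 ftpd: USER alice LOGIN FROM 203.0.113.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ftpd: ANONYMOUS LOGIN FROM (\S+)$")

def parse(log_text):
    """Yield (time, local_host, source) for anonymous-login lines only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def find_sweeps(log_text, min_hosts=3, window=timedelta(minutes=5)):
    """Return {source: sorted hosts} for sources that touched at least
    min_hosts distinct local hosts inside one sliding time window."""
    by_source = defaultdict(list)
    for when, host, source in parse(log_text):
        by_source[source].append((when, host))
    sweeps = {}
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {h for _, h in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                sweeps[source] = sorted(hosts)
                break
    return sweeps

if __name__ == "__main__":
    for source, hosts in find_sweeps(SAMPLE_LOG).items():
        print(f"{source} swept {len(hosts)} hosts: {', '.join(hosts)}")
```

The `min_hosts` and `window` thresholds are arbitrary starting values and need tuning to the number of hosts being watched.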