Date: Thu, 22 Jun 2000 23:35:27 -0400 From: "John Telford" <j.telford@sympatico.ca> To: <dking@malf.net>, "Chad Day" <cday@beachassociates.com>, "'freebsd-newbies@freebsd.org'" <freebsd-newbies@FreeBSD.ORG> Subject: Re: System intrusion Message-ID: <008601bfdcc4$12c27da0$6e0de440@johnnyb> References: <A8D9B16D2196D2118B6E00A0C9E307F423857A@beachpdc1.beachassociates.com> <3936C217.C615F2CD@malf.net>
I just gave my ISP an APC Masterswitch, which will allow us to remotely
power down or cold start my colocated boxes when one is hung (or, in
Doug's case, under attack). Worth the $600.00 I think; of course we have
to hope the Masterswitch doesn't get hacked :)

John.

----- Original Message -----
From: Doug King <dking@malf.net>
To: Chad Day <cday@beachassociates.com>; 'freebsd-newbies@freebsd.org' <freebsd-newbies@FreeBSD.ORG>
Sent: Thursday, June 01, 2000 4:05 PM
Subject: Re: System intrusion

> Hi Chad,
>
> It's not real clear about just who has jurisdiction... certainly, the
> FBI does, since this guy probably used a "means of interstate commerce"
> to hack you... even if he actually came from "next door". The problem is
> that if it's a "common hack" with less than $50,000 damage, they're not
> going to be interested. (Exception... if there is evidence that you were
> hacked to stifle speech (in other words, an act of "Cyber-terrorism"),
> they'll be less interested in the amount of damage, and more interested
> in the *kind* of speech that was being attacked (the more "politically
> correct", the better.)
>
> Your local police *also* have jurisdiction, as well as the police where
> the hacker lives. In this case, your locals might be interested, but
> they are likely not terribly technologically sophisticated... so they'll
> likely want to see "physical evidence" (like fingerprints, DNA samples,
> and pry-bar marks on the covers of your computer), since that is what
> they DO understand.
>
> The locals where the hacker lives will only be interested if they can
> catch the hacker while he is in the process of hacking you.
>
> BTW... my credentials for commenting... I'm the "tech admin" that is
> referenced in this Salon article:
> http://www.salon.com/tech/feature/1999/05/26/guns_veggies/index.html
>
> The hacker in that case used a qpopper exploit to gain root access...
> which we detected almost instantly...
>
> Then, (s)he changed the root password and started destroying stuff. We
> tried to intervene...
>
> ...but unfortunately, the machine was colocated, and we couldn't get
> the co-lo facilities manager to pull the plug on the box before the
> hacker executed a "rm -rf /*"... almost an hour after we asked that the
> machine be unplugged. Sigh...
>
> To the best of my knowledge, the FBI is still pursuing that case, albeit
> not very vigorously... Last I heard, they had served a search warrant on
> the gun site and found lots of veiled threats against the Nelsons, but
> nothing (directly) linking the site to the Vegsource hack.
>
> Hope this (not very encouraging) story helps...
>
> Doug King
>
> Chad Day wrote:
> >
> > It appears that one of the users on my system either had a password
> > stolen, or gave it out. This was an account shared by several users to
> > allow uploading of files to a particular directory.
> >
> > Some malicious user got a hold of this, either from another user, or
> > cracked it. He then accessed my box and proceeded to delete files from
> > the directory, along with creating a directory saying something like
> > "TMaN hacked this".
> >
> > All I have logwise that I can see is his connection in the wtmp file,
> > and when the directory was created, which matches that time. I don't
> > know where to look for any more details. ftpd was started up with the
> > -l flag, but there's no syslog file or ftp.log file.
> >
> > I have his IP address he's accessing from (he's coming from AOL) and
> > the times of access... he's been logging back in over the past couple
> > of days. I've changed the account password to shut him out; no other
> > successful connections. The group that user was in only had rights to
> > that directory, so I'm not too concerned about anything else being
> > compromised, but I am keeping an eye out for it.
> >
> > My question is: what can I do? Should I contact the FBI? (If so, if
> > anyone knows how best to go about this and has had prior experience, I
> > would appreciate information.) Contact AOL (which seems to be a waste
> > of time)?
> >
> > I highly suspect that it is the right IP address too - we run an IRC
> > channel related to the webpage, and he has repeatedly evaded bans with
> > that AOL account... he's not really smart enough to know how to go
> > about cloaking himself.
> >
> > Chad Day
> > Beach Associates
> >
> > When I speak german... I think german in my head... but like...Do skript
> > kiddies see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their
> > h34d'5 w43n t43y R +a1k1n6 ? -- SirStanley
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-newbies" in the body of the message
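Chad's only evidence is the session in wtmp and the creation time of the directory, and he wants to tie the two together. The script below is an added example, not code posted by anyone in this thread. It reads wtmp records, pairs each login with its logout, and lists the sessions that were open when the suspect directory appeared. It assumes the classic BSD wtmp layout (ut_line[8], ut_name[16], ut_host[16], 4-byte little-endian time_t; a record with an empty name is a logout) and that ftpd writes its sessions under a line name of the form ftpNNNN; both are assumptions about the system, and the records it parses are constructed inline rather than taken from a real log. One caveat that follows from that layout: the host field holds only 16 characters, so a long AOL reverse name is truncated in wtmp, which is why the filter below matches on a hostname prefix rather than the full name.

```python
"""Correlate wtmp login sessions with the timestamp of a suspect file.

Added example, not code posted in the thread.  Assumptions (about the
systems discussed, not facts from the page):
  * classic BSD wtmp records: ut_line[8], ut_name[16], ut_host[16],
    4-byte little-endian time_t; a record with an empty name is a logout
  * ftpd logs its sessions under a line name like "ftpNNNN"
The records below are constructed for the demonstration.
"""
import struct
from datetime import datetime, timezone

REC = struct.Struct("<8s16s16si")   # 44-byte record (assumed layout)


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Yield (line, name, host, epoch) for each complete record in data."""
    for off in range(0, len(data) - REC.size + 1, REC.size):
        line, name, host, when = REC.unpack_from(data, off)
        yield _cstr(line), _cstr(name), _cstr(host), when


def load_wtmp(path):
    """Parse a wtmp file on disk (copy the live file aside first)."""
    with open(path, "rb") as fh:
        return list(parse_wtmp(fh.read()))


def sessions(records):
    """Pair each login with the next logout on the same line.

    A login that never logged out (still connected, or the box was pulled
    before the record was written) is kept with end=None.
    """
    open_by_line, done = {}, []
    for line, name, host, when in records:
        if name:                                   # login record
            open_by_line[line] = {"user": name, "host": host, "line": line,
                                  "start": when, "end": None}
        elif line in open_by_line:                 # logout: empty name
            sess = open_by_line.pop(line)
            sess["end"] = when
            done.append(sess)
    done.extend(open_by_line.values())
    return sorted(done, key=lambda s: s["start"])


def sessions_covering(sess_list, when, host_prefix=""):
    """Sessions that were open at `when`, optionally filtered by host prefix.

    A prefix match is used on purpose: the 16-byte host field truncates
    long reverse names, so an exact match on the full AOL name would miss.
    """
    return [s for s in sess_list
            if s["host"].startswith(host_prefix)
            and s["start"] <= when
            and (s["end"] is None or when <= s["end"])]


def _rec(line, name, host, when):
    """Pack one record; struct's 's' code NUL-pads or truncates each field."""
    return REC.pack(line.encode(), name.encode(), host.encode(), when)


# Constructed sample: the shared upload account used from an AOL dial-up,
# the admin's own shell session, and a later FTP session still open.
T0 = 959889900                       # Thu Jun  1 2000 20:05:00 UTC
SAMPLE_WTMP = b"".join([
    _rec("ttyp0",  "chad",   "localhost",            T0 - 3600),
    _rec("ftp123", "upload", "AC9B1234.ipt.aol.com", T0),        # host truncated
    _rec("ftp123", "",       "",                     T0 + 1020),
    _rec("ttyp0",  "",       "",                     T0 + 7200),
    _rec("ftp456", "upload", "dialup-1.example.net", T0 + 5000),
])
SUSPECT_CTIME = T0 + 600             # ctime of the "TMaN hacked this" directory


def report(sess_list, when, host_prefix=""):
    """Human-readable rows for the sessions open at `when`."""
    rows = []
    for s in sessions_covering(sess_list, when, host_prefix):
        start = datetime.fromtimestamp(s["start"], timezone.utc).isoformat()
        end = (datetime.fromtimestamp(s["end"], timezone.utc).isoformat()
               if s["end"] is not None else "still logged in")
        rows.append(f"{s['user']:<8} {s['line']:<8} {s['host']:<16} "
                    f"{start} -> {end}")
    return rows


if __name__ == "__main__":
    sess = sessions(parse_wtmp(SAMPLE_WTMP))
    print("Sessions open when the directory was created:")
    for row in report(sess, SUSPECT_CTIME):
        print(" ", row)
    print("Restricted to the AOL host prefix:")
    for row in report(sess, SUSPECT_CTIME, host_prefix="AC9B"):
        print(" ", row)
```

Copy the live wtmp somewhere read-only before running this against it; wtmp is rotated, and once the attacker's sessions roll out of it the correlation is gone. The same prefix filter also shows every other session from that host, which is the list to hand to AOL or the FBI alongside the directory timestamp.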
