Date: Thu, 1 Jun 2000 15:14:08 -0400
From: Chad Day <cday@beachassociates.com>
To: "'freebsd-newbies@freebsd.org'" <freebsd-newbies@freebsd.org>
Subject: System intrusion
Message-ID: <A8D9B16D2196D2118B6E00A0C9E307F423857A@beachpdc1.beachassociates.com>
It appears that one of the users on my system either had a password stolen, or gave it out. This was an account shared by several users to allow uploading of files to a particular directory. Some malicious user got hold of this, either from another user, or cracked it. He then accessed my box and proceeded to delete files from the directory, along with creating a directory saying something like "TMaN hacked this".

All I have logwise that I can see is his connection in the wtmp file, and when the directory was created, which matches that time. I don't know where to look for any more details. ftpd was started up with the -l flag, but there's no syslog file or ftp.log file.

I have his IP address he's accessing from (he's coming from AOL) and the times of access. He's been logging back in over the past couple of days; I've changed the account password to shut him out, and there have been no other successful connections. The group that user was in only had rights to that directory, so I'm not too concerned about anything else being compromised, but I am keeping an eye out for it.

My question is: what can I do? Should I contact the FBI? (If so, if anyone who has had prior experience knows how best to go about this, I would appreciate the information.) Contact AOL (which seems to be a waste of time)?

I highly suspect that it is the right IP address too: we run an IRC channel related to the webpage, and he has repeatedly evaded bans with that AOL account. He's not really smart enough to know how to go about cloaking himself.

Chad Day
Beach Associates

When I speak german... I think german in my head... but like...Do skript kiddies see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their h34d'5 w43n t43y R +a1k1n6 ? -- SirStanley

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-newbies" in the body of the message
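The post says the only evidence is the wtmp entry and the creation time of the rogue directory. The script below is an added example (not part of the original post and not FreeBSD's own tooling) showing how to pull sessions out of a raw wtmp file, filter them by the remote host, and correlate them with a filesystem timestamp. It assumes the pre-utmpx BSD wtmp layout of FreeBSD 4.x-era systems (ut_line[8], ut_name[16], ut_host[16], 32-bit time_t; 44 bytes per record), that ftpd records its lines as "ftpNNNN" with NNNN the process id, and it uses constructed sample records with made-up addresses (10.0.0.5 and 172.16.0.20) rather than anything from the thread.

```python
import struct
from datetime import datetime, timezone

# Assumed record layout: the pre-utmpx BSD wtmp format (FreeBSD 4.x era).
# ut_line[8], ut_name[16], ut_host[16], then a 32-bit little-endian time_t.
WTMP_RECORD = struct.Struct("<8s16s16si")


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Return a list of (line, user, host, epoch) tuples from raw wtmp bytes.

    A trailing partial record (a file read while ftpd was appending) is ignored.
    """
    records = []
    for off in range(0, len(data) - WTMP_RECORD.size + 1, WTMP_RECORD.size):
        line, user, host, t = WTMP_RECORD.unpack_from(data, off)
        records.append((_cstr(line), _cstr(user), _cstr(host), t))
    return records


def build_sessions(records):
    """Pair each login with the next logout on the same line.

    In this format a logout is a record with an empty ut_name for that line.
    ftpd is assumed to use lines named "ftpNNNN" (NNNN = process id); a second
    login on the same line with no logout in between replaces the earlier one.
    """
    open_by_line = {}
    sessions = []
    for line, user, host, t in records:
        if user:
            open_by_line[line] = (user, host, t)
            continue
        start = open_by_line.pop(line, None)
        if start is not None:
            sessions.append({"line": line, "user": start[0], "host": start[1],
                             "login": start[2], "logout": t})
    # Sessions with no logout record (still connected, or the daemon died).
    for line, (user, host, t) in open_by_line.items():
        sessions.append({"line": line, "user": user, "host": host,
                         "login": t, "logout": None})
    return sessions


def sessions_from_host(sessions, host_prefix):
    """Sessions whose recorded host starts with host_prefix.

    ut_host is only 16 bytes, so long resolved hostnames are truncated;
    matching on a prefix (or the numeric address) is the reliable option.
    """
    return [s for s in sessions if s["host"].startswith(host_prefix)]


def sessions_active_at(sessions, when):
    """Sessions open at epoch `when`, e.g. the ctime of the rogue directory."""
    return [s for s in sessions
            if s["login"] <= when and (s["logout"] is None or when <= s["logout"])]


def _utc(t):
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


# --- Constructed sample data (made-up hosts and times, not from the post) ---
def _record(line, user, host, t):
    return WTMP_RECORD.pack(line.encode(), user.encode(), host.encode(), t)


SAMPLE_WTMP = b"".join([
    _record("ftp2201", "upload", "10.0.0.5",    959800000),  # legitimate user
    _record("ftp2201", "",       "",            959800100),  # logout
    _record("ftp2345", "upload", "172.16.0.20", 959886000),  # suspect host
    _record("ftp2345", "",       "",            959886300),  # logout
])

if __name__ == "__main__":
    # On a real box: sessions = build_sessions(parse_wtmp(open("/var/log/wtmp", "rb").read()))
    sessions = build_sessions(parse_wtmp(SAMPLE_WTMP))
    for s in sessions_from_host(sessions, "172.16.0.20"):
        end = _utc(s["logout"]) if s["logout"] is not None else "still open"
        print(f'{s["user"]}@{s["host"]} on {s["line"]}: {_utc(s["login"])} -> {end}')
    # Correlate with the directory's creation time (constructed value here).
    print(sessions_active_at(sessions, 959886100))
```

On the poster's system the same parser would be run over /var/log/wtmp and the directory's ctime from stat(1) passed to sessions_active_at. Separately, ftpd's -l flag logs through syslog facility ftp, which the stock syslog.conf does not write anywhere; adding a line such as `ftp.info<TAB>/var/log/ftpd.log` to /etc/syslog.conf, creating the file and sending syslogd a HUP (an assumption about the poster's version, but the facility name is standard) is what makes per-session ftpd entries appear for the next time someone tries the account.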