From owner-freebsd-newbies Thu Jun 1 12:14:13 2000
Delivered-To: freebsd-newbies@freebsd.org
Received: from beachpdc1.beachassociates.com (beachpdc1.beachassociates.com [208.246.80.6]) by hub.freebsd.org (Postfix) with ESMTP id 97A0F37B8D5 for ; Thu, 1 Jun 2000 12:14:10 -0700 (PDT) (envelope-from cday@beachassociates.com)
Received: by beachpdc1.beachassociates.com with Internet Mail Service (5.5.2448.0) id ; Thu, 1 Jun 2000 15:14:09 -0400
Message-ID:
From: Chad Day
To: "'freebsd-newbies@freebsd.org'"
Subject: System intrusion
Date: Thu, 1 Jun 2000 15:14:08 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

It appears that one of the users on my system either had a password stolen, or gave it out. This was an account shared by several users to allow uploading of files to a particular directory. Some malicious user got hold of this, either from another user, or cracked it. He then accessed my box and proceeded to delete files from the directory, along with creating a directory saying something like "TMaN hacked this".

All I have, log-wise, that I can see is his connection in the wtmp file, and when the directory was created, which matches that time. I don't know where to look for any more details. ftpd was started up with the -l flag, but there's no syslog file or ftp.log file.

I have the IP address he's accessing from (he's coming from AOL) and the times of access. He's been logging back in over the past couple of days; I've changed the account password to shut him out, and there have been no other successful connections. The group that user was in only had rights to that directory, so I'm not too concerned about anything else being compromised, but I am keeping an eye out for it.

My question is: what can I do? Should I contact the FBI? (If so, if anyone who has had prior experience knows how best to go about this, I would appreciate the information.) Contact AOL (which seems to be a waste of time)? I highly suspect that it is the right IP address too: we run an IRC channel related to the webpage, and he has repeatedly evaded bans with that AOL account. He's not really smart enough to know how to go about cloaking himself.

Chad Day
Beach Associates

When I speak german... I think german in my head... but like...Do skript kiddies see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their h34d'5 w43n t43y R +a1k1n6 ? -- SirStanley

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-newbies" in the body of the message
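The post above has only two artefacts to work with: the wtmp login records (what `last` prints) and the creation time of the rogue directory. The following script, added here as an example and not part of the original message or of FreeBSD, does that correlation mechanically: it parses `last`-style lines, asks which sessions were open at a given moment, and tallies which hosts ever used the shared account. The sample lines, host names, the account name `upload` and the year 2000 are all constructed for the example; real `last` output varies slightly between systems (an empty host column, for instance), so the regex is an assumption about its shape, not a general wtmp parser. Note also that ftpd's `-l` messages go to syslog under the `ftp` facility, so they only land in a file if syslog.conf routes that facility somewhere; with no such entry, wtmp is indeed all that remains.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the style of `last` output (FreeBSD reads it from wtmp).
# Users, hosts and times are made up; only the line shape is realistic.
SAMPLE_LAST_OUTPUT = """\
upload    ftp     ACB1234.ipt.aol.com   Thu Jun  1 14:02 - 14:05  (00:03)
upload    ftp     ACB1234.ipt.aol.com   Thu Jun  1 18:30 - 18:40  (00:10)
alice     ftp     ws12.example.net      Thu Jun  1 09:00 - 09:05  (00:05)
upload    ftp     ACB9876.ipt.aol.com   Wed May 31 23:50 - 00:10  (00:20)
bob       ttyp0   console               Thu Jun  1 08:00   still logged in

wtmp begins Mon May  1 00:00
"""

# Assumed line shape: user, tty, host, start time, then either "- HH:MM"
# or "still logged in". Trailer and blank lines simply fail to match.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3}\s+\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+"
    r"(?:-\s+(?P<end>\d{2}:\d{2})|still logged in)"
)


@dataclass
class Session:
    user: str
    tty: str
    host: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open


def parse_last(text: str, year: int) -> List[Session]:
    """Parse `last`-style lines. wtmp records carry no year, so the caller
    supplies one (assumption: every line falls within that year)."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = LAST_LINE.match(line)
        if not m:
            continue
        start = datetime.strptime(m.group("start"), "%a %b %d %H:%M").replace(year=year)
        end = None
        if m.group("end"):
            hh, mm = map(int, m.group("end").split(":"))
            end = start.replace(hour=hh, minute=mm)
            if end < start:  # logout time is past midnight of the login day
                end += timedelta(days=1)
        sessions.append(Session(m.group("user"), m.group("tty"), m.group("host"), start, end))
    return sessions


def sessions_at(sessions: List[Session], when: datetime,
                user: Optional[str] = None) -> List[Session]:
    """Sessions open at `when` (open-ended sessions count as still active)."""
    return [
        s for s in sessions
        if (user is None or s.user == user)
        and s.start <= when <= (s.end if s.end else datetime.max)
    ]


def who_was_logged_in(text: str, year: int, when: str,
                      user: Optional[str] = None) -> List[str]:
    """Source hosts of sessions open at `when` ("YYYY-MM-DD HH:MM").
    Feed it the mtime of the rogue directory to find the session that made it."""
    moment = datetime.strptime(when, "%Y-%m-%d %H:%M")
    return [s.host for s in sessions_at(parse_last(text, year), moment, user)]


def hosts_for_user(text: str, year: int, user: str) -> Dict[str, int]:
    """How many sessions each remote host opened for `user`: on a shared
    account, an unfamiliar host here is the first thing to look at."""
    counts: Dict[str, int] = {}
    for s in parse_last(text, year):
        if s.user == user:
            counts[s.host] = counts.get(s.host, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed directory creation time for the demonstration.
    print("open at 2000-06-01 14:03:", who_was_logged_in(SAMPLE_LAST_OUTPUT, 2000, "2000-06-01 14:03"))
    print("upload account only:", who_was_logged_in(SAMPLE_LAST_OUTPUT, 2000, "2000-06-01 14:03", "upload"))
    print("hosts seen on 'upload':", hosts_for_user(SAMPLE_LAST_OUTPUT, 2000, "upload"))
```

On the real box, the input would be `last upload` (or `last` unfiltered) and the timestamp would come from `ls -ld --` or `stat` on the "hacked" directory; the script then names the session, and hence the remote host, that was connected when the directory appeared, which is exactly the evidence the poster matched by eye.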