Date: Mon, 24 Jun 1996 20:48:18 +0300 (EET DST)
From: Narvi <narvi@haldjas.folklore.ee>
To: jaeger <jaeger@com>
Cc: "Jordan K. Hubbard" <jkh@time.cdrom.com>, Amancio Hasty <hasty@rah.star-gate.com>, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <Pine.BSF.3.91.960624204601.25097D-100000@haldjas.folklore.ee>
In-Reply-To: <Pine.LNX.3.91.960623222628.9465C-100000@dhp.com>
On Sun, 23 Jun 1996, jaeger wrote:

> On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:
>
> > All we have are the "last" logs, which show:
> >
> > jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
> > jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
> >
> > If someone at the Russian site could help correlate this time (PST) to
> > the local time at wherever a235.ru.pu came in from, we could at least
> > narrow down which user(s) it might have been.
>
> This appears to be a Dialup IP connection. If the machine logging
> the terminal server (or other dialup access device) wasn't root compromised,
> we should see some useful logs. Probably a stolen account.
> Because of the presence of the lastlog records and the generally
> good security of FreeBSD, I also suspect there was no root compromise on
> wcarchive. I'm concerned about the possibility of a DNS server compromise,
> given the unusual traceroute results of the intruder's IP.
> On another pessimistic note, I believe most of the telco switches in
> Russia are still crossbars, which could make any attempt to trace the
> intruder through the phone system fruitless. :<

You may be mistaken on that one... Phone calls in the former Soviet Union
used to be traceable :-( So it could be possible to find out if measures
are taken urgently - and I think it has to be the owner of the dial-up
connection - provided there aren't hundreds of calls per day.

Sander

> > Jordan
>
> -jaeger
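One way to do the time correlation Jordan asks for above, as an added example that is not part of the thread: it parses the quoted `last` lines and re-expresses each session window in a candidate remote time zone so it can be matched against the dial-up server's own logs. The offsets are assumptions (wcarchive's clock on US Pacific daylight time, UTC-7, in June 1996 even though the message says "PST"; the remote side on UTC+4), as is the year, which `last` output omits.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the two "last" lines quoted in the thread.
LAST_LOG = """\
jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
"""

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>\w{3})\s+(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<login>\d\d:\d\d)\s+-\s+(?P<logout>\d\d:\d\d)\s+\((?P<dur>[^)]*)\)$"
)

# Assumed, not stated on the page: the logging host's clock was on US
# Pacific daylight time (UTC-7) in June 1996, and `last` printed no year.
LOCAL_TZ = timezone(timedelta(hours=-7))
YEAR = 1996

def parse_last(text, year=YEAR, tz=LOCAL_TZ):
    """Return one dict per session with timezone-aware login/logout times."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line.strip())
        if not m:
            continue  # skip "wtmp begins ..." footers and blank lines
        def stamp(hhmm):
            naive = datetime.strptime(f"{year} {m['mon']} {m['day']} {hhmm}",
                                      "%Y %b %d %H:%M")
            return naive.replace(tzinfo=tz)
        login, logout = stamp(m["login"]), stamp(m["logout"])
        if logout < login:          # session ran past local midnight
            logout += timedelta(days=1)
        sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                         "login": login, "logout": logout})
    return sessions

def windows_in(sessions, hours_east):
    """Each session as (host, start, end) ISO strings in a UTC+hours_east zone."""
    tz = timezone(timedelta(hours=hours_east))
    return [(s["host"], s["login"].astimezone(tz).isoformat(),
             s["logout"].astimezone(tz).isoformat()) for s in sessions]

if __name__ == "__main__":
    # Assumed remote zone: UTC+4 (Moscow summer time in 1996).
    for host, start, end in windows_in(parse_last(LAST_LOG), 4):
        print(f"{host}: {start} .. {end}")
```

Note that both sessions land on 24 June in the UTC+4 zone, so a remote operator searching only the 23rd would miss them.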