From owner-freebsd-hackers Mon Jun 24 10:44:01 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id KAA11331 for hackers-outgoing; Mon, 24 Jun 1996 10:44:01 -0700 (PDT)
Received: from haldjas.folklore.ee (Haldjas.folklore.ee [193.40.6.121]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA11249; Mon, 24 Jun 1996 10:43:36 -0700 (PDT)
Received: (from narvi@localhost) by haldjas.folklore.ee (8.6.12/8.6.12) id UAA26882; Mon, 24 Jun 1996 20:48:19 +0300
Date: Mon, 24 Jun 1996 20:48:18 +0300 (EET DST)
From: Narvi
To: jaeger
cc: "Jordan K. Hubbard", Amancio Hasty, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, jaeger wrote:

> On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:
>
> > All we have are the "last" logs, which show:
> >
> > jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
> > jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
> >
> > If someone at the Russian site could help correlate this time (PST) to
> > the local time at wherever a235.ru.pu came in from, we could at least
> > narrow down which user(s) it might have been.
>
> This appears to be a Dialup IP connection. If the machine logging
> the terminal server (or other dialup access device) wasn't root compromised,
> we should see some useful logs. Probably a stolen account.
>
> Because of the presence of the lastlog records and the generally
> good security of FreeBSD, I also suspect there was no root compromise on
> wcarchive. I'm concerned about the possibility of a DNS server compromise,
> given the unusual traceroute results of the intruder's IP.
>
> On another pessimistic note, I believe most of the telco switches in
> Russia are still crossbars, which could make any attempt to trace the
> intruder through the phone system fruitless. :<

You may be mistaken on that one... The phone calls in the former Soviet
Union used to be traceable :-( So it could be possible to find it out if
measures are taken urgently - and I think it has to be the owner of the
dial-up connection - provided there aren't hundreds of calls per day.

Sander

> > Jordan
>
> -jaeger
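The time correlation Jordan asks for above (matching the "last" sessions on wcarchive against the remote site's dial-up logs) as an added example; this is not code from the thread or from FreeBSD. It assumes the offsets shown in the Received: headers (-0700 for the FreeBSD host, +0300 for the Estonian/Russian side), a year of 1996 (omitted by "last"), and constructed sample lines copied from the quoted log.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two "last" lines quoted in the thread.
LAST_LINES = """\
jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
"""

# Assumed offsets, taken from the mail's Received: headers (-0700 / +0300);
# the year is assumed from the mail date because "last" does not print it.
LOCAL_TZ = timezone(timedelta(hours=-7), "PDT")
REMOTE_TZ = timezone(timedelta(hours=3), "EET DST")
YEAR = 1996

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>\w{3}) (?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<start>\d{2}:\d{2})"
    r" - (?P<end>\d{2}:\d{2})"
)

def parse_last_line(line):
    """Parse one BSD 'last' line into an aware start/end pair, or None."""
    m = LAST_RE.match(line)
    if not m:
        return None
    base = datetime.strptime(f"{m['mon']} {m['day']} {YEAR}", "%b %d %Y")

    def at(hhmm):
        h, mi = map(int, hhmm.split(":"))
        return base.replace(hour=h, minute=mi, tzinfo=LOCAL_TZ)

    start, end = at(m["start"]), at(m["end"])
    if end < start:           # logout time wrapped past local midnight
        end += timedelta(days=1)
    return {"user": m["user"], "tty": m["tty"], "host": m["host"],
            "start": start, "end": end}

def correlate(text):
    """Return (host, tty, remote_start, remote_end) tuples in the remote zone,
    i.e. the window the remote admin should search in their dial-up logs."""
    out = []
    for line in text.splitlines():
        s = parse_last_line(line)
        if s:
            rs = s["start"].astimezone(REMOTE_TZ)
            rend = s["end"].astimezone(REMOTE_TZ)
            out.append((s["host"], s["tty"], rs.strftime("%Y-%m-%d %H:%M"),
                        rend.strftime("%Y-%m-%d %H:%M")))
    return out
```

Note that the sessions fall on June 24 local time at the remote end, so searching only June 23 in the dial-up logs would miss them.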