From owner-freebsd-newbies Fri Jun 2 6:56:50 2000
Delivered-To: freebsd-newbies@freebsd.org
Received: from beachpdc1.beachassociates.com (beachpdc1.beachassociates.com [208.246.80.6]) by hub.freebsd.org (Postfix) with ESMTP id 59CC137BA01 for ; Fri, 2 Jun 2000 06:56:39 -0700 (PDT) (envelope-from cday@beachassociates.com)
Received: by beachpdc1.beachassociates.com with Internet Mail Service (5.5.2448.0) id ; Fri, 2 Jun 2000 09:56:36 -0400
Message-ID:
From: Chad Day
To: "'freebsd-newbies@freebsd.org'"
Subject: System intrusion followup.
Date: Fri, 2 Jun 2000 09:56:31 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Well, just got off the phone with the FBI, and the local police department came by and took a report last evening. The FBI seemed pretty knowledgeable and really willing to go after the guy, even though our estimated loss was only $2-3k, and they say they usually require $10k.. but since the logs are pretty open and shut and it should be an easy matter to pursue, he said they are very likely to go ahead after the guy.

One thing I did learn: make sure you have a banner on your FTP login and telnet login saying something like: "UNAUTHORIZED ACCESS PROHIBITED". I didn't have that. :( Rookie mistake, lesson learned.

The officer from the local police wasn't too technologically there, but I was able to talk her through a lot of it and wrote down my version of what happened, and she seemed to get the gist of everything after a while.

AOL, of course, did jack and you know what. After being disconnected after long hold periods, they kindly told me that they won't take any action regardless of evidence unless the police/FBI contacted them.

Me: "I have his IP address, he's coming from AOL, but they wouldn't give me any more information."
FBI: "They'll give it to US."

Ahh, go FBI. :)

Anyway.. things I've learned that may be of value to other newbies..

Make sure you have ftp/telnet banners with usage policies.
You can trust your users about as far as you can throw them.
Keep very detailed ftp logs.. ftpd -l -l
And AOL sucks, but you knew that already.

Thanks to everyone who has emailed me with advice.

Chad Day
Beach Associates

When I speak German... I think German in my head... but like... Do skript kiddies see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their h34d'5 w43n t43y R +a1k1n6 ? -- SirStanley

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-newbies" in the body of the message
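The two configuration lessons in the post above (a login banner and "ftpd -l -l") as a worked example. This is an added example, not code from the post or from FreeBSD itself. It assumes a FreeBSD-style /etc/inetd.conf entry for ftpd, that ftpd(8) shows /etc/ftpwelcome before the login prompt, and that one -l logs logins while a second -l also logs transfers; the inetd line, the hostnames and the syslog excerpt are constructed, and the exact log wording is taken from memory of ftpd(8) rather than from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD sources).
# Assumes a FreeBSD-style /etc/inetd.conf and ftpd(8) syslog output;
# the inetd line, hostnames and log sample below are constructed.

# inetd.conf entry with double logging: one -l logs each successful and
# failed login, a second -l additionally logs every file get/put.
FTPD_INETD_LINE='ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l -l'

# Count the -l flags on the active ftp entry of an inetd.conf read from
# stdin. Prints 2 for full logging, 1 for logins only, 0 when the ftp
# service is absent, commented out, or started without -l.
ftpd_log_level() {
    awk '$1 == "ftp" && $6 ~ /ftpd$/ {
             n = 0
             for (i = 8; i <= NF; i++) if ($i == "-l") n++
             print n; found = 1; exit
         }
         END { if (!found) print 0 }'
}

# Pre-login banner: ftpd prints /etc/ftpwelcome before asking for a name
# (ftpd(8)). Takes the destination path as $1 so it can be exercised on a
# temporary file instead of the real /etc.
write_ftp_banner() {
    printf '%s\n' \
        'UNAUTHORIZED ACCESS PROHIBITED.' \
        'This system is for authorized users only. All connections,' \
        'logins and transfers are logged.' > "$1"
}

# Constructed syslog excerpt in the shape ftpd -l -l writes: failed logins,
# a successful login and a per-transfer line (wording assumed from ftpd(8)).
SAMPLE_LOG='Jun  1 22:14:02 gw ftpd[8811]: FTP LOGIN FAILED FROM dialup-1.example.net, cday
Jun  1 22:14:09 gw ftpd[8811]: FTP LOGIN FAILED FROM dialup-1.example.net, root
Jun  1 22:14:31 gw ftpd[8811]: FTP LOGIN FROM dialup-1.example.net as cday
Jun  1 22:15:02 gw ftpd[8811]: get /home/cday/clients.tgz = 40960 bytes
Jun  1 23:01:45 gw ftpd[8902]: FTP LOGIN FROM office.example.com as jdoe'

# Per-remote-host login summary, "host failed=N ok=M", one line per host,
# sorted; reads the log on stdin. Several failures from one host followed
# by a success is the pattern worth handing over together with the raw log.
ftp_login_summary() {
    awk '/FTP LOGIN FAILED FROM/ { h = $10; sub(/,$/, "", h); fail[h]++; hosts[h] = 1; next }
         /FTP LOGIN FROM/        { h = $9;  ok[h]++;   hosts[h] = 1 }
         END { for (h in hosts) printf "%s failed=%d ok=%d\n", h, fail[h] + 0, ok[h] + 0 }' | sort
}

# Example run; nothing here touches /etc.
printf '%s\n' "$FTPD_INETD_LINE" | ftpd_log_level
printf '%s\n' "$SAMPLE_LOG" | ftp_login_summary
```

To apply the lesson on a real box: edit the ftp line in /etc/inetd.conf to carry -l -l, send inetd a HUP, and put the banner text in /etc/ftpwelcome; ftpd_log_level run against the edited file should then print 2. The summary function is deliberately field-based and simple so it can be checked by eye against the raw lines before anyone is asked to act on it.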