From owner-freebsd-newbies Fri Jun 2 7: 9:50 2000
Delivered-To: freebsd-newbies@freebsd.org
Received: from gw.Adl.USSR.net (digita1.lnk.telstra.net [139.130.137.85]) by hub.freebsd.org (Postfix) with ESMTP id 3102F37B91B for ; Fri, 2 Jun 2000 07:09:44 -0700 (PDT) (envelope-from wabit@adl.ussr.net)
Received: from localhost (wabit@localhost) by gw.Adl.USSR.net (8.10.1/8.10.1) with ESMTP id e52E9Uf23033; Fri, 2 Jun 2000 23:39:30 +0930 (CST)
Date: Fri, 2 Jun 2000 23:39:29 +0930 (CST)
From: james
To: Chad Day
Cc: "'freebsd-newbies@freebsd.org'"
Subject: Re: System intrusion followup.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Chad,

Thanks for the message, and the warning about "Unauthorized access prohibited" messages....

/etc/ftpwelcome contains the ftp motd, where is the file that is displayed before the login prompt? - or are we limited to displaying something after they've connected, via /etc/motd ?

regards
james

On Fri, 2 Jun 2000, Chad Day wrote:

> Date: Fri, 2 Jun 2000 09:56:31 -0400
> From: Chad Day
> To: "'freebsd-newbies@freebsd.org'"
> Subject: System intrusion followup.
>
> Well, just got off the phone with the FBI, and the local police department
> came by and took a report last evening.
>
> The FBI seemed pretty knowledgeable and really willing to go after the guy,
> even though our estimated loss was only $2-3k, and they say they usually
> require $10k.. but since the logs are pretty open and shut and it should be
> an easy matter to pursue, he said they are very likely to go ahead after the
> guy.
>
> One thing I did learn: make sure you have a banner on your FTP login and
> telnet login saying something like: "UNAUTHORIZED ACCESS PROHIBITED". I
> didn't have that. :( Rookie mistake, lesson learned.
>
> The officer from the local police wasn't too technologically there, but I
> was able to talk her through a lot of it and wrote down my version of what
> happened, and she seemed to get the gist of everything after a while.
>
> AOL, of course, did jack and you know what. After being disconnected after
> long hold periods, they kindly told me that they won't take any actions
> regardless of evidence unless the police/FBI contacted them.
>
>
>
> Me: "I have his IP address, he's coming from AOL, but they wouldn't give me
> any more information."
> FBI: "They'll give it to US."
>
> Ahh, go FBI. :)
>
> Anyway.. things I've learned that may be of value to other newbies..
>
> Make sure you have ftp/telnet banners with usage policies
> You can trust your users about as far as you can throw them
> Keep very detailed ftp logs.. ftpd -l -l
> and AOL sucks, but you knew that already.
>
> Thanks to everyone who has emailed me with advice.
>
> Chad Day
> Beach Associates
>
> When I speak german... I think german in my head... but like...Do skript
> kiddies see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their
> h34d'5 w43n t43y R +a1k1n6 ? -- SirStanley
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-newbies" in the body of the message