From owner-freebsd-hackers Tue Jun 25 14:13:55 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id OAA21056 for hackers-outgoing; Tue, 25 Jun 1996 14:13:55 -0700 (PDT)
Received: from mail.think.com (Mail1.Think.COM [131.239.33.245])
    by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id OAA21042 for ;
    Tue, 25 Jun 1996 14:13:51 -0700 (PDT)
Received: from Early-Bird-1.Think.COM by mail.think.com;
    Tue, 25 Jun 96 16:52:11 -0400
Received: from compound.Think.COM by Early-Bird.Think.COM;
    Tue, 25 Jun 96 17:13:32 EDT
Received: (from alk@localhost) by compound.Think.COM (8.7.5/8.7.3)
    id QAA20467; Tue, 25 Jun 1996 16:16:45 -0500 (CDT)
Date: Tue, 25 Jun 1996 16:16:45 -0500 (CDT)
From: Tony Kimball
Message-Id: <199606252116.QAA20467@compound.Think.COM>
To: jbhunt@mercury.gaianet.net
Cc: hackers@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I suggest inducing the user to repeat her exploit. Take the system down.
Wipe the user's directory. Bring it up, with a motd reporting a disk crash,
and partial restoration. Log everything the user does.

Or, you might just *ask*. Most folks who hack a random ISP system do it
for fun, and love to brag about it.