Date:      Sun, 23 Jun 1996 22:39:07 -0400 (EDT)
From:      jaeger <jaeger@com>
To:        "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc:        Amancio Hasty <hasty@rah.star-gate.com>, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject:   Re: I need help on this one - please help me track this guy down! 
Message-ID:  <Pine.LNX.3.91.960623222628.9465C-100000@dhp.com>
In-Reply-To: <8378.835580425@time.cdrom.com>



On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> All we have are the "last" logs, which show:
> 
> jkh       ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
> jkh       ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)
> 
> If someone at the russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.
> 
	This appears to be a Dialup IP connection.  If the machine logging
the terminal server (or other dialup access device) wasn't root compromised,
we should see some useful logs.  Probably a stolen account.
	Because of the presence of the lastlog records and the generally
good security of FreeBSD, I also suspect there was no root compromise on
wcarchive.  I'm concerned about the possibility of a DNS server compromise,
given the unusual traceroute results of the intruder's IP.
	On another pessimistic note, I believe most of the telco switches in
Russia are still crossbars, which could make any attempt to trace the
intruder through the phone system fruitless. :<
> 
> 					Jordan
> 
-jaeger
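The correlation Jordan asks for above (turning `last` entries from wcarchive into a search window the remote site's admin can use) is easy to get wrong: `last` prints no year, truncates to minutes, and records the logging host's local time. The following is an added example, not code from this thread or from FreeBSD. It parses the two `last` lines quoted above (embedded as constructed sample input), takes the year 1996 from the Date: header, and makes two assumptions that are labelled in the code: the host's clock was on Pacific daylight time (UTC-7) in late June, and the remote site is on Moscow summer time (UTC+4). Both offsets can be replaced by `zoneinfo.ZoneInfo("America/Los_Angeles")` and `ZoneInfo("Europe/Moscow")` where tzdata with 1996 rules is installed.

```python
"""Normalise FreeBSD `last` output to UTC and to a remote site's local time.

Added example for the thread above; not code from the original mail or from
FreeBSD.  Time zones are assumptions (see LOCAL_TZ / REMOTE_TZ).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample: the two `last` lines quoted in the thread.
LAST_OUTPUT = """\
jkh       ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
jkh       ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)
"""

# `last` prints no year; the caller must supply it (here: from the Date: header).
LOG_YEAR = 1996

# Assumed fixed offsets.  ZoneInfo("America/Los_Angeles") and
# ZoneInfo("Europe/Moscow") would derive them from tzdata for 1996 instead.
LOCAL_TZ = timezone(timedelta(hours=-7), "PDT")   # assumption: wcarchive on PDT
REMOTE_TZ = timezone(timedelta(hours=4), "MSD")   # assumption: remote site on MSD

# user tty host Dow Mon DD HH:MM - HH:MM (D+HH:MM); lines like "wtmp begins ..." don't match.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>[A-Za-z]{3})\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<start>\d{2}:\d{2})\s+-\s+(?P<end>\d{2}:\d{2})\s+"
    r"\((?:(?P<days>\d+)\+)?(?P<hh>\d{2}):(?P<mm>\d{2})\)\s*$"
)


@dataclass(frozen=True)
class Session:
    user: str
    tty: str
    host: str
    start: datetime        # tz-aware, in the logging host's zone
    end: datetime
    logged: timedelta      # duration exactly as `last` printed it

    @property
    def span(self) -> timedelta:
        return self.end - self.start

    def in_zone(self, tz: tzinfo):
        return self.start.astimezone(tz), self.end.astimezone(tz)

    def duration_plausible(self) -> bool:
        # `last` truncates seconds, so the printed duration can differ from
        # end - start by one minute (the 15:00 - 15:34 / (00:33) line above).
        # A larger gap means the line was mis-parsed or tampered with.
        return abs(self.span - self.logged) <= timedelta(minutes=1)


def parse_last_line(line: str, year: int, tz: tzinfo):
    """Parse one `last` line; return a Session or None for non-session lines."""
    m = LAST_RE.match(line)
    if m is None:
        return None

    def stamp(hhmm: str) -> datetime:
        return datetime.strptime(
            f"{year} {m['mon']} {m['day']} {hhmm}", "%Y %b %d %H:%M"
        ).replace(tzinfo=tz)

    start, end = stamp(m["start"]), stamp(m["end"])
    if end < start:            # session crossed local midnight
        end += timedelta(days=1)
    logged = timedelta(days=int(m["days"] or 0),
                       hours=int(m["hh"]), minutes=int(m["mm"]))
    return Session(m["user"], m["tty"], m["host"], start, end, logged)


def parse_last(text: str, year: int, tz: tzinfo):
    return [s for s in (parse_last_line(l, year, tz) for l in text.splitlines())
            if s is not None]


def correlate(text: str, year: int, local_tz: tzinfo, remote_tz: tzinfo):
    """One row per session: UTC start plus the remote-local window to search."""
    rows = []
    for s in parse_last(text, year, local_tz):
        r_start, r_end = s.in_zone(remote_tz)
        rows.append({
            "user": s.user, "tty": s.tty, "host": s.host,
            "utc_start": s.start.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M"),
            "remote_start": r_start.strftime("%Y-%m-%d %H:%M %Z"),
            "remote_end": r_end.strftime("%Y-%m-%d %H:%M %Z"),
            "duration_plausible": s.duration_plausible(),
        })
    return rows


if __name__ == "__main__":
    for row in correlate(LAST_OUTPUT, LOG_YEAR, LOCAL_TZ, REMOTE_TZ):
        print(row)
```

Under these assumptions both sessions land in the early hours of 24 June at the remote site, which is the window its terminal-server logs would have to be searched in. The `duration_plausible` check is worth keeping when `last` output is all you have: the second quoted line already shows the one-minute slack that minute-granularity introduces, and anything larger is a sign the record does not describe a single continuous session.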


