Date: Sun, 23 Jun 1996 22:39:07 -0400 (EDT)
From: jaeger <jaeger@com>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: Amancio Hasty <hasty@rah.star-gate.com>, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <Pine.LNX.3.91.960623222628.9465C-100000@dhp.com>
In-Reply-To: <8378.835580425@time.cdrom.com>
On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> All we have are the "last" logs, which show:
>
> jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
> jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
>
> If someone at the Russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.

This appears to be a Dialup IP connection. If the machine logging the terminal server (or other dialup access device) wasn't root compromised, we should see some useful logs. Probably a stolen account. Because of the presence of the lastlog records and the generally good security of FreeBSD, I also suspect there was no root compromise on wcarchive. I'm concerned about the possibility of a DNS server compromise, given the unusual traceroute results of the intruder's IP. On another pessimistic note, I believe most of the telco switches in Russia are still crossbars, which could make any attempt to trace the intruder through the phone system fruitless. :<

> Jordan

-jaeger
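The correlation Jordan asks for above, parsing the minute-granularity records that "last" prints and re-expressing each session window in the remote site's time zone so it can be matched against that site's own terminal-server or dial-up accounting logs, as an added example that is not part of the original thread. It assumes the year 1996 (from the Date: header; "last" omits it), a UTC-7 offset for the logging host (the message calls it PST, but US Pacific is on daylight time in June) and an illustrative UTC+4 offset for the remote site; none of these offsets are facts the thread states, and the third sample record is constructed to exercise a session that crosses midnight.

```python
"""Correlate "last" log records across time zones (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions, not facts from the thread: year from the Date: header, the
# logging host on US Pacific daylight time (UTC-7 in June), and UTC+4 used
# purely to illustrate the remote side; replace once the remote site confirms.
YEAR = 1996
LOG_TZ = timezone(timedelta(hours=-7), "log host")
REMOTE_TZ = timezone(timedelta(hours=4), "remote site")

# Constructed sample: the two records quoted in the message, one constructed
# record that crosses midnight, and the trailer line "last" prints.
SAMPLE_LAST_OUTPUT = """\
jkh      ttyp2    a235.pu.ru       Sun Jun 23 16:50 - 17:18  (00:28)
jkh      ttyp3    a235.pu.ru       Sun Jun 23 15:00 - 15:34  (00:33)
jkh      ttyp4    a235.pu.ru       Sun Jun 23 23:50 - 00:10  (00:20)
wtmp begins Sat Jun  1 00:00
"""

# user tty host Dow Mon DD HH:MM - HH:MM (DURATION); duration may carry a
# day count as "D+HH:MM" for sessions longer than a day.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<dow>[A-Za-z]{3})\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<login>\d{2}:\d{2})\s+-\s+(?P<logout>\d{2}:\d{2})\s+"
    r"\((?P<dur>(?:\d+\+)?\d{1,2}:\d{2})\)\s*$"
)


@dataclass
class Session:
    user: str
    tty: str
    host: str
    login: datetime   # timezone-aware, in the logging host's zone
    logout: datetime


def _hhmm(text):
    hours, minutes = text.split(":")
    return int(hours), int(minutes)


def _duration(text):
    days = 0
    if "+" in text:
        day_part, text = text.split("+")
        days = int(day_part)
    hours, minutes = _hhmm(text)
    return timedelta(days=days, hours=hours, minutes=minutes)


def parse_last(text, year=YEAR, tz=LOG_TZ):
    """Rebuild absolute login/logout instants from "last" output."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue  # trailer, still-logged-in, crash/shutdown records
        day = datetime.strptime(f"{m['mon']} {m['day']} {year}", "%b %d %Y")
        lh, lm = _hhmm(m["login"])
        oh, om = _hhmm(m["logout"])
        login = day.replace(hour=lh, minute=lm, tzinfo=tz)
        logout = day.replace(hour=oh, minute=om, tzinfo=tz)
        duration = _duration(m["dur"])
        if logout < login:            # logout time is on the following day
            logout += timedelta(days=1)
        logout += timedelta(days=duration.days)  # whole days are only in (D+HH:MM)
        # "last" truncates both the printed clock times and the duration to
        # whole minutes, so the two may legitimately disagree by one minute;
        # anything larger means the record was misread or tampered with.
        if abs((logout - login) - duration) > timedelta(minutes=1):
            raise ValueError(f"duration does not match printed times: {line!r}")
        sessions.append(Session(m["user"], m["tty"], m["host"], login, logout))
    return sessions


def remote_window(session, remote_tz=REMOTE_TZ):
    """Return (start, end) of a session expressed in the remote site's zone."""
    return session.login.astimezone(remote_tz), session.logout.astimezone(remote_tz)


def correlate(text, year=YEAR, log_tz=LOG_TZ, remote_tz=REMOTE_TZ):
    """Tabulate each session as ISO timestamps in the remote zone."""
    rows = []
    for s in parse_last(text, year, log_tz):
        start, end = remote_window(s, remote_tz)
        rows.append((s.user, s.tty, s.host, start.isoformat(), end.isoformat()))
    return rows


if __name__ == "__main__":
    for row in correlate(SAMPLE_LAST_OUTPUT):
        print(*row)
```

Because "last" never prints the year or the logout date, the parser has to infer both: the year is supplied by the caller and a logout clock time earlier than the login is taken to be the next day, with the day count from a "D+HH:MM" duration added on top. The one-minute tolerance in the consistency check is deliberate; "last" rounds each field down independently, so a record such as "15:00 - 15:34 (00:33)" is normal, not evidence of a doctored wtmp.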