From owner-freebsd-hackers Sun Jun 23 19:39:18 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id TAA14906 for hackers-outgoing; Sun, 23 Jun 1996 19:39:18 -0700 (PDT)
Received: from dhp.com (dhp.com [199.245.105.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id TAA14895; Sun, 23 Jun 1996 19:39:10 -0700 (PDT)
Received: (from jaeger@localhost) by dhp.com (8.7.5/8.6.12) id WAA09944; Sun, 23 Jun 1996 22:39:07 -0400
Date: Sun, 23 Jun 1996 22:39:07 -0400 (EDT)
From: jaeger
To: "Jordan K. Hubbard"
cc: Amancio Hasty, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <8378.835580425@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> All we have are the "last" logs, which show:
>
> jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
> jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
>
> If someone at the Russian site could help correlate this time (PST) to
> the local time at wherever a235.ru.pu came in from, we could at least
> narrow down which user(s) it might have been.
>

This appears to be a Dialup IP connection. If the machine logging the terminal server (or other dialup access device) wasn't root compromised, we should see some useful logs. Probably a stolen account.

Because of the presence of the lastlog records and the generally good security of FreeBSD, I also suspect there was no root compromise on wcarchive. I'm concerned about the possibility of a DNS server compromise, given the unusual traceroute results of the intruder's IP.

On another pessimistic note, I believe most of the telco switches in Russia are still crossbars, which could make any attempt to trace the intruder through the phone system fruitless. :<

> > Jordan
>

-jaeger
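As an added illustration of the correlation step Jordan asks for (example code written for this page, not from the thread or from FreeBSD): it parses the two `last` records quoted above, converts each session to UTC using the server's offset, and produces the window on the remote site's clock in which the dialup server's own logs should be searched. It assumes the year 1996 and a server offset of UTC-7 (the Received headers show PDT, although the message says PST); the remote offset is a parameter, since the thread does not say where a235.pu.ru dialled in from, and the +4 used in the demo run is an assumption.

```python
# Added example: turn `last` records into UTC intervals and a remote-clock search window.
# Year and server offset are taken from the message; the remote offset is caller-supplied.
import re
from datetime import datetime, timedelta, timezone

# The two `last` records as quoted in the message (`last` prints no year).
LAST_LINES = """\
jkh ttyp2 a235.pu.ru Sun Jun 23 16:50 - 17:18 (00:28)
jkh ttyp3 a235.pu.ru Sun Jun 23 15:00 - 15:34 (00:33)
"""

LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+\w{3}\s+(?P<mon>\w{3})\s+"
    r"(?P<day>\d{1,2})\s+(?P<start>\d{2}:\d{2})\s+(?:-\s+)?"
    r"(?P<end>\d{2}:\d{2}|still logged in|crash|down)"
)

def parse_last(text, year, server_utc_offset_hours):
    """Return sessions with aware UTC start/end; end is None if still open or unknown."""
    tz = timezone(timedelta(hours=server_utc_offset_hours))
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:
            continue  # skip "wtmp begins ..." and other non-record lines
        start = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['start']}",
                                  "%Y %b %d %H:%M").replace(tzinfo=tz)
        end = None
        if ":" in m["end"]:
            end = start.replace(hour=int(m["end"][:2]), minute=int(m["end"][3:]))
            if end < start:              # session crossed the server's local midnight
                end += timedelta(days=1)
            end = end.astimezone(timezone.utc)
        sessions.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                         "start_utc": start.astimezone(timezone.utc), "end_utc": end})
    return sessions

def search_window(session, remote_utc_offset_hours, slack_minutes=5):
    """Session bounds on the remote site's clock, widened to absorb clock skew."""
    rtz = timezone(timedelta(hours=remote_utc_offset_hours))
    slack = timedelta(minutes=slack_minutes)
    lo = (session["start_utc"] - slack).astimezone(rtz)
    hi = None if session["end_utc"] is None else (session["end_utc"] + slack).astimezone(rtz)
    return lo, hi

if __name__ == "__main__":
    for s in parse_last(LAST_LINES, 1996, -7):
        lo, hi = search_window(s, 4)     # +4 is an assumed remote offset, not from the thread
        print(f"{s['user']} from {s['host']}: check remote logs {lo:%Y-%m-%d %H:%M} to {hi:%H:%M}")
```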