Date: Thu, 01 Jun 2000 13:05:26 -0700
From: Doug King <dking@malf.net>
To: Chad Day <cday@beachassociates.com>, "'freebsd-newbies@freebsd.org'" <freebsd-newbies@FreeBSD.ORG>
Subject: Re: System intrusion
Message-ID: <3936C217.C615F2CD@malf.net>
References: <A8D9B16D2196D2118B6E00A0C9E307F423857A@beachpdc1.beachassociates.com>
Hi Chad,

It's not really clear just who has jurisdiction... certainly, the FBI does, since this guy probably used a "means of interstate commerce" to hack you... even if he actually came from "next door". The problem is that if it's a "common hack" with less than $50,000 damage, they're not going to be interested. (Exception... if there is evidence that you were hacked to stifle speech (in other words, an act of "Cyber-terrorism"), they'll be less interested in the amount of damage, and more interested in the *kind* of speech that was being attacked (the more "politically correct", the better).)

Your local police *also* have jurisdiction, as well as the police where the hacker lives. In this case, your locals might be interested, but they are likely not terribly technologically sophisticated... so they'll likely want to see "physical evidence" (like fingerprints, DNA samples, and pry-bar marks on the covers of your computer), since that is what they DO understand. The locals where the hacker lives will only be interested if they can catch the hacker while he is in the process of hacking you.

BTW... my credentials for commenting... I'm the "tech admin" that is referenced in this Salon article: http://www.salon.com/tech/feature/1999/05/26/guns_veggies/index.html

The hacker in that case used a qpopper exploit to gain root access... which we detected almost instantly... Then, (s)he changed the root password and started destroying stuff. We tried to intervene... but unfortunately, the machine was colocated, and we couldn't get the co-lo facilities manager to pull the plug on the box before the hacker executed a "rm -rf /*"... almost an hour after we asked that the machine be unplugged. Sigh...

To the best of my knowledge, the FBI is still pursuing that case, albeit not very vigorously... Last I heard, they had served a search warrant on the gun site and found lots of veiled threats against the Nelsons, but nothing (directly) linking the site to the Vegsource hack.
Hope this (not very encouraging) story helps...

Doug King

Chad Day wrote:
>
> It appears that one of the users on my system either had a password stolen,
> or gave it out. This was an account shared by several users to allow
> uploading of files to a particular directory.
>
> Some malicious user got a hold of this, either from another user, or cracked
> it. He then accessed my box and proceeded to delete files from the
> directory, along with creating a directory saying something like "TMaN
> hacked this".
>
> All I have logwise that I can see is his connection in the wtmp file, and
> when the directory was created, which matches that time. I don't know where
> to look for any more details. ftpd was started up with the -l flag, but
> there's no syslog file or ftp.log file.
>
> I have his IP address he's accessing from (he's coming from AOL) and the
> times of access.. he's been logging back in over the past couple of days. I've
> changed the account password to shut him out; no other successful
> connections. The group that user was in only had rights to that directory,
> so I'm not too concerned about anything else being compromised, but I am
> keeping an eye out for it.
>
> My question is: what can I do? Should I contact the FBI? (If so, if
> anyone who has had prior experience knows how best to go about this, I would
> appreciate information.) Contact AOL (which seems to be a waste of time)?
>
> I highly suspect that is the right IP address too - we run an IRC channel
> related to the webpage, and he has repeatedly evaded bans with that AOL
> account.. he's not really smart enough to know how to go about cloaking
> himself.
>
> Chad Day
> Beach Associates
>
> When I speak German... I think German in my head... but like... Do skript
> kiddies see a w40l3 8uncha 1's and 0's and 3's and 4's and 7's in their
> h34d'5 w43n t43y R +a1k1n6 ?
> -- SirStanley
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-newbies" in the body of the message
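As an added example that is not part of the thread: a small Python script that does what Chad describes doing by hand, namely reading the wtmp sessions as last(1) prints them and listing which logins to the shared upload account were open at the moment the "TMaN hacked this" directory was created. The last(1) lines, host names, times and the directory ctime below are all constructed.

```python
"""Correlate wtmp sessions (as printed by last(1) on FreeBSD) with the time a
suspicious directory appeared. Added example, not from the thread; last omits
the year, so the caller supplies it. All sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Session:
    user: str
    tty: str
    host: str
    login: datetime
    logout: "datetime | None"  # None means "still logged in"

# user tty host weekday "May 31 01:07" then "- 01:09" or "still logged in".
# Lines without a host column (local logins, reboot records) are skipped.
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+\w{3}\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2})\s+"
    r"(?:-\s+(\d{2}:\d{2})|still logged in)")

def parse_last(text, year):
    sessions = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        user, tty, host, start, end = m.groups()
        login = datetime.strptime(f"{start} {year}", "%b %d %H:%M %Y")
        logout = None
        if end is not None:
            hour, minute = map(int, end.split(":"))
            logout = login.replace(hour=hour, minute=minute)
            if logout < login:  # logout clock earlier than login: crossed midnight
                logout += timedelta(days=1)
        sessions.append(Session(user, tty, host, login, logout))
    return sessions

def sessions_open_at(sessions, when, account=None, slack=timedelta(minutes=1)):
    """Sessions (only `account`'s if given) open at `when`; wtmp has one-minute
    resolution, so `slack` widens each session window on both sides."""
    return [s for s in sessions
            if (account is None or s.user == account)
            and s.login - slack <= when
            and (s.logout is None or when <= s.logout + slack)]

SAMPLE_LAST = """\
upload   ftp      AC8D1234.ipt.aol.com  Tue May 30 22:14 - 22:31  (00:17)
chad     ttyp0    10.0.0.5              Tue May 30 21:02 - 23:40  (02:38)
upload   ftp      AC8D9ABC.ipt.aol.com  Wed May 31 01:07 - 01:09  (00:02)
upload   ftp      192.0.2.44            Wed May 31 09:55   still logged in
"""
DIR_CREATED = datetime(2000, 5, 31, 1, 8)  # constructed ctime of the rogue directory
for s in sessions_open_at(parse_last(SAMPLE_LAST, 2000), DIR_CREATED, "upload"):
    print(s.user, s.host, s.login, s.logout)  # only the 01:07-01:09 AOL session
```

The session that comes back is the one whose host and time window to quote when reporting the abuse; a session that is still open or that spans midnight is handled, not dropped.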