The following is *NOT* legal advice.
Mitchell Brown wrote:
> Here's the scoop:
>
> Shaw calls me, tells me that my domain (untitled1.ca

Are you sure?

> <http://untitled1.ca>) has been port scanning big companies (their
> clients) for the last month - if it doesn't stop, they'll press charges.

Whoaaa!

> My hosting provider says that he's 99% sure it's not their
> server, as they have up to date PHP and MySQL and run rootkit checks
> every night.

Good. So that leaves two possibilities.

> * Some rogue computer has a *.untitled1.ca dns entry stamped all
> over their IP

Which actually means nothing. Start with the IP owner. Really, they should be going by the IP. Somebody owns that IP and is ultimately responsible for its security and behavior (and also its reverse DNS). The crap will flow downhill from there. Likely the guy on the phone is clueless and likes to scare people.

The law is not a fast process. You do not use lawyers if you want something done quickly. Always ask for identification (name, rep number, department, supervisor are not bad things to ask for) and record the information as well as the time of day and the phone number they called from. I have had some experience, as I had a similar situation with a server in the US and a misbehaving client (libel, in case you were curious). This sounds fishy to me. You are not Shaw's customer; they should not be contacting you.

> * My host isn't as right as he thinks he is

This is certainly possible. Hubris sets you up for a terrible fall.

> As a precaution, I've wiped out the MySQL database on the website. My
> hosting provider disabled DNS resolution until I give him notice as
> well. At this point, I'm looking for options. I don't wanna get sued...
> Here's my plan of action, I'd be grateful for input

I have seen more than a few worms get in via bad PHP code. Some precautions: I keep the web root on its own partition, with noexec and nosuid in the fstab. If possible, avoid programs that are not compatible with PHP safe mode.
/tmp is its own partition with noexec. ALL mount points have extended ACLs configured. This is really worth learning. Also, nmap, gcc, nessus etc. do not belong on production servers!

> 1. Call Shaw in the morning, get the specific ip address of the hacker

This is what they should be doing. Using reverse DNS is lame. They should not give out that information anyway, as it should be the police who get this info (ironically, they may violate FOIP by giving you this info). You should only be informed if it is your IP; in your case, you don't actually own your IP, your provider does (he or she may be leasing it from someone else, but the point is that I highly doubt that you "own" the IP itself).

> 2. See if that IP has a DNS entry for my domain

Doesn't really matter. host xxx.xxx.xxx.xxx will tell you what the reverse DNS is, but that doesn't really mean anything. whois -h whois.geektools.com xxx.xxx.xxx.xxx will tell you who owns the IP. (Tip: I alias this in my .bashrc, e.g. alias whois="whois -h whois.geektools.com")

> 3. If 2 = true, then KICK THAT PERSON'S ASS

Not your job.

> 4. If 2 = false, then KICK HOST'S ASS

Also not your job. Since it is Shaw being attacked, it is really up to them to involve the appropriate law enforcement agency. You will likely not be able to figure out whose ass to kick, no offense, but they are likely better at hiding than you are at finding. Assuming, of course, that your box has not been compromised and is not in fact the source of the port scanning. Like Shawn said, do the due diligence part, document your steps, and make *sure* that your box is secure.

> Sigh. This is the end of my rant for the moment. God give me strength!

<flame bait snipped...>
I have very strong thoughts on this, but they are not appropriate for this list :)

_______________________________________________
clug-talk mailing list
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
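The mount-hardening advice in the reply above (web root and /tmp on their own partitions, mounted noexec and nosuid so that anything a worm drops there cannot run), as an added example that is not part of the original clug-talk thread: a POSIX sh audit that checks an fstab for those options, run against a constructed weak fstab and a constructed hardened one. The /var/www web root, the device names and the ext3 type are assumptions for the example; on a real host you would point check_mount at /etc/fstab.

```shell
#!/bin/sh
# Added example, not code from the original clug-talk thread: audit an
# fstab for the mount hardening the reply recommends (/tmp and the web
# root on their own partitions, mounted noexec/nosuid). Device names and
# the /var/www web root below are assumptions for the example.

# mount_opts FSTAB MOUNTPOINT
# Prints the options column of MOUNTPOINT's entry; exit 1 if it has none
# (i.e. it is not a separate mount and simply inherits its parent's options).
mount_opts() {
    awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp { print $4; found = 1 }
        END { if (!found) exit 1 }
    ' "$1"
}

# has_opt OPTS NAME -> 0 if NAME appears in the comma-separated OPTS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount FSTAB MOUNTPOINT OPT...
# 0 if MOUNTPOINT has its own entry carrying every OPT; reports what is missing.
check_mount() {
    fstab=$1; mp=$2; shift 2
    opts=$(mount_opts "$fstab" "$mp") || {
        echo "$mp: not a separate mount (inherits parent options)"
        return 1
    }
    rc=0
    for o in "$@"; do
        has_opt "$opts" "$o" || { echo "$mp: missing $o (have: $opts)"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "$mp: ok ($opts)"
    return "$rc"
}

# Constructed sample fstabs: the weak single-filesystem layout and the hardened one.
WEAK_FSTAB=$(mktemp)
HARDENED_FSTAB=$(mktemp)
trap 'rm -f "$WEAK_FSTAB" "$HARDENED_FSTAB"' EXIT

cat >"$WEAK_FSTAB" <<'EOF'
# everything on one filesystem: /tmp and the web root are executable
/dev/sda1  /     ext3  defaults  1 1
/dev/sda2  swap  swap  defaults  0 0
EOF

cat >"$HARDENED_FSTAB" <<'EOF'
# separate partitions; nothing dropped into /tmp or the web root can run
/dev/sda1  /         ext3  defaults             1 1
/dev/sda2  swap      swap  defaults             0 0
/dev/sda3  /tmp      ext3  noexec,nosuid,nodev  0 2
/dev/sda4  /var/www  ext3  noexec,nosuid,nodev  0 2
EOF

# Run the audit over both layouts; the weak one fails every check.
for f in "$WEAK_FSTAB" "$HARDENED_FSTAB"; do
    echo "== $f"
    check_mount "$f" /tmp noexec || :
    check_mount "$f" /var/www noexec nosuid || :
done
```

fstab only says what will be mounted at boot, so on a live system compare the result with the output of `mount` as well. The reverse-DNS and IP-owner lookups the reply mentions (`host` and `whois -h whois.geektools.com`) need the network and are deliberately not scripted here.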

