I have an interesting question for everyone. As of Friday, my machine was
hacked. Not a problem, I caught it fairly easily. I did do something that
most people probably do *NOT* do. I fixed the prob that allowed him to get
in, but I'm continuing to allow him to run rampant in the account he isn't
aware that I know exists. His app that is giving him access is currently
running its merry little butt off..
Basically, he's running a distributed attack daemon, being controlled via an
eggdrop bot, connected to IRC. In the process of looking at the logs, etc, I
now have a fairly *VAST* amount of knowledge regarding this little bugger,
along with other sites he's hacked from, who have the same hole in them. The
question is..
What can I *DO* with all this data? I've now started to monitor the output
logs from the stupid eggdrop hack, currently running as 'netserver', which is,
of course, currently connected to EFNet. I have tcpsnoop logging all of the
data coming into that application. Technically, right now I could hijack this
twink's network, because he's ordering it by using public chat commands. I've
seen them come. He occasionally ftp's into the box to check to ensure the
account is still valid. I'm looking at this $%@#^&$%@&@$%*&.
Now I know, leaving my box open is dangerous. But I can wipe this box
without much of an effort. I won't lose anything.
But damn it, I want this little &$*%#^&#%&&#%^*#%^()&(%^.
Any suggestions? He currently has hacked at least 24 other machines, running
similar apps, running on the same server. He's using a package available at
http://www.punk.uk.net/botpack1.3.tgz, which looks like a standard IRC bot hack
setup. I intend to inform the other machine administrators that he's
broken, but for now, I'm logging it with all my might.
Frustratingly yours..
One *VERY PO'd* individual..
---
Thomas Charron
<< Wanted: One decent sig >>
<< Preferably little used >>
<< and stored in garage. ?>>
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
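The post describes the two signals that gave the intruder away: a daemon sitting on an IRC connection under an account nobody should be using, and periodic FTP logins to that same account. The script below is an added example by the editor, not code from the poster or from the botpack he names, showing how a host owner can turn those observations into a repeatable check and collect the remote hosts to pass on to the other administrators. Everything in it is an assumption for illustration: the five-column connection listing format, the IRC port list, the allowlist of legitimate IRC clients, the dormant-account list, and the FTP log format; the sample records are constructed, with only the process name `netserver` taken from the post.

```python
import re
from dataclasses import dataclass

# Common IRC server ports, plain and TLS (assumption: extend for your network).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# IRC clients a human on this box legitimately runs (assumed allowlist).
KNOWN_IRC_CLIENTS = {"irssi", "weechat", "bitchx"}

# Accounts nobody should be using: dormant, or the one the intruder is living in.
# Constructed names for this example.
DORMANT_ACCOUNTS = {"tmpacct", "guest"}


@dataclass(frozen=True)
class Conn:
    user: str
    process: str
    local: str    # "addr:port"
    remote: str   # "addr:port"
    state: str

    @property
    def remote_host(self) -> str:
        return self.remote.rsplit(":", 1)[0]

    @property
    def remote_port(self) -> int:
        return int(self.remote.rsplit(":", 1)[1])


def parse_conn(line: str) -> Conn:
    """Parse one record of the constructed listing: user process local remote state."""
    user, process, local, remote, state = line.split()
    return Conn(user, process, local, remote, state)


def irc_findings(lines):
    """Flag established IRC connections from unexpected processes or dormant accounts."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        c = parse_conn(line)
        if c.state != "ESTABLISHED" or c.remote_port not in IRC_PORTS:
            continue
        if c.process not in KNOWN_IRC_CLIENTS:
            findings.append(("irc-unexpected-process", c.user, c.process, c.remote))
        if c.user in DORMANT_ACCOUNTS:
            findings.append(("irc-dormant-account", c.user, c.process, c.remote))
    return findings


# Constructed FTP log format for the example; real ftpd logs differ.
FTP_LOGIN = re.compile(r"LOGIN user=(\S+) from=(\S+)")


def ftp_findings(log_lines):
    """Flag successful FTP logins to dormant accounts."""
    findings = []
    for line in log_lines:
        m = FTP_LOGIN.search(line)
        if m and m.group(1) in DORMANT_ACCOUNTS:
            findings.append(("ftp-dormant-account", m.group(1), m.group(2)))
    return findings


def related_hosts(irc, ftp):
    """Collect the remote hosts tied to flagged activity, ready to share with other admins."""
    hosts = {f[3].rsplit(":", 1)[0] for f in irc}
    hosts |= {f[2] for f in ftp}
    return hosts


# Constructed sample data (not real output from the poster's box).
CONNECTIONS = """\
# user      process    local              remote               state
tcharron    irssi      10.0.0.5:40001     198.51.100.7:6667    ESTABLISHED
tmpacct     netserver  10.0.0.5:40002     192.0.2.10:6667      ESTABLISHED
www         httpd      10.0.0.5:80        203.0.113.9:51000    ESTABLISHED
tmpacct     netserver  10.0.0.5:40003     192.0.2.11:113       TIME_WAIT
"""

FTP_LOG = """\
ftpd: LOGIN user=tcharron from=10.0.0.20
ftpd: LOGIN user=tmpacct from=192.0.2.10
ftpd: FAILED user=root from=192.0.2.10
"""

if __name__ == "__main__":
    irc = irc_findings(CONNECTIONS.splitlines())
    ftp = ftp_findings(FTP_LOG.splitlines())
    for f in irc + ftp:
        print(*f)
    print("hosts to report:", sorted(related_hosts(irc, ftp)))
```

Run against the sample data it reports the `netserver` process on the dormant account twice (unexpected client, dormant account), the FTP login to that account, and a single host to hand to the other administrators. The legitimate irssi session, the web server traffic and the closed connection are not reported.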