I was more or less forgetting about the person, learning from your mistakes, and going
from there... yes, you should not disable anything or do anything to try and scare them
off if you want to log/monitor what they're doing. I've never had it happen to me, so I
was just saying what I _would_ do, had it happened to me.

"Kenneth E. Lussier" wrote:

> I mostly agree with all of this. There is, however, one *MAJOR* point
> that I disagree with. The point that I disagree with is disabling the
> account. Before I get jumped all over for this, there is a good reason
> for it. By letting him continue to use the system, his activities can be
> tracked. This is extremely important in computer forensics.  The first
> thing that should be done is to notify a higher power. The person or
> people that have cracked the system have committed several federal
> crimes, and you have a chance to stop them. Let the intruder play for a
> few days, then pull the network cable on the system. That way you have
> all of the evidence that you need. Don't reinstall the box. Keep it as
> well preserved as possible. That way, when the time comes to put him/her
> away, you have a really big nail for his/her coffin.
>
> If you want an in-depth strategy guide, I suggest the SANS guide to
> incident response @
> http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm .
>
> MNSHO,
> Kenny
>
> Tony Lambiris wrote:
> >
> > First, you disable his account, contact the admins of the other hacked boxes, see
> > if you can trace his IP and find a little info on him (you should at least be able
> > to get what ISP he uses).
> >
> > Now on securing your box. You'd better reinstall, that's all I have to say. I'm
> > taking a shot in the dark here, but you were running Red Hat 6.2 w/ wu-ftp (2.6.0)
> > with anonymous access enabled? A few pointers after you get your reinstall.
> >
> > DISABLE EVERYTHING YOU DO NOT NEED. This also means anonymous access to your
> > account. I bet I could find at least 10 things wrong with the way your system was
> > set up (i.e. sendmail, apache, etc...).
> > Put some good firewall rules in. I'm not going to go into this, but the book
> > Building Linux and OpenBSD Firewalls proves invaluable to me.
> >
> > You might also want to think about what kind of information your services are
> > giving to people (i.e. a default 404 for Apache yields its version number, a
> > default connect to sendmail will tell you its version number.) I know most would
> > call this security through obscurity, but let me tell you it goes a long way.
> >
> > Also, if this was a dedicated server, you might want to consider running OpenBSD.
> >
> > Thomas Charron wrote:
> >
> > >   I have an interesting question for everyone.  As of Friday, my machine was
> > > hacked.  Not a problem, I caught it fairly easily.  I did do something that
> > > most people probably do *NOT* do.  I fixed the prob that allowed him to get
> > > in, but I'm continuing to allow him to run rampant in the account he isn't
> > > aware that I know exists.  His app that is giving him access is currently
> > > running its merry little butt off..
> > >
> > >   Basically, he's running a distributed attack daemon, being controlled via an
> > > eggdrop bot, connected to IRC.  In the process of looking at the logs, etc, I
> > > now have a fairly *VAST* amount of knowledge regarding this little bugger,
> > > along with other sites he's hacked from, who have the same hole in them.  The
> > > question is..
> > >
> > >   What can I *DO* with all this data?  I've now started to monitor the output
> > > logs from the stupid eggdrop hack, currently running as 'netserver', which is,
> > > of course, currently connected to EFNet.  I have tcpsnoop logging all of the
> > > data coming into that application.  Technically, right now I could hijack this
> > > twink's network, because he's ordering it by using public chat commands.  I've
> > > seen them come.  He occasionally ftp's into the box to check to ensure the
> > > account is still valid.  I'm looking at this $%@#^&$%@&@$%*&.
> > >
> > >   Now I know, leaving my box open is dangerous.  But I can wipe this box
> > > without much of an effort.  I won't lose anything.
> > >
> > >   But damn it, I want this little &$*%#^&#%&&#%^*#%^()&(%^.
> > >
> > >   Any suggestions?  He currently has hacked at least 24 other machines, running
> > > similar apps, running on the same server.  He's using a package available at
> > > http://www.punk.uk.net/botpack1.3.tgz, which looks like a standard IRC bot hack
> > > setup.  I intend on informing the other machine administrators that he's
> > > broken in, but for now, I'm logging it with all my might.
> > >
> > >   Frustratingly yours..
> > >
> > >   One *VERY PO'd* individual..
> > >
> > > ---
> > > Thomas Charron
> > > << Wanted: One decent sig >>
> > > << Preferably little used >>
> > > << and stored in garage.  >>
> > >
> > > **********************************************************
> > > To unsubscribe from this list, send mail to
> > > [EMAIL PROTECTED] with the following text in the
> > > *body* (*not* the subject line) of the letter:
> > > unsubscribe gnhlug
> > > **********************************************************
> >


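The original post describes watching an eggdrop-style bot take its orders over public IRC channel messages while tcpsnoop logs the socket. Below is an added example, written for this thread and not code from any of the posters or from eggdrop, of what you do with such a capture: parse the standard IRC line grammar (optional :prefix, command, middle parameters, optional :trailing), work out the bot's own nick and channel from the server welcome and its JOIN, and separate the controller's commands from ordinary chatter so you end up with the operator's hostmask and the hosts he was pointing the bot at. The CAPTURE bytes are a constructed sample imitating server-to-client lines as a socket logger would see them; the '.' command prefix and the command names are assumptions about this particular bot, not facts from the thread.

```python
"""Extract bot-control commands from a captured IRC session.

Added example for this thread; not the poster's code and not eggdrop's.
CAPTURE is a constructed sample of server-to-client IRC lines. The '.'
command prefix is an assumption about the bot being discussed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample capture (not real traffic). Hostnames/addresses are
# documentation ranges; the command names are invented for illustration.
CAPTURE = b"""
:irc.example.net 001 netserver :Welcome to EFNet netserver
:netserver!~bot@victim.example.org JOIN :#botz
:operator!~op@dialup-12.isp.example.net PRIVMSG #botz :.login s3cret
:operator!~op@dialup-12.isp.example.net PRIVMSG #botz :.udp 203.0.113.7 1024 60
:someone!~x@host.example.com PRIVMSG #botz :hi all
:operator!~op@dialup-12.isp.example.net PRIVMSG netserver :.status
PING :irc.example.net
:operator!~op@dialup-12.isp.example.net PRIVMSG #botz :.tcp 198.51.100.2 80 30
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Session:
    bot_nick: Optional[str] = None
    channels: Set[str] = field(default_factory=set)
    # (sender hostmask, target, text) for messages that look like bot control
    commands: List[Tuple[str, str, str]] = field(default_factory=list)
    # everything else said to the bot or its channel
    chatter: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one IRC line into (prefix, COMMAND, params).

    The first ' :' starts the trailing parameter, which may contain spaces,
    so it is split off before the middle parameters are whitespace-split.
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if sep:
        words.append(trailing)
    if not words:
        raise ValueError("empty IRC line")
    return prefix, words[0].upper(), words[1:]


def nick_of(hostmask: str) -> str:
    """'nick!user@host' -> 'nick'."""
    return hostmask.split("!", 1)[0]


def analyze(capture: bytes, cmd_prefix: str = ".") -> Session:
    """Walk the capture and classify PRIVMSGs addressed to the bot."""
    s = Session()
    for raw in capture.splitlines():
        # IRC has no mandated encoding; latin-1 never fails to decode.
        line = raw.decode("latin-1").rstrip("\r")
        if not line:
            continue
        prefix, cmd, params = parse_irc_line(line)
        if cmd == "001" and params:
            s.bot_nick = params[0]            # server welcome names our nick
        elif cmd == "JOIN" and params and prefix and nick_of(prefix) == s.bot_nick:
            s.channels.add(params[0])         # only the bot's own JOINs
        elif cmd == "PRIVMSG" and len(params) == 2 and prefix:
            target, text = params
            addressed_to_bot = target in s.channels or target == s.bot_nick
            if addressed_to_bot and text.startswith(cmd_prefix):
                s.commands.append((prefix, target, text))
            elif addressed_to_bot:
                s.chatter.append((prefix, target, text))
    return s


def operators(s: Session) -> Dict[str, int]:
    """Hostmasks that issued control commands, most active first."""
    return dict(Counter(sender for sender, _, _ in s.commands).most_common())


def attack_targets(s: Session) -> Set[str]:
    """IPv4 addresses named in control commands, i.e. the hosts being hit."""
    return {ip for _, _, text in s.commands for ip in IPV4.findall(text)}


if __name__ == "__main__":
    session = analyze(CAPTURE)
    print("bot nick:", session.bot_nick, "channels:", sorted(session.channels))
    for mask, n in operators(session).items():
        print(f"controller {mask} sent {n} commands")
    for sender, target, text in session.commands:
        print(f"  {nick_of(sender)} -> {target}: {text}")
    print("targets:", sorted(attack_targets(session)))
```

The hostmask in `operators()` is what you hand to the other administrators and to the controller's ISP (the "what ISP he uses" point earlier in the thread), and `attack_targets()` gives you the victims to notify. Keep the raw capture file and its hash alongside this summary; the summary is for reading, the capture is the evidence.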