
BLU Discuss list archive



Site defaced - what next?



Nobody (any law enforcing body) cares unless you lost lots of money.
Hunting down the script kiddie is pointless because another one will
replace him. Besides, what are you going to do... slap his wrists?

BAD KIDDIE

-miah

On Fri, Aug 06, 2004 at 10:29:20AM -0400, Greg Rundlett wrote:
> My site was owned and defaced.  It looks like the mediawiki script that 
> I recently installed to create a free-software community may have opened 
> the 'door' to the site being compromised.  This is unconfirmed however.
> 
> With the little investigation that I've had time to do, it looks like 
> the cracker may have used a wiki script that I have to open an 'image' 
> or remote file that was actually a php script which in combination with 
> allow_url_fopen would allow arbitrary code to be executed on the host.  
> In turn, the 'image' (a shell creation script) was used to rewrite 
> directories and files.  The homepage itself is just a plain (Microsoft 
> Frontpage) htm file.
> 
> Anyway, there isn't a significant financial loss involved in this, it is 
> more a nuisance since my site is informational.  But still, my question 
> to the group is what if anything should be done to hunt down the 
> script-kiddie who defaced the page.  Is there any regulatory body that 
> ISPs report these incidents to?
> 
> I contacted my ISP, and I downloaded a copy of the site to do my own 
> local forensic investigation.
> 
> ps. This is not in any way connected to running a CVS pserver -- an 
> earlier thread discussed the vulnerabilities therein.
> 
> -- 
> FREePHILE
> We are 'Open' for Business
> Free and Open Source Software
> http://www.freephile.com
> (978) 270-2425
> If you are smart enough to know that you're not smart enough to be an
> Engineer, then you're in Business.
> 
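
For the local forensic pass over a downloaded copy of the site that the quoted message mentions, one way to flag 'image' files that actually contain PHP is sketched here. This is an added example, not part of the original thread; the function names, the extension list, the finding labels and the sample files are all assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
# Leading magic bytes for GIF, JPEG and PNG files.
MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")
# Only <?php and <?= are matched; a bare <? occurs by chance in binary data.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Constructed sample files: a clean GIF, PHP text named .gif, a polyglot JPEG.
SAMPLES = {
    "images/logo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    "images/upload.gif": b"<?php /* constructed placeholder */ ?>",
    "wiki/banner.jpg": b"\xff\xd8\xff\xe0JFIF\x00<?php /* constructed */ ?>",
    "wiki/notes.txt": b"<?php skipped: not an image file name ?>",
}


def classify(path):
    """Return findings for one image-named file; an empty list means it looks clean."""
    data = Path(path).read_bytes()
    checks = {"no-image-magic": not data.startswith(MAGIC),
              "php-open-tag": bool(PHP_TAG.search(data))}
    return [name for name, hit in checks.items() if hit]


def scan_site(root):
    """Walk a site copy; return {relative path: findings} for suspicious files."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            findings = classify(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def demo():
    """Write the constructed SAMPLES to a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan_site(tmp)


if __name__ == "__main__":
    print(demo())
```

A file that keeps a valid image header but still carries a PHP open tag is reported as well, since a header check alone does not rule out embedded code.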




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
