
BLU Discuss list archive



Site defaced - what next?



On Fri, Aug 06, 2004 at 10:29:20AM -0400, Greg Rundlett wrote:
> My site was owned and defaced.  
> 
........<SNIPPED>..........
> 
> Anyway, there isn't a significant financial loss involved in this, it is 
> more a nuisance since my site is informational.  But still, my question 
> to the group is what if anything should be done to hunt down the 
> script-kiddie who defaced the page.  Is there any regulatory body that 
> ISPs report these incidents to?

Whoever did it broke some laws, so it is a crime; unfortunately, the FBI
won't move on it unless you lost at least $10K.

That said, however, definitely file a report with the Police or FBI.
Adding more numbers to that category of crime will raise the budgetary
value of enforcing those laws at all levels and so eventually law
enforcement will get more resources to follow up, but only if we report
the crimes.

As for finding the SOB, if the guilty party can be positively identified 
it would be helpful to everyone to know who it is.  If they are local
I would certainly want to be aware of their activities. 

If they are not local, the community which they live in is probably
interested in knowing who they are and what they do as well.


Did the server get rooted as well, or just defaced?  If it's not rooted,
then you may have some log file information that may be useful.  (Of
course, even if it's there, it may not help; it depends on the sophistication
of the attacker.)

Also - would you consider putting up a honeypot?  If they attacked once,
they may try again and it would be much easier to find out who it is 
if a honeypot is active.


> 
> ps. This is not in any way connected to running a CVS pserver -- an 
> earlier thread discussed the vulnerabilities therein.
> 
> -- 
> FREePHILE
> We are 'Open' for Business
> Free and Open Source Software
> http://www.freephile.com
> (978) 270-2425
> If you are smart enough to know that you're not smart enough to be an
> Engineer, then you're in Business.
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 

-- 
Our father, which art in Redmond, Monopoly be thy name.
Thy empire come, thy OS never done, shipping as it is in development 

Give us this day, our daily bug And forgive address violations
as we forgive those viruses that trespass against us

Lead us not unto competition but deliver us from Choice
For thine is the license, the revenue and the greed forever. Amen
========================================== 

Linux and Open Source.  The New Base.  

Now All your base belongs to you, for free.

Jeff Kinz, Emergent Research, Hudson, MA.




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org