BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

this don't look good

Subject: this don't look good
From: jkinz at kinz.org (Jeff Kinz)
Date: Wed, 25 Jan 2006 08:00:34 -0500
In-reply-to: <1138193156.25653.6.camel@adler.photodetection.com>; from adler@stephenadler.com on Wed, Jan 25, 2006 at 07:45:56AM -0500
References: <1138193156.25653.6.camel@adler.photodetection.com>

On Wed, Jan 25, 2006 at 07:45:56AM -0500, Stephen Adler wrote:
> guess what..... I've just issued a last -a on my PC and look what came
> up... a bunch of people have broken into my root account. Any
> suggestions as to how I should proceed?
> 

Log all the time you spend working on it (see below)

Perhaps monitor the system to see what IRC/IM channels they are using.

Take the system off the network, remove any data you need (No scripts, no
executables, no libraries, nothing executable)

Do forensics to see if you can find out how they got in

Reformat the hard drives and re-install.

Set up a honeypot on your public IP

reconnect system to net

Calculate a labor rate that gets you above the FBI minimum for actually
looking into the problem  (FBI_MIN/#_of_hours_Worked) 

Report intrusion to the FBI with amount of damages
(use nearest office, with a written report that summarizes what you
found)

Notify FBI when the attackers "break in again" to the honeypot.

If the FBI sees you a reliable source of info about ongoing computer
crime they may actually try to do something about it.  Most of the time
they don't have any resources available for this.  They are just
overwhelmed.

> root     pts/12       Wed Jan 25 06:49   still logged in 230.red-217-127-235.staticip.rima-tde.net
> root     pts/10       Wed Jan 25 01:56   still logged in 230.red-217-127-235.staticip.rima-tde.net
> root     pts/10       Tue Jan 24 23:03 - 23:40  (00:37) 62-14-84-170.inversas.jazztel.es
> root     pts/10       Tue Jan 24 21:04 - 21:39  (00:34) 62-14-84-170.inversas.jazztel.es
> root     pts/10       Mon Jan 23 21:03 - 21:16  (00:12) accf43bc.ipt.aol.com
> root     pts/12       Mon Jan 23 20:57 - 00:09  (03:11) 62-14-84-170.inversas.jazztel.es

> adler    pts/11       Mon Jan 23 20:56   still logged in    :0.0

^^^^^^    : this one looks especially dangerous.  
            Perhaps a member of a "T: cell ?


-- 
Jeff Kinz, Emergent Research, Hudson, MA.
speech recognition software may have been used to create this e-mail

"The greatest dangers to liberty lurk in insidious encroachment by men
of zeal, well-meaning but without understanding." - Brandeis

To think contrary to one's era is heroism. But to speak against it is
madness. -- Eugene Ionesco

References:
- this don't look good
  - From: adler at stephenadler.com (Stephen Adler)

Prev by Date: this don't look good
Next by Date: this don't look good
Previous by thread: this don't look good
Next by thread: this don't look good
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org