Break-In Attempt -- Now What?

Carlos O'Donell carlos-kL/bm3VtGb86eWUC2bWwdA at public.gmane.org
Wed Dec 1 18:38:54 UTC 2004


> Okay, NOW WHAT?
> 
> I found the computer, and even have limited access to it; apart from
> wanting to take it down as payback, I had and have no clue what to do
> next. The Voice Over My Shoulder told me to give it up and go back to
> rechecking those firewall rules. But I can't help but think if I just
> knew a bit more, I could do something -- like find out the guy's ISP and
> send them a note about cracker attempts.
> 
> Advice? Suggestions? (Other than "Get a life" I mean.)

You need to locate the user's ISP, and attempt to make contact. I've done
this before, but the language barrier might be too high. Not only that
but the ISP team might even think you're just spamming them.

If you do contact them do not under any circumstance tell them that you
scanned the remote server. You could get in trouble for that yourself,
if they contact *your* ISP... you can just imagine the conversation.

Aside from the above suggestions...

a. Relax, get a beer.
b. Add more firewall rules.
c. Use hosts.allow heavily. Only allow ssh from certain places.
d. Update yourself on the rootkit he attempted to use on your box.
e. Add rules that auto-block such attempts in the future?

That's it really. Welcome to the internet.

Cheers,
Carlos.

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
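
Suggestions (c) and (e) from the reply above, sketched as an added example that is not part of the original message: count failed sshd password attempts per source address and emit hosts.deny entries, skipping a trusted allow list. It assumes OpenSSH-style "Failed password" log lines and an sshd that honours tcp_wrappers; the function names, threshold and sample log (documentation address ranges) are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log, not from the post. The last line carries a username
# crafted to look like a source address (log injection against naive parsers).
SAMPLE_LOG = """\
Dec  1 03:12:01 box sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Dec  1 03:12:03 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Dec  1 03:12:05 box sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40114 ssh2
Dec  1 03:15:40 box sshd[2110]: Failed password for carlos from 192.0.2.10 port 51515 ssh2
Dec  1 03:15:44 box sshd[2110]: Failed password for carlos from 192.0.2.10 port 51515 ssh2
Dec  1 03:15:47 box sshd[2110]: Failed password for carlos from 192.0.2.10 port 51515 ssh2
Dec  1 04:01:00 box sshd[2200]: Failed password for root from 198.51.100.23 port 2222 ssh2
Dec  1 04:01:02 box sshd[2201]: Failed password for invalid user x from 198.51.100.99 port 1 from 198.51.100.23 port 2223 ssh2
"""

# Greedy ".*" plus the "$" anchor means only the final "from <addr> port <n>"
# is trusted; anything earlier on the line is attacker-controlled username text.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def failed_counts(log_text):
    """Return a Counter of failed password attempts keyed by source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[ip_address(m.group(1))] += 1
        except ValueError:
            continue  # not a literal address (hostname or garbage): skip it
    return counts

def deny_lines(log_text, trusted, threshold=3):
    """Return hosts.deny entries for sources at or over the threshold.

    Addresses inside any network in `trusted` are never blocked, so a
    mistyped password from a known location does not lock its owner out.
    """
    nets = [ip_network(n) for n in trusted]
    counts = failed_counts(log_text)
    out = []
    for addr in sorted(counts, key=lambda a: (a.version, int(a))):
        if counts[addr] >= threshold and not any(addr in net for net in nets):
            out.append(f"sshd: {addr}")
    return out
```

Review the output before appending it to /etc/hosts.deny; the trusted list should mirror whatever hosts.allow already permits.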




