Break-In Attempt -- Now What?

Peter King peter.king-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Tue Nov 30 16:00:29 UTC 2004


Yesterday someone tried to break into my system (behind a firewall with
only port 22 open for ssh), apparently running some sort of kit: a few
thousand attempts in about seven minutes, most trying for "obvious"
names (web server root admin and so on). I caught this about two hours
later while reviewing my logfiles, which, in addition to faithfully
logging all the break-in attempts, also snagged the intruder's IP
address.

Two hours later? Well, what the hell, I thought, and ran traceroute on
it. And there it was: the computer from which the attacks had been
launched was up and running on the net somewhere (I think Korea but it
wasn't entirely clear from traceroute).

So, why not? I ran nmap against it, with a no-ping scan and OS
detection.

Lo and behold, a Linux 2.4.7 system with a spate of wide-open ports,
including ftp (!). I tried it, and it permitted anonymous ftp, though
apparently chrooted: I couldn't discover anything about its identity.
Also imap, pop3, ssh, and a few filtered ports (irc and the netbios
suite among them).

Okay, NOW WHAT?

I found the computer, and even have limited access to it; apart from
wanting to take it down as payback, I had and have no clue what to do
next. The Voice Over My Shoulder told me to give it up and go back to
rechecking those firewall rules. But I can't help but think if I just
knew a bit more, I could do something -- like find out the guy's ISP and
send them a note about cracker attempts.

Advice? Suggestions? (Other than "Get a life" I mean.)

-- 
Peter King			 	peter.king-H217xnMUJC0sA/PxXw9srA at public.gmane.org
Department of Philosophy
215 Huron Street
The University of Toronto		    (416)-978-3788 ofc
Toronto, ON  M5S 1A1
       CANADA

http://individual.utoronto.ca/pking/

=========================================================================
GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC  36F5 1FE6 D32A 7587 EC42)
gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
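The log review that caught this attempt can be automated: the script below, an added example that is not part of the original post, parses sshd "Failed password" lines in the syslog format of the era, finds any source that piles up failures within a short window, and summarises the timestamps and usernames tried, which is the material an abuse report to the source's ISP would need. The log lines, host name and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log excerpt in classic syslog format (not from the post).
SAMPLE_LOG = """\
Nov 29 13:02:17 box sshd[2291]: Failed password for invalid user web from 203.0.113.7 port 40101 ssh2
Nov 29 13:02:18 box sshd[2293]: Failed password for invalid user server from 203.0.113.7 port 40102 ssh2
Nov 29 13:02:18 box sshd[2295]: Failed password for root from 203.0.113.7 port 40103 ssh2
Nov 29 13:02:19 box sshd[2297]: Failed password for invalid user admin from 203.0.113.7 port 40104 ssh2
Nov 29 13:09:03 box sshd[2410]: Failed password for invalid user test from 203.0.113.7 port 40990 ssh2
Nov 29 15:11:40 box sshd[2602]: Failed password for peter from 198.51.100.4 port 51022 ssh2
Nov 29 15:11:55 box sshd[2604]: Accepted password for peter from 198.51.100.4 port 51023 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2004):
    """Yield (timestamp, username, source_ip) for every failed sshd login."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            stamp = " ".join(m["ts"].split())  # collapse "Nov  9" to "Nov 9"
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_bursts(log_text, threshold=4, window_minutes=10):
    """Return {ip: summary} for sources with >= threshold failures in any window."""
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        per_ip[ip].append((ts, user))
    bursts = {}
    for ip, events in per_ip.items():
        events.sort()
        peak, start = 0, 0
        for end, (ts, _) in enumerate(events):  # sliding window over sorted events
            while (ts - events[start][0]).total_seconds() > window_minutes * 60:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = {
                "total": len(events), "peak_in_window": peak,
                "first": events[0][0].isoformat(), "last": events[-1][0].isoformat(),
                "usernames": sorted({u for _, u in events}),
            }
    return bursts
```

Run `find_bursts(open("/var/log/auth.log").read())` against a real file to get the same per-source summary; the single failed login from the second address stays below the threshold and is not reported.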