Break-In Attempt -- Now What?

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Nov 30 16:09:59 UTC 2004


On Tue, Nov 30, 2004 at 11:00:29AM -0500, Peter King wrote:
> Yesterday someone tried to break into my system (behind a firewall with
> only port 22 open for ssh), apparently running some sort of kit: a few
> thousand attempts in about seven minutes, most trying for "obvious"
> names (web server root admin and so on). I caught this about two hours
> later while reviewing my logfiles, which, in addition to faithfully
> logging all the break-in attempts, also snagged the intruder's IP
> address.
> 
> Two hours later? Well, what the hell, I thought, and ran traceroute on
> it. And there it was: the computer from which the attacks had been
> launched was up and running on the net somewhere (I think Korea but it
> wasn't entirely clear from traceroute).
> 
> So, why not? I ran nmap against it, with a no-ping scan and OS
> detection.
> 
> Lo and behold, a Linux 2.4.7 system with a spate of wide-open ports,
> including ftp (!). I tried it, and it permitted anonymous ftp, though
> apparently chrooted: I couldn't discover anything about its identity.
> Also imap, pop3, ssh, and a few filtered ports (irc and the netbios
> suite among them).
> 
> Okay, NOW WHAT?
> 
> I found the computer, and even have limited access to it; apart from
> wanting to take it down as payback, I had and have no clue what to do
> next. The Voice Over My Shoulder told me to give it up and go back to
> rechecking those firewall rules. But I can't help but think if I just
> knew a bit more, I could do something -- like find out the guy's ISP and
> send them a note about cracker attempts.
> 
> Advice? Suggestions? (Other than "Get a life" I mean.)

I suspect most likely you will just discover that the machine you found
has been successfully cracked, and is being used to try and crack more
machines.  After all, if the "cracker" has any brains they wouldn't be
doing it from their own machine, would they?

Lennart Sorensen
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
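The burst Peter describes (thousands of failed logins from one address inside a few minutes, cycling "obvious" usernames) is easy to pick out of the logs automatically instead of by hand two hours later. The following is an added example, not code from the thread or from the TLUG list: it parses sshd "Failed password" lines and flags any source address that racks up a threshold of failures inside a sliding time window. The sample log lines, the threshold and window values, and the helper names are all constructed for the example.

```python
# Added example: detect SSH password brute-force bursts in sshd auth log lines.
# Log lines, thresholds and function names below are constructed, not from the thread.
import re
from collections import defaultdict
from datetime import datetime

# Matches both "Failed password for invalid user admin from A.B.C.D" and
# "Failed password for root from A.B.C.D" (syslog format, no year in the stamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(lines, year=2004):
    """Return a list of (timestamp, source_ip, username) for every failed login."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events

def find_bursts(events, threshold=20, window_s=420):
    """Map source_ip -> (peak failures in any window_s span, usernames tried)."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    bursts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            n = end - start + 1
            if n >= threshold and n > bursts.get(ip, (0, []))[0]:
                bursts[ip] = (n, sorted({u for _, u in evs[start:end + 1]}))
    return bursts

def sample_log():
    """Constructed log: one source cycling obvious names, one benign typo."""
    users = ["root", "admin", "web", "test", "oracle"]
    lines = []
    for i in range(25):  # one attempt every 15 s, about six minutes in total
        mm, ss = divmod(i * 15, 60)
        u = users[i % 5]
        who = u if u == "root" else f"invalid user {u}"
        lines.append(f"Nov 29 03:{10 + mm:02d}:{ss:02d} gw sshd[{900 + i}]: "
                     f"Failed password for {who} from 203.0.113.5 port {4000 + i} ssh2")
    lines.append("Nov 29 09:30:02 gw sshd[2001]: Failed password for peter from 198.51.100.7 port 5151 ssh2")
    lines.append("Nov 29 09:30:09 gw sshd[2001]: Accepted password for peter from 198.51.100.7 port 5151 ssh2")
    return lines
```

Feeding real `/var/log/auth.log` lines into `parse_failures` instead of `sample_log()` gives the list of addresses and usernames to quote in an abuse report to the source ISP.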