Break-In Attempt -- Now What?

Charly Baker
Tue Nov 30 16:31:25 UTC 2004


On Tuesday November 30 2004 11:00 am, Peter King wrote:
> Yesterday someone tried to break into my system (behind a firewall with
> only port 22 open for ssh), apparently running some sort of kit: a few
> thousand attempts in about seven minutes, most trying for "obvious"
> names (web server root admin and so on). I caught this about two hours
> later while reviewing my logfiles, which, in addition to faithfully
> logging all the break-in attempts, also snagged the intruder's IP
> address.
>
> Two hours later? Well, what the hell, I thought, and ran traceroute on
> it. And there it was: the computer from which the attacks had been
> launched was up and running on the net somewhere (I think Korea but it
> wasn't entirely clear from traceroute).
>
> So, why not? I ran nmap against it, with a no-ping scan and OS
> detection.
>
> Lo and behold, a Linux 2.4.7 system with a spate of wide-open ports,
> including ftp (!). I tried it, and it permitted anonymous ftp, though
> apparently chrooted: I couldn't discover anything about its identity.
> Also imap, pop3, ssh, and a few filtered ports (irc and the netbios
> suite among them).
>
> Okay, NOW WHAT?
You're the philosopher, so even if you could hack this guy, you should be able
to figure out whether or not you should. If his ISP is responsible, then
report him; in any case, black-hole him and move on.

Charly Baker
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
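
As an added example (not code from this thread, from either poster, or from
TLUG), here is how the two things the post describes can be done by a script
instead of by hand: spotting a run of "a few thousand attempts in about seven
minutes" in the sshd log, and black-holing the source as the reply suggests.
The log lines are constructed in OpenSSH's "Failed password" syslog format and
use RFC 5737 documentation addresses, not the real source from the post; the
year (syslog lines carry none), the ten-minute window and the threshold of 20
failures are assumptions. The script only prints the null-route command; it
does not run it.

```python
"""Flag SSH password-guessing runs in sshd log lines and emit a null-route.

Added example; the log lines are constructed, the addresses are from the
RFC 5737 documentation ranges, and the year/window/threshold are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2004  # assumed: syslog timestamps have no year field

# Classic OpenSSH failure line:
#   "Nov 29 03:14:01 host sshd[1201]: Failed password for invalid user web from 203.0.113.7 port 40012 ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return (timestamp, username, source_ip) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def scan(lines, window=timedelta(minutes=10), threshold=20):
    """Return {ip: finding} for every source with >= threshold failures inside
    any sliding `window`. Two typos from a real user never reach the threshold;
    a guessing kit crosses it within a couple of minutes."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, ip = parsed
            events[ip].append((ts, user))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        start = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            if i - start + 1 >= threshold:
                findings[ip] = {
                    "attempts": len(evs),
                    "users": sorted({u for _, u in evs}),
                    "first": times[0],
                    "flagged_at": t,  # threshold crossed here; flagged_at - first is the detection lag
                }
                break
    return findings


def blackhole_commands(findings):
    """iproute2 null-route for each flagged source: traffic to it is dropped,
    and the box stops being a target worth guessing against."""
    return [f"ip route add blackhole {ip}/32" for ip in sorted(findings)]


def constructed_log():
    """Constructed sample: 60 guesses in ~7 minutes from one host against
    'obvious' names, plus two mistyped passwords from a legitimate user."""
    names = ["root", "admin", "web", "test", "guest", "oracle", "mysql", "ftp", "user", "webmaster"]
    base = datetime(LOG_YEAR, 11, 29, 3, 14, 0)
    lines = [f"{base:%b %d %H:%M:%S} gw sshd[1199]: Accepted publickey for peter from 198.51.100.4 port 50999 ssh2"]
    for i in range(60):
        t = base + timedelta(seconds=7 * i)  # one guess every 7 s
        user = names[i % len(names)]
        tag = "" if user == "root" else "invalid user "
        lines.append(f"{t:%b %d %H:%M:%S} gw sshd[{1200 + i}]: Failed password for {tag}{user} "
                     f"from 203.0.113.7 port {40000 + i} ssh2")
    for k in range(2):
        t = base + timedelta(hours=5, minutes=k)
        lines.append(f"{t:%b %d %H:%M:%S} gw sshd[{3000 + k}]: Failed password for peter "
                     f"from 198.51.100.4 port 51000 ssh2")
    return lines


if __name__ == "__main__":
    found = scan(constructed_log())
    for ip, f in found.items():
        lag = f["flagged_at"] - f["first"]
        print(f"{ip}: {f['attempts']} failures, {len(f['users'])} usernames tried, flagged after {lag}")
    for cmd in blackhole_commands(found):
        print(cmd)
```

Run against real logs with `scan(open("/var/log/auth.log"))`; the sample run
flags the guessing host after about two minutes rather than the two hours the
post mentions, and leaves the user who fat-fingered a password alone. The
blackhole route is the cheap, reversible response; as the reply says, the
source is very likely someone else's compromised box, so a complaint to its
ISP is the other action worth taking.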