RE: How to stop a consistent cracker.

From: Andrew van der Stock (ajv@e-secure.com.au)
Date: Tue Jun 12 2001 - 19:46:49 PDT


    Prosecution is very rarely successful. There are so many different ways to
    lose a case, and it's likely that:
    
    a) evidence hasn't been handled properly
    b) the attacker is likely to be under 18
    c) the "cost" is under the FBI's (or your country's equivalent) minimal
    damage required to start prosecution, particularly if extradition is
    required
    d) the logs are all over the place wrt time and timezone, and a good
    lawyer will be able to squirm their way through that one
    e) most countries do not have extradition agreements for this type of
    offense; the attacker must be using your host for something that is truly
    offensive to the voters to get the bureaucracy to move for you. Things to
    look for are kiddie porn and bomb making recipes. As these occurrences are
    rare (most s'kiddies are just using you as a base for further attacks, not
    as storage), forget it. Remember, if you don't have good evidence handling
    procedures and terrific untampered verbose logs, the s'kiddie's lawyer will
    be able to disassociate their client from the activity and it's very
    unlikely anything will come of it.
    
    The cost of mounting a civil case in the US (and most other countries) is
    prohibitive, even though it is more likely that it will succeed than a
    criminal case. In most countries, what you're asking them to penalise their
    clients for is not a crime, and you'll be wasting your valuable time.
    
    Hypothetically, if I was notified of someone from another country hacking
    into a host I control, the best bet is to simply take it off the net, take
    an offline copy, reformat, reinstall and harden. There's no way I can
    recover the cost. If someone asked me to continue hosting the attacker,
    there's no way I'd agree to that. It's too risky for not much value.
    
    However, if my hypothetical breached hosts are posing a clear and present
    danger to other hosts on the Internet and *I* could get my ass sued for
    continuing to allow the attacker access, hell yes I will IMMEDIATELY pull
    the (network) plug. The risk reduction and denial of yet another compromised
    host will reduce the attacker's range of hosts to conduct further attacks
    from my network. This should be the aim of each and every one of us.
    
    If you want to do some offline browsing of the attacker's modus operandi, by
    all means take an offline dd or a Ghost of the disks, but don't allow a
    compromised host to stay alive. And check all your other systems to make
    sure that they are not compromised either, and ensure that you have the
    latest patches installed to prevent re-infection.
    
    Andrew
    
    -----Original Message-----
    From: Yotam Rubin [mailto:yotamat_private]
    Sent: Sunday, 10 June 2001 06:39
    To: incidentsat_private
    Subject: How to stop a consistent cracker.
    
    
    Greetings,
    
    	I have recently had the displeasure of reporting approximately 6
    security incidents to various .edu's. The contacted .edu's have been
    compromised by one ^0wn^, a paradigmatic script kiddie. His recent victims
    include (I do not maintain a full account of actions)
    humphrey.ocean.washington.edu, news.waterford.org, ns0.street.tv,
    SIDHE.MIT.EDU, rahul.engr.CSUFresno.EDU and auction2.csc.ncsu.edu. This
    must come to an end.
    The problem is that none of the contacts were willing to pursue the matter
    legally; I advised everyone *NOT* to remove the compromised box. Some
    replied and tried to explain their motives, and some simply ignored me and
    removed the host (a good example of this is the admin of
    humphrey.ocean.washington.edu).
    How can one stop this malicious user? Is it even possible when nobody is
    willing to cooperate? Even while writing this letter, this guy is DoS'ing me
    from 152.15.21.19.
    
    	Regards, Yotam Rubin
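
Andrew's point (d) above, that logs scattered across hosts with inconsistent clocks and timezones give opposing counsel room to squirm, is exactly what a UTC-normalised timeline addresses. The following is an added example, not code from either poster: it takes constructed log lines from three hypothetical hosts (hostA, hostB, hostC), in BSD syslog and Apache common-log formats, converts each to UTC, records where the timezone came from, and sets aside any line whose zone cannot be established. The hostnames, the per-host zones, the year supplied for syslog lines (which carry none), the IP addresses and the log content are all assumptions.

```python
"""
Added example for the thread above (not code from either poster): place log
lines from several hosts, written in different formats and timezones, on one
UTC timeline, and set aside lines whose timezone cannot be established.
Hostnames, zones, the year and the log content are all constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Classic BSD syslog: "Jun 10 06:39:12 host prog[pid]: msg" - no year, no zone.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Apache common log format: the bracketed field carries an explicit offset.
APACHE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<msg>.*)$')


@dataclass
class Event:
    host: str                 # host whose log the line came from
    utc: Optional[datetime]   # None when the zone could not be established
    local_text: str           # timestamp exactly as it appeared in the log
    tz_source: str            # "explicit", "host-config" or "unknown"
    msg: str


def parse_line(host: str, line: str, host_tz: Optional[timezone],
               year: int) -> Optional[Event]:
    """Parse one line; host_tz is the zone the logging host ran in, if known."""
    m = APACHE_RE.match(line)
    if m:
        # %z understands "+0300" / "-0400", so the line carries its own zone.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return Event(host, ts.astimezone(timezone.utc), m["ts"], "explicit",
                     f"{m['client']} {m['msg']}")
    m = SYSLOG_RE.match(line)
    if m:
        # syslog has no year: the caller supplies one (an assumption to record).
        naive = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if host_tz is None:
            return Event(host, None, m["ts"], "unknown", m["msg"])
        return Event(host, naive.replace(tzinfo=host_tz).astimezone(timezone.utc),
                     m["ts"], "host-config", m["msg"])
    return None


def build_timeline(sources: list, year: int) -> Tuple[List[Event], List[Event]]:
    """Return (events ordered by UTC, events that could not be placed)."""
    placed, unplaced = [], []
    for src in sources:
        for line in src["lines"]:
            ev = parse_line(src["host"], line, src.get("tz"), year)
            if ev is None:
                continue          # unparsed lines would be reported in real use
            (placed if ev.utc is not None else unplaced).append(ev)
    placed.sort(key=lambda e: e.utc)
    return placed, unplaced


# Constructed input: three hypothetical hosts, two formats, one unknown zone.
SOURCES = [
    {"host": "hostA", "tz": timezone(timedelta(hours=-7)),   # PDT, taken from the host's config
     "lines": ["Jun 10 06:39:12 hostA sshd[4821]: Accepted password for root from 192.0.2.10"]},
    {"host": "hostB", "tz": None,                            # zone is in the line itself
     "lines": ['192.0.2.10 - - [10/Jun/2001:08:30:00 -0400] "GET /cgi-bin/phf HTTP/1.0" 200 12']},
    {"host": "hostC", "tz": None,                            # syslog, zone never recorded
     "lines": ["Jun 10 15:02:11 hostC named[77]: client 192.0.2.10 zone transfer refused"]},
]

if __name__ == "__main__":
    placed, unplaced = build_timeline(SOURCES, year=2001)
    for ev in placed:
        print(f"{ev.utc:%Y-%m-%dT%H:%M:%SZ} {ev.host:<6} ({ev.tz_source}, local {ev.local_text}) {ev.msg}")
    for ev in unplaced:
        print(f"UNPLACED {ev.host}: '{ev.local_text}' has no timezone on record")
```

Run as-is, the local clocks say hostA (06:39) logged before hostB (08:30), but on the UTC timeline hostB's request comes first; that inversion is the kind of thing a defence lawyer exploits when raw logs are presented unnormalised. Keeping the original timestamp text and the `tz_source` next to each converted value is what lets you show how every UTC figure was derived, and the hostC line is deliberately left unplaced rather than guessed at.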
    
    This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 22:51:06 PDT