Re: Hacked using vulnerable FTP daemon. -- next steps

From: Paul Tan (paul.tanat_private)
Date: Tue Sep 25 2001 - 19:26:33 PDT

Hi again,

We suspect it is a disgruntled ex-employee who did this, because after
more forensics, this particular cracker had posted some strong words
directed to a particular someone on the company's web server. He first
got in on Sept 22, then proceeded to download some binaries (e.g. su.c,
bsd.c, ftp-god.c, remv, etc.) from an ftp host in Indonesia. He tried to
use one of these scripts to remove entries from utmp, but I managed to
get a printout of it, and also a long history of commands he issued. He
tried to deface the website with some childish "So and so wuz here" kinda
stuff. Unfortunately for him, luckily for us, it didn't work out too fine,
as most content is being cached in a reverse proxy, so I guess no one saw
it. He proceeded to post some content on the company's website directed
to the boss of the company, and then altered the access logs of Apache.

Singapore has very, very severe laws on crackers. There have been many
crackers that have been sent to jail and given a handful of whips too.
However, I'm not too sure on cyber laws in Indonesia. My friend is not
keen on prosecuting this cracker/ex-employee/whoever, but he just wants
to know for sure that it is that guy who did it and then speak to him
about this cowardly act.

Well, maybe I still have to contact the ISPs after all to see what they
can do to help me out on this case.

For those of you who want to see the logs / binaries, whatever: it may
contain some very sensitive information, so I'm not sure if I should
release it, because there may be some not so honorable folks on this
list that want the juicy information in logs to do not so honorable
stuff.... : ) . It will be case by case that I release it, ok? Hope I
didn't cause any unhappiness.

Currently, I'm setting up a new web server to replace the compromised
host. Implemented a firewall, and will review the rest of his
infrastructure. This is my first time doing forensics on an actual
compromised host and it's very exciting. : ) Thank you for all your
advice. Will keep you guys updated.

Rgds,
Paul Tan


Alvin Oga wrote:

>hi ya
>
>calling the isp is a good start....
>
>following up is more important than the reporting itself...
>as the script kiddies will keep coming back till they "see a change"
>that makes them work harder to get back in
>
>- make a new server for real people to be using...
>    - use scp(ssh) instead of ftp
>
>- if you had an unpatched ftp daemon.... well, you've just been hit if
>  that's how they got in....vs applying other attacks
>
>- the hacker will be back for that same machine he knows he got in...
>    - i say let um ... isolate it...
>
>    - get the legal folks to also watch what he is doing
>    live and real time ... to make it easier to track um....
>
>- fbi gets interested at $10,000 in damages ...
>    - i like it, cause they can go seize the [cr/h]ackers' PCs...
>
>for your own action items..
>
>    - don't point the finger at the other isps/hackers ...
>
>    - tighten your own security...
>    - disable all insecure services: telnet, ftp, pop3/imap, ppp
>    - see the to do list ...
>
>    http://www.Linux-Sec.net  ( server Hardening section )
>
>
>    - many things to do after your server has been compromised...
>    lots of unscheduled extremely important work to do...
>
>    http://www.Linux-Sec.net/Tracking/
>
>have fun
>alvin
>http://www.Linux-Sec.net
>
>On Tue, 25 Sep 2001, Bojan Zdravkovic wrote:
>
>>
>>Hi Paul,
>>
>>Calling the ISP will help. They won't "get" the guy, only slap his wrist. The
>>biggest, ultimate effect of calling the ISP would be sending him a warning
>>email.
>>
>>ISPs will never forward you any personal info, except if you're a government
>>investigator. And if an investigator gets involved the damage has to be
>>substantial (millions).
>>
>>Don't talk about evidence, and don't blow things out of proportion, this is just
>>a simple mischief, happens to everyone.
>>
>>And patch that ftpd.
>>
>>-Bojan
>>
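Paul mentions that the intruder altered the Apache access logs after trying to scrub utmp. A crude edit of a text log usually leaves traces: entries whose timestamps run backwards (lines re-inserted or edited by hand) or an unexplained silence where a busy server should have been logging steadily. The following is an added example, not code from the thread or from any of its participants, that scans combined-format access log lines for those two signs. The sample log lines, the one-hour gap threshold and the `find_anomalies` function name are all constructed for this illustration; a log that is taken from a quiet server would need a larger threshold, and a careful attacker who removes whole lines cleanly will not trip the timestamp check, so this is a first-pass triage aid rather than proof of integrity.

```python
"""Heuristic check for tampered Apache access logs (added example)."""
import re
from datetime import datetime, timedelta

# Apache combined log format:
#   host ident user [time] "request" status bytes "referer" "agent"
# Only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line; return a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def find_anomalies(lines, max_gap=timedelta(hours=1)):
    """Return a list of (line_number, reason) for points in the log worth a closer look.

    Flags: lines that do not parse, timestamps earlier than the previous entry,
    and silences longer than max_gap between consecutive entries.
    """
    findings = []
    prev = None
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparseable line"))
            continue
        if prev is not None:
            if rec["time"] < prev["time"]:
                findings.append((n, "timestamp earlier than previous entry"))
            elif rec["time"] - prev["time"] > max_gap:
                gap = rec["time"] - prev["time"]
                findings.append((n, f"gap of {gap} before this entry"))
        prev = rec
    return findings


# Constructed sample log: steady traffic, then a three-hour hole, then a line
# whose timestamp runs backwards, then a line that is not a log entry at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Sep/2001:10:00:00 +0800] "GET / HTTP/1.0" 200 2326 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [22/Sep/2001:10:02:15 +0800] "GET /about.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [22/Sep/2001:10:03:40 +0800] "GET /news.html HTTP/1.0" 200 4096 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [22/Sep/2001:13:10:02 +0800] "GET / HTTP/1.0" 200 2326 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [22/Sep/2001:12:58:11 +0800] "GET /index.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"',
    "this line was left behind by a hand edit and is not a log entry",
]


if __name__ == "__main__":
    for line_no, reason in find_anomalies(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

Run it against a real log with `find_anomalies(open("access_log").read().splitlines())`; anything it reports should then be cross-checked against the reverse proxy's own logs, which in Paul's case were outside the attacker's reach and so provide an independent record of what was requested.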

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 22:49:27 PDT