Re: Hacked using vulnerable FTP daemon.

From: Ben McGinnes (ben-mcginnesat_private)
Date: Fri Sep 28 2001 - 17:44:00 PDT

    Bojan Zdravkovic(bzdravkoat_private)@Tue, Sep 25, 2001 at 03:28:46PM -0400:
    > 
    > Hi Paul,
    > 
    > Calling the ISP will help. They won't "get" the guy, only slap his wrist. The
    > biggest, ultimate effect of calling the ISP would be sending him a warning
    > email.
    
    Depending on circumstance - probably.  They always need at least one 
    warning, after which the gloves may be removed (along with the offending 
    account).  Remember, any ISP worth its salt will chase up security and 
    abuse issues (it may not be quick enough for the original complaint, but 
    it ought to happen).
    
    The reason for this is simple PR; any network which gains a reputation
    amongst its peers as being a script-kiddie and spammer haven will quickly
    find its IP ranges blacklisted and its routes relegated to the "when we
    can be bothered" category.
    
    > ISPs will never forward you any personal info, except if you're a government
    > investigator. And if an investigator gets involved the damage has to be
    > substantial (millions).
    
    True.  The same privacy laws which protect you from your ISP giving 
    contact info to anyone who asks will also protect those of a less savoury 
    stature.
    
    OTOH, if you're looking for IP ownership information, depending on the 
    size of the network you may find that an ISP runs their own whois server.  
    In such a case you may be able to track down the appropriate contact 
    details for the IP in question and bypass the ISP (if your would-be 
    cracker is trying to launch the attack from a static IP/host somewhere).
    
    > Don't talk about evidence, and don't blow things out of proportion, this
    > is just a simple mischief, happens to everyone.
    
    Along with all the other weird shit floating around.  Depending on the 
    threat level of the attack, sometimes it's generally a waste of time and 
    effort trying to hunt them down.  Usually if I see something odd or 
    disturbing I'll go a-hunting, but OTOH these days I'm treating all those 
    SunRPC and Bind scans much the same as Code Red and the like (mostly 
    ignored, occasionally chased if I'm in the mood).
    
    > And patch that ftpd.
    
    Indeed.  WuFTPd is *not* your friend.  From what I've heard NcFTPd *is*, 
    though (and I believe the license allows for a couple of free 
    installations for non-profit organisations/networks).
    
    
    Regards,
    Ben
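The whois-based approach Ben describes above (asking the registry which server is authoritative for an IP block, then following the referral to the ISP-run whois server to find a contact) can be automated. The following is an added example, not code from the original thread: a minimal RFC 3912 whois client plus a parser that pulls the referral server and abuse mailbox out of a response. The field names it looks for (`ReferralServer`, `whois`, `refer`, `OrgAbuseEmail`, `abuse-mailbox`) are assumptions modelled on typical registry output; other registries and ISP servers may label things differently. The sample responses embedded in the block are constructed (192.0.2.0/24 is RFC 5737 documentation space, and `whois.example-isp.net` is a made-up host) so the parser can be exercised offline.

```python
"""Minimal RFC 3912 whois client that follows referrals to the delegated
(e.g. ISP-run) whois server for an IP address.

Added example, not code from the original post.  Only lookup_ip() with the
default fetcher touches the network; everything else runs offline.
"""
import re
import socket

WHOIS_PORT = 43  # RFC 3912: plain TCP, query terminated by CRLF, answer until EOF

# Field labels are assumptions based on common ARIN/RIPE/IANA-style output;
# other registries and ISP-run servers may use different labels.
REFERRAL_KEYS = ("ReferralServer", "whois", "refer")
ABUSE_KEYS = ("OrgAbuseEmail", "abuse-mailbox")


def query_whois(server, query, timeout=10):
    """Send one whois query to `server` and return the whole response text."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:          # server closes the connection when done
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Extract the referral server (if any) and abuse contacts from a response."""
    referral = None
    abuse = []
    for line in text.splitlines():
        # '#' (ARIN) and '%' (RIPE-style) lines are comments, not fields.
        if ":" not in line or line.lstrip().startswith(("%", "#")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in REFERRAL_KEYS and referral is None:
            # ARIN writes "ReferralServer: whois://host", IANA writes
            # "whois: host".  rwhois:// referrals use a different protocol
            # and port and are deliberately left unfollowed here.
            m = re.match(r"^(?:whois://)?([A-Za-z0-9.-]+)/?$", value)
            if m:
                referral = m.group(1).lower()
        elif key in ABUSE_KEYS and "@" in value and value not in abuse:
            abuse.append(value)
    return {"referral": referral, "abuse": abuse}


def lookup_ip(ip, start="whois.arin.net", max_hops=3, fetch=query_whois):
    """Query `start` for `ip` and follow referrals until a server names no
    further one.  Returns the chain of servers visited and abuse contacts found."""
    server, visited, contacts = start, [], []
    for _ in range(max_hops):
        if server in visited:     # referral loop guard
            break
        visited.append(server)
        parsed = parse_whois(fetch(server, ip))
        contacts.extend(c for c in parsed["abuse"] if c not in contacts)
        if not parsed["referral"]:
            break
        server = parsed["referral"]
    return {"servers": visited, "abuse": contacts}


# Constructed sample responses (not real registry data) for offline use.
SAMPLE_RESPONSES = {
    "whois.arin.net": "\n".join([
        "#",
        "# Constructed sample in ARIN style",
        "#",
        "NetRange:       192.0.2.0 - 192.0.2.255",
        "CIDR:           192.0.2.0/24",
        "NetName:        EXAMPLE-ISP-NET",
        "OrgName:        Example ISP Pty Ltd",
        "ReferralServer: whois://whois.example-isp.net",
    ]),
    "whois.example-isp.net": "\n".join([
        "% Constructed sample from a (fictional) ISP-run whois server",
        "inetnum:        192.0.2.0 - 192.0.2.255",
        "netname:        EXAMPLE-ISP-CUST-17",
        "descr:          Example ISP static customer block",
        "abuse-mailbox:  abuse@example-isp.net",
        "e-mail:         noc@example-isp.net",
    ]),
}


def sample_fetch(server, query):
    """Stand-in for query_whois() that serves the constructed samples."""
    return SAMPLE_RESPONSES[server]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(lookup_ip(sys.argv[1]))                      # live lookup
    else:
        print(lookup_ip("192.0.2.10", fetch=sample_fetch))  # offline demo
```

Run with an IP argument to perform a live lookup from ARIN; with no argument it walks the constructed samples and reports the ISP-level abuse mailbox. Note that a referral only helps when the attacker is on a block the ISP actually registers in its own server; dynamic-pool addresses usually stop at the ISP's general abuse contact, which is exactly the "call the ISP" route discussed above.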
    
    This archive was generated by hypermail 2b30 : Sat Sep 29 2001 - 02:08:08 PDT