[99190] in RedHat Linux List
Re: break-in attempt
daemon@ATHENA.MIT.EDU (Nikki Cook)
Thu Nov 12 18:19:07 1998
Date: Thu, 12 Nov 1998 18:18:56 -0500
To: redhat-list@redhat.com
From: Nikki Cook <sunny@mail.suntrix.com>
In-Reply-To: <Pine.LNX.4.05.9811121649431.1999-100000@dweezil.dyn.ml.org>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
Hi Gregory,
Our procedure is to send pertinent snips of the logs to the admin of the
domain, the uplink of the domain and since we're a company, we forward a
copy to the Computer Crimes Division of the FBI.
We make sure we don't overwhelm the reader, giving just enough NAVCIRT log
information to identify time/date S host.domain.port D host.domain.port.
We respectfully request that the admin pursue investigating the attack that
apparently came from their facility and take all appropriate action to
prevent it in the future. We also ask them to inform us of their findings
and any identification of the individual(s) so that we may take
appropriate/necessary legal and/or security measures.
Btw, you'll note, I said "apparently". Word to the wise here, lots can
happen. We had one recent attempt apparently from a MAJOR University.
They verified it came from their domain alright, but the hacker had broken
in, changed their routing tables and made it appear as if it was coming
from a machine that was not online at the time indicated. The admins were
sharp enough to find the processes running, kill them and secure the
machine for further analysis. They were able to provide us with some
very important information to nail the bas... ummm... person who was
responsible for the attempt so that we could allow them to enjoy the
consequences of their action.
HTH,
Nikki
At 05:02 PM 11/12/98, you wrote:
>Where should I send logs &c. corresponding to a break-in attempt my
>machine suffered this morning (I mean is there an organization that
>would want to see the files)? The logs clearly indicate scripted
>efforts to get through potential leaks in various daemons that were
>running at the time. I noticed the break-in attempt while it was
>happening, and quickly disconnected my computer from the network. I do
>not believe the attempt was a success, but I'm not sure.
>
>I assembled all the available information in /var/log from the 23
>minutes or so during which the attempt was made and put it in
>chronological order. Anybody wanna volunteer to look over the resulting
>112 kB collection and give me their impression? Thanks,
>
>G.F.
>
>--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
> ___
> /. \ Gregory Fall Phone: 734-913-4662
> \/ / University of Michigan Fax: 734-763-7130
> \ \ 2455 Hayward Street email: gmfall@engin.umich.edu
> __/_/ Ann Arbor, MI 48109 gmf@dweezil.dyn.ml.org
>
>
>--
> PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
> http://www.redhat.com http://archive.redhat.com
> To unsubscribe: mail redhat-list-request@redhat.com with
> "unsubscribe" as the Subject.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SunTrix Com Internet Services
Daytona Beach, Florida
PPP and Shell Accounts (904) 258-5434
WEB Design webdesign@mail.suntrix.com
http://www.suntrix.com
WEBBnet IRC Network
irc.webbnet.org | irc.us.webbnet.org
ftp://ftp.suntrix.com | mail.suntrix.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
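Added example, not part of Nikki's or Gregory's post: a small script that does the log triage both of them describe. It takes lines in the syslog/tcp_wrappers format a Red Hat box of that era wrote to /var/log/messages and /var/log/secure ("Nov 12 09:41:03 host in.telnetd[1982]: connect from 192.0.2.7"), keeps only those inside the attack window, puts them in chronological order, and reduces them to the "time/date S host D host.port" summary that gets sent to the remote admin and the uplink rather than the whole 112 kB. The sample log lines, the 23-minute window, the host name dweezil and the service-to-port table (standing in for an /etc/services lookup) are all constructed for the example.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Assumed service-to-port table standing in for an /etc/services lookup.
SERVICE_PORTS = {
    "in.telnetd": 23, "in.ftpd": 21, "in.fingerd": 79, "in.rlogind": 513,
    "in.rshd": 514, "imapd": 143, "ipop3d": 110,
}

# Classic syslog line: "Nov 12 09:41:03 host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)
# tcp_wrappers phrasing: "connect from X" or "refused connect from X"
CONNECT_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<src>\S+)")


def parse_syslog_time(ts, year):
    """Syslog timestamps carry no year; the caller supplies it."""
    return datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")


def extract_events(lines, year, start, end):
    """Return connection records inside [start, end], sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # kernel, cron and other non-daemon lines are skipped
        c = CONNECT_RE.match(m["msg"])
        if not c:
            continue  # daemon line that is not a connection record
        when = parse_syslog_time(m["ts"], year)
        if not (start <= when <= end):
            continue
        events.append({
            "time": when,
            "src": c["src"],
            "dst": m["host"],
            "port": SERVICE_PORTS.get(m["prog"], m["prog"]),
            "refused": c["refused"] is not None,
        })
    events.sort(key=lambda e: e["time"])  # stable sort keeps file order on ties
    return events


def summarize(events):
    """Collapse events per source host: first/last seen, count, targets hit."""
    out = OrderedDict()
    for e in events:
        s = out.setdefault(e["src"], {"first": e["time"], "last": e["time"],
                                      "count": 0, "refused": 0, "targets": set()})
        s["last"] = e["time"]
        s["count"] += 1
        s["refused"] += e["refused"]
        s["targets"].add(f'{e["dst"]}:{e["port"]}')
    return out


def render_report(summary):
    """The short snippet to send along: time/date, S host, D host:port."""
    lines = ["# Source addresses are as logged: they name the machine the",
             "# packets arrived from, not necessarily the person responsible."]
    for src, s in summary.items():
        lines.append(f"{s['first']:%Y-%m-%d %H:%M:%S} .. {s['last']:%H:%M:%S}  "
                     f"S {src}  ->  D {', '.join(sorted(s['targets']))}  "
                     f"({s['count']} connects, {s['refused']} refused)")
    return "\n".join(lines)


# Constructed sample lines, deliberately out of order; one is outside the
# window and one is an unrelated kernel message.
SAMPLE_LOG = [
    "Nov 12 09:41:03 dweezil in.telnetd[1982]: connect from 192.0.2.7",
    "Nov 12 09:41:01 dweezil in.fingerd[1979]: connect from 192.0.2.7",
    "Nov 12 09:42:17 dweezil in.ftpd[1990]: connect from 192.0.2.7",
    "Nov 12 09:45:00 dweezil kernel: eth0: transmit timed out",
    "Nov 12 09:47:30 dweezil ipop3d[1995]: connect from 203.0.113.9",
    "Nov 12 09:50:12 dweezil in.rlogind[2003]: connect from 192.0.2.7",
    "Nov 12 09:55:40 dweezil imapd[2011]: refused connect from 192.0.2.7",
    "Nov 12 10:03:58 dweezil in.telnetd[2020]: connect from 192.0.2.7",
    "Nov 12 10:30:00 dweezil in.ftpd[2100]: connect from 198.51.100.4",
]
WINDOW = (datetime(1998, 11, 12, 9, 41), datetime(1998, 11, 12, 10, 4))


def incident_summary(lines=SAMPLE_LOG, year=1998, window=WINDOW):
    return summarize(extract_events(lines, year, *window))


if __name__ == "__main__":
    print(render_report(incident_summary()))
```

The header comment in the report carries the "apparently" caveat from above: a source address in tcp_wrappers output is whatever the packet said, so the summary points the remote admin at a machine, not at a person.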