On Wed, May 17, 2000 at 01:48:56AM -0500, Jim Roland wrote:
> Gee guess what!?! I have the guy's IP address and host names. Sorry, I
> don't remember a guy's name who told me he ran the attachment as root and
> found a file called ".rhosts", but it might be wise to chronicle your
> information, look in your logs (messages and syslogs) and send what
> information you have to Worldcom's Security department (email address noted
> a few paragraphs below). Also, immediately change all your passwords. If
> you were in as root, he did get your shadow file, and encrypted passwords
> *can* be broken. Change them immediately. If the date of your .rhosts
> file is at or just after the time of the attack, delete it.
Ok... Sounds like you are doing some great forensics at this
point, and people should be paying attention as much to what procedure
is being followed at this point as they might to how the break-in occurred.
1) Are your clocks synchronized to ntp? If not, can you testify
to the offset and accuracy of your clocks? Find out or your logs may
not be totally useful to law enforcement.
2) Have you now been in contact with the FBI Computer Crimes
group? If not, do so, NOW. If you don't, you are likely to make mistakes
which can render any court-admissible evidence useless.
> He actually TRIED to get into my system (failed of course). From my
> messages log, failed attempts to login (remember, since I was not logged in
> as root, he never did actually get the encrypted passwords):
> May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg (chi-qbu-nvb-vty13.as.wcom.net): error on output channel sending "220 mail.roland.net ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500": Broken pipe
> May 16 16:47:53 ns syslog: getpeername (wu.ftpd): Transport endpoint is not connected
> May 16 16:48:23 ns nntpd[26781]: access: fopen /usr/lib/news/nntp_access: No such file or directory
> May 16 16:49:13 ns login[26785]: invalid password for `UNKNOWN' on `ttyp4' from `www2.mediaserve.net'
> May 16 16:49:25 ns login[26785]: invalid password for `UNKNOWN' on `ttyp4' from `www2.mediaserve.net'
> May 16 16:49:54 ns login[26785]: invalid password for `UNKNOWN' on `ttyp4' from `www2.mediaserve.net'
> May 16 16:50:02 ns login[26785]: invalid password for `issestar' on `ttyp4' from `www2.mediaserve.net'
>
> Notice the hostname in the first line of my log snippet above. The
> same/similar IP that the original message came from that tried to launch
> the attack.
>
> We know he's in Chicago, we have his IP on 2 different occasions, and know
> of 2 systems he's hijacked. The 2nd (mediaserve.net) is in California.
>
> I just got off the phone with UU-Net's (Worldcom's) security department.
> If you have been hit, this is a great way to get this guy shut down
> immediately and probably prosecuted. One complaint won't do it, but lots
> will carry more weight. Their number is 800-900-0241, option 2, then 3,
> then 1. The best thing I can tell you to do is email [EMAIL PROTECTED]. It
> would be most considerate to email them first and save calling unless
> you're online at the precise moment he's hacking into your system. Save
> ALL logs and send them to the uu.net address. Plain-text only pasted into
> your message (no attachments--messages with attachments are deleted
> automatically by their system). Logs need to contain:
> Date/Time of incident
> *YOUR* Timezone
Make sure your clocks are accurate so they can correlate with
other systems. Lock it to ntp or have a frequent known offset check!
> System logs (messages/syslog)
> IP or hostname containing the guy's dialup IP
> and ports attempted.
> FWIW,
>
> -=>Jim Roland
>
> "Never settle with words what you can settle with a flamethrower."
> --Anonymous
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-====---====---====---====---====---====---====---====---====---====---====-
to unsubscribe email "unsubscribe linux-admin" to [EMAIL PROTECTED]
See the linux-admin FAQ: http://www.kalug.lug.net/linux-admin-FAQ/
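As an added example (not part of the thread), a small Python parser for the syslog lines quoted above: classic syslog stamps carry neither a year nor a timezone, so it attaches both explicitly and normalises to UTC before grouping failed logins per source host for a report. The sample lines are constructed from the quoted log; the year 2000 and the -0500 offset are taken from the sendmail banner in that log.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone, timedelta

# Constructed sample: the syslog lines quoted in the thread. Bare syslog
# timestamps have no year and no UTC offset, so both must be supplied.
SAMPLE_LOG = """\
May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg (chi-qbu-nvb-vty13.as.wcom.net): error on output channel sending "220 mail.roland.net ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500": Broken pipe
May 16 16:47:53 ns syslog: getpeername (wu.ftpd): Transport endpoint is not connected
May 16 16:49:13 ns login[26785]: invalid password for `UNKNOWN' on `ttyp4' from `www2.mediaserve.net'
May 16 16:49:25 ns login[26785]: invalid password for `UNKNOWN' on `ttyp4' from `www2.mediaserve.net'
May 16 16:50:02 ns login[26785]: invalid password for `issestar' on `ttyp4' from `www2.mediaserve.net'
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FAILED_LOGIN_RE = re.compile(r"invalid password for `(?P<user>[^']*)' on `(?P<tty>[^']*)' from `(?P<src>[^']*)'")

def parse_syslog_time(ts, year, utcoffset_minutes):
    """Attach the year and the reporting system's UTC offset to a bare syslog
    stamp, then convert to UTC so it can be correlated with a third party's logs."""
    naive = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    local = timezone(timedelta(minutes=utcoffset_minutes))
    return naive.replace(tzinfo=local).astimezone(timezone.utc)

def summarize_failed_logins(log_text, year, utcoffset_minutes):
    """Per source host: attempt count, account names tried, first/last time in UTC."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        f = FAILED_LOGIN_RE.search(m.group("msg"))
        if not f:
            continue  # other daemons' noise (sendmail, nntpd, ...)
        when = parse_syslog_time(m.group("ts"), year, utcoffset_minutes)
        e = summary[f.group("src")]
        e["count"] += 1
        e["users"].add(f.group("user"))
        e["first"] = when if e["first"] is None else min(e["first"], when)
        e["last"] = when if e["last"] is None else max(e["last"], when)
    return {src: {"count": e["count"], "users": sorted(e["users"]),
                  "first_utc": e["first"].isoformat(), "last_utc": e["last"].isoformat()}
            for src, e in summary.items()}

if __name__ == "__main__":
    # -0500 is the offset shown in the sendmail banner quoted in the thread.
    for src, e in summarize_failed_logins(SAMPLE_LOG, 2000, -300).items():
        print(src, e)
```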