Re: Re: hacked: can't delete files

2005-08-27 Thread Andreas Hatz



On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
> personally... i think any hacked machine should be looked over
> carefully to be able to answer the following:
>     - who broke in
>     - how did they get in
>     - why did they break in ( sometimes there's no answer )
>     - where they came from
>
> - obvious thing is to look at log files, but smart crackers
>   will wipe out or clean the /var/log before they leave
I do agree with your attitude on this. Unfortunately I do not see any chance of
getting any kind of conviction on this sort of thing if it originates from
another country. In this case the attacker is from Brazil (best guess, based on
litter left by the cracker). We are based in Australia and New Zealand. What are
the chances of getting the Brazilian police to do anything?

As for the clean-up, I discovered a script among this guy's litter which was a
clean-up script to delete his log entries. I managed to alter this script
slightly to do the opposite next time he tries it. I do not think there will be
a next time for this guy though. He was only interested in a spam relay for a
while. These guys are typically just script kiddies that try to make some bucks
sending spam from other people's machines.

Cheers,

Andreas
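Alvin's warning above, that a cracker will wipe or trim /var/log before leaving, is what makes "who, how and where from" so hard to answer afterwards. A trimmed log usually still betrays itself, though: entries get cut out of the middle, the file is re-spliced out of order, or editing residue is left behind. The following check is an added example for this thread, not code from either poster or from any Debian tool. It assumes the classic sysklogd line layout "Mon DD HH:MM:SS host program: message" (no year in the stamp, so the caller supplies one) and a host that normally logs at least every max_gap, for instance because sysklogd writes "-- MARK --" lines every 20 minutes by default. The sample lines are constructed.

```python
"""Look for signs that a syslog-style file has been trimmed by hand.

Added example for this thread; it is not code from the debian-user
posters or from any Debian tool. Assumptions: classic sysklogd line
layout "Mon DD HH:MM:SS host program: message" (no year in the stamp,
so the caller supplies one), and a host that normally logs at least
every max_gap, e.g. because sysklogd writes "-- MARK --" lines.
"""
from datetime import datetime, timedelta


def parse_ts(line, year):
    """Return the datetime of a syslog line, or None if it has no usable stamp."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        return None
    try:
        # strptime defaults the year to 1900; a "Feb 29" stamp would
        # therefore fail to parse and be reported as unparsable.
        ts = datetime.strptime(" ".join(parts[:3]), "%b %d %H:%M:%S")
    except ValueError:
        return None
    return ts.replace(year=year)


def check_log(lines, year, max_gap=timedelta(hours=1)):
    """Return a list of (line_number, reason) findings for one log file.

    Three cheap indicators that entries were deleted rather than rotated:
      * a stamp earlier than the previous one (lines cut out and the file
        re-spliced, or rewritten from a scratch copy);
      * silence longer than max_gap on a host that otherwise logs steadily
        (a cleanup script typically grep -v's the attacker's window away);
      * a line with no parsable stamp (editing residue).
    None of these proves tampering on its own; they tell you where to look.
    """
    findings = []
    prev_ts = None
    for n, line in enumerate(lines, 1):
        ts = parse_ts(line, year)
        if ts is None:
            findings.append((n, "unparsable timestamp"))
            continue
        if prev_ts is not None:
            if ts < prev_ts:
                findings.append((n, "timestamp goes backwards"))
            elif ts - prev_ts > max_gap:
                findings.append((n, "gap of %s before this line" % (ts - prev_ts)))
        prev_ts = ts
    return findings


# Constructed sample: a relay that logs every 20 minutes, with a window
# cut out and one line left out of order, as a cleanup script might leave it.
SAMPLE = [
    "Aug 23 12:00:12 relay sshd[812]: Accepted password for andreas from 10.0.0.5 port 40112 ssh2",
    "Aug 23 12:20:00 relay -- MARK --",
    "Aug 23 12:40:00 relay -- MARK --",
    "Aug 23 16:05:31 relay sendmail[2201]: starting daemon",
    "Aug 23 15:59:58 relay sshd[2190]: Accepted password for andreas from 10.0.0.5 port 40220 ssh2",
    "garbage left by a stray editor session",
    "Aug 23 16:20:00 relay -- MARK --",
]

if __name__ == "__main__":
    for n, reason in check_log(SAMPLE, 2005):
        print("line %d: %s" % (n, reason))
```

Run it against a copy of the log taken from the compromised disk, not against the live file, and treat every finding as a pointer to the window the cracker cared about: the gap is where his activity was, and anything still logged on a remote syslog host or in the mail queue for that window is your real evidence.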



Re: Re: hacked: can't delete files

2005-08-27 Thread Andreas Hatz




Jason Edson wrote:
> Didn't you post this like a week ago and get answers? Just curious if
> my mail reader is acting up.
Sorry, I reposted after an initial search of the debian-user archive came up
blank. Looks like it went through twice now. Oops.

Regards,

Andreas