ACK! -- CONTINUED
Bradley Miller
bradmiller at dslonramp.com
Sun Apr 20 03:52:34 CDT 2003
At 08:18 PM 4/19/2003 -0700, you wrote:
>I'm just curious, what tipped you off that the box was
>compromised? Were there any obvious signs, or did you
>catch something in your logs?
>
>Kurt
Since there are a lot of people asking, I'll give you the details:
Actually discovered it purely by accident. I have one server that is
bouncing up and down, why I don't know. I decided to restore my database
backup onto one of my other servers and start running it as my secondary
server in the interim. While there I accidentally hit the down arrow to
recall a previous command, and saw a peculiar instruction. I looked in the
bash history file and sure enough, I found the intruder. They installed a
"toolz" file to compromise the system and then a "clean me up" script to
remove all traces of their activity. Unfortunately for them, and
fortunately for me, I could see where they were keying the server to
respond to with all the info.
Now -- earlier today and this week, I've spent HOURS on the phone with
Interland. Communitech's servers went to Atlanta, Georgia a month ago or
so. I CANNOT RECOMMEND INTERLAND -- THEY ARE WAY TOO BIG FOR DECENT
CUSTOMER SUPPORT!!!! I just signed a contract earlier this week for two
new servers over at Netstandard . . . I can only hope they go in fast
enough to curb this problem.
Want to hear some really funny stuff? I had snooped around and found
where this little *%#$#'s IP was from, since they left some "traces" in my
system. I do an ARIN lookup and find the ip range is totally owned by one
ISP. I call up the ISP and get the runaround that to get the info, I'll
need the police department to call. I call up the local police department,
explain the situation, call them back and then they tell the officer they
can't do anything without a subpoena. The officer can't do anything
because my servers are in Atlanta, Georgia, so technically the crime has
been committed there. Now what are the odds that I'll get a cop in Atlanta
to investigate this? The ISP told me that they would probably just warn an
individual if they found proof. WARN THEM? If I walk in to a liquor store
and walk out with a bottle of booze and a freakin' bag of money (without
paying), how is it any different than doing the same to a server? But
the ISP won't let me see the freakin' security camera -- because it would
be a privacy issue? Give me a break!
-- Bradley Miller