ACK! -- CONTINUED

Aaron aaron at aarons.net
Sun Apr 20 04:06:06 CDT 2003


It's funny this should come up now.

At 5:30 this morning I got paged by two of my customer's machines
complaining about unauthorized processes running.  Sure enough, they were
hidden.

I spent the early morning moving data to backup servers, reloading the two
infected servers and then transferring back.  Someone must be on a rampage.

I'm moving through all our dedicated servers (at least the ones I have root
passwords on file for) looking for any other instances as we only have IDS
on the managed boxes.  Some of our customers have massive security on their
boxes... and.... some don't... :(

Aaron

----- Original Message -----
From: "Bradley Miller" <bradmiller at dslonramp.com>
To: <kclug at kclug.org>
Sent: Saturday, April 19, 2003 10:52 PM
Subject: Re: ACK! -- CONTINUED

> At 08:18 PM 4/19/2003 -0700, you wrote:
>
> >I'm just curious, what tipped you off that the box was
> >compromised? Were there any obvious signs, or did you
> >catch something in your logs?
> >
> >Kurt
>
> Since there are a lot of people asking, I'll give you the details:
>
> Actually discovered it purely by accident.  I have one server that is
> bouncing up and down, why I don't know.  I decided to restore my database
> backup onto one of my other servers and start running it as my secondary
> server in the interim.  While there I accidentally hit the down arrow to
> recall a previous command, and saw a peculiar instruction.  I looked in the
> bash history file and sure enough, I found the intruder.  They installed a
> "toolz" file to compromise the system and then a "clean me up" script to
> remove all traces of their activity.  Unfortunately for them, and
> fortunately for me, I could see where they were keying the server to
> respond to with all the info.
>
> Now -- earlier today and this week, I've spent HOURS on the phone with
> Interland.  Communitech's servers went to Atlanta, Georgia a month ago or
> so.  I CANNOT RECOMMEND INTERLAND  -- THEY ARE WAY TOO BIG FOR DECENT
> CUSTOMER SUPPORT!!!!  I just signed a contract earlier this week for two
> new servers over at Netstandard . . . I can only hope they go in fast
> enough to curb this problem.
>
> Want to hear some really funny stuff?   I had snooped around and found
> where this little *%#$#'s IP was from, since they left some "traces" in my
> system.  I do an ARIN lookup and find the IP range is totally owned by one
> ISP.  I call up the ISP and get the runaround that to get the info, I'll
> need the police department to call.  I call up the local police department,
> explain the situation, call them back and then they tell the officer they
> can't do anything without a subpoena.  The officer can't do anything
> because my servers are in Atlanta, Georgia, so technically the crime has
> been committed there.  Now what are the odds that I'll get a cop in Atlanta
> to investigate this?  The ISP told me that they would probably just warn an
> individual if they found proof.  WARN THEM?  If I walk in to a liquor store
> and walk out with a bottle of booze and a freakin' bag of money (without
> paying), how is it any different than doing the same to a server?     But
> the ISP won't let me see the freakin' security camera -- because it would
> be a privacy issue?   Give me a break!
>
> -- Bradley Miller