ACK! -- CONTINUED

Paul Taylor paul at kcnetcare.com
Sun Apr 20 08:55:08 CDT 2003


The FBI WILL NOT help you unless you have solid evidence that a cracker
caused more than $2,000 (or $5,000) worth of damages. I can't remember
whether it was 2 or 5 though.

-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net] On Behalf Of Zscoundrel
Sent: Sunday, April 20, 2003 1:26 AM
To: Bradley Miller
Cc: kclug at kclug.org
Subject: Re: ACK! -- CONTINUED

Contact the FBI.  This is an INTERSTATE jurisdiction, and unless the ISP
starts to cooperate, they are guilty of collusion because by not
cooperating, they are protecting the perpetrator.

Bradley Miller wrote:

> At 08:18 PM 4/19/2003 -0700, you wrote:
>
>> I'm just curious, what tipped you off that the box was
>> compromised? Were there any obvious signs, or did you
>> catch something in your logs?
>>
>> Kurt
>
>
> Since there are a lot of people asking, I'll give you the details:
>
> Actually discovered it purely by accident.  I have one server that is
> bouncing up and down, why I don't know.  I decided to restore my
> database backup onto one of my other servers and start running it as
> my secondary server in the interim.  While there I accidentally hit the
> down arrow to recall a previous command, and saw a peculiar
> instruction.  I looked in the bash history file and sure enough, I
> found the intruder.  They installed a "toolz" file to compromise the
> system and then a "clean me up" script to remove all traces of their
> activity.  Unfortunately for them, and fortunately for me, I could see
> where they were keying the server to respond to with all the info.
>
> Now -- earlier today and this week, I've spent HOURS on the phone with
> Interland.  Communitech's servers went to Atlanta, Georgia a month ago
> or so.  I CANNOT RECOMMEND INTERLAND -- THEY ARE WAY TOO BIG FOR
> DECENT CUSTOMER SUPPORT!!!!  I just signed a contract earlier this
> week for two new servers over at Netstandard . . . I can only hope
> they go in fast enough to curb this problem.
>
> Want to hear some really funny stuff?  I had snooped around and found
> where this little *%#$#'s IP was from, since they left some "traces"
> in my system.  I do an ARIN lookup and find the IP range is totally
> owned by one ISP.  I call up the ISP and get the runaround that to get
> the info, I'll need the police department to call.  I call up the
> local police department, explain the situation, call them back and
> then they tell the officer they can't do anything without a subpoena.
> The officer can't do anything because my servers are in Atlanta,
> Georgia, so technically the crime has been committed there.  Now what
> are the odds that I'll get a cop in Atlanta to investigate this?  The
> ISP told me that they would probably just warn an individual if they
> found proof.  WARN THEM?  If I walk into a liquor store and walk out
> with a bottle of booze and a freakin' bag of money (without paying),
> how is it any different than doing the same to a server?  But the
> ISP won't let me see the freakin' security camera -- because it would
> be a privacy issue?  Give me a break!
>
> -- Bradley Miller
>
