RE: [cobalt-users] Ok. I have been hacked and I have the .bash_history that shows how it was done
- Subject: RE: [cobalt-users] Ok. I have been hacked and I have the .bash_history that shows how it was done
- From: BSmith@xxxxxxxxxxx
- Date: Fri Feb 22 20:59:19 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Some steps that you can take to track them down ..

Find out their IP address (either by using "last" or by looking through your "messages" log). Do a reverse lookup of their IP address (or network) and contact their ISP. Figure out the time difference if one exists, and ask to speak to their Network Admin / Radius Admin. Ask them to see which user logged on at this time with this IP address. That will allow them, or you, to know who the actual user was. Make sure they keep that "receipt".

I guess you could call the FBI (if it is over state lines), and have them prosecuted. I am not sure what they will do.

Now, the fun part. If they were a true hacker, they probably jumped through a few Unix shells here and there prior to arriving at your site. You could go through that hassle of tracking them that way. But I am sure a lot of admins do not want to spend the time working on it, unless they have been hacked also.

Recommendations: turn off Telnet/SSH, keep a console connection to the unit, and figure out a way to write a shell script to turn on the web admin portion when needed. Say ... that is a good idea for you Cobalt Engineers. Is that possible????? For us paranoid folk out here?

You may also consider installing IP Chains (if your kernel has support for it), blocking all ports, and then allowing certain ports to come in (80, 53, 21) ... Lock your box tight. That is, if you really want to stop hackers from coming in.

Btw, I just realized, if you want to turn off the remote admin, you can install IP Chains and turn off port 81. That would do it. Set up SSH for a basic NON ROOT user (strange name, stranger password), and port forward 81 into the box locally. If you want to go through the effort of securing your box.

God, I love network security :)
Brian Smith
CCNA, NCSA
Network Support Engineer
SOLUSERVE
www.solunet.com
1571 Robert J. Conlan Blvd., Suite 110
Palm Bay, FL 32905
(888)449-5766
fax: (321)-308-7986
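An added example (not from the list message) of the first step Brian describes: pull remote sessions out of `last` output, correlate them with the messages log by source IP, and flag accounts that should never log in remotely. The `last` lines, syslog lines, the host name `raq` and the `expected_users` allow-list are all constructed for the example.

```python
"""Correlate `last` output with /var/log/messages to see who logged in from where."""
import re
from collections import defaultdict

# Constructed sample of `last` (wtmp) output from a 2002-era Linux box.
LAST_OUTPUT = """\
admin    pts/0        10.0.0.5         Fri Feb 22 18:02   still logged in
httpd    pts/1        192.0.2.77       Fri Feb 22 03:14 - 03:40  (00:26)
admin    ttyp0        10.0.0.5         Thu Feb 21 09:12 - 09:50  (00:38)
root     tty1                          Wed Feb 20 08:00 - 08:05  (00:05)
"""

# Constructed sample lines from /var/log/messages (in.telnetd, login, sshd).
MESSAGES = """\
Feb 22 03:13:58 raq in.telnetd[4311]: connect from 192.0.2.77
Feb 22 03:14:02 raq login: LOGIN ON ttyp1 BY httpd FROM 192.0.2.77
Feb 22 18:01:55 raq sshd[5120]: Accepted password for admin from 10.0.0.5 port 40112 ssh2
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_last(text):
    """Return (user, tty, ip, when) for each remote session in `last` output."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        user, tty, host = parts[0], parts[1], parts[2]
        if not IP_RE.fullmatch(host):   # console logins have no host column
            continue
        when = " ".join(parts[3:7])     # e.g. "Fri Feb 22 03:14"
        sessions.append((user, tty, host, when))
    return sessions

def messages_for_ip(text, ip):
    """Return the messages-log lines that mention exactly this IP address."""
    return [line for line in text.splitlines() if ip in IP_RE.findall(line)]

def suspicious_logins(last_text, messages_text, expected_users):
    """Group sessions by source IP; report IPs whose users are not on the allow-list,
    together with the syslog evidence to hand to the ISP."""
    by_ip = defaultdict(set)
    for user, _tty, ip, _when in parse_last(last_text):
        by_ip[ip].add(user)
    flagged = {}
    for ip, users in by_ip.items():
        unexpected = users - set(expected_users)
        if unexpected:
            flagged[ip] = {"users": sorted(unexpected),
                           "evidence": messages_for_ip(messages_text, ip)}
    return flagged
```

Run against the real files with `last > last.txt` and the box's `/var/log/messages`; remember the remote ISP's logs may be in a different time zone, so hand them the time together with your offset from UTC.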
-----Original Message-----
From: Gavin Nelmes-Crocker [mailto:cobalt@xxxxxxxxxxxxxxxx]
Sent: Friday, February 22, 2002 1:56 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] Ok. I have been hacked and I have the .bash_history that shows how it was done
> This is great. I have the complete transcript of what happened. In the
> .bash_history I have where the hacker went to get his tar.gz files and how
> he/she used them.
>
> I downloaded all the tar.gz files that the hacker downloaded and I have the
> yahoo account he/she used to mail files to. So now what do I do?
Not a very clever hacker then, assuming they don't read this list. I would call your local police department and hand the info over; in the UK we have a special computer squad for this sort of thing. Of course that doesn't mean anything will get done, so you could just ignore it, rebuild the server, apply all patches and get back to work.

More interesting for the list is: do you have any idea how you were hacked? Was the box fully patched, do you use ssh instead of telnet and was telnet turned off, and do you use ssl for the admin pages?
Gavin