Announcement

**TheCotMan** · June 14, 2004, 18:18

Originally posted by wembley

[clip]
What I want to know is, how should I deal with this transgression?
[clip]

Reformat, rebuild, reinstall, improve security, do not retaliate.

Check your audit trails to make sure this was not used as a jump point for other machines.

Retaliation will make you "look bad" and can lead to an arms race and escalation and the defender [may eventually] run the risk of DDoS when there are many attackers, or fairly skilled, but small numbers of attackers. Choosing to "fight back" by corrupting or trojaning software can also put you in jail (if in the U.S.) depending on what you do.

The easiest path for you, and least work, with least risk for yourself seems to be to learn from the mistake and move on. The cost of retlaiation includes *not* learning something else or improving yourself over the same time.

[Added content above in [ ] and below]

From TAoW: (paraphrased) Do not start a battle if you cannot win. If you cannot win a battle, focus on defense or look to postpone engaging until you can win.

**grok** · June 14, 2004, 19:59

I agree with thecotman. Personally, after I've imaged more machines I can count in one day, I get bored/tired/depressed, whatever, I still try and make sure that that machine can't be easily comprimised. I'm basically afraid a comprimised box could lead to a 'launch point' for that person to attack other boxes.

I'd personally reimage the machine, and report the person to their ISP, most ISP's that I know of today have a very low tolerance for that kind of service abuse. Even if their ISP could care less, as least if you harden it, chances are they won't be back.

After you reinstall the OS, harden it to the best of your ability, and then create an image of that clean install, so that if it happens again, you're just an image install away from a clean box. Review your logs, collect, regroup, and fix whatever allowed the comprimise.

From my limited experience, unless you have somthing somone explicitly wants (besides just gaining control of the box) most people will bypass your box if they find out the basic, well-known exploits have been patched. I bet by keeping the software packages up to date and changing the default passwords it'll be alot longer before you get rooted again....unless you have a neighbor that likes to fuck with you.

**astcell** · June 14, 2004, 21:05

When you say "outside the DMZ" I take it you mean that it is on the Internet on the other side of your Firewall? That is the Wild West my friend. I don't expect a box to last a day out there.

**dataworm** · June 15, 2004, 03:32

Not sure if it justified for this case, but I like to use the Baseball bat technique for spammer and spyware author... Just talking about it may do the job :D No need to actually do it...
In case of hacking, what could be usefull is to make fake picture of script kiddie beaten up , so that once the said hacker break on your computer and find those, he might want to stay away of your computer :)

**phobal** · June 15, 2004, 07:44

you know you're lame when you go to a computer security conference forum looking for help to retaliate some 'lamer' who sodomized your ass.

**highwizard** · June 15, 2004, 11:03

Originally posted by phobal

you know you're lame when you go to a computer security conference forum looking for help to retaliate some 'lamer' who sodomized your ass.

But Phobal, you're Bi... Doesn't that mean you enjoy getting your ass sodomized? If so, you can't really use it as an insult.

**ch0l0man** · June 15, 2004, 13:34

to late you already made big stink, it was your fault, not kind of. you parked your car in watts and left the keys inside, what did you expect.
so they turned you box in to a warez ftp, did you not notice your disk space being eaten up by the uploading of warez.
calling the man, blah! just let it go and move on.

**kallahar** · June 15, 2004, 16:29

By leaving your box basically open to attack you pretty much deserve whatever they hit you with. If you want security then you need to lock you stuff down and not *ever* do idiotic things like making the password the same as the username and picking a username as "user". Secure your stuff first, then think about retribution.

**wembley** · June 15, 2004, 18:09

Well, like I said, this box had nothing of value, just a few pictures, etc, and some WWW programs that I wanted access to from outside the firewall. While it was kinda my fault for leaving a username user with PW user, I was looking for creative ways to deal with the people who got in.

The theory is that if someone "haxx0red" my box outside the firewall, they wouldn't do anything to any of the stuff inside my firewall where the important stuff lives....

-Wembley

**TheCotMan** · June 15, 2004, 18:18

Originally posted by wembley

The theory is that if someone "haxx0red" my box outside the firewall, they wouldn't do anything to any of the stuff inside my firewall where the important stuff lives....

This is probably not a good idea to put into practice. If your external box gets "owned" then they will likley have a high-bandwidth jump point from which to launch other attacks [against your other machines.] Also, if this host is used by authorized users to gain access to hosts behind the firewall, then MiM or key-grabbing tools or other password retention programs can be used to leverage this exposed system access to include control of other machines behind your firewall.

[Edit: added content above- in [ ] which was omited in first round. ]

**kallahar** · June 16, 2004, 08:29

It's not what's *on* the box that's valuable, it's the box itself. Remember that *you* are liable for what goes on on machines that you own, and on the network connection that you pay for. Having a box rooted and turned into a warez server puts you at huge legal risk if, say, the RIAA comes knocking. Who knows, you could be one of their next 1000 lawsuits.

**spahkle** · June 17, 2004, 00:44

Originally posted by wembley

While it was kinda my fault for leaving a username user with PW user

No, it was completely your fault that the user name and password were set to the same values [user].

Originally posted by wembley

I was looking for creative ways to deal with the people who got in.

As for dealing with people who broke into your system and then staged Warez and attacks off of your box, suck it up, start over and learn from the experience (and *ahem* make backups of the "evidence" in case any form of prosecution occurs

) .

Rebuild your box, place it in a dmz behind a firewall with appropriate security measures in place. If it's just website/ftp access you require, NAT/PAT those services through your firewall. Use SFTP and HTTPS. After the box is rebuilt, run tripwire and then re-run tripwire periodically to verify the box has been hacked. Your boxen have already been demonstrated vulnerable. The same people who hit the first time may very well come back looking for more. Don't give it to them.

While you're at it, if you are an enterprising individual, you could visit The Honeynet Project and create a REAL "sacrificial lamb" [as stated in your first post]. Watching what happens to your box configured as a honeypot could be a valuable learning experience.

hth

**spahkle** · June 17, 2004, 00:55

Originally posted by wembley

What I want to know is, how should I deal with this transgression? I don't really want to make a big stink, I'm really not interested in prosecuting the persons who used my server. I just want to get the idea across that I don't really appreciate people using my server without my permission. I have log files of the IP addresses that connected to and used my server.

I could, of coure, re-open the user/user account on my server, but corrupt the warez files on the system so people spend hours downloading garbage.... Or, I could program the system to drop the connection after 99% of the file has been downloaded, and not allow reconnect transfers.....

Originally posted by phobal

you know you're lame when you go to a computer security conference forum looking for help to retaliate some 'lamer' who sodomized your ass.

If you notice, Wembly at no point requested assistance in "retaliating" against the people who did this action. He asked for ideas in how to respond to a system intrusion. The majority of responses have been "rebuild/restore, learn, protect yourself better in the future."

Your response didn't make much sense to me. I have to ask, why wouldn't he ask his question (a valid question otherwise the admins would have moved it to /dev/null by now) in this forum? I realize we can't all be l33t like yourself with visions of self-grandeur looking down our nose at anybody who posts to the forum... but help us troglodytes out. Help us see the error of our ways for treating his request with the seriousness it merits.

Announcement

Best way to deal with someone breaking into my machine?

Best way to deal with someone breaking into my machine?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment