
Re: [cobalt-security] RaQ2 Hacked within 1 day of being online



I know this is not directly connected ... but...

It happens quite often that my FTP port is scanned and someone
tries to log in anonymously... (I've seen that in the log file...)

Some time ago (when I still had the website on a W2K server)... I'd
forgotten to disable the anonymous login and the guy uploaded 1.7GB
of data into non-deletable directories (I had to reformat the partition)...

At that point I contacted the providers where the login attempts were
from... (about 5 different providers)... but no one answered my request
for information...

How do you usually handle this? Where do you find help in tracing hackers?
MUST service providers provide you with this kind of information based
only on our log files?

Thanks to everyone...

Dave.
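The usual first step for the "someone keeps trying anonymous logins" case is to pull the offending source addresses and a per-address timeline out of the ftpd log before writing to anyone, since an abuse desk will ignore a complaint without timestamps and counts. The script below is an added example, not code from this thread or from Cobalt; the log lines in it are constructed in a wu-ftpd-like syslog format (the exact message strings and the year are assumptions, so adjust the regexes for your own daemon). It groups login events per source IP, distinguishes refused anonymous attempts, failed real-account logins and, importantly, anonymous logins the server actually accepted (the state Dave's W2K box was in), and produces the summary lines you would paste into an abuse report.

```python
"""Triage FTP login attempts per source IP from a syslog-style ftpd log.

Added example, not from the original thread. Log format is assumed to be
wu-ftpd-like; the sample below is constructed, not real data.
"""
import re
from datetime import datetime

# Constructed sample log (not a real capture). syslog omits the year,
# so summarize() takes it as a parameter (2001 assumed, the thread's date).
SAMPLE_LOG = """\
Aug 28 02:14:07 raq ftpd[8123]: connection from 203.0.113.45
Aug 28 02:14:08 raq ftpd[8123]: FTP LOGIN REFUSED (anonymous ftp not allowed) FROM 203.0.113.45 [203.0.113.45], anonymous
Aug 28 02:14:09 raq ftpd[8124]: FTP LOGIN REFUSED (anonymous ftp not allowed) FROM 203.0.113.45 [203.0.113.45], ftp
Aug 28 02:14:11 raq ftpd[8125]: FTP LOGIN FAILED FROM 203.0.113.45 [203.0.113.45], admin
Aug 28 09:30:02 raq ftpd[8301]: FTP LOGIN FROM office.example.net [198.51.100.7], dave
Aug 28 23:55:41 raq ftpd[8410]: ANONYMOUS FTP LOGIN FROM 192.0.2.200 [192.0.2.200], mozilla@example.com
Aug 29 00:01:13 raq ftpd[8411]: FTP LOGIN REFUSED (anonymous ftp not allowed) FROM 203.0.113.45 [203.0.113.45], anonymous
"""

# syslog prefix: "Mon DD HH:MM:SS host ftpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: (?P<msg>.*)$"
)
# login events only; transfers and "connection from" notices are skipped.
LOGIN_RE = re.compile(
    r"^(?P<result>ANONYMOUS FTP LOGIN|FTP LOGIN REFUSED \([^)]*\)|FTP LOGIN FAILED|FTP LOGIN)"
    r" FROM \S+ \[(?P<ip>[\d.]+)\], (?P<user>.*)$"
)


def classify(result):
    """Map the ftpd result string to one of four event classes."""
    if result.startswith("ANONYMOUS"):
        return "anon_ok"       # anonymous login was ACCEPTED: the server allows it
    if "REFUSED" in result:
        return "anon_refused"  # anonymous attempt rejected by configuration
    if "FAILED" in result:
        return "failed"        # wrong password for a real account
    return "ok"                # successful login to a real account


def summarize(log_text, year=2001):
    """Return {ip: {first, last, users, anon_ok, anon_refused, failed, ok}}."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        lm = LOGIN_RE.match(m.group("msg"))
        if not lm:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        entry = per_ip.setdefault(lm.group("ip"), {
            "first": ts, "last": ts, "users": set(),
            "anon_ok": 0, "anon_refused": 0, "failed": 0, "ok": 0})
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["users"].add(lm.group("user"))
        entry[classify(lm.group("result"))] += 1
    return per_ip


def flag_sources(summary, threshold=3):
    """IPs worth reporting: any accepted anonymous login (your config is
    wrong, fix that first), or at least `threshold` refused/failed attempts."""
    flagged = [ip for ip, e in summary.items()
               if e["anon_ok"] > 0 or e["anon_refused"] + e["failed"] >= threshold]
    return sorted(flagged)


def report(summary, ips):
    """Plain-text lines with counts and a time window for an abuse complaint."""
    lines = []
    for ip in ips:
        e = summary[ip]
        lines.append(
            f"{ip}: {e['anon_refused']} refused anonymous, {e['failed']} failed, "
            f"{e['anon_ok']} accepted anonymous, {e['ok']} valid logins; "
            f"first {e['first']:%Y-%m-%d %H:%M:%S}, last {e['last']:%Y-%m-%d %H:%M:%S}; "
            f"users tried: {', '.join(sorted(e['users']))}")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(report(s, flag_sources(s)))
```

Two caveats when you use this for real: the source address in the log is only where the connection came from, not where the person sits (Kevin's point about hopping through already-cracked boxes applies to FTP scanners too), and the window between "first" and "last" is what the provider needs to match against its own records, so send it in UTC with your server's clock offset stated.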

----- Original Message -----
From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Tuesday, August 28, 2001 8:23 PM
Subject: Re: [cobalt-security] RaQ2 Hacked within 1 day of being online


> From: "Patrick Agee" <pagee@xxxxxxxxxxxxxx>
>
> > KD - Consider the possibility that this is an inside job. Could one of
> > your customers / employees / former employees be doing this?
> > PA - Probably not an inside job, as I am the only one here with my company;
> > also the ISP where it's co-located hasn't hired/fired anybody new in the
> > last 8-10 months. IPs show the hits to mine are from Canada, and one of my
> > ISP's Cobalts has been hit and the IP for theirs shows Europe.
>
> In light of this and other recent posts, my guess would be that the same
> hacker is responsible for both attacks. Since your ISP's box was cracked
> first, the attacker probably sniffed your password from this neighboring
> box, and connected to your server from a completely different server. The
> attacker probably owns both the box in Canada and the one in Europe. The
> speed of the attack suggests that the attacker was running a sniffer on the
> neighboring server. Generally, when a hacker sets up a sniffer, he will save
> a bunch of data from the sniffer into a file and come back to check it
> periodically. He probably noticed your login among the sniffer logs
> relatively soon after you connected the machine and telnetted to it. At that
> point, your server was the next prime target.
>
> If you are really interested in tracing the attack, you need to find out how
> the ISP's box was cracked, and show the appropriate logs to the
> organizations that run the cracked servers. If those organizations are
> feeling cooperative, you may get somewhere (those organizations would have
> to trace how their boxes have been hacked, and the cycle continues). Oh, and
> by the way, you'll have to get all of that done ASAP, because most admins
> don't keep logs past a month or so.
>
> Kevin
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
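For anyone unsure why Kevin's scenario is so cheap for the attacker: a telnet session carries the login and password as plain bytes, so a sniffer on a neighbouring box on the same segment needs no cracking at all, just a state machine that pairs each server prompt with the next client line. The code below is an added illustration, not from this thread or from Cobalt; the packet list in it is a constructed client/server exchange (not a real capture), and the prompt strings, option bytes and hostnames are assumptions. It strips telnet option negotiation (IAC sequences) and reconstructs what was typed, whether the client sent one character per packet or a whole line.

```python
"""Reconstruct a telnet login from captured cleartext, as a sniffer would.

Added example, not from the original thread. SAMPLE_PACKETS is a
constructed exchange (not a real capture): direction 'c2s' is client
to server, 's2c' is server to client, in wire order.
"""
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT

# Constructed exchange: option negotiation, a character-at-a-time login
# echoed by the server, and a line-at-a-time password that is not echoed.
SAMPLE_PACKETS = [
    ("s2c", bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x20])
            + b"Cobalt RaQ2 (raq.example.net)\r\n\r\nlogin: "),
    ("c2s", bytes([IAC, 0xFB, 0x18, IAC, SB, 0x18, 0x00]) + b"VT100" + bytes([IAC, SE])),
    ("c2s", b"d"), ("s2c", b"d"), ("c2s", b"a"), ("s2c", b"a"),
    ("c2s", b"v"), ("s2c", b"v"), ("c2s", b"e"), ("s2c", b"e"),
    ("c2s", b"\r\n"), ("s2c", b"\r\n"),
    ("s2c", b"Password: "),
    ("c2s", b"s3cret!\r\n"),
    ("s2c", b"\r\nLast login: Tue Aug 28 19:02:11 from 198.51.100.7\r\n[dave@raq dave]$ "),
]


def strip_telnet_options(payload: bytes) -> bytes:
    """Drop IAC option negotiation and subnegotiation, keep the user data."""
    out = bytearray()
    i = 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(payload):
            break                   # truncated IAC at end of packet
        cmd = payload[i + 1]
        if cmd == IAC:              # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in NEGOTIATE:      # IAC WILL/WONT/DO/DONT <option>
            i += 3
        elif cmd == SB:             # IAC SB <option> ... IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        else:                       # other two-byte command (NOP, GA, AYT, ...)
            i += 2
    return bytes(out)


def extract_credentials(packets):
    """Pair each 'login:' / 'Password:' prompt from the server with the next
    line the client sends. Server echo is ignored; the client side is what
    was actually typed. Returns {'login': ..., 'password': ...}."""
    creds = {}
    pending = None              # prompt the client is currently answering
    typed = bytearray()
    for direction, payload in packets:
        data = strip_telnet_options(payload)
        if direction == "s2c":
            if pending is None:
                text = data.decode("latin-1").rstrip().lower()
                if text.endswith("login:"):
                    pending = "login"
                elif text.endswith("password:"):
                    pending = "password"
        elif pending is not None:
            typed += data
            if b"\r" in typed or b"\n" in typed:
                # telnet NVT ends a line with CR LF or CR NUL
                line = typed.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n")
                line = line.replace(b"\r", b"\n")
                creds[pending] = line.split(b"\n", 1)[0].decode("latin-1")
                typed = bytearray()
                pending = None
    return creds


if __name__ == "__main__":
    print(extract_credentials(SAMPLE_PACKETS))
```

The practical consequence is the one Kevin draws: once a box on the same segment is compromised, every password typed over telnet to any neighbour should be considered known to the attacker, and the only fix is to stop using telnet for administration (an encrypted login such as ssh gives the sniffer nothing to pair up) and to change every password that was ever sent in the clear.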