Tracking cracker, help?
I'm tracking down an individual that has attacked both my personal site, as well as one of my customers' sites. In this particular attempt, when his 'normal' site was blocked by IP address, he immediately started to use dial-up sites all over his local area, then ranged further into the US.

On my system, he had installed a password sniffer. I suspect that this was a common mode of operation for him.

Naturally, I logged all of the attempts at the router level. I emailed the logs to the origin ISPs, and (with one notable exception) was met with huge indifference. In the queries, I am asking only for a confirm/deny of the user's name - I am not asking the ISPs involved to release the names of the dialup users. That, of course, will come later. Right now, I'm just trying to confirm that the same individual is launching the attacks.

A police report has been filed, and a restraining order will be served tomorrow.

What's a better way to ask for, and obtain, log information in a timely fashion? Wait 6 months for a court trial, when everyone has purged their logs?

Clues would be appreciated.

--
Dave Rand
dlr@bungi.com
http://www.bungi.com
> What's a better way to ask for, and obtain, log information in a timely fashion? Wait 6 months for a court trial, when everyone has purged their logs?
>
> Clues would be appreciated.
>
> --
> Dave Rand
> dlr@bungi.com
> http://www.bungi.com
Official fax to the company on letterhead with a Cc list that includes law enforcement, phone calls, asking if you may have the name and position of the person that you are speaking with on the phone to include in your reports, etc, etc, etc. This sort of thing is frankly a severe pain, and many ISPs are tired of people crying wolf (a fairly common thing is for people who think that they are security experts to demand instant trackdowns of the person who just did an expn command to their sendmail server, etc). What you have to do is clearly and quickly get the point across that you are not clueless, and that the person doing legwork for you isn't wasting their time. Different methods work for different people (or their managers ... usually a last resort though). At the worst, you can only document lack of response.

---------------------------------------------------------------------------
Andrew W. Smith ** awsmith@neosoft.com ** Network Engineer ** 1-888-NEOSOFT **
"Opportunities multiply as they are seized" - Sun Tzu **
** http://www.neosoft.com/neosoft/staff/andrew **
---------------------------------------------------------------------------
The sad thing is, until you have a court order, the other ISP isn't necessarily obligated to help you. There is no law stating that they have to turn logs over to you. It's usually up to the other admins, but every time I've had this problem, we've gotten really good responses from the offender's provider. I don't know who you spoke with, but you might try going to an owner if you only spoke to an admin. Owners tend to take attacks coming from their sites a lot more seriously than admins do, and would probably be a much better point of contact. I'm sure, given the fact that your business is severely affected by these attacks, that it would be greatly appreciated if he'd/they'd help you out before the story broke the news (what hurts a business more than bad publicity?), and you'd really like him to cooperate fully. After niceness hasn't worked, you could always threaten with a civil suit of some kind... Just remember to be nice before you start playing hardball.

Regards,
Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
"Learn more, and you will never starve." - Paraphrase of Lee

On Mon, 28 Jul 1997, Dave Rand wrote:

> I'm tracking down an individual that has attacked both my personal site, as well as one of my customers' sites. In this particular attempt, when his 'normal' site was blocked by IP address, he immediately started to use dial-up sites all over his local area, then ranged further into the US.
>
> On my system, he had installed a password sniffer. I suspect that this was a common mode of operation for him.
>
> Naturally, I logged all of the attempts at the router level. I emailed the logs to the origin ISPs, and (with one notable exception) was met with huge indifference. In the queries, I am asking only for a confirm/deny of the user's name - I am not asking the ISPs involved to release the names of the dialup users. That, of course, will come later. Right now, I'm just trying to confirm that the same individual is launching the attacks.
>
> A police report has been filed, and a restraining order will be served tomorrow.
>
> What's a better way to ask for, and obtain, log information in a timely fashion? Wait 6 months for a court trial, when everyone has purged their logs?
>
> Clues would be appreciated.
>
> --
> Dave Rand
> dlr@bungi.com
> http://www.bungi.com
The appropriate behavior, methinks, is to trap the requested information (if it all seems like a reasonable request), file it for yourself, and to inform the other side that you will turn it over when summoned by a court (or whatever makes you comfortable.) That's what the telcos do with phone numbers, such as someone making a harassing call to you right this moment (e.g., you call them on another phone). I think the term is "wire record": they trap the info and file it appropriately and await a proper (legal) request. It seems reasonable.

--
-Barry Shein
Software Tool & Die | bzs@world.std.com | http://www.std.com
Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
The World | Public Access Internet | Since 1989
> What's a better way to ask for, and obtain, log information in a timely fashion? Wait 6 months for a court trial, when everyone has purged their logs?
>
> Clues would be appreciated.
Well, you've taken the first step in reporting it to the police. You should now explain to them that log entries might be purged as normal routine, and get them to have the courts serve them with subpoenas for the log information.

Steve Mansfield
steve@nwnet.net
NorthWestNet Network Engineer
425-649-7467