I am just curious, in these days where every script kiddie with a few spare hours is out cracking into every box in sight, what do you all do when it happens? I know the isolate/reinstall stuff, I am specifically more interested in administrative stuff. Do you log it? Report it to the police? FBI? Who?

Basically, I just had a box cracked, and have time to kill before I get access to it to reinstall (Damn cheap colo provider...) and am wondering if I should just reinstall and get on with life, or if I should be covering my ass, since I have things on there that will make me unhappy if they are taken and released to the public domain (Reg codes for software and the like.)

Let me know!

Jamie
On Tue, Jun 05, 2001 at 08:38:54AM -0400, Jamie Norwood put this into my mailbox:
I am just curious, in these days where every script kiddie with a few spare hours is out cracking into every box in sight, what do you all do when it happens? I know the isolate/reinstall stuff, I am specifically more interested in administrative stuff. Do you log it? Report it to the police? FBI? Who?
Basically, I just had a box cracked, and have time to kill before I get access to it to reinstall (Damn cheap colo provider...) and am wondering if I should just reinstall and get on with life, or if I should be covering my ass, since I have things on there that will make me unhappy if they are taken and released to the public domain (Reg codes for software and the like.)
Log what you can, including what software if any you found placed on the box, what was done/modified, and where the cracker(s) came in from if you can find that (as well as how they got in); keep a record of time spent and itemize the costs required to recover. Take this report (it doesn't have to be anything fancy, just something that's legible and easy-to-read), and send it to your local FBI office. If you can, put any software or binaries (or other items) deposited on the machine by a cracker on a CD and include that. Keep in mind you want to modify as little as possible while you do this; mount the disk read-only if you can and remove it from the network. If you really want to get technical, SANS.org or someplace probably has more detailed forensics tips.

Basically, do as much computer forensics as you can, include estimates of monetary damages (be realistic), and pass along what you can to the feds. Chances are you won't get anything back from it personally, but the FBI might be able to use your info to link back to some other case they're working on, and it'll be that much more evidence against a person they're already tracking when it comes time to press charges. If you don't have time, oh well, but I'm sure the FBI will appreciate any information you can get them.

If you really have time, see if your local field agent(s) want to review the machine personally; though chances are they're not going to insist that you leave the machine with them for months or anything like that.

You may be able to report the case to the police as well, but unless you're heavily interested in pressing charges, chances are it'll just be filed and reported up the ladder to the feds anyhow.

-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen), Founder, the DALnet IRC Network
"I'd like mornings better if they started later."
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/ whois: SN90 Try DALnet! http://www.dal.net/
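The evidence-preservation steps in the reply above (record what was deposited and modified, touch the compromised disk as little as possible, mount it read-only, keep a record of what you did) as an added shell example; this is not code from the thread or from any of its participants. It assumes the compromised disk has already been mounted read-only at some path and the box is off the network; for the demo it builds a constructed sample directory in place of that disk, so the file names, the setuid "suspicious_bin", the 192.0.2.10 address and the report layout are all made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Preserves evidence from a
# compromised disk that has already been mounted READ-ONLY at $1 (the
# box should be off the network by now). Output goes to a separate
# directory $2 so nothing on the compromised filesystem is touched.

hash_file() {
    # sha256sum on Linux, shasum on BSD/macOS; prints only the digest
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

relpaths() {
    # Strip the mount prefix so the report does not depend on where the disk was mounted
    while read -r f; do printf '%s\n' "${f#"$1/"}"; done
}

log_custody() {
    # Chain-of-custody line: when (UTC), who, what
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$2" >> "$1/custody.log"
}

manifest_entries() {
    # Number of files recorded in the manifest
    wc -l < "$1/manifest.sha256" | tr -d ' '
}

collect_evidence() {
    root=$1
    out=$2
    mkdir -p "$out"
    log_custody "$out" "collection started from $root"
    # Hash every regular file so later tampering with the copy is detectable
    find "$root" -type f | sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "${f#"$root/"}"
    done > "$out/manifest.sha256"
    # Files changed in the last 7 days: the first place to look for deposited tools
    find "$root" -type f -mtime -7 | sort | relpaths "$root" > "$out/recent.txt"
    # Setuid binaries: a classic hiding place for a backdoor
    find "$root" -type f -perm -4000 | sort | relpaths "$root" > "$out/setuid.txt"
    # Hash the report itself so it can be shown unmodified later
    for f in manifest.sha256 recent.txt setuid.txt; do
        printf '%s  %s\n' "$(hash_file "$out/$f")" "$f"
    done > "$out/evidence.sha256"
    log_custody "$out" "collection finished; $(manifest_entries "$out") files hashed"
}

make_sample_fs() {
    # Constructed stand-in for the compromised disk; nothing here is real attacker tooling
    mkdir -p "$1/etc" "$1/tmp/.hidden"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$1/etc/passwd"
    printf '#!/bin/sh\necho placeholder\n' > "$1/tmp/.hidden/suspicious_bin"
    chmod 4755 "$1/tmp/.hidden/suspicious_bin"
    printf 'login root from 192.0.2.10 (made-up address)\n' > "$1/tmp/.hidden/sniff.log"
}

# Demo run against the constructed sample
work=$(mktemp -d)
make_sample_fs "$work/disk"
collect_evidence "$work/disk" "$work/evidence"
cat "$work/evidence/custody.log" "$work/evidence/setuid.txt" "$work/evidence/manifest.sha256"
```

On a real case the evidence directory (including custody.log and evidence.sha256) is what goes on the CD with the report; the digests in evidence.sha256 let you show later that the manifest and file lists are the ones you produced at collection time.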
I should've included a disclaimer with that; I don't speak for the FBI or anyone but myself; the below is what I've gotten from experience. None of this is guaranteed, take it with a grain of salt, etc. etc. etc. Call it a "Best Practices" as far as I know. }:>

-dalvenjah

On Tue, Jun 05, 2001 at 09:54:00AM -0700, Dalvenjah FoxFire put this into my mailbox:
Log what you can, including what software if any you found placed on the box, what was done/modified, and where the cracker(s) came in from if you can find that (as well as how they got in); keep a record of time spent and itemize the costs required to recover. Take this report (it doesn't have to be anything fancy, just something that's legible and easy-to-read), and send it to your local FBI office. If you can, put any software or binaries (or other items) deposited on the machine by a cracker on a CD and include that. Keep in mind you want to modify as little as possible while you do this; mount the disk read-only if you can and remove it from the network. If you really want to get technical, SANS.org or someplace probably has more detailed forensics tips.
Basically, do as much computer forensics as you can, include estimates of monetary damages (be realistic), and pass along what you can to the feds. Chances are you won't get anything back from it personally, but the FBI might be able to use your info to link back to some other case they're working on, and it'll be that much more evidence against a person they're already tracking when it comes time to press charges. If you don't have time, oh well, but I'm sure the FBI will appreciate any information you can get them.
If you really have time, see if your local field agent(s) want to review the machine personally; though chances are they're not going to insist that you leave the machine with them for months or anything like that.
You may be able to report the case to the police as well, but unless you're heavily interested in pressing charges, chances are it'll just be filed and reported up the ladder to the feds anyhow.
-dalvenjah

--
Dalvenjah FoxFire (aka Sven Nielsen), Founder, the DALnet IRC Network
"I'd like mornings better if they started later."
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/ whois: SN90 Try DALnet! http://www.dal.net/

--
Dalvenjah FoxFire (aka Sven Nielsen), Founder, the DALnet IRC Network
"Thy wit is as quick as the greyhound's mouth - it catches."
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/ whois: SN90 Try DALnet! http://www.dal.net/
At 09:54 AM 6/5/01 -0700, Dalvenjah FoxFire wrote:
You may be able to report the case to the police as well, but unless you're heavily interested in pressing charges, chances are it'll just be filed and reported up the ladder to the feds anyhow.
Depends on your local police. Here in Austin they are surprisingly interested in prosecuting computer crime. A few months ago I had a client who hacked someone's website and left dirty fingerprints all over the place. In many locales nothing would have ever happened, but the police made an official request for logs, confiscated his computers, collected supporting evidence, and charged him with some sort of crime. I didn't follow up to see what the disposition was, but I suspect that he at least paid a hefty fine. In other areas I've seen the police completely clueless.
The best you can do (if you have the time) is to trace these kids back; find where they store stolen/sniffed information, where they are coming from (I have installed my own trojan on my host to do it); look into the sniffer logs they (maybe) have there and determine which other passwords are compromised and (maybe) you'll find their own passwords there. If you have more time and the hackers are active, create a fraudulent account on another system, present it to the hackers through their own sniffer, and look at where this account gets used from. If you have even more time, create a fraudulent credit card number, make sure they get it, and trace it back... And so on. When re-installing the system, don't close their backdoor but set up a banner _system is overloaded, try later_ and you'll have a chance to get more information -:). Really, any hackers can be traced to their roots, but it takes a lot of time to do it.

PS. And don't hope the FBI or someone else will help; except if there is real damage.

----- Original Message -----
From: "Jamie Norwood" <jnorwood@adelphia.net>
To: <nanog@merit.edu>
Sent: Tuesday, June 05, 2001 5:38 AM
Subject: Rooted boxen and the law
I am just curious, in these days where every script kiddie with a few spare hours is out cracking into every box in sight, what do you all do when it happens? I know the isolate/reinstall stuff, I am specifically more interested in administrative stuff. Do you log it? Report it to the police? FBI? Who?
Basically, I just had a box cracked, and have time to kill before I get access to it to reinstall (Damn cheap colo provider...) and am wondering if I should just reinstall and get on with life, or if I should be covering my ass, since I have things on there that will make me unhappy if they are taken and released to the public domain (Reg codes for software and the like.)
Let me know!
Jamie
participants (4)
- Albert Meyer
- Alexei Roudnev
- Dalvenjah FoxFire
- Jamie Norwood