VanLUG Email Archive

Re: Why Do Hackers Do This?

Raymond D. Mereniuk
Fri, 2 Oct 1998 04:44:21 -0800

Brian Edmonds writes:

> Good question. They could have been using a rootkit that did it for
> them, and they really had no clue.
> I say morons, as the cracker (note, not hacker) didn't actually get very
> far on the system. The rootkit came mainly as source, and that machine
> doesn't have a compiler. :)

Morons is a bit of a strong term, but probably correct. The folks that
hacked the two systems didn't seem to do much with them. I
checked all the mail logs to make sure they didn't mail any death
threats to someone who would care. There was enough information
in the logs to find almost all the perpetrators.

In the past I would notice the level of attacks/probes increase and
then I would start Emailing their ISPs with log entries. Then
attack/probe activity would drop to almost nothing. A few weeks
later the attacks/probes would slowly start again and increase until I
started Emailing ISPs again. What a boring cycle.

I figure these folks must all communicate in one common forum
somewhere on the Internet. They must pass around lists of blocks
of IP numbers. Otherwise you would expect the attacks/probes to
continue on a regular distributed basis.

I went through the logs for both systems and mailed log entries to
every ISP involved and asked them to police their users. The US
ISPs were all very responsive. One ISP in Sudbury ON responded,
and Sympatico did not. The one Australian ISP, Ozemail, responds
real fast - I have dealt with them before. I even tried to
communicate with system admins in South Korea, Japan, and "se"
wherever that is.

pursue action against perpetrators, or run a more secure version of
Unix. Do you guys take action against all attacks/probes?