Security Basics mailing list archives

Re: compromised network - followups


From: root <root () Virtual Linux-Sec net>
Date: Wed, 31 Dec 2003 12:39:57 -0800


hi ya carvey

just some comments to add to yours..

On Wed, Dec 31, 2003 at 05:08:15PM -0000, H Carvey wrote:

>> Also, is there any legal action I should take (i.e. Do I alert any authorities)?

> In the US, the Attorney General has mandated that a financial loss of $5000 must be demonstrated in order to involve
> the FBI.  In reality, that number is much higher.

we justified $5K of damages and the fbi was involved faster than you can blink ...
        - it also happened that the crackers were playing/sniffing gov't traffic, which helped

- result after about a week of "attacks" ...
        ( the crackers never got into our servers.. just lots of attempts )

        - the isp lost control of about 200 servers since they continued to allow the
        crackers to play with their servers and attack users ( like us )

        - the cracker supposedly lost control of about 25 machines

        - i don't know all the details ... it's probably still being investigated or they've settled
                - i have other things to do... just like that they are investigating the cracker

        - i just called the fbi on the phone: hey Mr FBI Agent, the cracker from ip# 1.2.3.4 is
        online right now, have fun ...  and here are my logs for the past 5 minutes ...


> Even if you are in the US, you've already said that you've "locked down both servers and routers"...in essence,
> you've destroyed your crime scene.

yup .... reinstall is the worst possible thing to do ...
        ==
        == get a security dude involved if you want to catch the crackers
        ==


> Two things...
>
> 1.  I hate to be blunt about this, but if you don't know what you're doing, why are you doing it?

comment...
sometimes people learn how to do things by making mistakes ???

-----------

- at least the original poster was willing to say he was "cracked"
        - whether that's true or not is a separate issue

        - and fed law ( in the usa ) states that the cracked entity must disclose
        to all their clients said activity and the resulting activities they did
        and any lost personal info .. etc..etc..etc... ie.. you're up the creek


imho.... just re-iterating ...

=== reinstalling a cracked server is the worst thing to do
=== restoring from backups is the 2nd worst possible thing to do
        - and depending on the number of machines you have, that can take
        months or years to properly clean up the (insecure) network


have fun
alvin
