Security Basics mailing list archives

RE: FTP hack of two web sites


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sun, 26 Mar 2006 09:57:50 -0500

The reality is that IP addresses you collected don't mean the computers
involved are owned by the criminals or where they live. It's tough to
prove that. More than likely (unless the hackers are stupid), the
intruders only used those hosts as their reflection point (either
manually or installed bots), and the IP addresses you have are not the
intruder's origination IP address. Instead it's the IP address of
somebody's grandparent's cable modem, who have no idea they are
involved.

In order to catch the real culprits, you'd have to follow (and prove)
the trail from entire beginning to end, which is difficult technically,
and difficult to do without court orders, and the cooperation of
multiple entities. You'll not find too many ISPs that will help you
without a court order. Either they don't care, they are so overwhelmed
by requests like yours that they will only help out in the serious
cases, or, justifiably so, they require a court order to get involved
because they are facing legitimate legal issues themselves to help you.

Unless you can prove substantial damages, you'll have a hard time
getting the authorities involved in a way that provides an actual
criminal charge. And remember, when you get the legal authorities
involved, if they want, they can take your computers (as evidence) and
lots of other stuff that you may not want. Once the authorities are
involved, it's not your investigation anymore. However, far more likely
is the fact that the authorities will do nothing to help you other than
take your report and wish you luck. If the attackers live in other legal
borders (which is highly likely) then you have to involve multiple
legal authorities, and that significantly complicates the case.

I've been involved with fighting malicious hackers for twenty years, and
only rarely, in very significant cases with significant human and
financial resources dedicated, has it ever led to someone actually being
charged. And when they get charged, the charges usually don't amount to
anything (probation, etc.). There's a reason millions of dollars every
day are being stolen by malicious hackers and nearly all of them are
getting away with it.

The reality is that 99.999999% of hacking goes unprosecuted. Most
people close the hole that allowed the exploit (you had to make a
mistake). Learn from the lesson, and move on.

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger () banneretcs com
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
*******************************************************************



-----Original Message-----
From: backdropman1 () yahoo com [mailto:backdropman1 () yahoo com] 
Sent: Wednesday, March 22, 2006 4:04 PM
To: security-basics () securityfocus com
Subject: FTP hack of two web sites

Seeking any advice on what to do or how to proceed on an FTP attack
which left me the IP address of the hacker in my logs.
So far I have given the IP address to their ISP, but I have no idea what,
if anything, the ISP did.
It would fall under one of these sections of 18 USC:

18usc1030

18usc2520

18usc2510

Any help would be greatly appreciated and thanks in advance.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

