Security Incidents mailing list archives
Re: Korea (was RE: ?)
From: robmccau () RADONC DUKE EDU (Rob McCauley)
Date: Sat, 29 Jan 2000 18:23:11 -0500
What you seem to be saying is that if your neighbour's house and their door is wide open in the middle of the night, you should just move along. I'd sure stick my head in and ask if everything is all right.
No, not really. If you telnet in and get a root shell you've already established that things are very likely not alright. The door's wide open and apparently forced. Depending on the jurisdiction, what you've probably done is stumbled onto a crime scene. The appropriate thing to do, IMHO, is alert the owners and/or the correct authorities.

Poking around someone else's computer systems, on which you are presumably not an authorized user[0], only adds to the work of those who will eventually have to investigate by obscuring the trail, much like going through your neighbor's house after it's been robbed might destroy evidence and WILL add evidence that you've been there as well. The prior post indicating that this makes you look like the attacker is correct. Doing this on certain systems, particularly government or military where you're within the jurisdiction of either, is probably a Really Bad Idea.

It'd be interesting to know (I don't) if any evidence collected would retain any value if there were a chain of people who could have modified it before the legitimate SA could preserve it.

In summary, no, don't just move along. Do make sure your neighbors and/or the authorities if appropriate know there's been a break-in as soon as you're able, but don't make their jobs harder by inappropriate "helping". If you want to help, notify them and offer assistance, but let them choose. System owners have a right to control access to their systems, and I don't believe the fact that someone destroyed the technical implementation of those controls removes that right.

[0] - I don't buy the argument that an open port is an invitation, especially when the open port is obviously a back door. I hope most here would agree that a root shell back door is almost never placed by the admin. We're not talking about web servers here.

Rob

--
Rob McCauley
Radiation Oncology
Duke University Medical Center