Security Incidents mailing list archives

Re: Large scans in progress...


From: Jon Lewis <jlewis () LEWIS ORG>
Date: Thu, 14 Sep 2000 23:01:54 -0400

On Wed, 13 Sep 2000, Ryan Russell wrote:

to the system (which raises the legitimate question -- if I'm investigating
the perpetration of a crime [or attempted crime] against myself or my
property, am I as culpable as the person who broke into the system and
used it for a malicious purpose?

It's still unauthorized entry even if it was dead simple and you weren't
the first.  The inter-country thing could work to your advantage because
they can't touch you here, or it could be a disadvantage because a local
prosecutor could decide that you're in trouble even if the real admin
later decides he didn't mind.  I believe you could get nailed for
unauthorized entry because you didn't seem to have authorization at the

I won't argue about this, but I seriously doubt he would get in any
trouble over this (at least if he's within and subject to US law...I
didn't pay attention to the original message and don't know where he's
from) for several reasons.  First, and probably most important, he's not
causing damage.  He didn't break into the system, he didn't backdoor it,
he hasn't caused it to function improperly.  The feds generally won't
pursue you for computer crimes unless there are damages of a certain
minimum dollar figure even if you are a malicious kid breaking into and
generally breaking other people's systems.

And if this was one of the typical hack jobs where root shells were given
out on TCP connections to some random port, what authorization was
required and how does he know he needs and doesn't have authorization to
make a TCP connection to some random port?

Too late.  You've already done some minor messing up of the place... a
couple of access-times have been modified, though that looks
non-critical here (looks like the files were probably being written to
constantly?)

He's contaminated the crime scene.  If you notice your neighbor's door is
kicked in and wide open, do you cautiously walk in and see what's up,
ignore it, or stay away and call the police to tell them something looks
wrong?  ok...that's a bad analogy since someone could be in need of help
in the house...but I think you get my point.  He didn't break in, and
didn't intentionally get in the way.  In the vast majority of hacked
boxes, the admins don't even know they've been hacked.  If they do know
and are leaving it alone, they're aiding criminals since more hacked boxes
means more places to scan from, means more hackable boxes will be found
and hacked.

There's a bash shell running open on port 1?  (Or maybe was.. machine
isn't pingable right this sec.)

Perhaps someone did them the favor of connecting and running ifconfig eth0
down.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

