Security Incidents mailing list archives

Re: Large scans in progress...


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 13 Sep 2000 15:41:35 -0700

On Tue, 12 Sep 2000, UnixGeek wrote:

Attack is underway with synscan (which Snort missed specifically, though it
did flag the scan).  Means of entry is unknown, but it looks similar to
the ingreslock exploit.  System is RH 6.2.  Output below is from my trip
to the system(which raises the legitimate question -- if I'm investigating
the perpetration of a crime[or attempted crime] against myself or my
property, am I as culpable as the person who broke into the system and
used it for a malicious purpose?

Quite possibly.  If there is a prosecutor running around somewhere that
has it in for you in your home jurisdiction, this could be enough for them
to make your life suck.

It's still unauthorized entry even if it was dead simple and you weren't
the first.  The inter-country thing could work to your advantage because
they can't touch you here, or it could be a disadvantage because a local
prosecutor could decide that you're in trouble even if the real admin
later decides he didn't mind.  I believe you could get nailed for
unauthorized entry because you didn't seem to have authorization at the
time.

[the thought of killing off all the
synscans, killing inetd and bailing crossed my mind, to stop the abuse,
but then that might affect evidentiary proceedings, no?].

Too late.  You've already done some minor messing up of the place... a
couple of access-times have been modified, though that looks
non-critical here (looks like the files were probably being written to
constantly?)

Or maybe you're the original culprit, just trying to cover your ass in a
public forum, because it looked like someone was on to you?  We can't tell
the difference.


-----------wheee------------
telnet 62.0.56.66 1
Trying 62.0.56.66...
Connected to 62.0.56.66.
Escape character is '^]'.
bash# ls

There's a bash shell running open on port 1?  (Or maybe was.. machine
isn't pingable right this sec.)


                                        Ryan
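The thread mentions an ingreslock-style entry point, inetd, and a bash shell answering on port 1. The classic ingreslock backdoor is an appended inetd.conf line that runs /bin/sh for anyone who connects, and a shell on port 1 would be the same trick bound to the service /etc/services names tcpmux. The script below is an added example, not code from this thread or from either poster: it parses inetd.conf lines in the classic seven-field format and flags entries whose server program (or an argument naming a program) is a shell. The sample configuration is constructed for the example; the host on the list is not represented.

```python
"""
Audit an inetd.conf for entries that hand a raw shell to whoever connects.

Classic inetd.conf line format:
  service socket_type proto wait|nowait user server_program [server_args]
"""
from typing import List, NamedTuple

# Shell basenames. An inetd server program that is one of these gives every
# connecting client an unauthenticated shell; the well-known ingreslock backdoor
# appends "ingreslock stream tcp nowait root /bin/sh sh -i" to inetd.conf.
SHELLS = {"sh", "bash", "ash", "dash", "csh", "tcsh", "ksh", "zsh"}


class InetdEntry(NamedTuple):
    service: str
    socket_type: str
    proto: str
    wait: str
    user: str
    program: str
    args: str


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse inetd.conf text into entries, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        fields = line.split(None, 6)  # at most 7 fields; args keep their spacing
        if len(fields) < 6:
            continue  # malformed line, not a service definition
        if len(fields) == 6:
            fields.append("")  # no server_args
        entries.append(InetdEntry(*fields))
    return entries


def spawns_shell(entry: InetdEntry) -> bool:
    """Heuristic: the server program, or any token in its args, is a shell binary."""
    candidates = [entry.program] + entry.args.split()
    return any(c.rsplit("/", 1)[-1] in SHELLS for c in candidates)


def audit_inetd_conf(text: str) -> List[InetdEntry]:
    """Return every entry that would hand a shell to a connecting client."""
    return [e for e in parse_inetd_conf(text) if spawns_shell(e)]


# Constructed sample inetd.conf for this example; not the file from the host
# discussed in the thread. "tcpmux" is the /etc/services name for port 1/tcp.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp        stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet     stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger     stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
# The two entries below are the kind a backdoor leaves behind:
ingreslock stream  tcp  nowait  root    /bin/sh         sh -i
tcpmux     stream  tcp  nowait  root    /bin/bash       bash -i
"""

if __name__ == "__main__":
    for e in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"SHELL BACKDOOR: service={e.service} user={e.user} "
              f"program={e.program} args={e.args!r}")
```

Run it against a copy of inetd.conf taken from a disk image or a mounted snapshot rather than by reading files on the live host: as the reply above notes, every file an investigator opens on the running system gets its access time updated, and a Snort alert on the scan plus an untouched inetd.conf and its timestamps is far better evidence than a tidied-up box.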

