Security Incidents mailing list archives

Re: Hacked using vulnerable FTP daemon.


From: Patrick Andry <pandry () wolverinefreight ca>
Date: Tue, 25 Sep 2001 12:04:19 -0400

Paul Tan wrote:

Hello experts,

I am helping a friend who got hacked in the last few days. Below are the logs from /var/log/messages; I managed to get the logs from the "last" command too. Is this sufficient info to call their ISP and get that guy?

Rgds,
Paul

If you need more evidence I can produce e.g. rootkits and stuff I found on the webserver.

<snip>

It is sufficient to call the ISP and have them tell the SAs of the other boxes that they have been hacked as well (due to the two IP addresses involved). Maybe with their logs you can find them, or find the next hacked machine in the chain. Aside from that, there are no real legal steps that can be successfully taken, unless you can prove that the chain of evidence wasn't broken.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

