Security Incidents mailing list archives

Re: Hacked using vulnerable FTP daemon.


From: Ben McGinnes <ben-mcginnes () iname com>
Date: Sat, 29 Sep 2001 10:44:00 +1000

Bojan Zdravkovic(bzdravko () siac com)@Tue, Sep 25, 2001 at 03:28:46PM -0400:

> Hi Paul,
>
> Calling the ISP will help. They won't "get" the guy, only slap his wrist. The
> biggest, ultimate effect of calling the ISP would be sending him a warning
> email.

Depending on circumstance - probably.  They always need at least one 
warning, after which the gloves may be removed (along with the offending 
account).  Remember, any ISP worth its salt will chase up security and 
abuse issues (it may not be quick enough for the original complaint, but 
it ought to happen).

The reason for this is simple PR; any network which gains a reputation
amongst its peers as being a script-kiddie and spammer haven will quickly
find its IP ranges blacklisted and its routes relegated to the "when we
can be bothered" category.

> ISPs will never forward you any personal info, except if you're a government
> investigator. And if an investigator gets involved the damage has to be
> substantial (millions).

True.  The same privacy laws which protect you from your ISP giving 
contact info to anyone who asks will also protect those of a less savoury 
stature.

OTOH, if you're looking for IP ownership information, depending on the 
size of the network you may find that an ISP runs their own whois server.  
In such a case you may be able to track down the appropriate contact 
details for the IP in question and bypass the ISP (if your would-be 
cracker is trying to launch the attack from a static IP/host somewhere).

> Don't talk about evidence, and don't blow things out of proportion, this
> is just a simple mischief, happens to everyone.

Along with all the other weird shit floating around.  Depending on the 
threat level of the attack, sometimes it's generally a waste of time and 
effort trying to hunt them down.  Usually if I see something odd or 
disturbing I'll go a-hunting, but OTOH these days I'm treating all those 
SunRPC and Bind scans much the same as Code Red and the like (mostly 
ignored, occasionally chased if I'm in the mood).

> And patch that ftpd.

Indeed.  WuFTPd is *not* your friend.  From what I've heard NcFTPd *is*, 
though (and I believe the license allows for a couple of free 
installations for non-profit organisations/networks).


Regards,
Ben
