LinuxSA Mailing list archives

  From: Alan Kennington <akenning@topology.org>
  To  : James Mclean <james@adam.com.au>
  Date: Thu, 26 Apr 2001 11:35:08 +0930

Re: Trojan? Cracker?

On Thu, Apr 26, 2001 at 12:47:10AM +0000, James Mclean wrote:
> 
> I am waiting patiently for the cracker to return, But even if I do get his IP
> and report it to the sysadmin at his end, what can he do?

James,

For most of 1999 and 2000, I used to report all hack attempts to
network administrators.
(See http://www.topology.org/attacks/ for details.)
After the first year, the attacks were so frequent that I didn't bother
to document them on my web site.
But now in year 2001, there are so many probes (like about 4 per hour),
I just don't even bother to report anything any more.
Most of them come from Korea or China anyway.
I made 3 reports to a German ISP recently, and got 3 identical
replies saying that they would give a warning to the user.
I know for a fact that German ISPs don't consider that they should
get involved in this. So anything goes.

However, if your perpetrator is:
A.  In the USA, or
B.  Operating out of a hacked corporate machine,
then you will get a good response.
In case A, they'll generally remove the user.
In case B, they'll wipe the disk and start again.
That's my experience anyway.

In your case, you seem to have a purposeful manual attack,
maybe not an automated probe.
If so, then it may be in categories A and B above.
If you run "dig -x" and get "krnic" or something, you just
have to ignore it.

With all those infected machines out there with the lion worm etc.,
the net is awash with random probes.
You can't do much about it.
It's like a continuous rain falling on your roof.
You just have to keep the roof in good repair.
I.e. just firewall out any access to vulnerable ports.
With a Linux machine, there's absolutely no reason why
you can't firewall every single last machine.
(I know that isn't "the" right way to do it.)
But writing firewall scripts is a good intellectual exercise.

Cheers,
Alan Kennington.

--------------------------------------------------------------------
    name: Dr. Alan Kennington
  e-mail: akenning@topology.org
 website: http://www.topology.org/
    city: Adelaide, South Australia
  coords: 34.88051 S, 138.59334 E
timezone: UTC+0930 http://www.topology.org/timezone.html
 pgp-key: http://www.topology.org/key_ak2.asc

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
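The "firewall out any access to vulnerable ports" advice above, as an added example that is not part of the original message or the LinuxSA list: a default-deny iptables script for a single Linux box on a 2.4 kernel that accepts only the TCP service ports given on the command line and logs-then-drops every other probe. The external interface name eth0, the private-range spoof list and the example ports 22 and 80 are assumptions; setting IPT=echo prints the rules instead of applying them, so it can be checked without root.

```shell
#!/bin/sh
# Default-deny host firewall for one Linux machine (iptables/netfilter, 2.4
# kernel). Added example, not from the original post. Assumes iptables is
# installed and the script runs as root; IPT=echo dry-runs it instead.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"   # assumed name of the interface facing the Internet

# firewall_rules PORT...  -- flush everything, set DROP policies, then allow
# only the listed TCP service ports inbound; all other probes are logged
# (rate-limited, so the constant "rain" cannot flood syslog) and dropped.
firewall_rules() {
    # Clean slate, deny by default for traffic aimed at or through this host.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections this host itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Obvious spoofing: private or loopback sources arriving from the WAN side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done

    # Only the services we deliberately expose may receive new connections.
    for port in "$@"; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything else: log a sample of it for later "dig -x" triage, then drop.
    $IPT -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "PROBE: "
    $IPT -A INPUT -j DROP
}

# Usage: sh fw.sh 22 80   (expose sshd and a web server, nothing else).
# With no arguments the script only defines the function and applies nothing.
if [ "$#" -gt 0 ]; then
    firewall_rules "$@"
fi
```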
