[SunHELP] Tracking Hacker ?

Jeff Feller sunhelp at sunhelp.org
Wed Apr 25 15:52:11 CDT 2001


Hello again,

Sorry, the title below is my title for BitZ.net, which is not even an
existing company at the time.  We are searching for funding anyway.  Once
my business is started, security is going to be far more important.  The
place I work now, I have nothing to do with the network.  I simply put a
server on the company's network to act as my "start-up's" mail server and
web server until we get going.  Who knows if we ever will :)

ANYWAY!  I want to thank you all for the help and hints.. I'm going to
take all your advice.. once I try out all the tools and such I'll probably
format/reinstall anyway.

I appreciate all the help :)


Jeff Feller
Director of Network Operations
BitZ Communications
P.O. Box 157
Surrey, ND  58785

On Wed, 25 Apr 2001, James Fogg wrote:

> My guesses:
> Someone at work runs a packet analyzer (sniffer). With telnet (ie:
> rapeme_im_stupid) running and someone rooting from the Internet you are wide
> open. 
> 
> Or, someone on the internet used a packet analyzer and caught the
> cleartext password for root (if your buddy uses cable/dsl, just shoot yourself).
> 
> They don't appear very sophisticated if they didn't modify the file access time
> for motd. Run SSH exclusively and your console traffic will be reasonably
> secure. You should even run SSH on your routers (Cisco supports SSH, maybe
> others do too).
> 
> Another hint, since you're a Director of Netops, tighten up your security and
> study intrusion methods (or hire someone clueful). Even a firewall is no
> protection, just a delaying tactic.
> 
> btw... no firewall at work? AND it's a communications company (I hope you do
> better for your customers)? My suggestion is get a firewall or get a new job.
> When someone cleans your company's clock the bigdude will ask why it happened.
> You will have no good answer.
> 
> On Tue, 24 Apr 2001, THOU SPAKE:
> > Well, uhhh, no .. unfortunately I have no firewall protecting this
> > machine.  It is a machine I have colocated at my place of work.  It is
> > used as a webserver and mail server - nothing more.  I generally shut off
> > all ports like telnet, ftp, etc but for some reason when I set this one up
> > I didn't - I think it's because the other guy who has root said I was too
> > paranoid and told me to keep telnet open ?  
> > 
> > Nothing was out of the usual for /etc/passwd.  In fact, after this had
> > happened, I also locked accounts that aren't ever used temporarily because
> > if they aren't used - do they need to be active? :)  
> > 
> > I'll check with our system administrator on the log thing, but I'm willing
> > to bet we keep no logs on our router.
> > 
> > I'll keep lookin' around, perhaps looking for all / any files modified on
> > "Apr 24" at 18:52 or so.. Otherwise, from the looks of it, the ONLY files I
> > see that were touched so far were /etc/motd, /var/adm/messages and the
> > wtmp or utmp files I assume, since there is nothing in "last" ... 
> > 
> > Thank you!  I know, I know.. I need to get tighter security on EVERY
> > machine on the net.  The only "SECURE SERVER" is one that is not plugged
> > in :)
> > 
> > 
> > Jeff Feller
> > Director of Network Operations
> > BitZ Communications
> > P.O. Box 157
> > Surrey, ND  58785
> > 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> 
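The "files modified on Apr 24 at 18:52 or so" check from the quoted message, written out as a small script. This is an added example, not something posted in the thread; it assumes only POSIX `touch -t` and `find -newer` (available on Solaris of that era as well as Linux/BSD) plus `mktemp -d`, and the demo directory and its three files are constructed here to show the window filter working. One caveat worth knowing: `-newer` compares the modification time, which an intruder can reset with `touch`; where GNU find is available, `-cnewer` compares the inode change time, which ordinary `touch` cannot set backwards.

```shell
#!/bin/sh
# Added example (not from the thread): list regular files whose mtime falls
# inside a window around a suspected intrusion time. Two reference files are
# stamped with touch -t and find -newer / ! -newer selects files between them.
# Caveat: mtime can be reset by an intruder with touch; GNU find's -cnewer
# tests ctime, which plain touch cannot move backwards.

# find_modified_between ROOT START END
#   ROOT  : directory tree to search
#   START : window start as CCYYMMDDhhmm (touch -t format)
#   END   : window end, same format
# Prints matching paths, sorted, one per line.
find_modified_between() {
    root=$1; start=$2; end=$3
    ref=$(mktemp -d) || return 1
    touch -t "$start" "$ref/start" && touch -t "$end" "$ref/end" \
        || { rm -rf "$ref"; return 1; }
    # -newer start: modified after window start; ! -newer end: not after window end
    find "$root" -type f -newer "$ref/start" ! -newer "$ref/end" 2>/dev/null | sort
    rm -rf "$ref"
}

# --- constructed demo: three files with hand-set mtimes around Apr 24 2001 18:52 ---
demo() {
    d=$(mktemp -d) || return 1
    touch -t 200104241200 "$d/morning"   # well before the window
    touch -t 200104241855 "$d/motd"      # inside the window (18:42 - 19:02)
    touch -t 200104251000 "$d/nextday"   # the day after
    find_modified_between "$d" 200104241842 200104241902
    rm -rf "$d"
}

# Against a real box you would run it over / (or the suspect filesystems),
# e.g.  find_modified_between / 200104241842 200104241902
demo
```

Run it as root over the whole filesystem to catch files the intruder left behind in places a casual look would miss; widen the window if the clock on the box is not trusted, since the reference times are interpreted in the machine's local timezone.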