Re: Hacked using vulnerable FTP daemon.

From: Ben McGinnes (ben-mcginnes@iname.com)
Date: 09/29/01


Date: Sat, 29 Sep 2001 10:44:00 +1000
From: Ben McGinnes <ben-mcginnes@iname.com>
To: incidents@securityfocus.com
Subject: Re: Hacked using vulnerable FTP daemon.
Message-ID: <20010929104400.B9489@mail.enternet.com.au>


Bojan Zdravkovic(bzdravko@siac.com)@Tue, Sep 25, 2001 at 03:28:46PM -0400:
>
> Hi Paul,
>
> Calling the ISP will help. They won't "get" the guy, only slap his wrist. The
> biggest, ultimate effect of calling the ISP would be sending him a warning
> email.

Depending on circumstance - probably. They always need at least one
warning, after which the gloves may be removed (along with the offending
account). Remember, any ISP worth its salt will chase up security and
abuse issues (it may not be quick enough for the original complaint, but
it ought to happen).

The reason for this is simple PR; any network which gains a reputation
amongst its peers as being a script-kiddie and spammer haven will quickly
find its IP ranges blacklisted and its routes relegated to the "when we
can be bothered" category.

> ISPs will never forward you any personal info, except if you're a government
> investigator. And if an investigator gets involved the damage has to be
> substantial (millions).

True. The same privacy laws which protect you from your ISP giving
contact info to anyone who asks will also protect those of a less savoury
stature.

OTOH, if you're looking for IP ownership information, depending on the
size of the network you may find that an ISP runs their own whois server.
In such a case you may be able to track down the appropriate contact
details for the IP in question and bypass the ISP (if your would-be
cracker is trying to launch the attack from a static IP/host somewhere).

> Don't talk about evidence, and don't blow things out of proportion, this
> is just a simple mischief, happens to everyone.

Along with all the other weird shit floating around. Depending on the
threat level of the attack, sometimes it's generally a waste of time and
effort trying to hunt them down. Usually if I see something odd or
disturbing I'll go a-hunting, but OTOH these days I'm treating all those
SunRPC and Bind scans much the same as Code Red and the like (mostly
ignored, occasionally chased if I'm in the mood).

> And patch that ftpd.

Indeed. WuFTPd is *not* your friend. From what I've heard NcFTPd *is*,
though (and I believe the license allows for a couple of free
installations for non-profit organisations/networks).

Regards,
Ben
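The whois lookup Ben describes above, as an added example that is not part of the original post or thread: start at the IANA root whois server, follow `refer:` / `ReferralServer:` lines down to the regional registry and then to any whois server the ISP runs itself, and pull the abuse contacts from the most specific record reached. `whois.iana.org` is the real IANA server; the registry and ISP hostnames, the IP and the reply texts in `SAMPLE_REPLIES` are constructed for the offline test and are not real registry data. The `query` parameter lets the same logic run against the constructed replies or, with the default `whois_query`, against live servers.

```python
"""Follow whois referrals to find the abuse contact for an IP (RFC 3912 protocol)."""
import re
import socket

IANA_WHOIS = "whois.iana.org"  # real IANA root whois server

# Referral lines seen in IANA / RIR output: "refer: host", "whois: host",
# or ARIN-style "ReferralServer: rwhois://host:port"
REFERRAL_RE = re.compile(
    r"^(?:refer|ReferralServer|whois):\s*(?:r?whois://)?([A-Za-z0-9.-]+)(?::(\d+))?\s*$",
    re.MULTILINE | re.IGNORECASE,
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def whois_query(server, port, query, timeout=10):
    """Send one whois query over TCP and return the full reply as text."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def extract_abuse_contacts(text):
    """Return e-mail addresses from attributes whose name mentions 'abuse'.

    rpartition on the last colon handles both 'OrgAbuseEmail: x@y' and
    rwhois-style 'network:Abuse-Contact:x@y' records.
    """
    contacts = set()
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue  # comment / status lines carry no attributes
        key, _, value = line.rpartition(":")
        if "abuse" in key.lower() and "@" in value:
            contacts.update(EMAIL_RE.findall(value))
    return sorted(contacts)


def resolve_abuse_contacts(ip, query=whois_query, start=IANA_WHOIS, max_hops=4):
    """Walk the referral chain from `start`; keep the deepest non-empty contacts.

    Each hop is a more specific allocation, so a contact found at the ISP's
    own server is preferred over the one at the regional registry. Servers
    already visited are never queried again, which stops referral loops.
    """
    server, port = start, 43
    path, best = [], []
    while server is not None and len(path) < max_hops:
        path.append(server)
        text = query(server, port, ip)
        found = extract_abuse_contacts(text)
        if found:
            best = found
        match = REFERRAL_RE.search(text)
        server, port = None, 43
        if match:
            nxt = match.group(1).lower()
            if nxt not in path:
                server, port = nxt, int(match.group(2) or 43)
    return {"path": path, "contacts": best}


# Constructed sample replies for offline use; hostnames and data are not real.
SAMPLE_REPLIES = {
    ("whois.iana.org", "198.51.100.23"):
        "% IANA WHOIS server\n"
        "refer:        whois.example-rir.net\n"
        "inetnum:      198.51.100.0 - 198.51.100.255\n"
        "organisation: Example RIR\n",
    ("whois.example-rir.net", "198.51.100.23"):
        "# Example RIR\n"
        "NetRange:       198.51.100.0 - 198.51.100.255\n"
        "OrgName:        Example Transit ISP\n"
        "ReferralServer: rwhois://rwhois.example-isp.net:4321\n"
        "OrgAbuseEmail:  abuse@example-isp.net\n",
    ("rwhois.example-isp.net", "198.51.100.23"):
        "%rwhois V-1.5:003fff:00 rwhois.example-isp.net\n"
        "network:IP-Network:198.51.100.16/28\n"
        "network:Org-Name:Example Customer Hosting\n"
        "network:Abuse-Contact:abuse@example-customer.net\n"
        "%ok\n",
}


def fake_query(server, port, query):
    """Offline stand-in for whois_query; the port is ignored."""
    return SAMPLE_REPLIES[(server, query)]


if __name__ == "__main__":
    result = resolve_abuse_contacts("198.51.100.23", query=fake_query)
    print(" -> ".join(result["path"]))
    print("abuse contacts:", ", ".join(result["contacts"]))
```

For a live lookup, call `resolve_abuse_contacts("a.b.c.d")` with no `query` argument; the regional registry reply is where most chains end, and the ISP-run server only appears when the registry publishes a referral for that block.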
