[lug] Reporting an Intrusion

Calvin Dodge caldodge at fpcc.net
Tue Sep 13 10:26:07 MDT 2005


On Tue, Sep 13, 2005 at 09:59:28AM -0600, Bill Thoen wrote:
> I discovered another hack on my old RH9 system last night but this time I
> learned how they got in and where they came from (via an ISP in
> Scottsdale, AZ.) With some help, I think I got the damage fixed and the
> holes patched, so I think I'm OK for now. Apparently there are some dumb
> things you can do with an otherwise perfectly good installation of PHP,
> and I'm pretty convinced that the last hack I experienced was done the
> same way.
> 
> Anyway, now I'm pissed off. I can report the intrusion with evidence from 
> my logs to the ISP, but I'd like to use a little more force. Since 
> breaking into a computer is a federal crime, is there a law enforcement 
> agency I should report this to, like maybe the FBI? Before I go off 

Yes, the FBI is the place to go.

> half-cocked, what's the proper procedure in terms of reporting and 
> collecting evidence so that there's a chance of getting a conviction 
> should I be able to get any authority to do anything about this?

I'm not sure. I imagine saving the web logs and the files the crackers
created (I moved them to /root/quarantine2) would be necessary. I suspect
the FBI might have more guidance on that subject.

I wouldn't hold my breath while waiting for prosecution of the miscreants -
a reverse DNS lookup of the cracker's IP address seems to indicate the
attack originated in Indonesia.  But it's probably worth calling the FBI
to ask if there's any point in getting them involved.

Calvin

-- 
Calvin Dodge
Certified Linux Bigot (tm)
http://www.caldodge.fpcc.net
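Calvin's suggestion above (keep the web logs and the files the intruder left, which the poster had moved to /root/quarantine2) as a small shell routine. This is an added example, not code from the thread; it assumes GNU coreutils (cp -a, sha256sum, find -print0, sort -z) and the paths passed to it are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: take a forensic copy of the web logs
# and of the files the intruder left behind, keeping timestamps and recording
# a SHA-256 of every file so the copy can later be shown to be unchanged.
# Assumes GNU coreutils (cp -a, sha256sum, find -print0, sort -z).

# preserve_evidence SRC DEST
#   Copies SRC into DEST with attributes preserved, writes a collection note
#   and a hash manifest, makes the copy read-only, then verifies it.
preserve_evidence() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    # -a keeps mtimes, modes and (where permitted) ownership of each file.
    cp -a "$src" "$dest/" || return 1
    # Who collected what, when and where; this note is hashed as well.
    printf 'collected=%s\nhost=%s\nsource=%s\nby=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$src" "$(id -un)" \
        > "$dest/COLLECTION.txt"
    # One hash per file, relative paths, sorted so the manifest is reproducible.
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$dest/MANIFEST.sha256"
    chmod -R a-w "$dest"
    verify_evidence "$dest"
}

# verify_evidence DEST
#   Re-checks every hash in the manifest; a non-zero status means something
#   in the copy has changed since it was collected.
verify_evidence() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}
```

Run `preserve_evidence /root/quarantine2 /mnt/usb/evidence-2005-09-13` (placeholder paths) once per source directory, and keep the printed manifest hash with your written report to the ISP or the FBI.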
