Anybody have any good tales of how they tracked down the script kiddies and secured their systems?
Indeed. I'm currently the administrator of 5 computers for a small-time Norwegian company. Two years ago, the 5 computers were 1, and I wasn't very security aware at all.
I installed SuSE 5.2 (I think it was 5.2, that might be wrong) - and left it happily running the services we needed. Including qpopper.. version 2.2 (those of you that are into security are now starting to moan loudly).
The system ran happily for 2 months. Until December '98. I was/am an operator of the channel #norge on EFNet, which is, well, one of the most attractive channels for takeover kiddies on EFNet. I had ircii running from the SuSE 5.2 box. On the 24th of December '98 (!) a Canadian script kiddie with the moniker "j0n" cracked my server, and made an unsuccessful takeover attempt on #norge. My co-admin, who was active on #norge at the time, phoned my parents (whom I was staying with on X-mas vacation) and asked them to wake me up. The system had been cracked.
I was awoken on the 24th of December (god, why did the idiot have to choose that date) with the words "We've been cracked, go connect to the net NOW!!". I ran down, and tried to connect to my server. No response. I talked to my buddy via IRC, and he was connected - he had tried to throw out the cracker (killed his shell), but the cracker reconnected.. and rm -rf'ed ..!! TWO MONTHS OF WORK LOST. We were going to buy our tape streamer in January...!
God was I mad. Well, I got the takeover-attempts log from my buddy, and looked at the hostmasks. I deduced that those, too, were cracked systems. So, I contacted the administrators of the different computers (among others Dave Dittrich at washington.edu, yes, the guy behind all the DDoS analysis). Most of them responded within 24 hours (hey! It was the 24th of December, and they were online! We System Administrators are great! :). Most of them sent me logs, and ack'ed that the computers were cracked.
Furthermore, a person nick'ed "b0zo" messaged me on IRC, bragging about cracking my system (fitting nick, btw :). I did a /whois, saw the channels he was on, and joined them. My dialup was smurfed down several times, but I just reconnected. Dialups are great that way. ;) (poor ISP ;).
I fired in some "dummy probes" that relayed everything that was said on the channels to me. And, I questioned the 'b0zo' guy some. I don't remember how, but I found the connection to the 'j0n' guy pretty quickly. I think he was on one of the home.com hosts that was connected to my box before they rm -rf'ed it.
Anyways, he was hanging out on the channel #montreal on EFNet, which I relayed to me via different shell accounts for an entire month. I contacted the systems he was bouncing to IRC via, most of them cracked. Including but not limited to: mit.edu, hawaii.edu, washington.edu, nasa.gov, nist.gov, harvard.edu, cmu.edu, berkeley.edu, bu.edu, ih2000.net and columbia.edu.
Most of the administrators were really very cooperative. Around the 10th-15th of January, the admins at nasa.gov and mit.edu and I were cooperating in tracking him down. We came in contact with a Canadian ISP, which was being DoS'ed heavily from - I THINK it was MIT's machines.
Together with them, we tracked down the cracker. On the 28th of January 1999, 4 RCMP troopers arrested him, and confiscated his computer equipment. He was a 16 year old boy. Apparently by the name "Jon Fortin" (unconfirmed, the Canadian government apparently doesn't give out the names of criminals that young).
He was sentenced to 250 hours community service earlier this year. The only thing is -- I used about 15 hours a day, 30 days in a row, to track him down. In other words, I used about 450 intense hours to track him down, and that bastard only got 250 hours of community service.
Damn, the court system sucks.
The upside of all this is that I learned a LOT about computer security. I now consider myself a competent security admin. I also know what it is to truly HATE somebody.