Re: Attempted Theft of Services via FTP


Subject: Re: Attempted Theft of Services via FTP
From: John Nelson (john@computation.com)
Date: Fri Mar 01 2002 - 15:49:17 MST



Report them to the FBI.  That might get some response.

Any provider that doesn't police or respond to illegal activities on their networks
gets what they deserve.

-- John


Ryan Mesler wrote:
i've reported to road runner that some of their boxes were transmitting nimda
and codered and my boxes got about 60,000 hits a day from that alone. road
runner didn't do squat.

as for your protection... do NOT allow anonymous FTP. that would be bad. i
had some nightmares with that and my fbsd box.

what you could do is set a cron job that tells your modem to dial in (when you
said modem, i assumed you meant dialup; if not, i apologize) at certain
times of the day (times known only by you) and stay connected for 15 min. if
it doesn't detect any net activity, it kills the connection. it'll email you
your IP address so you can know what your IP is and then login that way via
ftp or telnet. make whatever changes you need to your box and logout.

this is what i'd done for awhile back when i was working web design. since
you've got a dialup, this might be a good way to ensure higher security ;)

i dunno... just one of the many creative things to do with linux :)

as for the punishment of these crackers... get their IPs and get some IRC
bots... you get the idea ;)

R.L. Mesler <Kraylus>
Call me Kray

If at first you don't succeed, call it version 1.0

ICQ: 45088864
AIM: Kraylus
----- Original Message -----
From: "Patrick Callahan" <pac1@tiac.net>
To: <yellowdog-general@lists.yellowdoglinux.com>;
<bltnewuser@basiclinux.net>
Sent: Friday, March 01, 2002 5:23 AM
Subject: Attempted Theft of Services via FTP


I've just started running proftp so I can move files around my internal
network.
I'm connected to the internet by modem, and /var/log/secure contains a few
entries like this.
Probably harmless because they weren't able to give a valid username and
password. (anonymous logins are deliberately disabled)

Feb 28 07:52:24 localhost proftpd[22095]: localhost.localdomain ([24.90.163.104]) - USER ftp (Login failed): Invalid shell.

[root@localhost src]# ping 24.90.163.104

Are there any other risks here? What would have happened next if
anonymous ftp were enabled?
What would you do about 24-90-163-104.nj.rr.com?  Report the attempt to
road runner? Ping of death to 24.90.163.104?  Go to New Jersey and take his
computer away? Civil Trial? Trial at Law? What settlement or sentence would
you recommend as a Juror?
Someone last year suggested renaming the distro from "Yellowdog" to "Pit
Bull Linux" Motto: "Just try to crack my box!"
I'm thinking of the following warning on the ftp login page:
"Protected by Pit Bull Linux and a false sense of security

If you're going to try to crack this box be sure to bring plenty of dog
biscuits - the ordinary cookies on your hard drive won't do
Sic em Chip!
"

Humor aside, what do you do about attempted cracks like this?

-Pat
-pat

-- 
_____________________________________________________

John T. Nelson
President | Computation.com Inc
mail: | john@computation.com
company: | http://www.computation.com/
laboratories: | http://www.computation.org/
_____________________________________________________
"Providing quality IT consulting services since 1992"
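
An added example, not part of the original thread: one way to triage /var/log/secure entries like the one quoted above is to group proftpd login failures by source address and separate anonymous-account probes from repeated password failures. Everything except the first log line is constructed for illustration, including the function name summarize, the labels, the threshold and the sample addresses.

```python
import re
from collections import defaultdict

# Matches the proftpd failure format quoted in the post:
#   <timestamp> <host> proftpd[<pid>]: <name> ([<ip>]) - USER <user> (Login failed): <reason>
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\) - "
    r"USER (?P<user>\S+) \(Login failed\): (?P<reason>.*)$"
)

# Account names used for anonymous FTP logins.
ANON_NAMES = {"ftp", "anonymous"}

def summarize(lines, threshold=3):
    """Group failed FTP logins by source IP and label each source."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAILED.match(line.strip())
        if m:  # lines from other daemons or in other formats are ignored
            by_ip[m["ip"]].append((m["ts"], m["user"], m["reason"]))
    report = {}
    for ip, events in by_ip.items():
        users = {user for _, user, _ in events}
        if len(events) >= threshold:
            label = "repeated-failures"   # many failures from one source
        elif users <= ANON_NAMES:
            label = "anonymous-probe"     # only anonymous account names tried
        else:
            label = "failed-login"
        report[ip] = {"count": len(events), "users": sorted(users), "label": label}
    return report

# First line is the entry from the post; the rest are constructed samples
# using documentation addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE = """\
Feb 28 07:52:24 localhost proftpd[22095]: localhost.localdomain ([24.90.163.104]) - USER ftp (Login failed): Invalid shell.
Feb 28 09:10:02 localhost proftpd[22140]: localhost.localdomain ([192.0.2.15]) - USER root (Login failed): Incorrect password.
Feb 28 09:10:05 localhost proftpd[22140]: localhost.localdomain ([192.0.2.15]) - USER admin (Login failed): Incorrect password.
Feb 28 09:10:09 localhost proftpd[22140]: localhost.localdomain ([192.0.2.15]) - USER webuser (Login failed): Incorrect password.
Feb 28 09:30:00 localhost sshd[301]: Accepted password for webuser from 198.51.100.7 port 1022 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE).items()):
        print(f"{ip:15} {info['count']:3} {info['label']:18} {','.join(info['users'])}")
```
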



This archive was generated by hypermail 2a24 : Fri Mar 01 2002 - 16:06:36 MST