Security

Dealing with Intruders? 656

drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside. The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISPs - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"

  • by Anonymous Coward on Friday August 13, 2004 @03:33AM (#9956405)
    ignorance is bliss!
  • DMCA (Score:5, Funny)

    by Amiga Lover ( 708890 ) on Friday August 13, 2004 @03:33AM (#9956408)
    Use the DMCA to... I don't know, scare them or something. Mention RIAA and MPAA to their ISPs too.
  • by robogun ( 466062 ) on Friday August 13, 2004 @03:34AM (#9956411)
    I haven't seen any similar increase in activity. Does your firm have enemies? For instance, does your first name rhyme with Carl?
  • by Anonymous Coward on Friday August 13, 2004 @03:36AM (#9956418)
    on my University's network more than once. I ran Linux and I got into the habit of logging in as root, and sometimes I'd try to log in without thinking just after starting a telnet session. I didn't receive any notice from the U, but in this post-9/11 hellmouth, I'm sure I'd have been reported to the FBI as a potential terrorist.
  • Letter (Score:2, Funny)

    by Pinkfud ( 781828 ) on Friday August 13, 2004 @03:37AM (#9956427) Homepage
    Write in sloppy block letters: Ve know who you are. Do it vun more time und ve get NASTY!
  • by AngstAndGuitar ( 732149 ) on Friday August 13, 2004 @03:40AM (#9956439)
    You might consider sending a handwritten letter and use your own name, that would seem a bit more human. Also, most large companies will send polite-but-firm letters, so just threaten bodily harm to them and their pets, that should sound pretty un-corporate. I suppose only the first suggestion is really a good one, but I like the second one more, so I'm not going to remove it from my comment.
  • by Anonymous Coward on Friday August 13, 2004 @03:46AM (#9956472)
    Nothing beats the personal touch of hired goons...
  • by teamhasnoi ( 554944 ) <teamhasnoi AT yahoo DOT com> on Friday August 13, 2004 @03:49AM (#9956485) Journal
    Just don't tell my mom! She'll take away my Compaq, or make me install SP2!
  • by raam ( 206445 ) on Friday August 13, 2004 @03:53AM (#9956495) Homepage

    Dear Blankety-blank:

    Hi. I'm real, real sorry to take your time. I mean, if you don't have time, I understand, and, after all, I don't want to sound like a corporate gnome ]:-) :))). I know you're a real nice hacker, not one of those Russian mob nut-jobs...ah, oops, didn't mean to call names! Anyway, I was just wondering if, if it's not too much trouble, if you could not hack me. I understand that you are a person and have needs, but, and if this bothers you and I sound like a gnome, just let me know(! :) :O :>>), I was wondering if you would help a brother out. Thanks, and if this offends you in any way, please send it back to me and, as you can, guess, I will certainly roll it up and put where any spineless dork might. Thank you so much. Thank you, thank you. You are too kind. Thank you.

    Sincerely,

    D.U. Fus, the Administrator
    Tepid Water Suppositories, inc.
  • by Anonymous Coward on Friday August 13, 2004 @03:54AM (#9956496)
    ...the attempted intrusion detection package.

    It's wasting your time.
    It makes you worry.
    It makes you ask silly questions on slashdot.

    The solution is to trash it, you don't need it, Linux is unbreakable anyway.
  • Re:DMCA (Score:4, Funny)

    by Anonymous Coward on Friday August 13, 2004 @03:57AM (#9956507)
    Tisk tisk, using the DMCA for something useful is unpatriotic.
  • by Monkelectric ( 546685 ) <[moc.cirtceleknom] [ta] [todhsals]> on Friday August 13, 2004 @04:00AM (#9956521)
    True story: About 8 years ago some friends and I were getting o3ned DAILY by a hacker. One of these friends had a buddy in IBM's security division, who somehow got us a name and phone # of our hacker. We felt like asses when we found out we were getting beat down by a 15-year-old. But we called his dad, explained what was going on, and that we knew where he lived. Problem SOLVED :)
  • by schnits0r ( 633893 ) <nathannd&sasktel,net> on Friday August 13, 2004 @04:01AM (#9956524) Homepage Journal
    I didn't know that I was that big of a problem to your company, I shall stop. Sorry for any inconvenience.
  • by Numen ( 244707 ) on Friday August 13, 2004 @04:18AM (#9956579)
    Whatever they're doing to you have a go back at them... chances are their system isn't as secure as yours.

    At the very least it's more fun than writing an e-mail!
  • by phek ( 791955 ) on Friday August 13, 2004 @04:22AM (#9956596)
    It's really normal to notice a huge increase in attacks this time of year. With the passing of defcon and black hat this month, a lot of new security vulnerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vulnerabilities that are out so you can protect yourself.

    As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vulnerable machine. The only thing you can really do is watch out for anyone who's aggressively attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their ISP and/or authorities, this will usually scare most people off.

    Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you, like the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and tries logging in as two different users with no password, root being one of them. If you're not familiar with where to find security releases, here are some good places to start:

    packetstorm security [packetstormsecurity.org]
    Security Focus [securityfocus.com]
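
The triage described in the comment above (ignore one-off scans, report only sources that keep hammering the machine), as an added example that is not part of the original comment. The log lines are constructed in OpenSSH's syslog format with documentation-range addresses, and the function names and the threshold of 10 are assumptions.

```python
import re
from collections import Counter

# Constructed sample: a two-user drive-by scan, a legitimate login,
# and one source that keeps retrying root.
SAMPLE_LOG = "\n".join(
    [
        "Aug 13 03:10:01 host sshd[411]: Failed password for root from 192.0.2.10 port 4021 ssh2",
        "Aug 13 03:10:03 host sshd[412]: Failed password for illegal user test from 192.0.2.10 port 4022 ssh2",
        "Aug 13 03:15:20 host sshd[430]: Accepted password for alice from 198.51.100.7 port 3310 ssh2",
    ]
    + [
        f"Aug 13 04:00:{i:02d} host sshd[{500 + i}]: Failed password for root "
        f"from 203.0.113.5 port {5000 + i} ssh2"
        for i in range(12)
    ]
)

# The username is chosen by the remote side, so it is matched greedily and the
# pattern is anchored at end of line: the address taken is always the last
# "from <ip> port <n>", which is the part sshd itself wrote.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(.*) "
    r"from (\S+) port \d+(?: ssh\d?)?\s*$"
)

def failed_by_source(log_text):
    """Map source IP -> Counter of usernames it failed to log in as."""
    sources = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            sources.setdefault(ip, Counter())[user] += 1
    return sources

def triage(log_text, threshold=10):
    """Split sources into persistent ones worth reporting and drive-by scans."""
    persistent, drive_by = {}, {}
    for ip, users in failed_by_source(log_text).items():
        total = sum(users.values())
        (persistent if total >= threshold else drive_by)[ip] = total
    return persistent, drive_by

if __name__ == "__main__":
    persistent, drive_by = triage(SAMPLE_LOG)
    print("worth a report to the ISP abuse contact:", persistent)
    print("drive-by scans:", drive_by)
```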
  • by kinema ( 630983 ) on Friday August 13, 2004 @04:51AM (#9956672)
    I'm surprised nobody has suggested this before but I would recommend a tactical nuclear strike against the intruder. I've found that this simple step typically quells the attack.
  • by Jedi Alec ( 258881 ) on Friday August 13, 2004 @05:16AM (#9956737)
    heh, sysadmins gotta stick together these days. maybe some sort of world-wide affiliation is required, "Sysadmins against kiddies"...hmm, no, that came out kinda wrong
  • by DiscoDave_25 ( 692069 ) on Friday August 13, 2004 @06:05AM (#9956879)
    George... Is that you?
  • Post the name and address here as AC.
  • by Anonymous Coward on Friday August 13, 2004 @06:27AM (#9956926)
    Bah, pissing them off is fun. I did that quite a bit in the 90's when I ran an ISP. Certain accounts that I never logged in as I changed the /bin/sh in the passwd file to /bin/biteme and had a nice 10 line C program that simply flooded the screen with profanity ended with, "go away loser" and then exited logging them off since there is no shell. It took no input so no buffer overflows are possible.

    I was entertained by the more "pissed" hackers that ran into that. Especially the ones with so little self control they would email me insults at administrator@myisp (A true sign of a poser-cracker, a real cracker is not stupid enough to start emailing the target.... a real cracker is silent as a mouse.)

    Go ahead and piss them off, the real ones don't get pissed.
  • by Lord Kano ( 13027 ) on Friday August 13, 2004 @07:28AM (#9957123) Homepage Journal
    Only if you are of arabic race or have an arabic name.

    Arabic isn't a race. Arabs, technically, are caucasians. They're just curly haired, tanned white people. Not entirely unlike Italians.

    LK
  • by Anonymous Coward on Friday August 13, 2004 @07:50AM (#9957204)
    I swear, just like a woman to take a technical problem and solving it by nagging someone's ear off
  • by 241comp ( 535228 ) on Friday August 13, 2004 @08:03AM (#9957265) Homepage
    Preferably the job should be outsourced to a 3rd party subcontractor of foreign origin

    Ack! Now even slashdot is promoting offshoring!!! Ugh...
  • by Anonymous Coward on Friday August 13, 2004 @08:35AM (#9957450)
    You fool! You had a strange woman just walk in and use your bathroom, and you let her get away? Arrrgg!

  • Re:Abuse@ (Score:4, Funny)

    by caluml ( 551744 ) <slashdot&spamgoeshere,calum,org> on Friday August 13, 2004 @08:41AM (#9957486) Homepage
    the minute you set foot on British soil

    Northern Ireland, Gibraltar, Hong Kong (not any more), Palestine (not any more), Australia (not any more), Canada (not any more), India (not any more), Malaysia (not any more), Yemen (not any more), Rhodesia (not any more), US (not any more)

    Damn. We're getting smaller. When did that happen?

  • by KlausBreuer ( 105581 ) on Friday August 13, 2004 @08:57AM (#9957587) Homepage

    The online cartoons - once again - show us how the world works. Here you can find the difference between Hollywood's form of dealing with intruders, and The Real World's:

    Bigger Than Cheese [biggercheese.com]
  • by Anonymous Coward on Friday August 13, 2004 @09:07AM (#9957655)
    This is like the kid that walks down the parking lot, checking all the car doors. Private property, which means the company has to call the cops.

    If you want to do something, then you can send a letter to the ISP. Otherwise, you have to make like the Britons; batten down the hatches and hope the Luftwaffe pass you by.

    I guess you can go hunting, too. Hack the ISP, grab a ballbat, and send a "cease and desist" request yourself. An ounce of assbeating is worth more than a pound of Congressional Legislature.
  • by Anonymous Coward on Friday August 13, 2004 @09:27AM (#9957825)
    I once heard a story about someone who had a (warez) ftp server which someone kept brute forcing. This happened here in Finland, in a small town of about 20000 residents (in which I don't live, though).

    Being a little pissed off as the attacking continued for some time consuming his precious bandwidth, he tracked his IP and with some social engineering he found out the attacker was just some high-school script kiddie, along with the information of where he lived. So he went where the attacker lived and left a note on his home door with something like "stop bruteforcing my server or else...".

    Suddenly, the attacks stopped :)
  • by LearnToSpell ( 694184 ) on Friday August 13, 2004 @09:35AM (#9957899) Homepage
    Most of these people weren't alive before ssh.
  • by Anonymous Coward on Friday August 13, 2004 @10:04AM (#9958223)
    If they manage to get root on your box, they'll probably do one of several things once you clean up all of the root kit mess.

    If they put an irc bot on your server, you can steal their channels. They're practically giving you, someone they don't know, access to their botnet.

    If they set up a warez ftp, you can have some fun with them by putting trojans into their files. Since they've already saved you the time of putting warez on your computer, be sure to copy anything good first.

    If they're using your machine for DDOS floods, you may be able to hijack their DDOS network, use it against your enemies or competitors, and blame it on some dirty hackers.

    If they steal your database of credit card numbers, it's a sign that you should quit your job and find a new career.
  • by LordPixie ( 780943 ) * on Friday August 13, 2004 @10:19AM (#9958366) Journal
    You apparently mistyped the URL of your porn server. Please resend.


    --LordPixie
  • by nusratt ( 751548 ) on Friday August 13, 2004 @11:38AM (#9959297) Journal
    "Arabs, technically, are caucasians. They're just curly haired, tanned white people. Not entirely unlike Italians."

    WTF? Italians are white people? ;-)
  • by whoppers ( 307299 ) on Friday August 13, 2004 @01:24PM (#9960500)
    As an ex-IRC addict, I learned the ping -t and other commands early on, and that a shell account could really whup up someone on a dialup, which was usually me. One time I did start pinging some dialup guy from a shell, when someone on the shell msg'd me asking what I was doing, I replied "none of your business" he replied "goodbye". Dialup and everything dropped as he was the admin. Oh the days of being young, dumb and full of piss and vinegar, glad they're over.

  • by thisissilly ( 676875 ) on Friday August 13, 2004 @01:42PM (#9960748)
    So how did you remotely administer Unix boxes prior to ssh?

    Log in as a normal user, and su, of course.
