20.10 Be Sure You Found the Attacker

Naturally, you will want to stop the attacker from causing further harm to your systems and anyone else's. You probably want him punished as well, and you might want to hand him a bill for your costs in finding and repairing the damage. By now you probably have the IP address of the system used to violate yours; without this or similar identifying information, you probably do not have any clues as to who attacked you.

However, if the cracker is good, the account on that machine was itself broken into and used without the knowledge or consent of its owner. Thus, your hunt is just beginning. First you need to determine whether the cracker is the SysAdmin of that system. There is no absolute way to determine this. If the system belongs to a company, university, government agency, or similar organization, it is unlikely that the SysAdmin is guilty.

I know of two cases of a SysAdmin seriously abusing his power. One was in 1979 when he used the root account at the University of California at Berkeley's research UNIX system to access my student account and make a copy of my lock program. It allowed you to lock your terminal against someone else either doing bad things with your account or logging in and claiming the (public) terminal.

The SysAdmin then claimed authorship of my program and incorporated it into the distribution of Berkeley UNIX with his name as author. It took 10 years before he admitted his plagiarism and I received recognition for this program as one of my contributions to Berkeley UNIX.

The other SysAdmin abuse I know of was where an NT SysAdmin at a Southeastern U.S. bank did some bad things with the bank's network and was shown the door. Certainly, there are more cases, but they are unusual.


If the system's owner is a registered user of an online service such as AOL or EarthLink, he might be a cracker but likely is not. Most people use such easy-to-guess passwords that most accounts can be cracked with little effort. (A possible exception is AOL's free introductory "throwaway" account offer, which is very popular with crackers.) If the subscriber is connected via a dial-up line (PPP or ISDN), then, short of cracking the ISP itself, a cracker would have to break into the subscriber's system by finding a port with a service listening on it (such as telnet) and compromising that service, either through an exploit or by cracking a password.

If the subscriber is using a cable modem, the cracker's job becomes much easier, because cable modem service operates like a large LAN: many subscribers share one "LAN segment" and can sniff each other's traffic. This makes sniffing for passwords trivial. One cable modem subscriber was shocked to find 150 other subscribers on his segment. (A smart cable modem subscriber will use ssh or HTTPS for all confidential work!)

The point of all this is that deciding whether the person "owning" the account you traced the intrusions to actually might be the perpetrator is a judgment call on your part. Certainly, the decision has a higher likelihood of being correct when you have gathered enough data.

Recently I heard the very loud sound of bombs exploding, which is the sound my system generates when someone is trying to break in. I ran to my connected laptop to see what was the matter. The automatically generated e-mail that also is generated upon break-in said that some account in another state was trying to break in and my safe finger request to his system provided me with his name, e-mail address, and even phone number.

I thought that the account was compromised and being used by a cracker because I did not expect a cracker to be so stupid as to provide all of this information about himself. I sent him a polite e-mail saying that his account had been used to try to get into my system (via FTP as I recall) and that his account might have been compromised.

He asked for more details so I supplied some logs. He claimed that he had not done anything wrong. Although some people might try an anonymous FTP and think that it is acceptable, I consider it equivalent to twisting the knob on someone's front door to see whether it is unlocked. I am not sure which side of the law either of these falls on but I do not like either one.

This illustrates the difficulty of determining whether an account's rightful owner is the cracker or whether the account had been cracked. Had this person not admitted to the attempt at cracking, I would have believed it if he had claimed he had no knowledge of the attempted cracking.

I sat down the next day and created the blockip script (discussed in "Adaptive Firewalls: Raising the Drawbridge with the Cracker Trap" on page 559 in Part II) which gets called by TCP Wrappers due to an entry in the /etc/hosts.allow configuration file.
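The TCP Wrappers hook just described, as an added example that is not the book's own blockip script: a blockip-style handler with an assumed /etc/hosts.allow trap entry, an assumed iptables block rule, and an assumed whitelist of your own addresses. It validates the client address before it ever reaches a command line and logs every decision it makes.

```shell
#!/bin/sh
# blockip-style handler (added example, not the book's own blockip script).
# Assumed /etc/hosts.allow trap entry that runs it for a service you do not offer
# (the service must still be listed in inetd.conf and wrapped by tcpd to be seen):
#   in.telnetd in.ftpd : ALL : spawn (/usr/local/sbin/blockip %a %d) & : deny
# %a expands to the client address and %d to the daemon name (hosts_access(5)).
LOGFILE=${LOGFILE:-/var/log/blockip.log}
DRY_RUN=${DRY_RUN:-0}          # 1 = print the firewall command instead of running it
NEVER_BLOCK="127. 192.168.1."  # assumed: loopback and your own LAN are never blocked

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255; rejecting
# anything else keeps a hostile %a value out of the command line built below.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 starts with one of the NEVER_BLOCK prefixes.
is_whitelisted() {
    for prefix in $NEVER_BLOCK; do
        case "$1" in "$prefix"*) return 0 ;; esac
    done
    return 1
}

# Print the firewall command (assumed: iptables) that drops all traffic from $1.
block_cmd() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

# blockip <client address> <daemon>: log the probe and block the source.
# Exit status: 0 blocked, 1 whitelisted (left alone), 2 address rejected.
blockip() {
    addr=$1; daemon=${2:-unknown}
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    if ! is_ipv4 "$addr"; then
        echo "$stamp refused: bad address '$addr'" >>"$LOGFILE"
        return 2
    fi
    if is_whitelisted "$addr"; then
        echo "$stamp skipped: $addr is whitelisted (probe of $daemon)" >>"$LOGFILE"
        return 1
    fi
    echo "$stamp blocked $addr after probe of $daemon" >>"$LOGFILE"
    if [ "$DRY_RUN" = 1 ]; then block_cmd "$addr"; else eval "$(block_cmd "$addr")"; fi
}

[ $# -ge 1 ] && blockip "$@"
```

Run it with DRY_RUN=1 first to see the rule it would add for a given address; the log file records whitelisted and rejected requests as well as blocks, so it doubles as the evidence trail the rest of this section is about.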


Some good questions to answer are the following:

  1. How long has this account (or fully qualified host name) been in existence? As discussed elsewhere in this book, AOL free starter account CD-ROMs frequently are used by crackers as "throwaway" accounts that are untraceable.

  2. What does a search of this account and host name on the Web and Usenet newsgroups turn up? Try dropping his e-mail address, real name, or host name into a search of Usenet newsgroups, or use google.com, altavista.com, or your favorite search engine to search the Web. Within a few minutes you will know all about this person.

  3. What does an inquiry of his SysAdmin, ISP, or boss reveal? Do be careful of legal issues here, such as invasion of privacy, and proceed with the assistance of your agency's Legal or Human Resources Department.

  4. Does the severity of the situation warrant hiring a private detective to conduct an investigation? The $200 to $3000 could get you lots of insight.

Frequently, it is advisable to contact the SysAdmin of the system that you have traced the cracking attempt to rather than contacting the user whose account appears to have been used. This assumes that the SysAdmin is more reliable than either the user or the cracker who has compromised the user's account. The SysAdmin can copy and save log files that the cracker might not have destroyed and offer them to you for analysis or analyze them for you. (He may not want to hand them over to you, a complete stranger.)

Real World Linux Security, Prentice Hall PTR Open Source Technology Series, 2002, 260 pages.