SLUG Mailing List Archives
[SLUG] (was: snooping / detective work.)
- To: Del <del@xxxxxxxxxxxx>
- Subject: [SLUG] (was: snooping / detective work.)
- From: Paul Robinson <p_d_robinson@xxxxxxxxxxxxxxxx>
- Date: Sun May 6 17:00:02 2001
- Cc: slug@xxxxxxxxxxx
Yeah, I guess it would be a waste of resources. It would still prove to be a
worthwhile setup to detect any future attempts, though, wouldn't it? I seem
to recall reading on the Snort site that the optimum setup is to have one
Snort running outside the firewall and one inside the firewall; that way
you can see who's attempted what and you can also see who got through with
On a side note, I was looking at Gateway and Dell for potential ready-made
firewalls. They both seem to offer easily configurable purpose-built
machines (e.g. Gateway's micro server or Dell's power web server). Are there
any problems with these servers? I am worried that they may not be fully
configurable and updatable, and was wondering if anyone has had any
experience with this sort of server. Is it better to just get a regular
PC and set it all up manually?
We kind of need a quick solution, as productivity is suffering due to the
effect that the compromise has had (DoS effects when the person assumes the
identity of another machine on our network).
Again, thanks in advance,
At 01:32 PM 6/05/2001 +1000, Del wrote:
> What I'd like to be able to do before I set up said firewall is
> set up a sort of packet sniffer box in between the internet and one of the
> servers that this person is using. Hopefully to find out who they are and
> what they are doing.
Right answer, wrong problem.
Who they are is a relayed attack through some other compromised machine
somewhere else, probably in Brazil, Pakistan, Greece, or Saudi Arabia.
That compromised machine is probably relaying data from a third machine
which in turn relays from a fourth ... etc. You may have to involve
Interpol in a search for the real hacker, or at least CERT.
What are they doing? Probably going around the internet seeing how
many m4ch1n3s th3y can 0wn3d l1k3 y00r s0rry 4rs3 b3cuz th3y 4r3
1337 d00d! If you're really lucky they might actually do something
useful with your machine, like D0S M1cr0s0ft!!!
It's not worth your trouble. Besides, who cares?
Find out how they got in. My guess: Because you didn't have a firewall.
End of answer. Once you have that answer, find out how to keep them out.
I think you can guess the answer to that one.
Believe me, tracking hackers back to home base is just not worth it.
Besides, once your hacker is kicked out of his dial-up account for h4x0ring
your b0x, they'll just use one of the other 500 or so accounts they managed
to get off the phreakers' mailing lists. If it's really important that you
track the guy down because there's some kind of industrial espionage issue
going on and you want to prosecute, then call in the experts to do it.
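Paul's recollection above, that one Snort sensor outside the firewall and one inside lets you tell attempts from what actually got through, is easy to turn into a concrete check. What follows is an added example, not code from the original thread, from Snort, or from either poster: a small Python correlator that parses the single-line Snort "alert_fast" format (layout as assumed in the comment), matches each outside alert to an inside alert with the same signature, source, destination and port within a short time window, and splits the result into attempts the firewall dropped, attempts that passed, and alerts seen only inside (which is where an internal host misbehaving, like the spoofed-identity DoS Paul mentions, would show up). The log lines, addresses, signature IDs and function names are all constructed for the example.

```python
"""Correlate alerts from an outside and an inside Snort sensor.

Added example for the SLUG thread above; not code from Snort or from
the original posters. Sample alerts, addresses and SIDs are constructed.
"""
import re
from datetime import datetime

# Assumed Snort "alert_fast" line layout (one alert per line):
#   MM/DD-HH:MM:SS.uuuuuu [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:sport] -> dst[:dport]
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample logs. SIDs of 1000000 and up are the local-rule range.
OUTSIDE_LOG = """\
05/06-16:40:01.000100 [**] [1:1000001:1] CONSTRUCTED telnet probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40123 -> 192.0.2.10:23
05/06-16:40:01.500000 [**] [1:1000002:1] CONSTRUCTED ftp login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:40124 -> 192.0.2.10:21
05/06-16:41:30.000000 [**] [1:1000003:1] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.11
"""

INSIDE_LOG = """\
05/06-16:40:01.600200 [**] [1:1000002:1] CONSTRUCTED ftp login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:40124 -> 192.0.2.10:21
05/06-16:45:00.000000 [**] [1:1000004:1] CONSTRUCTED duplicate IP seen on LAN [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.12:1025 -> 192.0.2.10:139
"""


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    # alert_fast carries no year; only differences between timestamps matter here
    a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")
    return a


def parse_log(text):
    """Parse a whole log, silently skipping lines that are not alerts."""
    return [a for a in map(parse_alert, text.splitlines()) if a]


def _key(a):
    # same rule, same source, same target host, same target port
    return (a["sid"], a["src"], a["dst"], a["dport"])


def correlate(outside, inside, window_s=2.0):
    """Match each outside alert to an unused inside alert with the same key
    that fired within window_s seconds.  Returns (passed, blocked, inside_only):
      passed      - seen on both sensors, i.e. the firewall let it through
      blocked     - seen outside only, i.e. the firewall (or a dead host) stopped it
      inside_only - seen inside only: traffic that never crossed the outside
                    sensor, typically an internal host misbehaving
    """
    inside_by_key = {}
    for a in inside:
        inside_by_key.setdefault(_key(a), []).append(a)
    passed, blocked, used = [], [], set()
    for a in outside:
        match = None
        for c in inside_by_key.get(_key(a), []):
            if id(c) not in used and abs((c["ts"] - a["ts"]).total_seconds()) <= window_s:
                match = c
                break
        if match is None:
            blocked.append(a)
        else:
            used.add(id(match))
            passed.append(a)
    inside_only = [c for c in inside if id(c) not in used]
    return passed, blocked, inside_only


def report(outside_text, inside_text):
    """Return the three classes as (sid, msg, src, dst) tuples, for printing or testing."""
    def tidy(alerts):
        return [(a["sid"], a["msg"], a["src"], a["dst"]) for a in alerts]
    passed, blocked, inside_only = correlate(parse_log(outside_text), parse_log(inside_text))
    return {"passed": tidy(passed), "blocked": tidy(blocked), "inside_only": tidy(inside_only)}


if __name__ == "__main__":
    for label, rows in report(OUTSIDE_LOG, INSIDE_LOG).items():
        print(f"== {label} ({len(rows)})")
        for sid, msg, src, dst in rows:
            print(f"  sid {sid}: {msg}  {src} -> {dst}")
```

Two practical caveats when running this against real sensors: both boxes need their clocks in sync (NTP), or the time window has to grow until the correlation becomes meaningless, and the inside sensor should sit on a span/mirror port or hub segment so it sees all traffic, not just what the firewall forwards to its own address.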
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug