Security Basics mailing list archives
RE: FTP hack of two web sites
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Sun, 26 Mar 2006 09:57:50 -0500
The reality is that the IP addresses you collected don't mean the computers involved are owned by the criminals or are where they live. It's tough to prove that. More than likely (unless the hackers are stupid), the intruders only used those hosts as their reflection point (either manually or via installed bots), and the IP addresses you have are not the intruder's origination IP address. Instead it's the IP address of somebody's grandparent's cable modem, and they have no idea they are involved.

In order to catch the real culprits, you'd have to follow (and prove) the trail from the very beginning to the end, which is difficult technically, and difficult to do without court orders and the cooperation of multiple entities. You'll not find too many ISPs that will help you without a court order. Either they don't care, they are so overwhelmed by requests like yours that they will only help out in the serious cases, or, justifiably so, they require a court order to get involved because they face legitimate legal issues themselves in helping you.

Unless you can prove substantial damages, you'll have a hard time getting the authorities involved in a way that provides an actual criminal charge. And remember, when you get the legal authorities involved, if they want, they can take your computers (as evidence) and lots of other stuff that you may not want. Once the authorities are involved, it's not your investigation anymore. However, far more likely is the fact that the authorities will do nothing to help you other than take your report and wish you luck. If the attackers live within other legal borders (which is highly likely) then you have to involve multiple legal authorities, and that significantly complicates the case.

I've been involved with fighting malicious hackers for twenty years, and only rarely, in very significant cases with significant human and financial resources dedicated, has it ever led to someone actually being charged.
And when they get charged, the charges usually don't amount to anything (probation, etc.). There's a reason millions of dollars every day are being stolen by malicious hackers and nearly all of them are getting away with it. The reality is that 99.999999% of hacking goes unprosecuted. Most people close the hole that allowed the exploit (you had to make a mistake). Learn from the lesson, and move on.

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger () banneretcs com
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
*******************************************************************

-----Original Message-----
From: backdropman1 () yahoo com [mailto:backdropman1 () yahoo com]
Sent: Wednesday, March 22, 2006 4:04 PM
To: security-basics () securityfocus com
Subject: FTP hack of two web sites

Seeking any advice on what to do or how to proceed on an FTP attack which left me the IP address of the hacker in my logs. So far I have given the IP address to their ISP but I have no idea what, if anything, the ISP did. It would fall under one of these sections of 18 USC: 18usc1030, 18usc2520, 18usc2510. Any help would be greatly appreciated, and thanks in advance.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
Current thread:
- FTP hack of two web sites backdropman1 (Mar 24)
- Re: FTP hack of two web sites Gaddis, Jeremy L. (Mar 27)
- <Possible follow-ups>
- RE: FTP hack of two web sites Roger A. Grimes (Mar 27)