Home page logo
/

nanog logo nanog mailing list archives

Re: Tracking cracker, help?
From: Joe Shaw <jshaw () insync net>
Date: Tue, 29 Jul 1997 09:07:10 -0500 (CDT)


The sad thing is, until you have a court order, the other ISP isn't
necessairly obligated to help you.  There is no law stating that they
have to turn logs over to you.  It's usually up to the other admins, but
every time I've had this problem, we've gotten really good responses from
the offenders provider.  

I don't know who you spoke with, but you might try going to an owner if
you only spoke to an admin.  Owners tend to take attacks coming from their
sites a lot more seriously than admins do, and would probably be a much
better point of contact.  I'm sure given the fact that your business is
severely effected by these attacks and that it would be greatly
appreciated if he'd/they'd help you out before the story broke the news
(what hurts a business more than bad publicity?) and you'd really like him
to cooperate fully.  After niceness hasn't worked, you could always
threaten with a civil suit of some kind...  

Just remember to be nice before you start playing hardball.

Regards,
Joe Shaw - jshaw () insync net
NetAdmin - Insync Internet Services
"Learn more, and you will never starve." - Paraphrase of Lee

On Mon, 28 Jul 1997, Dave Rand wrote:

I'm tracking down an individual that has attacked both my personal site, as
well as one of my customers' sites.  In this particular attempt, when his
'normal' site was blocked by IP address, he immediately started to use
dial-up sites all over his local area, then ranged further into the US.

On my system, he had installed a password sniffer.  I suspect that this was
a common mode of operation for him.

Naturally, I logged all of the attempts at the router level.  I emailed the
logs to the origin ISPs, and (with one notable exception) was met with huge
indifference.  In the queries, I am asking only for a confirm/deny of the
user's name - I am not asking the ISP's involved to release the name of the
dialup users.  That, of course, will come later.  Right now, I'm just trying
to confirm that the same individual is launching the attacks.

A police report has been filed, and a restraining order will be served
tommorow.

What's a better way to ask for, and obtain log information in a timely
fashion?  Wait 6 months for a court trial, when everyone has purged their
logs?

Clues would be appreciated.

-- 
Dave Rand
dlr () bungi com
http://www.bungi.com




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]