Security Incidents mailing list archives

Re: How to stop a consistent cracker.


From: Chris Ess <azarin () tokimi net>
Date: Sat, 9 Jun 2001 17:36:40 -0400 (EDT)

Your listed casualties:
humphrey.ocean.washington.edu
news.waterford.org
ns0.street.tv
sidhe.mit.edu
rahul.engr.csufresno.edu
auction2.csc.ncsu.edu

How do you know that he's hit these machines?  Do you have any particular
proof?

I am very interested in this matter since one of the hosts you have listed
is within the computer science department of NC State University, where I
have many friends and many contacts.

On Sat, 9 Jun 2001, Yotam Rubin wrote:

> The problem is that none of the contacts were willing to pursue the matter
> legally, I advised everyone *NOT* to remove the compromised box.

So all of the hosts have been removed?

How have these hosts been compromised?  I see nothing out of the ordinary
on an nmap but admittedly don't know what to look for.  Both the NCSU box
and the UNCC box (152.15.21.19) run Solaris though and I'm not up on my
Solaris vulnerabilities/exploits.

> How can one stop this malicious user? Is it even possible when nobody is
> willing to cooperate? Even while writing this letter, this guy is DoS'ing me
> from 152.15.21.19.

This IP belongs to vertigo.uncc.edu, a machine with UNC-Charlotte.  Since
it's a Saturday, I could not contact the UNC-Charlotte IT department
regarding this.

If you'd like a number to call on Monday, which is most likely the next
time they will be reachable, try (704) 687-4285.  Also, you might try
sending an e-mail to hostmaster () uncc edu.  I don't think it will do
much good, but it's the only contact address I can come up with from a
cursory glance.

Keep logs of what is happening to you because you may need it to force the
UNCC admins into action.

I wish you luck.

--CAE  Kujikenaikara!

Sub caelo noctis sto quod stellae mihi spem dant.

"Just a whisper.  I hear it in my ghost."
--Major Motoko Kusanagi, "Ghost in the Shell"

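The advice above to keep logs of the DoS traffic is the part of this thread an abuse desk will actually act on: a complaint that says "your host 152.15.21.19 is flooding me" goes nowhere, while one that cites first/last timestamps, packet and byte counts, peak rate and the hash of the raw log usually does. The script below, as an added example that is not part of the original thread or either poster's own tooling, turns packet-filter log lines into that kind of digest. It assumes Linux iptables/netfilter LOG output in syslog format (the thread never says what the victim's firewall was), and the sample log lines are constructed for illustration, not captured from the incident.

```python
"""Summarise packet-filter log lines from one source IP into an abuse-report
digest.  Added example, not part of the original thread.  Assumes Linux
iptables/netfilter LOG lines in syslog format; the sample lines below are
constructed, not captured from the incident."""
import hashlib
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (assumed netfilter LOG format, not real captures).
SAMPLE_LOG = """\
Jun  9 17:30:01 gw kernel: IN=eth0 OUT= SRC=152.15.21.19 DST=10.0.0.5 LEN=1500 PROTO=UDP SPT=31337 DPT=53 LEN=1480
Jun  9 17:30:01 gw kernel: IN=eth0 OUT= SRC=152.15.21.19 DST=10.0.0.5 LEN=1500 PROTO=UDP SPT=31337 DPT=53 LEN=1480
Jun  9 17:30:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40212 DPT=22 WINDOW=5840 SYN
Jun  9 17:30:02 gw kernel: IN=eth0 OUT= SRC=152.15.21.19 DST=10.0.0.5 LEN=40 PROTO=TCP SPT=4444 DPT=80 WINDOW=0 SYN
Jun  9 17:31:15 gw kernel: IN=eth0 OUT= SRC=152.15.21.19 DST=10.0.0.5 LEN=1500 PROTO=UDP SPT=31337 DPT=53 LEN=1480
Jun  9 17:31:15 gw kernel: this line is not a packet record and is skipped
"""

# Syslog timestamp, host, then the netfilter key=value fields we care about.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_lines(text, year=2001):
    """Yield one dict per line that matches the LOG format; skip everything else.

    Syslog timestamps carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Jun  9")
        yield {
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "src": m["src"],
            "dst": m["dst"],
            "len": int(m["len"]),
            "proto": m["proto"],
            "dpt": m["dpt"],  # None for protocols without ports (e.g. ICMP)
        }


def summarize(log_text, source_ip, year=2001):
    """Build the figures an abuse report needs for traffic from source_ip.

    Returns None when the log holds no packets from that address."""
    records = sorted(
        (r for r in parse_lines(log_text, year) if r["src"] == source_ip),
        key=lambda r: r["ts"],
    )
    if not records:
        return None
    per_minute = Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in records)
    return {
        "source": source_ip,
        "packets": len(records),
        "bytes": sum(r["len"] for r in records),
        "first_seen": records[0]["ts"].isoformat(sep=" "),
        "last_seen": records[-1]["ts"].isoformat(sep=" "),
        "peak_packets_per_minute": max(per_minute.values()),
        "protocols": dict(Counter(r["proto"] for r in records)),
        "target_ports": dict(Counter(f"{r['proto']}/{r['dpt']}" for r in records if r["dpt"])),
        # Hash of the raw log so the recipient can confirm the file you send
        # later is the one the figures were computed from.
        "raw_log_sha256": hashlib.sha256(log_text.encode()).hexdigest(),
    }


def format_report(summary):
    """Render the summary as plain text suitable for pasting into an abuse mail."""
    lines = [f"Traffic from {summary['source']}:"]
    for key in ("first_seen", "last_seen", "packets", "bytes",
                "peak_packets_per_minute", "protocols", "target_ports",
                "raw_log_sha256"):
        lines.append(f"  {key}: {summary[key]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG, "152.15.21.19")))
```

Run it over the real log instead of SAMPLE_LOG (for example `summarize(open("/var/log/messages").read(), "152.15.21.19")`) and keep the original file untouched alongside the printed hash; the digest is what you quote in the complaint, the raw file is what you hand over if they ask for evidence.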

