Subject: Re: Compromised Box -
From: Daniel Harrison (danielhLOUDCLOUD.COM)
Date: Tue Oct 31 2000 - 20:01:12 CST


You could do it that way but just getting an IP address may not be enough. If he
gets on the box and starts IRC'ing, you can get a huge amount of information
about the attacker. If he is a kiddie maybe you'll get lucky and he will do it
from a box that can be easily traced back to him but maybe not. I haven't dealt
too much with the authorities in the past but just giving them an IP address from
a log file probably wouldn't get them to do anything.
Of course this is just my $.02. =)

dan

Andrew Blogg wrote:

> If you want to track and see if an attack happens again on this port, I
> would run something else on that port which simply closes the connection and
> states "Your attempt has been logged" and actually log the IP address, date
> and time that a connection was made from.
>
> Then you can have fun with the authorities if you wish.
>
> You could run such a script on that port AFTER you've rebuilt the box,
> because an attacker is unlikely to know that the box has been rebuilt.
>
> Regards,
> Andrew
>
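
The listener described in the quoted message, as an added example that is not part of the original thread: it accepts a connection, records the date, time and source address, sends the banner and closes without reading anything from the peer. The port number, log path and log line format are assumptions chosen for illustration; the thread does not name them.

```python
import socket
import sys
from datetime import datetime, timezone

BANNER = b"Your attempt has been logged\r\n"

def format_entry(addr, port, when):
    """One log line: UTC timestamp, source IP, source port, local port."""
    stamp = when.isoformat(timespec="seconds")
    return f"{stamp} src={addr[0]} sport={addr[1]} dport={port}"

def handle_connection(conn, addr, port, log, now=None):
    """Record the peer first, then send the banner and close.

    Nothing the peer sends is ever read, so there is no input to parse.
    """
    when = now or datetime.now(timezone.utc)
    entry = format_entry(addr, port, when)
    log.write(entry + "\n")
    log.flush()  # keep the record even if the process dies later
    try:
        conn.settimeout(2)  # a stalled peer must not block the accept loop
        conn.sendall(BANNER)
    except OSError:
        pass  # peer already gone; the entry is logged regardless
    finally:
        conn.close()
    return entry

def serve(port, log_path, host="0.0.0.0"):
    """Accept loop: one log line per connection, appended to log_path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, \
            open(log_path, "a") as log:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            handle_connection(conn, addr, port, log)

if __name__ == "__main__":
    # Usage (assumed): python listener.py <port> <logfile>
    serve(int(sys.argv[1]), sys.argv[2])
```

Timestamps are written in UTC so the entries can be lined up with other hosts' logs without guessing a time zone.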