How Should One Respond to a Network Break In?
Jety asks: "I am the sole IT support for a medium-sized residential real estate office. It has a network of one main server, 10 office workstations, and another 40 or so agents' personal computers. I discovered via logs that recently someone made about 50 remote login attempts to the server, guessing at passwords, but it would appear that they were not able to gain access. They did, however, leave an IP address in the logs. It turns out to be an Exchange server for another business in the same city.
What is an appropriate response to this sort of failed break-in attempt? How seriously should one react? How should it be presented to management, and should you encourage them to over or under react? Should the other business, whose server was used to launch the attack, be informed? Should you try to surveil them first to learn about who is doing their tech work? With what tone should they be approached and/or accused? What would a suitable response from that company entail?"
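The first thing a manager or an ISP abuse desk will ask for is a concise summary of what the logs show: how many attempts, from where, over what period, and which accounts were tried. The script below is an added example, not part of the question or any reply; it assumes OpenSSH-style syslog lines (the asker does not say what kind of server or log format was involved), runs over a constructed sample burst of 50 failed logins from one address alongside a legitimate user's mistyped password, and produces a short incident summary suitable for the report. The threshold, window and year are assumptions, since syslog timestamps carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH/syslog style lines such as:
#   Mar 14 03:01:02 host sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one log line into a dict, or return None if it is not a login event.
    The year is an assumption: syslog timestamps do not record it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # normalise "Mar  3" to "Mar 3"
    return {
        "ts": datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=10), year=2024):
    """Group failed logins by source IP and flag any IP that produced
    `threshold` failures inside any `window`-long span. Returns a summary
    per flagged IP (count, first/last seen, usernames tried)."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line, year)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        # Sliding check: do any `threshold` consecutive failures fit inside the window?
        burst = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        if burst:
            flagged[ip] = {
                "count": len(evs),
                "first": times[0],
                "last": times[-1],
                "users": sorted({e["user"] for e in evs}),
            }
    return flagged


def incident_report(flagged):
    """Render the summary as plain text for management or an ISP abuse contact."""
    out = []
    for ip, s in sorted(flagged.items()):
        out.append(
            f"Source {ip}: {s['count']} failed logins between "
            f"{s['first']:%Y-%m-%d %H:%M:%S} and {s['last']:%Y-%m-%d %H:%M:%S}; "
            f"accounts tried: {', '.join(s['users'])}"
        )
    return "\n".join(out) if out else "No brute-force activity detected."


def _constructed_sample():
    """Constructed log lines for the demonstration (not real traffic)."""
    lines = []
    base = datetime(2024, 3, 14, 3, 1, 0)
    guessed = ["admin", "root", "administrator", "backup", "test"]
    for i in range(50):  # one address hammering the server, 3 seconds apart
        t = base + timedelta(seconds=3 * i)
        lines.append(
            f"{t:%b %d %H:%M:%S} fileserver sshd[4121]: Failed password for "
            f"invalid user {guessed[i % len(guessed)]} from 203.0.113.45 port {51000 + i} ssh2"
        )
    # An office user mistyping a password twice, then logging in: not an attack.
    lines += [
        "Mar 14 08:15:01 fileserver sshd[4390]: Failed password for jsmith from 198.51.100.7 port 50210 ssh2",
        "Mar 14 08:15:09 fileserver sshd[4390]: Failed password for jsmith from 198.51.100.7 port 50210 ssh2",
        "Mar 14 08:15:20 fileserver sshd[4390]: Accepted password for jsmith from 198.51.100.7 port 50211 ssh2",
    ]
    return lines


SAMPLE_LOG_LINES = _constructed_sample()

if __name__ == "__main__":
    print(incident_report(find_bruteforce(SAMPLE_LOG_LINES)))
```

Pointing `find_bruteforce` at real lines (for example `open("/var/log/auth.log")`) and pasting the report output into the police report or the ISP abuse e-mail gives the other parties the facts without speculation; the threshold and window are deliberately generous so that a user's two typos never appear in the summary.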
Those scripts that try to brute-force ssh don't even look at your files. They rm -rf to make more space, and then run an IRC server to trade porn with, and also start trying to break into more machines.
We did not call the police; instead we found out the format it was sending information in and what it was reporting. So we took the program and installed it on a disconnected machine to play with it. It scanned a hard drive for JPEG, PDF and PSD files and then sent them in a zipped file to the address every night at 3 am. So we had a meeting to decide on what we should send them. We decided to send someone they did not know to photograph inside their gallery when they were not looking. After we had most of their new installation photographed and scanned, FYI, this was before digital cameras were cheap.
After that we found out where they lived and took pictures of them leaving their houses in the morning for some who lived nearby, their licence plates and the insides of their cars, where they worked, some with pictures of them working, and sent it to them a few days later. About a week after that we took pictures of someone taking pictures of us from across the street in a car we did not recognize and blew up the image to find the culprit, whom we told the competing gallery about, which promptly took his whole installation including 2 computers synchronizing motion to music (just a program downloaded off the net) and left all of it in the back of the building in central Phoenix in broad daylight. Virtually nothing survived, lol. Some people were pissed we took photos of them and their art but I believe it is legal to do so in public. Correct me if I'm wrong.
An Education is the Font of All Liberty
A while ago I was setting up a win2k server on my connection at home with an external ip address (yes I patched it before I went online :D).
One of the last things I did was disable FTP, and then on some whim I checked the ftp logs...
Someone (no doubt a bot) had connected to my ftp server with anonymous, created a directory, changed into the directory to make sure it really existed, then deleted the directory and logged out.
No doubt my IP address was now on some list of open ftp servers.
I was very tempted to leave FTP going for a while and see what turned up there, but then I realised I probably wouldn't like what I found, so I left it disabled.
File a police report. Costs nothing, covers your ass.
Then tell their ISP, and tell the ISP you filed a police report. Their ISP will deal with it. If it becomes a problem for the ISP, it will be a serious problem with the company.
If you want to be an ass, you could tip the BSA that they're running a pirated copy of Exchange. Anonymously would be best.