Ssh break that claims it was me?


Ssh break that claims it was me?

by makkalot


Hi all, I don't know if this is the right place to write that, but I didn't know
what to do...
The case is as follows:
I'm a freelance programmer and work for other people from a distance, therefore
they give me ssh access to their servers and I fix their stuff. A few days ago I
was hired to fix some django/apache stuff on a server. I fixed all the stuff and
got my money. OK, that was the story part; here is the message I got from the
client today:
"
I know you deleted the svn repo and also trac...
I don't know why you chose to go in that route... very bad
if you were not happy about something you could have
asked for more money... we could have worked together
to resolve anything... in any case.. I will report this to RAC
from the system logs and we will go from there...
I still don't know why you did this!!!! "

OK, obviously I didn't do that, because I don't have any reason to do so. Is there
a way I can prove it wasn't me? Some fingerprint ssh values? Please, any help
is appreciated, thanks in advance...

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------


RE: Ssh break that claims it was me?

by Viktor Larionov


Hi!

Well, I would start by simply talking to the client and checking the IP addresses from which the access was granted.
I'd bet my pants that the IP address is a Chinese socks proxy or smth. like this.

And of course, first of all check that it was really your user who did that. (If the .bash_history file under your home directory is valid, you can easily see all the commands your user has executed in the recent past.)

And of course logs, logs and once again logs; you will definitely find a way of proving this by just carefully examining the auth logs, .bash_history file, cvs logs, etc.
If it's the CVS repo that was deleted, and a busy CVS repo, then by means of the CVS error logs you can definitely determine the time when it was done. Etc.


regards,
Vik

---
Viktor Larionov
snr. system administrator
R&D team
Salva Kindlustuse AS
Pärnu mnt. 16
10141 Tallinn
ESTONIA
tel: (+372) 683 0636, (+372) 680 0500
fax: (+372) 680 0501
gsm: (+372) 5668 6811
viktor.larionov@...

------------
MOTD: Dream Big. Think the impossible. If you can dream it - you can create it.






-----Original Message-----
From: makkalot@... [mailto:makkalot@...]
Sent: Monday, October 27, 2008 1:20 PM
To: incidents@...
Subject: Ssh break that claims it was me?


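Viktor's suggestion to examine the auth logs and the source IP addresses, as an added example that is not part of the thread: a small Python script that parses constructed OpenSSH auth.log lines (not the client's real logs) and lists accepted logins to the freelancer's account from addresses outside his known set, together with the number of failed attempts from that same address beforehand. The account name, host name and all IP addresses are assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not from the thread's server).
# 203.0.113.5 is the freelancer's known address; 198.51.100.77 is not.
SAMPLE_AUTH_LOG = """\
Oct 25 09:12:01 web1 sshd[2211]: Accepted password for makkalot from 203.0.113.5 port 51234 ssh2
Oct 25 09:12:01 web1 sshd[2211]: pam_unix(sshd:session): session opened for user makkalot by (uid=0)
Oct 25 11:40:17 web1 sshd[2211]: pam_unix(sshd:session): session closed for user makkalot
Oct 26 03:01:44 web1 sshd[3102]: Failed password for makkalot from 198.51.100.77 port 40210 ssh2
Oct 26 03:01:49 web1 sshd[3102]: Failed password for makkalot from 198.51.100.77 port 40210 ssh2
Oct 26 03:02:03 web1 sshd[3105]: Accepted password for makkalot from 198.51.100.77 port 40388 ssh2
Oct 26 03:02:03 web1 sshd[3105]: pam_unix(sshd:session): session opened for user makkalot by (uid=0)
Oct 26 03:09:30 web1 sshd[3105]: pam_unix(sshd:session): session closed for user makkalot
"""

# Matches the sshd "Accepted ..." / "Failed ..." authentication lines only;
# pam_unix session lines are ignored by this pattern.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse_ssh_auth(log_text):
    """Return one dict (ts, result, method, user, ip) per sshd login attempt."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def suspicious_logins(events, user, known_ips):
    """Accepted logins for `user` from addresses not in the user's known set.
    Each hit also carries the count of failed attempts from that address seen
    earlier in the log: a burst of failures followed by success points to
    password guessing rather than the account's legitimate holder."""
    failures = defaultdict(int)
    flagged = []
    for ev in events:
        if ev["user"] != user:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif ev["ip"] not in known_ips:
            flagged.append({"ts": ev["ts"], "ip": ev["ip"], "method": ev["method"],
                            "failures_before": failures[ev["ip"]]})
    return flagged

if __name__ == "__main__":
    for hit in suspicious_logins(parse_ssh_auth(SAMPLE_AUTH_LOG), "makkalot", {"203.0.113.5"}):
        print(hit)
```

Run it against a copy of the logs the client hands over, so the analysis never touches the server itself.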


RE: Ssh break that claims it was me?

by Viktor Larionov


Just as a matter of comment.
I absolutely agree with Kevin on this, especially as one may propose that the damage caused may not necessarily be the "unknown hacker"'s deed, but a system administrator's fault or error, and eventually the result of his/her attempt at "pushing the blame to someone else". In other words, "the butler" who did this may not necessarily be a stranger to this organization.

On the other hand, correct me if I am wrong, but as far as I know, it is quite hard to convince federal law enforcement to deal with cyber crimes even in the United States. (Not talking of other countries.)
Usually these investigations take a huge time to start, and enormous efforts to complete with any kind of result. No results guaranteed of course, especially in the light of law officials not being really keen on dealing with cyber crimes. (According to Larry from Spamhaus, 70% of FBI agents are on anti-terrorism cases after 9/11, so I guess you are left with 30% of them on other cases, including cyber crime.)
This may be a counter-argument to Kevin, but it is surely worth trying; you don't lose anything, and of course by this you may show the client that you are also interested in investigating the case.

Regards and good luck!
Vik



-----Original Message-----
From: Kevin Wilcox [mailto:kevin.wilcox@...]
Sent: Monday, October 27, 2008 4:28 PM
To: viktor.larionov@...
Cc: makkalot@...; incidents@...
Subject: Re: Ssh break that claims it was me?


2008/10/27 Viktor Larionov <viktor.larionov@...>:

> And of course first of all check that it was really your user who did that. (if the .bash_history file under your home directory is valid, you can easily see all the commands your user has executed for the past time)

I would go the opposite route with regards to the .bash_history and
logging into the machine again. I would immediately go to a solicitor
and the authorities with the email from your client and have the
server seized - once it is in control of the authorities, and the
sooner the better, I would let their auditors and technicians do the
forensics work.

Why would I take that approach? Because if you log in to the machine
now to start providing log-based evidence then it can be shown that
you were on the machine previously, some stuff got deleted, you were
sent an email about it, you logged in again and could have been
modifying logs/timestamps/etc to cover your tracks. It's usually
better to get trusted law enforcement agencies involved very early so
that *they* can be the ones to do the audit on the machine, not the
accused party.

This is, of course, based off of my understanding of my local, state
and federal law, specific to the United States. You may be in an area
where the laws are completely different. In either event I would
consult a local legal expert.

My humble opinion.

kmw

--
Far better is it to dare mighty things, to win glorious triumphs, even
if checkered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the gray
twilight that knows not victory or defeat.





Re: Ssh break that claims it was me?

by makkalot


On Monday 27 October 2008 06:22:05 pm you wrote:
> Just for my enthusiasm, were you using a password or a key?
Thanks all for the replies, I was using a password. The info I got from the client is
that he doesn't really have/understand logs to prove anything :) They just
guessed it could be me, because I'm the only person who can use the command line
there :) They deleted my account from the server so I can't check anything. I told
him to check the history and the other things you told me. Let's see what results
we will have; it is very difficult to work with people who don't know anything
about their systems.
