Exodus / Clue problems

> >
> > The owner did not allow any further action to the box except to have it
> > removed from the network . So until the owner sends someone in to clean up
> > we won't know anything more.
> >
> 8-( Did Exodus atleast try to do some sniffing of traffic or
> captures at the router or SOMETHING? Or will we never know anything more
> about this?

The way to deal with owners like this is to have a good contact with FBI
folks that investigate this stuff. Believe it or not, FBI is quite
efficient in obtaining evidence :wink:

  My big carrot stick (I'm a veggie, so I don't eat beef) is that if
the person was connected to the box (And it wasn't just a script running)
we could have done more tracing.

  If they weren't, we could atleast try to find out how/what they
were doing and see if there is a new advisory that should be published.

  Now we have to deal with AFTER the fact, instead of IN-PROGRESS.



If they were aware that illegal activity was taking place on that machine and
left it on the network for any reason, they would have been prosecutable as
accessories for any attacks or violations that took place while an 'analysis'
was being done.

Yes, it would have been interesting to take a look. But it would have been
business suicide for them to do so.

  Matt Ghali MG406/GM023JP Currently somewhere between Asia and the US
  "Sub-optimal is a state of mind." -Dave Rand, <dlr@bungi.com>

Who knows if they actually maintained a connection to the box, but
nearly so) setup. Given the volume of the attempts and the number of
sites hit.

  Domains selected for the hit would appear to be automated as well,
perhaps on somthing like domains with a user on this list. This is about
the only quality my systems share with most of those in here. (Small
Alaskan ISP with fewer customers than some of you have employees, and even
my primary DNS got hit (though not MX))