[H-GEN] FTP login by wtmp?

[Hilton Travis]

[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]

Hi Geoff,

> Anyway, what _really_ annoys me is the lack of action from the ISP through
> which our little script-kiddie attacked. The ISP was ihug.co.nz.
> A detailed email was sent to their abuse team on August 17 (Tuesday), with
> a follow-up the next day. I tried calling the ISP in NZ to talk to a
> sysop, but nobody would put me through. I still don't even have
> acknowledgement from ihug.co.nz that they have received the email, let
> alone any indication that they are investigating the complaint. In
> desperation I tried to get in contact with their Australian operation, and
> at least got an acknowledgement from them (but no further investigation).
> I have sent a further follow-up today (as a result of further access
> attempts), but I am not holding my breath.

This seems like, to me, that the ISP in question seem unperterbed that their
users (or remote users) are using their network to carry out computer
crimes.  After reading the article
http://www.securityfocus.com/templates/forum_message.html?forum=2&head=32&id
=32 where they also have had illegal access to some of their associates
through ihug.co.nz, it seems that yours is not the only successful illegal
access from this ISP.  I would not be taking this lying down - I would get
in contact with the Australian Federal Police and report it to them
(although they will probably say they have better things to do) and the
relevant law enforcement authorities in NZ.

> Now...I do not work for an ISP, so I am not aware of the pressures and
> priorities that are experienced by the sysops, but on the surface, this
> looks pretty piss-poor. Is it unreasonable to expect some sort of response
> to a complaint of this nature, especially when it could indicate that the
> ISP may have been compromised themselves? If it was a complaint about a
> simple portscan, or an attempted telnet access then I would not be too
> concerned about a lack of response, but this is different.
>
> If I had an account on this particular ISP, I would be checking
> my invoices _very_ carefully!

If I had an account with ihug.co.nz (or ihug.com.au) I would have terminated
it already, and still be checking my accounts and machine carefully!

> I would be interested in the general perspective from the point of view of
> an ISP Sysop...

I am not an ISP sysop, but if I were, I'd be investigating your report VERY
carefully to see where the perpetrators came from.

> Is this something that should be taken seriously by an ISP?

YES.

> Is it reasonable to expect a response to such an abuse report, and if so,
> what would be the maximum time for the response?

YES.  1 day maximum, I'd suggest.

> Is there now so much noise generated by people reporting abuse that there
> simply is not enough time to investigate and respond any more?

There shouldn't be any excuse for not actioning a genuine illegal access.
Especially since they have been the known final point of contact for
another, well publicised attack.

> Is there anything else I can do to get their attention (within reasonable
> bounds, of course)?

I'd speak to the Australian Federal Police (or whoever looks after illegal
computer accesses in Oz) and the relevant authorities in NZ.  If you were
attacked and noticed, imagine the number of people who were attacked and do
not know about it!

Regards,
Hilton


--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.