A bunch of script kiddies last night decided to launch a denial of service attack on one of my servers. It brought down the entire system for about an hour. They were stupid enough to use their home computer to commit the attack on their Comcast cable connection. Well, mommy and daddy won't be too happy when their account gets cancelled.
So right now I am preparing to send the log file to the authorities so they can handle it. However, the log file is rather large (8MB) and I want to eliminate all the IPs that don't relate to the DoS attacks to make it easier for them to read it. What's the easiest way to do this? I really don't want to have to delete the IPs line by line.
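As an added example (not code from the original thread or from any of its posters), here is one way to answer the question above without touching the original log: read an NCSA/Apache-style access log, count requests per source IP and the busiest single minute for each, flag the high-rate sources, and write just their lines to a separate file so the full 8MB log can still be handed over intact. The log format, the sample lines, the rate thresholds and the IP addresses are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# NCSA common/combined log format (Apache-style); the layout is an assumption,
# since the thread never says which server wrote the 8MB file.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return ip/timestamp/request/status for one line, or None if the line
    does not match the expected format (garbled lines are skipped here but
    stay in the original file, which this script never rewrites)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts,
            'request': m.group('req'), 'status': int(m.group('status'))}

def per_ip_stats(lines):
    """Total hits and the busiest single minute for every source IP."""
    totals = Counter()
    per_minute = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        totals[rec['ip']] += 1
        per_minute[rec['ip']][rec['ts'].replace(second=0)] += 1
    return {ip: {'total': totals[ip],
                 'peak_per_minute': max(per_minute[ip].values())}
            for ip in totals}

def suspect_ips(stats, min_total=500, min_peak_per_minute=120):
    """IPs that look like flood sources. The default thresholds are
    assumptions; tune them against a normal busy minute on your own server."""
    return sorted(ip for ip, s in stats.items()
                  if s['total'] >= min_total
                  or s['peak_per_minute'] >= min_peak_per_minute)

def filter_log(lines, ips):
    """Only the lines from the given IPs, in their original order."""
    keep = set(ips)
    return [line for line in lines
            if (rec := parse_line(line)) is not None and rec['ip'] in keep]

def write_filtered_copy(src_path, dst_path, **thresholds):
    """Read the original log, write the flood-only extract to a NEW file and
    return the suspect IPs. The source file is opened read-only."""
    with open(src_path, encoding='utf-8', errors='replace') as f:
        lines = f.read().splitlines()
    ips = suspect_ips(per_ip_stats(lines), **thresholds)
    with open(dst_path, 'w', encoding='utf-8') as f:
        f.write('\n'.join(filter_log(lines, ips)) + '\n')
    return ips

# Constructed sample log: two ordinary visitors, two flood sources that each
# fire dozens of requests inside a single minute, and one garbled line.
def _hits(ip, minute, first_sec, n, path='/'):
    return ['%s - - [12/Mar/2003:02:%02d:%02d -0500] "GET %s HTTP/1.0" 200 512'
            % (ip, minute, first_sec + i, path) for i in range(n)]

SAMPLE_LOG = (
    _hits('198.51.100.23', 10, 5, 1, '/index.html')
    + _hits('198.51.100.23', 11, 17, 1, '/about.html')
    + _hits('192.0.2.44', 12, 30, 1, '/index.html')
    + _hits('203.0.113.7', 14, 0, 60)
    + _hits('203.0.113.8', 14, 10, 40)
    + _hits('198.51.100.23', 30, 2, 1, '/contact.html')
    + ['this line is not in log format']
)

if __name__ == '__main__':
    stats = per_ip_stats(SAMPLE_LOG)
    for ip in suspect_ips(stats, min_total=30, min_peak_per_minute=30):
        print(ip, stats[ip])
```

Run it against the real file with `write_filtered_copy('access.log', 'dos-extract.log')` and hand over both files plus the thresholds used; the extract is a reading aid for whoever receives it, and the unmodified original remains the actual evidence.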
I wouldn't think an edited log file is a good thing. If I were you I would ask my lawyer first and then follow his advice. In the absence of real legal advice I would probably burn the entire log onto a disc and send it certified mail to the authorities as well as to Comcast.
Just be aware of the fact that the IPs you are seeing belong to zombie machines and the actual persons behind them most probably don't have any clue what's actually going on. Spamcast have been tolerating compromised machines on their network for quite some time, so that's not too uncommon.
And yes, falsifying your logs isn't a good idea here indeed.
Originally posted by datums: Just wondering, if they used their home computers (Comcast) why did it last an hour? Why not just deny their traffic?
You should probably send the logs to [email protected] if you are only looking to have their accounts cancelled.
I have had issues with hackers/script kiddies on Comcast in the past. I have both phoned and e-mailed them at that address with no useful reply. E-mail gets an automated response. Phone tells you to e-mail them.