Close Call but not Really

So I have a new role. I am “Director of Technology” . I have had this role for some time now. I must say I love it. Not only am I responsible of every aspect of the companies technological foundation. I also get the be the Geek In Charge. I get to work on the networking aspects, get to code in Flash and ASP. The only set back is that I don’t get to work in my true server environment. I am a Linux/Unix geek. So working in a Windows Server environment can get on my nerves at times. Kinda sad on the things I complain about.

One thing that makes me who I am is the fact that everything I know is from experience and self tought. I strongly believe that you can not be the industry that I am if you are have learned everything from a book and know how things whould work in theory. As many of us know things that are meant to work in theory usually don’t work at all. So, I know that that first thing I wanted to do is set up a server that I was going to use just to trick an attacker to think that he is “l33t” or even “1337” so I set up my routing tables and I have all inbound traffic that is not intended to view our website hit my Virtual Server.

I set up a website and started no only the FTP service but my security application. The FTP server is designed to have the basic prompt. Username and Password but with annoymouse turned on. That means if they enter a blank username and a e-mail address in the password field they will get access. Really basic but they are not authorize so they just broke the law. So I checked my logs something I do everyday and I notice someone FTP in my Virtual Server. I looked at what this person did and they simply created directories.

Creating Directories is the first step. They attempt to mask the directories and make a massive directory tree. They do this to attempt to hide the actual content from a server admin. In a large server it may takes weeks or even months at times even years for someone to notice.

Since I know every singles directory and my script runs to tell me of anything changed or added I was informed right away. Looking at the logs I can tell this was someone using a 3rd party program because they did not clear their logs. Someone doing this from the command prompt would clear the logs before closing the connection. So, now I have the persons IP and did a back trace. Now I have the company it came from.

That is the best part of my job. I get to do what I love to do and that is being a total geek.