How to determine source of hack attempt

How to determine source of hack attempt

Post by Eric » Sat, 20 Dec 2003 15:31:36



I've got a guy trying to spoof my network. I can't tell what his IP is as it
only appears to be the IP of my router. Somehow he has learned the name of
one of my systems and he is pretending to be that system; of course it
doesn't work but it's annoying. I really need some help to track this down so
I can report him to his ISP.
Thanks
Eric

How to determine source of hack attempt

Post by Michael Fu » Sat, 20 Dec 2003 16:54:03



> I've got a guy trying to spoof my network. I can't tell what his IP is as it
> only appears to be the IP of my router. Somehow he has learned the name of
> one of my systems and he is pretending to be that system; of course it
> doesn't work but it's annoying. I really need some help to track this down so
> I can report him to his ISP.

If you have a suspect in mind and you know who their provider is,
then you could ask that provider to investigate the matter.  Otherwise
you'll probably have to do a hop-by-hop trace of the inbound packets,
that is, find out what router is sending the packets to you, then
find out what router is sending the packets to that router, and so
on and so on, until you find the origin.  You'll probably need the
cooperation of several service providers, which you'll almost
certainly never get.  If you can convince a judge that the law is
being broken then you might be able to get a court order, but even
then there are probably all sorts of difficulties if state or
national borders are being crossed.

An alternative method is described in the paper "Tracing Anonymous
Packets to Their Approximate Source" by Hal Burch and Bill Cheswick:

http://www.usenix.org/publications/library/proceedings/lisa2000/burch...

While interesting, the described technique makes certain assumptions
and has problems of its own, and the ability to pull it off is
probably beyond most people.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
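The reply above explains why the true origin of a spoofed packet cannot be read off the packet itself. What the victim can establish locally, and hand to the upstream provider along with timestamps, is that the packets are forged and on which interface they arrive. The following is an added illustration of that check, not code from either poster: an ingress-filtering pass over firewall log lines that flags packets reaching the ISP-facing interface while carrying a source address from the internal LAN. The netfilter-style `key=value` log format, the interface names `eth0`/`eth1`, the `192.168.1.0/24` prefix and the sample lines are all assumptions.

```python
"""Ingress-filtering check over firewall log lines: flag packets that reach
the external interface while claiming a source address from inside the LAN.

Added example for this thread, not code from either poster. The
netfilter-style 'key=value' log format, the interface names and the
address ranges below are assumptions."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Assumed layout: eth0 faces the ISP, everything in 192.168.1.0/24 is ours.
EXTERNAL_IF = "eth0"
INTERNAL_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn '... IN=eth0 SRC=192.168.1.20 DST=... DPT=139' into a dict."""
    return dict(FIELD_RE.findall(line))


def is_spoofed_internal(fields: Dict[str, str]) -> bool:
    """A packet arriving from the ISP side with one of our own addresses
    as its source cannot be genuine: our hosts never enter through eth0.
    That is all the packet itself reveals; the real sender stays hidden."""
    if fields.get("IN") != EXTERNAL_IF:
        return False
    try:
        src = ipaddress.ip_address(fields.get("SRC", ""))
    except ValueError:
        return False
    return any(src in net for net in INTERNAL_PREFIXES)


def find_spoofed(lines: List[str]) -> List[Dict[str, str]]:
    """All log entries that fail the ingress check."""
    return [f for f in map(parse_line, lines) if is_spoofed_internal(f)]


def impersonated_hosts(lines: List[str]) -> Counter:
    """Which of our addresses an outsider is pretending to be, and how often.
    This, with timestamps and the upstream hop, is what an ISP needs to
    continue the hop-by-hop trace the reply describes."""
    return Counter(f["SRC"] for f in find_spoofed(lines))


# Constructed sample, in the netfilter LOG style assumed above.
SAMPLE_LOG = [
    "Dec 20 15:31:36 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=1034 DPT=139",
    "Dec 20 15:31:37 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=80",
    "Dec 20 15:31:38 gw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=137 DPT=137",
    "Dec 20 15:31:39 gw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=1035 DPT=445",
]

if __name__ == "__main__":
    for entry in find_spoofed(SAMPLE_LOG):
        print("spoofed:", entry["SRC"], "->", entry["DST"], "dpt", entry["DPT"])
    print(impersonated_hosts(SAMPLE_LOG))
```

Only the two `eth0` entries with a `192.168.1.x` source are flagged; the same address seen on `eth1` is the genuine host. The check also suggests the mitigation: a border filter that drops inbound packets with internal source addresses removes the nuisance even though it does not identify the sender.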


Apache - Attempt hack attempt?

On one of our Apache WWW servers, we have started to notice a lot of
activity where people are starting to access URLs in a strange manner.

For example:

        Normal URL:
                /blah/foo/bar.html

        What they are calling:
                /blah/../foo/../foo/../foo/bar.html

This has been happening from a number of different sites (some of which
are AOL), and I assume they are attempting to hack the site in some
manner (like it is possible to do on NT WWW servers) as this goes on for
up to 5 hours from a single user, calling 1 URL per second.

Is there any way to prevent knobheads like this doing such a thing?
And what are they trying to achieve??

Thanks.
Richard

--
-----------------------------------------------------------------

Beam Software         +61-3-9866-8300 x212      ICQ Pager:1231216
-----------------------------------------------------------------
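As an added example for the post above (not Richard's code and not part of Apache), the script below does what the server does with such a URL before mapping it to a file: it resolves the `.` and `..` segments, then summarises per client how many requests carried `..` segments, how many tried to climb above the document root, and which real files they resolved to. The Common Log Format parsing and the sample log lines are assumptions.

```python
"""Canonicalise request paths from an Apache access log and summarise, per
client, the '..'-style requests described in the post.

Added example for this thread, not Richard's code or Apache's. The
Common Log Format parsing and the sample lines are assumptions."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalize(path: str) -> Tuple[str, bool, int]:
    """Resolve '.' and '..' the way the server does before mapping a URL to
    a file. Returns (canonical path, tried to climb above the root, number
    of '..' segments). Percent-encoding is decoded once first, so
    '%2e%2e' is treated as '..' as well."""
    path = unquote(path.split("?", 1)[0])
    parts: List[str] = []
    escaped = False
    dotdot = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            dotdot += 1
            if parts:
                parts.pop()
            else:
                escaped = True  # more '..' than directories to leave
            continue
        parts.append(seg)
    return "/" + "/".join(parts), escaped, dotdot


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per client: how many requests carried '..' segments, how many tried
    to escape the document root, and which canonical paths they hit."""
    report: Dict[str, dict] = {}
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        canon, escaped, dotdot = normalize(m.group("path"))
        if dotdot == 0:
            continue  # ordinary request, nothing to report
        entry = report.setdefault(
            m.group("host"),
            {"dotdot_requests": 0, "escape_attempts": 0, "targets": set()},
        )
        entry["dotdot_requests"] += 1
        entry["escape_attempts"] += int(escaped)
        entry["targets"].add(canon)
    return report


# Constructed sample log lines in Common Log Format.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2003:15:31:36 +1100] "GET /blah/foo/bar.html HTTP/1.0" 200 512',
    '198.51.100.23 - - [20/Dec/2003:15:31:37 +1100] "GET /blah/../foo/../foo/../foo/bar.html HTTP/1.0" 200 512',
    '198.51.100.23 - - [20/Dec/2003:15:31:38 +1100] "GET /blah/../../../private/config.txt HTTP/1.0" 404 209',
    '198.51.100.23 - - [20/Dec/2003:15:31:39 +1100] "GET /blah/%2e%2e/foo/bar.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for host, entry in summarize(SAMPLE_LOG).items():
        print(host, entry)
```

The URL quoted in the post resolves to plain `/foo/bar.html`, so on a server that canonicalises before the file lookup it fetches the same page as the normal URL; the noise is a probe for a server that does not. The `escape_attempts` count is the figure worth alerting on, and a client that keeps producing `..` requests at one per second for hours is a candidate for a firewall or `Deny from` rule on that address.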
