Hello All,
Is it possible to identify a hacker who is attacking your computer repeatedly if he masks his IP? If so, how can this be done?
Thank you.
Is this the victim or the hacker asking?
Hehe!! Good question! ;)
Quote:
But now I wanna know too! :)
I would consider myself a victim, I'm taking care of a bunch of servers at a college...
It just sounds like a very weak social engineering attempt....and I'm not even that paranoid. OR am I!?
Quote:
If so, how can this be done?
Why does social engineering keep coming up on these threads? What purpose would it serve here, and why do we care? Just curious, I've never seen this brought up on a forum before...Just seems like a normal newbie question to me. And speaking of newbies...
I wouldn't mind knowing this myself. Is this a software solution, or is it possible to do without any tools to assist you if you know well enough what you're doing? And why would you want to know this? I presume to block the invading IP once you discover it, or report it to its appropriate ISP, correct?
First off...I'm making the assumption that this is your home Internet connection they are attacking and NOT a company connection. If it is a company connection - stop and go see your IT department NOW!
Attackers can use a proxy server on the Internet to launch attacks. In most cases you won't be able to identify the attacker if they are using this method to mask themselves, unless you are able to get the proxy provider to provide logs (good luck...not likely).
Even if you were to identify the attacker, what are you going to do about it? If it identifies an address owned by a company you could contact that company's IT shop. If it identifies a home ISP connection (dialup, DSL, cable) then you would need to contact that ISP...but I wouldn't expect them to assist, as they are pretty busy (aka overworked) responding to thousands of security events, many more serious than one home user. The good news is that they DO know who has the IP address at any particular date/time.
If you want to contact the ISP they usually have an email address "abuse@isp.com" (i.e. abuse@aol.com). You'll need to provide them with data such as date and time of attacks, IP address of source, and your IP address they are attacking. If the ISP responds to this incident and determines it's one of their users they might "slap that user on the wrist", but again I don't think they're gonna do this due to lack of time.
I would suggest the best method would be to set up your firewall to block that IP - that's the most effective way to address this IMO.
Good luck.
At my college we are right now discussing HOW we are gonna implement "public" wireless access.
One thing we have looked at is the ability to filter on MAC/IP address, but since you can spoof both, how good is that, unless you still really can tell what MAC/IP is behind the spoofed one??
It would be very interesting to know if there is an "easy" way to figure this out.
(using log files, and then go to the ISP I consider a non-easy way...)
We already have a problem on the regular T1 lines we have though, with people trying to hack in using IP 127.0.0.1...
Any help or ideas on how to track them down and I would be very thankful!
Our duty here, per se, is to prevent hackers breaking in, increase user awareness and help anyone with any computer problems they might have. We do care because if we teach someone how to break into a system, we're contradicting ourselves. (This thread not being the case)
Quote:
Why does social engineering keep coming up on these threads? What purpose would it serve here, and why do we care? Just curious, I've never seen this brought up on a forum before...Just seems like a normal newbie question to me. And speaking of newbies...
It would have been a lot easier if listener had given a more detailed explanation of his question...ex: "I've been getting hit by the same attacker every day...can I find out who it is?", instead of "how can it be done?", giving the impression that he's trying to hide his tracks on an attack. As usual, there can be both sides to the story...different readers get different ideas on what the issue is...and they post accordingly. To me it sounded like a social engineering attempt to obtain information on how to hide your tracks....I guess to you it's something else :).
listener...follow Ric-O's suggestion...that's pretty much all you can do.
127.0.0.1...?
LOL...they cannot hack through it...they'd be connecting to their own computer.
Quote:
127.0.0.1 is a loopback network connection.
If you telnet, ftp, etc... to 127.0.0.1, you are immediately connected to your own machine.
For example, if your system was named "joker", and you attempted to telnet to 127.0.0.1, you would see:
nsai# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to joker
Escape character is '^]'.
Convincing newbies to connect to 127.0.0.1 is a frequent joke on the Internet.
localhost is another name for 127.0.0.1.
EDIT: Sorry for double post, he asked his question while I was answering the other one...oh well.
Well.. how they do it, or how successful somebody could be doing it, I have no clue about. But fact remains, we had close to a million hacking attempts on our outside interface on the firewall coming from IP 127.0.0.1.
Quote:
Originally posted here by Cybr1d
127.0.0.1...?
LOL...they cannot hack through it...they'd be connecting to their own computer.
EDIT: Sorry for double post, he asked his question while I was answering the other one...oh well.
I thought that would be a very smart way of trying to hack in, 'cause if the firewall thinks you really are 127.0.0.1 it would normally consider you logged on locally and give you full access, but good thing our firewall guy has denied 127.0.0.1 on the outside interface, only allowing it on the inside interface.
Not sure you understood me right either. The hacker isn't trying to connect TO 127.0.0.1, he is using that as his spoofed IP, and then trying to connect to our stuff...
Thanks for all the input though! :)
(exciting thread! :) )
calm down
Quote:
Originally posted here by Cybr1d
It just sounds like a very weak social engineering attempt....and i'm not even that paranoid. OR am !?
we will put this straitjacket gently on you...
yes... easy easy
now you must enter at ambulance... easy
[sound of an ambulance going away]
FYI
These attacks are against my home computer. I have broadband. Inasmuch as I am running an online business, they represent an infringement against my right to run a business. It takes nearly three days for the shop tech to debug my 23,000 files. This represents down time plus the expense of debugging my system.
The attacks themselves start with hijacking my browser, then my Stop Sign AV programs are crippled so that I cannot delete the infected files. Then comes the knockout blow. This happens over a period of 5 - 10 days. The last time I couldn't turn my monitor on, or turn off the machine with the front panel button - I had to pull the power cord.
Which raises another issue: are these attacks deliberate and aimed at me to destroy my quality of life and online business, or are they random attacks, meaning the attacker doesn't know me personally, is not a known enemy? Either way, it's criminal behavior and I'd love to be able to stop it.
Thanks for all your replies.
Sounds more like you got coolsearch, sasser, soBig, myDoom and netsky all bundled up together. Do you have a firewall? You might want to invest in a good one if you are running a business. A physical firewall, a software one on the PC and an updated AV seems to do the trick for me...you should try it.
Quote:
The attacks themselves start with hijacking my browser, then my Stop Sign AV programs are crippled so that I cannot delete the infected files. Then comes the knockout blow. This happens over a period of 5 - 10 days. The last time I couldn't turn my monitor on, or turn off the machine with the front panel button - I had to pull the power cord.
to the previous question:
127.0.0.1 is not the hacker...it's your own computer trying to do something funky...see if everything is set up properly.
Is it just me or is 127.0.0.1 NOT usable by someone trying to spoof his IP? Sounds like you've got something on your system too.
Although you can send IP packets with source address 127.0.0.1 from outside the box, you CANNOT redirect them back to the attacker's machine (by ICMP redirects or something like that).
So you can't get access to a computer with the loopback address.
However you can deploy a DoS attack with that.
Usually firewalls (like Netfilter) have a permit for 127.0.0.1 for anything, but limited to the loopback (lo) interface.
Just to be sure (don't come with the straitjacket pls), some proxies can act at your computer (installed and running on it). Some SSL-VPN clientless software uses Java clients to redirect all outbound traffic to 127.0.0.1 to be caught by the VPN client (it's clientless but has a client - figures).
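The two pieces of practical advice in this thread, drop anything arriving on the outside interface with a loopback or otherwise non-routable source, and collect date/time, source IP and target IP for an ISP abuse report, can be automated over firewall logs. This is an added example, not code from the thread or from any firewall product; the log line format, the site prefix 203.0.113.0/24 and the sample entries are all constructed for illustration.

```python
"""Triage inbound firewall log lines: flag spoofed (non-routable) sources on
the outside interface, and group the remaining hits per source IP with the
fields an abuse desk asks for (timestamp, source IP, your IP/port)."""
import ipaddress
from collections import defaultdict

# Prefixes that can never be a legitimate source on an Internet-facing
# interface: loopback, RFC 1918, link-local, multicast, "this network".
# A packet carrying one of these as source is spoofed or malformed; drop it.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]

# Hypothetical public prefix of the site itself (TEST-NET-3, a placeholder).
# Packets from the outside claiming an inside source are spoofed as well.
OWN_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def is_spoofed_source(src: str, own_prefix=OWN_PREFIX) -> bool:
    """True if `src` cannot legitimately be the source of an inbound packet."""
    addr = ipaddress.ip_address(src)
    return addr in own_prefix or any(addr in net for net in NON_ROUTABLE)


def parse_line(line: str) -> dict:
    """Parse one constructed log line of the form
    '<date> <time> <iface> <src>:<sport> -> <dst>:<dport> <proto>'."""
    date, time, iface, src, _arrow, dst, proto = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"when": f"{date} {time}", "iface": iface, "src": src_ip,
            "sport": int(sport), "dst": dst_ip, "dport": int(dport),
            "proto": proto}


def triage(lines, outside_iface="outside"):
    """Return (spoofed, reportable): spoofed maps a non-routable source to a
    hit count (just drop, nobody to report to); reportable maps a routable
    source to a list of (timestamp, target IP, target port) tuples."""
    spoofed = defaultdict(int)
    reportable = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["iface"] != outside_iface:
            continue  # 127.0.0.1 on the lo interface is normal traffic
        if is_spoofed_source(ev["src"]):
            spoofed[ev["src"]] += 1
        else:
            reportable[ev["src"]].append((ev["when"], ev["dst"], ev["dport"]))
    return dict(spoofed), dict(reportable)


# Constructed sample log: loopback-sourced packets on the outside interface
# (the situation described in the thread), one normal lo entry, a private
# source that must also be spoofed, and one routable repeat offender.
SAMPLE_LOG = """\
2004-05-01 02:10:01 outside 127.0.0.1:1234 -> 203.0.113.10:22 tcp
2004-05-01 02:10:01 outside 127.0.0.1:1235 -> 203.0.113.10:23 tcp
2004-05-01 02:10:02 outside 192.168.1.5:4444 -> 203.0.113.10:80 tcp
2004-05-01 02:11:00 lo 127.0.0.1:5000 -> 127.0.0.1:25 tcp
2004-05-01 02:12:00 outside 198.51.100.77:3111 -> 203.0.113.10:135 tcp
2004-05-02 02:12:05 outside 198.51.100.77:3112 -> 203.0.113.10:445 tcp
""".splitlines()

if __name__ == "__main__":
    spoofed, reportable = triage(SAMPLE_LOG)
    print("drop silently (spoofed sources):", spoofed)
    for src, hits in reportable.items():
        print(f"report {src} to its ISP abuse@ contact: {len(hits)} hits")
        for when, dst, dport in hits:
            print(f"  {when}  {src} -> {dst}:{dport}")
```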
I could be mistaken, but I don't believe it's beyond the pale to reconstruct a network packet so that the sender address is 127.0.0.1 or the sender network is 127.0.0.0, so that a firewall or IDS would ignore it, thinking it came from itself. This is one way of doing a TCP reset attack, isn't it? Or what about Blaster?
As I write this, I googled it and came up with the following article from our friends at insecure.org:
http://seclists.org/lists/incidents/2003/Oct/0131.html
I may be wrong (as usual) but your link, brichards99, shows how to circumvent the Blaster attack to windowsupdate. Or it can be used for DoS. But not for a two-way conversation (from outside the box).
Cybr1d:
Yes, I have Zone Alarm Pro. That too was disabled. This is obviously a hacker with high level skills...which is very frightening to me.
cacosapo,
Yep -- that's my bad for skimming through the posts and missing yours. I was only thinking of one-way communication in the form of DoS. Two-way's out of the question, as you say.
....I think you need to relax for a second there...high level skills? Barely...a simple virus will do that.
Quote:
That too was disabled. This is obviously a hacker with high level skills...which is very frightening to me.
Restart your computer in safe mode, run your antivirus program and see what it finds. Then run Housecall AV (free from the net) and see what that finds. As for browser hijacking...run Spybot and Ad-aware. Also run TheCleaner to see if there are any trojans. Make sure you back up all the important files in case you need to take drastic measures.
Do the steps above calmly....and don't panic. Make sure you have your Windows patched up....it seriously sounds like one of the worms that have come about lately.
Perhaps you shouldn't be running an online business without taking the necessary security steps first. What type of business are you running?
Good point, so noted.
Quote:
We do care because if we teach someone how to break into a system, we're contradicting ourselves. (This thread not being the case)
Geez, sounds like quite a problem you have there. How long have these attacks been occurring, and how frequent are they?
Sorry I have to share this:
Quote:
grhw73: hello
spaztic: Hello
grhw73: i have a question for you
grhw73: i don't know if you could help me or not
spaztic: Right.
grhw73: i need to get into someone's email. do you know how to hack?
spaztic: Yeah, that's easy
grhw73: how?
spaztic: Okay, first you need to get Winamp. Do you have winamp?
grhw73: yep
spaztic: Alright, you also need Solitaire. Have that?
grhw73: yeah
spaztic: Great
grhw73: what do those have to do with hacking into someone's email
grhw73: ?
spaztic: Just listen
grhw73: okay
spaztic: Run Solitaire and try to win a game. If you win the game, open Winamp and press Ctrl+L.
grhw73: okay
spaztic: A box should appear and you should type an address. Let me get it for you...
grhw73: get what?
spaztic: The address
grhw73: email address?
spaztic: No, a different address.
spaztic: The e-mail comes later
grhw73: oh
grhw73: got it. sorry.
spaztic: Type in http://www.spiffyjuice.com/pikz/You%20Suck%20Final.mp3 and press Okay. Don't type in this address before you get into winamp.
grhw73: ok
grhw73: i'm working on winning a game of solitaire
spaztic: Good!
grhw73: can it be any way to play solitaire
grhw73: or doe sit have to be a certain way
spaztic: Alright, listen to what happens, then get up and make yourself a sandwich.
spaztic: You can use 1 card draw if you want
spaztic: Do you have a microphone?
grhw73: no
spaztic: Damn. Hmm
spaztic: Okay, after you listen to what winamp plays, go to Start > Run and type in regedit
spaztic: A new window will open with a bunch of information
spaztic: Double click "HKEY_CURRENT_USER" and go to Display > Settings
grhw73: this won't like crash my computer wil it?
spaztic: Of course not
grhw73: are you sure?
spaztic: Yeah, I do this every Saturday
grhw73: really?
grhw73: to who?
spaztic: You know, random people, to steal their credit card information and make them download gay porn and whatnot.
grhw73: are you serious?
spaztic: Would I lie?
grhw73: yes
spaztic: Good point
grhw73: so are you serious or no?
spaztic: Okay, then opening up Internet Explorer and type in http://www.omgwtf.com
spaztic: Just try it and you'll see
spaztic: After that, go to the website of the person you want to hack.
grhw73: they don't have a website
grhw73: it's just their email address
spaztic: Do they use an web address to check their email? Or like Outlook or something?
grhw73: ummm no it's aol'
spaztic: Ohhhh
spaztic: In that case, you'd better fetch some bacon for that sandwich
grhw73: is it harder to hack into aol?
spaztic: Well, it's a different process
grhw73: oh so I won a game of Solitaire for nothing?
grhw73: lol
spaztic: I'm afraid so
grhw73: oh well.
grhw73: so how does the aol thing work
spaztic: Okay, you can get into an aol account from http://www.aol.com I'm pretty sure.
grhw73: how so?
grhw73: I've tried hitting the Forgotten password link
spaztic: Open it up, I'm pretty sure
grhw73: and all it says is to put in your screen name and it emails it to you
spaztic: Type in their name and password and click Okay and you should be able to get in.
grhw73: no
grhw73: I don't have their password
grhw73: I'm trying to get it
spaztic: You don't have their password?
grhw73: no
spaztic: Man, what kind of hacker are you
grhw73: a beginner
spaztic: You might as well call them up and ask them for it
grhw73: no I doubt that would work
grhw73: so there's no way to get it?
spaztic: You might try bribing them with a toaster or some type of bird
grhw73: I doubt it
spaztic: As far as anything else goes, AOL is fairly impenetrable
grhw73: what about like a college online account
grhw73: such as owens community college
grhw73: are those easy
spaztic: Owens, nice.
grhw73: nice as in easy or nice as in something else?
spaztic: Nice as in who are you?
grhw73: who am I? who are you?
grhw73: I just picked someone random
grhw73: hello?
spaztic: You IMed me asking me how to hack into Owens? It seems like quite a coincidence to me
grhw73: what do you mean?
spaztic: I live fairly close to owens
grhw73: I don't know anything about you
grhw73: oh, I had no idea.. i swear
spaztic: It's not like I go there..
spaztic: I just thought you might be someone I already know
grhw73: oh
grhw73: no I doubt it
spaztic: Trying to PLAY ME cracka
grhw73: I'm not from around here
grhw73: i know someone who goes there
spaztic: "Around here?"
grhw73: yeah
grhw73: around here
spaztic: In any case, close solitaire and winamp and throw away that sandwich
grhw73: okay
grhw73: ...
grhw73: Already did that
spaztic: Go to Start > Run and type telnet.exe
grhw73: okay
grhw73: and
spaztic: Have you done that?
grhw73: yes
spaztic: Okay, what do you see?
grhw73: a black screen
grhw73: like a DOS thing
grhw73: welcome to microsoft telnet client
spaztic: Good, just making sure
grhw73: okay
spaztic: type this:
spaztic: open http://www.owens.edu 80
spaztic: Have you?
grhw73: it says Connect failed
grhw73: on port 80
spaztic: hmm
spaztic: try changing 80 to 21 or 23
grhw73: is there a space between the .edu and the 80
grhw73: or 21 or 23
spaztic: Yes
grhw73: okay
grhw73: then none of them work
spaztic: That's really weird
grhw73: I am typing:
spaztic: I don't know what to tell you. Do you have a firewall or proxy set up?
grhw73: open http://www.owens.edu 80
grhw73: I don't know
grhw73: how do I check that
spaztic: That's correct as far as I know
grhw73: lol
spaztic: You probably don't
grhw73: I'm on a cable modem... does that have anything to do with it
spaztic: Is your computer hooked directly to the cable modem or are you on a network?
grhw73: no, I'm hooked directly to the modem
grhw73: I used to be on a network though
spaztic: Alright, then you're fine
grhw73: but I've recently moved
spaztic: Moved to a new house?
grhw73: yes
spaztic: What color are the walls?
grhw73: a light tannish brown
spaztic: Okay, then you definitely don't have a firewall
grhw73: so what do i do now? nothing?
spaztic: Hmm. Close down telnet and go back to start > run and type command.com
spaztic: That opens up dos
grhw73: OK I see another DOS screen
spaztic: great
spaztic: Type cd\
spaztic: then type:
spaztic: net send 127.0.0.1 Testing
grhw73: does it take a minute for it to do something
spaztic: It shouldn't take more than a couple seconds. Did you get a message?
grhw73: because it hasn't done anything
grhw73: no
spaztic: Did it say bad command or file name or anything?
grhw73: here's what I got
grhw73: An error occurred while sending a message to 127.0.0.1. The message alias could not be found on the network. More help is available by typing NET HELPMSG 2273
spaztic: Wow, that's surprising
grhw73: why?
spaztic: 127.0.0.1 is yourself, it's weird that you don't exist. Are you sure you're not some kind of bot?
spaztic: I know karate.
grhw73: lol
grhw73: no, I don't think so
spaztic: You don't think I know karate?
grhw73: I don't think I'm some kind of bot
spaztic: If you say so, sir
spaztic: Anyway
grhw73: anywa?
grhw73: anyway*
spaztic: owens.edu's IP address is 131.187.253.130
spaztic: Go back into dos and type:
spaztic: net send 131.187.253.130 UN PW
spaztic: Tell me if it says it sent correctly.
grhw73: trying it now
grhw73: were you serious about hacking in to get peoples credit cards and buying gay porn?
grhw73: it said the same thing again
grhw73: an error occurred
spaztic: The gay porn thing was only on someone I really disliked
grhw73: oooo, tell me more!
grhw73: should I try typing that NETHELPMSG 2273 thing?
spaztic: Well, one time in 1st grade he stepped on my foot and dirtied my shoelace, and exactly 10 years later the Packers won the superbowl.
spaztic: No, don't bother
grhw73: anything else I can try?
spaztic: I don't think so, except look out for the cops
spaztic: They can intercept net send requests but usually it's no big deal.
grhw73: ah
grhw73: got it
spaztic: Cause there's so much traffic
spaztic: So who are you trying to HAX0r
grhw73: oh, just somebody who really betrayed me. i want to know what they said about me to someone else
spaztic: Neat. You should send that in to as the world turns or something
ROFLMAO :D :D
Anyways...
back to the point :)... I don't think you have set up Zone Alarm correctly. Uninstall it, trash it, buy a router and hook it up.
ROFLOL
Thanks for staying with this issue.
Starting my puter in safe mode is one of the recommendations Stop Sign made to me in our exchange of emails post-disaster. It will be one thing I do in the future. As to Spybot, I deleted all of that type of software except TDS-3 when I installed Stop Sign, at their request. (In the latest attack TDS-3 was quarantined by Stop Sign.) They are the complete package: AV and anti-trojan. Stop Sign was effective in stopping the No Close virus which crippled my system earlier in the year.
In my scenario, the hacker saw that this strategy wasn't working and came up with a different attack, which proved to be highly effective. Maybe you are right that this is the work of a simple virus released into cyberspace. I really don't know. It's awfully cunning, though.
One thing I noticed is that the attacks, which included the No Close virus window, usually came at the same time of day. Does this mean that the hacker is "viewing" me in real time and shooting viruses at me like bullets? If so, would it make sense to avoid that time of day to go online?
My business is with Cafepress.com.
Thanks for your input.
Dude, Cyb, that was awesome. I salute you. ;)
Do it now...not in the future....
Quote:
It will be one thing I do in the future
Half an hour later I get what you were saying...LOL that wasn't me who did that...I stumbled on that searching for some hacking news on the net :)
Quote:
Dude, Cyb, that was awesome. I salute you
Um.. no.. this is a PIX firewall... and these attacks are coming in on the outside interface as 127.0.0.1
Quote:
Originally posted here by Cybr1d
to the previous question:
127.0.0.1 is not the hacker...it's your own computer trying to do something funky...see if everything is set up properly.
Well.. I guess they could be using multiple computers.. having this one doing "one-way" attacks... ?
So... in other words.. if they are doing this, there won't be an easy way to backtrack them?
The only thing is to make sure the firewall denies that kind of access?
Well... let's do a different scenario; what if somebody spoofs an address from a different country or something... would that be any easier to backtrack??
Maaaan!! HAHA!!! Listener, you better be careful following Cybr1d's suggestions!! hehe!!!! :D
Cybr1d: Are you in an IRC chat channel or something?! :)
Oh... I see now that you edited your previous message.. nevermind my IRC question...
I'm writing from a different computer; mine is still in the shop. That's what I mean by "in the future."
Is a router for a stand alone PC? I thought they were for networks. But then, I'm a newbie.
You could use a router for just 1 PC:
====Internet..>>>>>>Cable/DSL modem>>>>>>>>Router>>>>>>PC
Cybr1d, that was one of the funniest things I've ever seen! You are henceforth the Chinese h4x0|2 ...known as |2337, or "Reet"
That WASN'T ME :D
Ok...then you are hereby no longer known as |2337.
Quote:
Regardless, though, that was worth a laugh and a half!
Cybr1d: So you play CS?? Have you tried America's Army out yet? That converted me over from CS.. good stuff! :) A little more realistic team feeling.. :) (CS is pretty addicting though..heh!)
Yepps.. you would probably see me most of the time with the saw..!
Back on track... what did you think about my last posted question?
Tried it, and hated it. My honor level is at like 27...but hated the fact that I was shooting people and they weren't dying. Maybe I'll host an AA server.
Maaan! You played AAO a lot already then! I'm only level 26! :P
Quote:
Originally posted here by Cybr1d
Tried it, and hated it. My honor level is at like 27...but hated the fact that I was shooting people and they weren't dying. Maybe i'll host a AA server.
Favorite maps are Insurgent Camp and Pipeline.
Well.. guess you have to aim better! Hehe!! Head shots do the trick! ;)
Also pretty cool that you can get hurt and keep on bleeding, and also get healed if you can get to a medic...
I think it's on a little higher/more advanced level than CS! ;)
So you don't know what to respond about my, now, next to last post, about spoofed IP addresses...?
Hey... if you do start an AAO server, let me know so I can show you how a saw is meant to be used! ;)
(what kinda line do you have for your server(s)??)
Ask Cheyenne, he has the full details. I know we're using 9.6 GB ports and we have 1000 GB of bandwidth. Dual Xeon 2.8 processors.
About the localhost address thingy, I don't know much about it, but is it possible that someone has found an exploit on the firewall and downloaded something malicious to it, e.g. a malicious version of its firmware? I dunno, just an idea, I don't know much about it really.