School Trouble

[Madseel]

Alright, thanks. So now to catch them. What are some good programs other than the one that you gave me to catch them doing what they are doing?

[ammo]

Well, how about you honeypot them:
Remove the actual Sub7 server, and run netcat listners on port 27374 (or wichever port they're binding to) and pipe everything to a log file... There was a thread recently about exactly how to do this (ok, searched for you: http://www.antionline.com/showthread...092#post609514 ) ... This will a) collect evidence of the connections and b) might slow them prevent them from executing new servers since netcat will already have binded to that port...

Instead of logging commands, you could also try to give them a good scare as suggested in the thread I'm refering to: send them a send back a scary message saying everything was logged & etc... You could also use that batch file to send a message to the network admin/teacher in charge with "net send computer_name message" so he/she can know when they connect...

Ammo

[Madseel]

Thanks. But how can you set up netcat to run when the computer restarts? The computers are restarted every day and i dont want them to know it was me catching them.

[ammo]

Script it in a batchfile which you'll launch in autoexec.bat (this is also mentionned in the liked thread)

Ammo

[Madseel]

ok thanks a bunch

[ammo]

No problem, hope it helps...

Ammo

[Madseel]

New question. Would this be enough to use as evidence, or is more needed?

[ammo]

Well, it might not reveal the identity of the culprits per-say, but, for example, by using the "-vv" switch when launching the listener (ie: nc -L -p 27374 -ebatchfile.bat -vv), it will output the ip address and hostname of the remote host when connecting, which you will log if you redirect the output to a file (nc -L ... >> logfile.log ). You didn't mention if those guys are connecting to the sub7 from the school or from home; if they connect from school, you might be able to catch them in the fact if, for example, in the batch file you send a notice (net send) to the admin, who quickly checks the logged IP and finds out what computer that is and just go get them. Otherwise, if it's an external IP, well, you'd have to deal with the ISPs of the offender(s) or maybe even get authorities involved.

Ammo

hum, just noticed -vv doesn't show up when using the -d (detach from console/dameon mode)...

Ammo

[avenger_jcc]

best bet for monitoring them is run VNC on each box and get your screen shot remotely, then go nail them red handed. Thats what Id do.

[Maverick811]

Originally posted here by avenger_jcc
best bet for monitoring them is run VNC on each box and get your screen shot remotely, then go nail them red handed. Thats what Id do.

This is a good idea, but if you run VNC there is an icon in the system tray that changes to black from white when a remote connection has been established. If these guys are smart, they'd recognize that and be able to determine what is going on (the fact that they are being monitored).

Now this is a great idea if you are able to hide that icon from the system tray - does anybody know if you can?