June 1st, 2003 02:04 AM
triangulation of user
Needless to say, when something is happening in real time where you need to isolate a user/unknown with statistical information to pinpoint the cause, what do you use? Since a lot of things could be considered "evidence" during an IH (incident handling), how or what have you used to triangulate the root cause?
example: p2p abuse
network monitor tool
June 1st, 2003 09:28 PM
Best bet is to grab his IP, then see if you can nslookup it. That way you can get an ISP, then you would report him with that information. In real time anything really goes. If I were being hacked, I would just use basic command programs like netstat, nslookup, and finger. A program I would suggest is a packet sniffer; that way you might be able to grab a source MAC address from the unknown user.
I'm Chris Bartholomew - 18 years old
June 1st, 2003 09:46 PM
Anything that can help you with the IP address is going to be useful, so firewall logs, router logs, etc. Once you have the IP you can do an NSLookup, run a traceroute, etc. You could use an app such as VisualRoute, which will attempt to get the geographical location of the user. Netstat can also be of use to see who is connecting to your box.
You won't be able to grab the MAC address though, as the MAC in the Ethernet packet will be that of the last network device the packet passed through, not the attacker's machine.
If you are really concerned then I'd suggest looking into using an intrusion detection system as well (Snort is about the best freeware one), which will record the IP address of the attacker and what they are doing.
However, be aware that the attacker might not actually be coming from his own IP address, so you may be chasing a dead end.
Quis custodiet ipsos custodes
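An added example, not written by any poster in this thread: one way to turn the firewall logs mentioned above into the "statistical information" the question asks for, by ranking internal hosts by how many distinct external peers they contact, which is a common heuristic for spotting P2P clients. The log format, the `INTERNAL` network, the threshold and all function names are assumptions made for illustration.

```python
import re
import socket
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the monitored LAN. Adjust to the real internal range.
INTERNAL = ip_network("192.168.1.0/24")
# Constructed sample lines in a made-up format (not any real firewall's output).
SAMPLE_LOG = """\
2003-06-01T02:01:10 ALLOW TCP 192.168.1.23:3412 -> 203.0.113.5:6346
2003-06-01T02:01:11 ALLOW TCP 192.168.1.23:3413 -> 198.51.100.77:6346
2003-06-01T02:01:11 ALLOW TCP 192.168.1.40:1188 -> 203.0.113.80:80
2003-06-01T02:01:12 ALLOW TCP 192.168.1.23:3414 -> 198.51.100.9:6347
2003-06-01T02:01:13 ALLOW TCP 192.168.1.23:3415 -> 203.0.113.200:6346
2003-06-01T02:01:14 ALLOW TCP 192.168.1.40:1189 -> 203.0.113.80:80
malformed line that the parser must skip
""".splitlines()
LINE_RE = re.compile(r"^\S+ \w+ \w+ ([\d.]+):\d+ -> ([\d.]+):\d+$")

def peers_by_source(lines):
    """Map each internal source IP to the set of external peers it contacted."""
    peers = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of failing
        try:
            src, dst = ip_address(m.group(1)), ip_address(m.group(2))
        except ValueError:
            continue  # matched the pattern but is not a valid address
        if src in INTERNAL and dst not in INTERNAL:
            peers[str(src)].add(str(dst))
    return peers

def suspects(lines, min_peers=3):
    """Internal hosts with at least min_peers distinct external peers, busiest first."""
    ranked = sorted(peers_by_source(lines).items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(dsts)) for src, dsts in ranked if len(dsts) >= min_peers]

def reverse_name(ip, resolver=socket.gethostbyaddr):
    """Reverse-DNS an address (the nslookup step); None when no name is found."""
    try:
        return resolver(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None

if __name__ == "__main__":
    for ip, count in suspects(SAMPLE_LOG):
        print(ip, count, "distinct external peers")
```

A high peer count is only a lead to check against other evidence; `reverse_name` can then be applied to the external peers or, for inbound traffic, to the remote source.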
June 2nd, 2003 12:06 AM
I think there are just a few stupid kids that will attack from a computer linked personally to them.
Logs can help to:
- tackle the attack & know what is compromised
- locate a remote infected computer used as a zombie, or a cybercafe from where illegal stuff is launched.
Backtracking someone is almost impossible without the full cooperation of every single ISP worldwide.
SHARING KNOWLEDGE