Results 1 to 4 of 4

Thread: triangulation of user

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    115

    triangulation of user

    needless to say, when something is happening in real time where you need to isolate a user/unknown with statistical information to pinpoint to the cause, what do you use? since all alot of things could be considered "evidence" during an IH (incident handling), how or what have you used to triangulate the root cause?

    example: p2p abuse
    router log
    firewall log
    web log
    network monitor tool

    w0rm3y

  2. #2
    Best bet, Is to grab his ip. then see if you can Nslookup it. that way you can get a ISP then you would report him with that information. In real time anything really goes. If i were being hacked, i would just use basic command programs like netstat, and nslookup, finger. Programs i would suggest is a packet sniffer.. that way you can might beable to grab a Source MAC address from the unknown user..
    Im Chris Bartholomew - 18 Years old

    TSeNg
    questions? Cxbartholomew@yahoo.com

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Anything that can help you with the IP address is going to be useful, so firewall logs, router logs etc...Once you have the IP you can do do a NSLookup, run a traceroute etc...You could use an app such as Visual route which will attempt to ge the geographical location of the users. Netstat can also be of use to see who is connecting to your box.

    You won`t be able to grab the MAC address though as the MAC in the ethernet packet will be that of the last network device the packet passed through, not the attackers machine.

    If you are really concerned then I`d suggest looking into using an Intrusion detection system as well (Snort is about the best freeware one) which will record the IP address of the attacker and what they are doing.

    However be aware that the attacker might not actually be coming from his own IP address so you may be chasing a dead end.
    Quis custodiet ipsos custodes

  4. #4
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    I think there is just a few stupid kids that will attack from a computer link personnaly to them.
    Logs can help to
    - tackle the attack & know what is compromised
    - locate remote infected puter as zombie or a cybercafe from where illegal stuff are launched.

    Backtracking somzone is almost impossible without the full cooperation of every single ISP orld wide.
    [shadow] SHARING KNOWLEDGE[/shadow]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •