
Thread: Ip spoofing

  1. #1
    Junior Member
    Join Date
    Nov 2003
    Posts
    6

    Ip spoofing

    "Sometime on Wednesday evening someone 'spoofing' my IP address went into Wild =SOD='s Webserver and deleted all of his files. As a result my main ISP account has been suspended."

    Does this sound plausible? I thought that maybe this person was guilty but thought I'd check it out.

  2. #2
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I don't know about spoofing the ip address, but they could have taken control of the computer and used it to attack the web server and delete the files. Why do you ask?

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Possible to carry out the entire attack on a spoofed IP? Yes.

    Probable.... Not really.....

    I would suggest you take a close look at your box and its security.... You were probably used as a "proxy"/"zombie".

    Since your ISP has seen the logs of the attack taking place from your IP ask them for a log of all incoming connections to your IP at that time...... If there are incoming connections to your machine during the attack period you have grounds to have them reinstate your connection - if you fix your machine and its security. If they have no logs - Change ISP anyway.... If they refuse - change ISP anyway.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    Junior Member
    Join Date
    Nov 2003
    Posts
    6
    This fella insists that he is innocent although several think he is not -- it has actually become an interesting read -- the person in question noted that he was spoofed and that he had nothing to do with it, although the logs of the server show that his IP number was systematically deleted except for one (a hidden log). My question to him was: if the hacker spoofed his IP why would he bother erasing the tracks -- it wouldn't belong to him anyway. This person refused to answer the question so I thought I'd get another person's perspective.

    Thank you for your time. I can link the site where this is going on if you'd like to read.

  5. #5
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Yes it is totally plausible, if the circumstances for deleting the files did not require your ip to receive any information back. It would be a little difficult but if the server was configured improperly and sequence numbers could be determined then it could be done.

    Or you could have been compromised by the attacker and he did everything from your computer. You don't have a proxy running, right?

    And if I did hack from a compromised machine I would still try to delete all your logs just in case the 'compromised computer' had logs and eventually you could get back to me. Erasing logs is mandatory for any good hacker to prevent any kind of back tracing whether you came from another computer or one at the public library.
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Just because the "attacker" deleted the server logs from a machine he uses as a zombie doesn't mean crap. If you spent the time to build something you aren't going to risk it being torn down willy-nilly... You want it to stay.... so you delete logs so you can use the resource again.....

    As far as this being a spoofed attack..... NOT.... He deleted multiple logs with no feedback and only missed the "hidden" one.... Nope.... He had feedback.... The "attacking" machine is compromised..... If it isn't..... You'll never catch the guy..... He is Uber L33t but he never types that way.....

    The computer owner is innocent.... He's hacked and he doesn't know it..... But he's innocent.

  7. #7
    Junior Member
    Join Date
    Nov 2003
    Posts
    6
    So it wouldn't really matter then that they deleted it -- that wouldn't suggest a guilty conscience on the part of the person suggesting he did not actually hack the site and that instead his IP was spoofed?

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If he is guilty then he should quit "whining"...

    If his IP address is all over the log files he may, quite probably, be innocent..... The percentage of his innocence, worldwide, is higher than his percentage of being guilty.... But his IP is on the log files and he can do little to prove his innocence....

    My honest suggestion to him, since he doesn't seem to know what he is doing...... Reformat the whole system, (ok.. have someone competent do it for him....), reinstall and find a new ISP _after_ he has put appropriate security devices/software in place.....

  9. #9
    Junior Member
    Join Date
    Nov 2003
    Posts
    3

    Question spoofing ip and right pw 1st time

    Hi all,

    I thank Hydro for his post and interest in this matter too.

    As Hydro said, this person said his IP was spoofed??
    After I received a complete log from my hosting company I reported this IP to their ISP.

    Since then this person has now claimed his IP address has been spoofed??

    OK, say this person was spoofed, what's the chance of them finding the right user name and password on the 1st attempt to enter my site to start deleting files??

    Also, can this spoofing use an FTP program to delete these files without the real IP address showing itself on the main log, as this person did use an FTP program to delete all these files according to this log.

    So what's the chance of all this, in 18 minutes I must add.

    Would be very grateful for any help on this matter.

    Wild.

  10. #10
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I think you are confusing what spoofing really is...

    spoof Last modified: Tuesday, February 25, 2003

    (v.) To fool. In networking, the term is used to describe a variety of ways in which hardware and software can be fooled. IP spoofing, for example, involves trickery that makes a message appear as if it came from an authorized IP address. Also see e-mail spoofing.
    Source

    As Tiger Shark pointed out, it is possible that his ip was spoofed, but not probable.

    What Tiger Shark is suggesting is that this "attacker's" machine was broken into first, and then the real "attacker" used the supposed "attacker's" machine as a launch pad to cause damage to the other machine.

    If the person was smart enough to kill the logs... then I'd hope they'd also be smart enough not to do it from their own machine.

    In other words, his machine was used as a zombie.

    zombie Last modified: Tuesday, February 05, 2002

    (1) A computer that has been implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer owner.
    Source

    To really find out, you'd need to get a hold of the machine that was used for the attack.
    Then you can perform a forensic analysis and see if that machine had been broken into, has trojans on it, examine logs, etc.

    If this person claims he was spoofed... then he might not even know what it is. It'd be very difficult to "spoof" a whole attack. Not impossible... just highly improbable.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
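
The check suggested in post #3 (ask the ISP for inbound connections to the accused IP during the attack period), combined with the first-attempt login question from post #9, as an added Python example that is not part of any post in this thread. Both log formats, every address and all timestamps are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
SUSPECT = "203.0.113.7"  # constructed address standing in for the suspended customer

# Constructed FTP server log: date time client command argument reply-code
FTP_LOG = """\
2003-11-05 19:02:11 203.0.113.7 USER wild 331
2003-11-05 19:02:12 203.0.113.7 PASS **** 230
2003-11-05 19:03:40 203.0.113.7 DELE /www/index.html 250
2003-11-05 19:04:02 203.0.113.7 DELE /www/logs/access.log 250
2003-11-05 19:20:05 203.0.113.7 QUIT - 221"""

# Constructed ISP flow records: start,end,source,destination:port
ISP_FLOWS = """\
2003-11-05 18:55:30,2003-11-05 19:25:10,192.0.2.99,203.0.113.7:5000
2003-11-05 19:02:10,2003-11-05 19:20:06,203.0.113.7,198.51.100.20:21
2003-11-05 21:00:00,2003-11-05 21:00:05,192.0.2.50,203.0.113.7:80"""

def attack_window(ftp_log, ip):
    """Return (first_seen, last_seen, failed_logins, deletes) for one client IP."""
    times, failed, deletes = [], 0, 0
    for line in ftp_log.splitlines():
        date, clock, src, cmd, _arg, code = line.split()
        if src != ip:
            continue
        times.append(datetime.strptime(f"{date} {clock}", FMT))
        failed += cmd == "PASS" and code == "530"   # 530 = login rejected
        deletes += cmd == "DELE" and code == "250"  # 250 = file action completed
    return (min(times), max(times), failed, deletes) if times else None

def inbound_during(flows, ip, start, end):
    """Flows whose destination is `ip` and whose lifetime overlaps [start, end]."""
    hits = []
    for line in flows.splitlines():
        f_start, f_end, src, dst = line.split(",")
        dst_ip, dst_port = dst.rsplit(":", 1)
        t0, t1 = datetime.strptime(f_start, FMT), datetime.strptime(f_end, FMT)
        if dst_ip == ip and t0 <= end and t1 >= start:
            hits.append((src, int(dst_port)))
    return hits

if __name__ == "__main__":
    start, end, failed, deletes = attack_window(FTP_LOG, SUSPECT)
    print(f"session {start} to {end} ({end - start}), "
          f"{failed} failed logins, {deletes} deletes")
    for src, port in inbound_during(ISP_FLOWS, SUSPECT, start, end):
        print(f"inbound connection from {src} to port {port} during the session")
```

An inbound flow that overlaps the FTP session is the kind of record post #3 says to ask the ISP for; it is consistent with the machine having been used as a relay but does not prove it on its own.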
