
Thread: Masked Hacker IP

  1. #1

    Question Masked Hacker IP

    Hello All,

    Is it possible to identify a hacker who is attacking your computer repeatedly if he masks his IP? If so, how can this be done?

    Thank you.

  2. #2
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Is this the victim or the hacker asking?

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Originally posted here by Cybr1d
    Is this the victim or the hacker asking?
    Hehe!! Good question!

    But now I wanna know too!
    I would consider myself a victim, I'm taking care of a bunch of servers at a college...

  4. #4
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    If so, how can this be done?
    It just sounds like a very weak social engineering attempt....and I'm not even that paranoid. Or am I?

  5. #5
    Why does social engineering keep coming up on these threads? What purpose would it serve here, and why do we care? Just curious, I've never seen this brought up on a forum before...Just seems like a normal newbie question to me. And speaking of newbies...

    I wouldn't mind knowing this myself. Is this a software solution, or is it possible to do without any tools to assist you if you know well enough what you're doing? And why would you want to know this? I presume to block the invading IP once you discovered, or report it to its appropriate ISP, correct?

  6. #6
    First off...I'm making the assumption that this is your home Internet connection they are attacking and NOT a company connection. If it is a company connection - stop and go see your IT department NOW!

    Attackers can use a proxy server on the Internet to launch attacks. In most cases you won't be able to identify the attacker if they are using this method to mask themselves, unless you are able to have the proxy provider provide logs (good luck...not likely).

    Even if you were to identify the attacker, what are you going to do about it? If it identifies an address owned by a company you could contact that company's IT shop. If it identifies a home ISP connection (dialup, DSL, cable) then you would need to contact that ISP...but I wouldn't expect them to assist as they are pretty busy (aka overworked) responding to thousands of security events many more serious than one home user. The good news is that they DO know who has the IP address at any particular date/time.

    If you want to contact the ISP they usually have an email address "abuse@isp.com" (i.e., abuse@aol.com). You'll need to provide them with data such as date and time of attacks, IP address of source, your IP address they are attacking. If the ISP responds to this incident and determines it's one of their users they might "slap that user on the wrist" but again I don't think they're gonna do this due to lack of time.

    I would suggest the best method would be to set up your firewall to block that IP - that's the most effective way to address this IMO.

    Good luck.

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    At my college we are right now discussing HOW we are gonna implement "public" wireless access.
    One thing we have looked at is the ability to filter on MAC/IP address, but since you can spoof both, how good is that, unless you still really can tell what MAC/IP is behind the spoofed one??

    It would be very interesting to know if there is an "easy" way to figure this out.
    (using log files, and then go to the ISP I consider a non-easy way...)

    We already have a problem on the regular T1 lines we have though, with people trying to hack in using IP 127.0.0.1...

    Any help or ideas on how to track them down and I would be very thankful!

  8. #8
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Why does social engineering keep coming up on these threads? What purpose would it serve here, and why do we care? Just curious, I've never seen this brought up on a forum before...Just seems like a normal newbie question to me. And speaking of newbies...
    Our duty here, per se, is to prevent hackers breaking in, increase user awareness and help anyone with any computer problems they might have. We do care because if we teach someone how to break into a system, we're contradicting ourselves. (This thread not being the case)

    It would have been a lot easier if listener had given a more detailed explanation of his question...ex: I've been getting hit by the same attacker every day...can I find out who it is, instead of "how can it be done?", giving the impression that he's trying to hide his tracks on an attack. As usual, there can be both sides to the story...different readers get different ideas on what the issue is...and they post accordingly. To me it sounded like a social engineering attempt to obtain information on how to hide your tracks....I guess to you it's something else.

    listener...follow Ric-O's suggestion...that's pretty much all you can do.

  9. #9
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    127.0.0.1...?

    127.0.0.1 is a loopback network connection.


    If you telnet, ftp, etc... to 127.0.0.1, you are immediately connected to your own machine.

    For example, if your system was named "joker", and you attempted to telnet to 127.0.0.1, you would see:

    nsai# telnet 127.0.0.1
    Trying 127.0.0.1...
    Connected to joker
    Escape character is '^]'.
    Convincing newbies to connect to 127.0.0.1 is a frequent joke on the Internet.

    localhost is another name for 127.0.0.1.


    LOL...they cannot hack through it...they'd be connecting to their own computer.



    EDIT: Sorry for double post, he asked his question while I was answering the other one...o well.

  10. #10
    Senior Member
    Join Date
    Apr 2004
    Posts
    157
    Originally posted here by Cybr1d
    127.0.0.1...?



    LOL...they cannot hack through it...they'd be connecting to their own computer.



    EDIT: Sorry for double post, he asked his question while I was answering the other one...o well.
    Well.. how they do it, or how successful somebody could be doing it, I have no clue about. But fact remains, we had close to a million hacking attempts on our outside interface on the firewall coming from IP 127.0.0.1.
    I thought that would be a very smart way of trying to hack in, 'cause if the firewall thinks you really are 127.0.0.1 it would normally consider you logged on locally and give you full access, but good thing our firewall guy has denied 127.0.0.1 on the outside interface, only allowing it on the inside interface.

    Not sure you understood me right either. The hacker isn't trying to connect TO 127.0.0.1, he is using that as his spoofed IP, and then trying to connect to our stuff...

    Thanks for all the input though!

    (exciting thread! )
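
Added example, not written by any poster in this thread: a log triage that combines the two points made in posts #6 and #10. Sources such as 127.0.0.1 seen on the outside interface are forged and can only be dropped at the edge, while routable sources are summarized with the dates, times and targets an ISP abuse desk asks for. The log format, the interface names and every address below are assumptions constructed for the example; documentation-range addresses stand in for real public ones.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (assumed format, not taken from the thread).
SAMPLE_LOG = """\
2004-05-03T02:11:09 IN=outside SRC=127.0.0.1 DST=192.0.2.10 DPT=23
2004-05-03T02:11:10 IN=outside SRC=127.0.0.1 DST=192.0.2.10 DPT=21
2004-05-03T02:14:55 IN=outside SRC=198.51.100.7 DST=192.0.2.10 DPT=22
2004-05-03T03:40:01 IN=outside SRC=10.4.4.4 DST=192.0.2.10 DPT=80
2004-05-04T01:02:03 IN=outside SRC=198.51.100.7 DST=192.0.2.10 DPT=22
2004-05-04T01:05:00 IN=inside SRC=127.0.0.1 DST=127.0.0.1 DPT=25
"""

# Source ranges that can never legitimately arrive from the Internet side.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

LINE = re.compile(r"(?P<ts>\S+) IN=(?P<iface>\S+) SRC=(?P<src>\S+) "
                  r"DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")

def triage(log_text, outside="outside"):
    """Split outside-interface sources into spoofed and reportable."""
    spoofed = defaultdict(int)
    reportable = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["iface"] != outside:
            continue  # loopback on the inside interface is normal traffic
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in NON_ROUTABLE):
            spoofed[str(src)] += 1  # forged source: no ISP owns it, just drop
            continue
        rec = reportable.setdefault(str(src), {
            "first": m["ts"], "last": m["ts"], "count": 0, "targets": set()})
        rec["first"] = min(rec["first"], m["ts"])  # ISO timestamps sort as text
        rec["last"] = max(rec["last"], m["ts"])
        rec["count"] += 1
        rec["targets"].add((m["dst"], int(m["dpt"])))
    return dict(spoofed), reportable

if __name__ == "__main__":
    spoofed, reportable = triage(SAMPLE_LOG)
    print("drop on outside interface:", spoofed)
    for ip, r in reportable.items():
        print(ip, r["count"], r["first"], r["last"], sorted(r["targets"]))
```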
