Ip spoofing

Wild: I'm assuming you are the "victim" here, If I'm wrong please tell me....<s>

Quote:

---

Ok say this person was spoofed whats the chance of them find the right User name and Password the 1st attempt to enter my site to start deleting files ??

---

You may be making a _huge_ assumption as to how this person entered your system.... There are many exploits that result in admin/root on a system immediately.

Quote:

---

Also can this spoofing use a FTP program to delete these files with out the real ip address showing its self on the main log as this person did use a FTP program to delete all these files
according to this log.

---

If your FTP server is not set up correctly I can bounce my attack on someone else off you, legitimately and without having to "crack" your box, and the resultant victim will see you, and only you, as the attacker.

Quote:

---

So whats the chance of all this in a 18 minutes i must add.

---

It took that long... I'm a little surprised.... ;) Seriously, access was made, a determination of what was being logged took place, (though not perfectly), logs were "cleaned" and a web site defaced in 18 minutes...... that's not bad.... hardly a novice, no expert either, but 18 minutes is a pretty short time when you have to explore an unfamiliar system.... So I'd suggest that the person you have had "cut off" was _probably_ not the culprit... Though I will happily admit to being wrong....

I'd love to see a _sanitized_ version of the log files..... Can you manage that? Just replace the attackers IP/DNS and your IP/DNS information with something innocuous like Attacker and Victim.... Do a search and replace on the pertinent information and post it here please.

This is all very exiting stuff!

I have a few observations/questions which don't seem to have arisen from the thread yet?

1. I am inclined to agree that whilst "spoofing" is possible, it is highly improbable, particularly for this sort of activity. One of the main objectives of spoofing is to gain trust, rather than hide identity, although it is also used by spammers to hide their ID.

2. There is mention of finding a correct User ID and password etc. in 18 minutes, and destroying a website. How do you know that this is the attackers first visit? If your security lets anyone wander around your site and delete files, they could have had weeks to find user profile files and crack them? Then launched their attack. Whose profile and password were used? The point I am making is I might create a valid account (sorry we have no info. on the nature of the site and its access procedures) and then use that as a part of my attack vector? It would appear totally unrelated, but save me all the preliminary effort of cracking a UserID and password. If this is just a site with a single webmaster/owner ID, then what about the security on the machine that is used to maintain the site.......it would only take a simple keylogger?....................

3. A "zombie" attack using "botware" sounds quite likely, but we have no information about the machine that was used for this attack. What about if the attacking machine was PHYSICALLY compromised? A scenario might be that kid brother skiddie loads software he has been given, then uses it to cause damage. If it has been in anyways well-crafted it would have some basic anti-detection algorithms in it, like deleting obvious log files?

4. What is the relationship between the person who claims to have been spoofed and the website/webmaster/group in question? Most murders involve people who know eachother? If the person claiming to be spoofed is a total stranger, I would say that they are almost certainly innocent of the attack, at least.............as for their security :rolleyes:

5. Are we sure that the "attacking machine" was the attacking machine. Could it be that the supposedly spoofed person has been careless with their internet details, and someone just used their account? The only people who would know that would be the ISP, from the line that was used to connect? I very much doubt if they would bother to check that, unless specifically asked to?

6. Do the victim and alleged attacker use the same ISP? The attack could be totally automated? Network aware malware might find the website via the ISP address block/subnet? Every malware has a first victim, so this could be something new?

7. Motivation?.................who really hates you enough to want to trash your website? and why?

Just a few thoughts

Cheers

Nihil: If the chap has 18 minutes of logfiles this was a manual attack rather than an automated bot/worm/script..... Unless the attacking machine is an 8086..... ;)

18 minutes is a long time to hold your breath but is isn't long to dig around an unfamiliar machine and do a good job of deciding what is running and what are log apps. It's all very well saying "oh it's a windows box - delete the .evt files" but I have boxes where if you do that you just took the "bait", because my event logs are somewhat cosmetic. The real event logs are already on a different box that only accepts connections on one port - so you had better have a crack for that app too if you want my logfiles to go away.

I'm not pooh-poohing Wild's seeming determination that the guy who owns the "attacker" is lying but the odds are quite high that he isn't - he may know the term spoofing but he may not understand it - See Phish's post - good explanation.

Also, I wouldn't look too hard at people who know Wild..... On the internet the prinary _assumption_ is anonymity..... and people attack boxes across the world with no idea that it might be their old Aunt Millie's box over there in Hackensack NJ where she emigrated 5 years ago.

Wild.... can you come up with sanitized logs for us..... It would be interesting to see them even if we end up being able to conclude any more than you already have.

It is very easy to spoof the IP. If the ISP has DHCP all you must do is to change your MAC adress and IP adress with the victim's adresses. In windows you can do that by changing the properties of TCP/IP protokol. In Linux just type ifconfig eth0 hw ether MAC_ADDRES up.
ReSpEcT ...

Barove: You better make sure the other box is off when you do that or you will cause errors and the box that is already on that IP keeps the connection while your NIC is disabled 'cos you "came in second". You're also assuming that they both share the same ISP/subnet because you can spoof my address all day and never see a reply because they will be routed to my subnet not yours.

Spoofing attacks are very possible but require a higher level of skill and knowledge or a well written program and a knowledge of the exact program and version you are trying to exploit since the whole attack is blind - you see nothing as the attacker.

Now if you own another box you can spoof to that box's IP and pick up on the replies with a sniffer on that box, (bounce attack or half-blind), but why bother other than for an academic exercise. If you own the other box go ahead and use it - you have to connect to it anyway so the connections could be logged somewhere.

Thx for replys

ok so this person may have been spoofed would this leave any traces on his pc/hd, to say his ip was spoofed ??
Or would it only be on the machine that did the attack its self

Quote:

---

To really find out, you'd need to get a hold of the machine that was used for the attack.

---

Tiger Shark, I thank you for your input here but this is a active case right now would not be right for me to disclose any evidence that i might have hope u understand,
will post the log file like you asked when the time would be more sutable ;)

wild

Wild: Determining whether the "attacker" was the machine used in the actual event would be a whole lot easier if we had the box or if the ISP does complete logging and archives those logs - which they should.

In the long run what you are asking is impossible to determine for a fact without seeing the evidence. Suffice it to say there are a million boxes out there that are there for the taking and many get taken daily. All I can tell you with my experience is that nowadays the chances of the owner of a box that attacks another site being the actual perpetrator are remote.

I would give this guy the benefit of the doubt but request that his ISP monitor his box more carefully. Unless you know him personally and then it is a simple decision on whether you feel you can trust him.

Still looking forward to the logs and any other stuff that you can show.

Another oddity in all of this is that the person who reportedly has had their ip spoofed and the victim of the attack know one another and the site deleted related to a common interest (gaming).

why would a hacker or should i say how would an attacker know that information unless they are known to the two parties or the person claiming to have been spoofed?

that i find very perculiar any ideas there?

Hydro: Easy one..... ;)

Scenario:

1. The victim hosts a Game server.
2. The "attacker" plays there.
3. The real attacker plays there too.

The real attacker is pi$$ed at the attacker and through other means discovers the IP of the "attacker". (easily socially engineered). A quick scan of the machine and a search for an exploit and Bingo... He owns the "attacker". Then, to do the most "harm" he uses the "attacker's" machine to attack the game server thus getting the "attacker" banned and cut off from the internet.

Hardly far fetched at all.... Probably happened a dozen times this year alone somewhere.

However, now you have made it clear that these two know each other.... All bets are off..... Computer security becomes a whole lot more difficult when you bring personal relationships into it. It takes away a lot of the objectiveness if you know that person A can't stand person B and visca-versa while A is accusing B of hacking. It becomes too easy to allow that knowledge and any comments about the two of them that have passed to interfere with the objective process of determining what _really_ happened. It's too easy to find yourself trying to make things fit your preconception of what might have occured - which, with voluminous logs etc., is all too easy to do.

I still would like to see the logs though Wild...... ;)

Tiger Shark yes, i didn't check it ... the victim's box must be down .... and I post a traffic sniffing i LAN :)