I want to "surprise" this hacker...

Printable View

January 7th, 2002, 11:03 PM
Babak-Khan

I want to "surprise" this hacker...

This hacker 62.21.5.89 (who has a broadband connection) has tried to anoy me for sometime now. :mad:
I have used NeoTrace and Retina 4.7.1 to get information about his internet supervisor and about his system (OS, open ports etc.)
But although I mailed the traceroute AND the Log file from my firewall to the abuse-section at the network his using nothing has happend and I still get intrusion attempts from him/her.
What I want to do now is to my self contact the so called hacker (e-mail or maybe send a message directly to his computer :fpissed: ) and I was wondering if this can be done???!?!?!
I REALLY appreciate any help!:) :) :hello: :
January 7th, 2002, 11:33 PM
Conf1rm3d_K1ll

I ran a trace myself. I think it's Negative!

rofl
January 7th, 2002, 11:58 PM
KorpDeath

If I were you I'd load LaBrea and let it deal with your little problem. it'll slow his connection until there isn't anything left, but it'll use a limited amount of your bandwidth(whatever you specify).

www.hackbusters.net

It works perfectly, I have about 45 machines tarpitted right now, and I'm using .05% of my total bandwidth. not bad. Plus it reduces the effect of heavily infected networks by about 80%.
January 8th, 2002, 02:22 AM
VanEck

Before you go ahead and do anything illegal in retaliation, I would suggest simply contacting the fellows ISP, preferably vie telephone and demand they do something about it. If you are persistent, something will be done about it. They can either terminate this users account because chances are he is doing other questionable actions, or other options, such as simply block his traffic to you, etc.
January 8th, 2002, 02:29 AM
VanEck

Also, I forgot to mention that you own ISP can take care of the problem as well. Contacting his ISP may not even be necessary. I would definitely not suggest trying to "surpirse" this individual however. Chances are, you will only provoke and encourage him to pester you with his "lameness" even more. Or just make yourself liable for legal action or termination of your own internet access.
January 8th, 2002, 04:23 AM
Ouroboros

McAfee Visual Trace Version 3.25 Results
Target: 62.21.5.89
Date: 1/7/02 (Monday), 9:17:31 PM
Nodes: 23

Node Data
Node Net Reg IP Address Location Node Name
23 1 - 62.21.5.89 WARSZAWA c5-89.icpnet.pl

Packet Data
Node High Low Avg Tot Lost
23 3677 3677 3677 1 0

Network Data
Network id#: 1
This is the RIPE Whois server.
The objects are in RPSL format.
Please visit http://www.ripe.net/rpsl for more information.
Rights restricted by copyright.
See http://www.ripe.net/ripencc/pub-serv...copyright.html

inetnum: 62.21.0.0 - 62.21.99.255
netname: ICPNET-1
descr: Internet Cable Provider
descr: Multisiec Poznan
country: PL
admin-c: WS4912-RIPE
tech-c: WS4912-RIPE
tech-c: PW2853-RIPE
status: ASSIGNED PA
notify: [email protected]
mnt-by: ICP-MNT
changed: [email protected] 20000321
source: RIPE

route: 62.21.0.0/17
descr: PL-ICP-1
descr: Poznan
origin: AS13110
mnt-by: ICP-MNT
changed: [email protected] 20000322
changed: [email protected] 20000418
changed: [email protected] 20000427
source: RIPE

person: Wojciech Strzelecki
address: ICP
address: ul. Owsiana 17
address: 61-666 Poznan
address: Poland
phone: +48 61 8280132
fax-no: +48 61 8280152
e-mail: [email protected]
nic-hdl: WS4912-RIPE
remarks: admin-c of pl.icp
notify: [email protected]
mnt-by: ICP-MNT
changed: [email protected] 20000201
changed: [email protected] 20010826
changed: [email protected] 20010827
source: RIPE

person: Piotr Wierzejewski
address: ICP
address: ul. Owsiana 17
address: 61-666 Poznan
address: Poland
phone: +48 61 8280132
phone: +48 61 8280152
fax-no: +48 61 8687363
e-mail: [email protected]
nic-hdl: PW2853-RIPE
remarks: tech-c of pl.icp
notify: [email protected]
changed: [email protected] 20000201

Registrant Data
_____
Visual Trace Copyright ©1997-2001 NeoWorx Inc

There ya go...

Ouroboros
January 8th, 2002, 12:07 PM
Babak-Khan

Thanx guys!

Thanx everyone :thumbsup: , I really appreciate all your help!!
Specially VanEck for your suggestion of thinking before acting; i.e. taking contact with my own ISP.
I e-mailed
[email protected]
and got this answer:

Thank your for your report.
We will take the appropriate action.

W.S.

On Mon, 7 Jan 2002, Babak Rasolzadeh wrote:

> I received an attempted hack from your user 62.21.5.89 Please discipline the individual(s)
> Thank you for your attention in this matter.
> Sincerely: Protected user
>
> TRACE ROUTE:
>
> Target: 62.21.5.89
> Date: 2002-01-07 (Monday), 17:48:19
> Nodes: 11
>
>
> Node Data
> Node Net Reg IP Address Location Node Name
> 1 1 - 62.5.50.246 56.133N, 13.417E babak-khan
> 2 1 - 62.5.48.1 Unknown
> 3 1 1 62.5.0.76 Unknown bb-62-5-0-76.bb.tninet.se
> 4 1 2 62.5.0.17 STOCKHOLM sto-int-cust-k33274-e0.telenordia.se
> 5 2 - 195.163.111.197 Unknown
> 6 2 2 194.213.69.106 STOCKHOLM tni-sto1-ri01-ge01-00.telenordia.se
> 7 3 3 195.219.88.1 Unknown if-3-0-0.bb1.stockholm.teleglobe.net
> 8 4 3 195.219.14.99 Unknown if-3-0.core1.stockholm.teleglobe.net
> 9 4 3 195.219.14.226 Frankfurt am Main if-0-0-0.bb1.frankfurt2.teleglobe.net
> 10 5 3 195.219.64.62 Frankfurt am Main ix-4-1-0.bb1.frankfurt2.teleglobe.net
> 11 6 - 62.21.5.89 WARSZAWA c5-89.icpnet.pl
>
>
> Packet Data
> Node High Low Avg Tot Lost
> 1 0 0 0 1 0
> 2 0 0 0 1 0
> 3 56 56 56 1 0
> 4 9 9 9 1 0
> 5 45 45 45 1 0
> 6 32 32 32 1 0
> 7 37 37 37 1 0
> 8 29 29 29 1 0
> 9 62 62 62 1 0
> 10 93 93 93 1 0
> 11 ---- ---- ---- 2 2
>
>
> Network Data
> Network id#: 1
> BT Ignite Nordics
> Norra Stationsgatan 69
> SE-113 84 STOCKHOLM
> SWEDEN
>
> Network id#: 2
> Telenordia AB
> Box 6681
> 11384 STOCKHOLM
> SWEDEN
>
> Network id#: 3
> 3900 Skyhawk Drive
> Chantilly Virginia 20151
> USA
>
> Network id#: 4
> 3900 Skyhawk Drive
> Chantilly Virginia 20151
> USA
>
> Network id#: 5
> 3900 Skyhawk Drive
> Chantilly Virginia 20151
> USA
>
> Network id#: 6
> ICP
> ul. Owsiana 17
> 61-666 Poznan
> Poland
>
>
>
> Registrant Data
> Registrant id#: 1
> See Registrant Pane for registrant contact information.
>
> Registrant id#: 2
> See Registrant Pane for registrant contact information.
>
> Registrant id#: 3
> Registrant:
> Teleglobe Inc. (TELEGLOBE2-DOM)
> 3900 Skyhawk Drive
> Chantilly, VA 20151
> US
>
>
>
>
> Log File:
>
> Date: 1/7/2002 Time: 17:41:21
> Rule "Default Block NetBus Trojan horse" blocked (62.5.50.246,NetBus(12345)). Details:
> Inbound TCP connection
> Local address,service is (62.5.50.246,NetBus(12345))
> Remote address,service is (62.21.5.89,1475)
> Process name is "N/A"
>

--

-------------------------------------------------------------------
Wojciech Strzelecki
Administrator sieci komputerowej
ICP Poznan

Once again: I really appreciate it :hello:
I will post news about this matter a.s.a.p.
Take care
January 8th, 2002, 01:32 PM
nakoka

This hacker is come from Borland. The machine name is "c-89.icpnet.pl"
January 8th, 2002, 01:48 PM
Tomsan

Quote:

Originally posted by Ouroboros
McAfee Visual Trace Version 3.25 Results
Target: 62.21.5.89
Date: 1/7/02 (Monday), 9:17:31 PM
Nodes: 23

........

Registrant Data
_____
Visual Trace Copyright ©1997-2001 NeoWorx Inc

There ya go...

Ouroboros

you make it sound like you did something usefull...
everybody can do this, and Babak-Khan allready did this.
he wanted to email the man in personall!!!!!!

:george:
January 8th, 2002, 02:15 PM
Babak-Khan

Thnx Tomsan!

I know u r absolutelu ringht LOL...but I guess Ouroboros only tried to help.. although it wasnt like :wow: hehe...
January 9th, 2002, 02:32 AM
Ouroboros

yep

Yep...just tried to help, and I just like playing around with that program;)

Ouroboros
January 9th, 2002, 02:39 AM
protocool

can i play to your wargames!
January 9th, 2002, 03:59 AM
nietzsche

I'm going through the same thing ...

I host a webserver and quite a few routers here at home. As I work professionally with routers, I've come to understand that packet-level filtering, while great and granular, is not everything.

A couple days ago, I decided to check my access_log and secure_log on my webserver ... I was getting *plenty* of script attempts. Nothing that would do anything against me, but annoying nonetheless. I wrote to root@<isp> and abuse@<isp> and waited ... and waited ... and waited. I then found a template that went something like this:

> I would like to know if anyone has come up with a formal
> message to send to the netblock owners, something that may
> hold up in court if ever need be.
>

email:

abuse@XXXXX - Without prejudice I submit to you this Unsolicited Commercial E-Mail is from your user XXXX. UCE is unappreciated because it costs my provider (and ultimately myself) money to process just like an unsolicited FAX. Please look into this. Thank you.

general:

Without prejudice: I suspect you are the culprit of blah blah blah

It seems that this would be the best way to go.

HOWEVER ... I am working on a Perl script (Perl wizard I am not!) to:
* Auto-ban the offending IP from my network (both from the box and write a DENY entry to my border router,
* Post their IP and the corresponding attack attempt text to a "wall of shame" on my webpage,
* Send an e-mail to "abuse@<ISP>",
* Activate a hold-down timer on above such that if a response isn't had w/in 48 hours, it'll e-mail "abuse@<ISP>" AND "abuse@<1 hop closer to myself from ISP>" ... continue working down the line until it hits abuse@localhost ...

And I would imagine that this *should* stop quite a few script kiddies and/or rootkit'ers from impacting my network. Of course, this all depends on writing the proper heuristics to catch them in the first place! ;)

Anyway - what someone said initially, not to do anything illegal against them, is correct. I'm sure that ISP's have better (and more granular!) logging facilities than someone on a Windows box. ;) And I'm sure they'd be happy to utilize this if a user, say the next user who picked up that IP from the DHCP server ... or the REAL owner of the IP that was spoofed, complained about YOU hitting their box. Much better for you to give the offending ISP a copy of the associated logs, tell them to cross-reference time with their RADIUS server, and be done with it.

Hopefully this will help someone.

~N~
January 9th, 2002, 05:59 AM
nietzsche

To add to what I said before ...

Admins can also be really pissy. I just had one write me back - he took my "I'm looking to ban your user from my network" as "I will attack your user". <sigh> I guess I'll never never ever try to help out trib.com again. :(

Anyway - definitely don't look to attack the cracker/hacker/guy who's had his box rooted - it'll end up badly.

~N~
January 9th, 2002, 08:43 AM
VanEck

Yes, I suppose the key is to be polite yet persistent at the same time when dealing with ISP's. Let them know you know your stuff, and you just want their coporation in dealing with a pest. Just do not do anything that would aloow them to hold you liable for anything.
January 9th, 2002, 10:39 AM
Babak-Khan

Cool idea nietzsche!

Your program idea in Perl seems to be an great idea nietzsche!!

Quote:

HOWEVER ... I am working on a Perl script (Perl wizard I am not!) to:
* Auto-ban the offending IP from my network (both from the box and write a DENY entry to my border router,
* Post their IP and the corresponding attack attempt text to a "wall of shame" on my webpage,
* Send an e-mail to "abuse@<ISP>",
* Activate a hold-down timer on above such that if a response isn't had w/in 48 hours, it'll e-mail "abuse@<ISP>" AND "abuse@<1 hop closer to myself from ISP>" ... continue working down the line until it hits abuse@localhost ...

I would be very glad if you send me any news about the development of your Perl script!!!:) :)
January 9th, 2002, 06:26 PM
nietzsche

Perl script

Quote:

Your program idea in Perl seems to be an great idea nietzsche!!

Thanks, I think so too. :)

Quote:

I would be very glad if you send me any news about the development of your Perl script!!!

Heh - I'll keep everyone informed and make it available; there's an obvious need for it, as I'm finding. HOWEVER, I am neither a professional software engineer NOR someone with loads of time. But I do hope to have something done by the end of the week - after that, school starts up again and development time will be reduced.

Anyway - I'll keep everyone posted on this if/when it gets done!

~N~
January 9th, 2002, 07:18 PM
Babak-Khan

Perl Script

I dont want to brag, but I do no some about perl programing so if you don't mind I would like to TRY to maybe enhance and develop your Perl since you will not have much spare-time for it!!:)
January 9th, 2002, 08:10 PM
nietzsche

Perl script

I'd happily accept aid. Seeing as how I've not worked at all with Perl before the weekend. ;) I'll roll something crude to teach myself about Perl a bit and do the bare minimum ... and then I'll turn it loose to be modified, improved, etc.
January 9th, 2002, 10:07 PM
voodoo4chaos

Contact your ISP and get all inbound traffic from his IP address blocked. They should do it. I have done it myself.
January 9th, 2002, 10:57 PM
nietzsche

Sure ...

I *could* do this ... but, remember, I want to *dynamically* do something like that - i.e. go out to my border router and add a deny entry for the offending IP.

I *could* do this upstream ... but I can do it myself (and I can post the IP to a "wall of shame"!), so I'd rather not bother the upstream ISP about this. :)

Good suggestion, though - if it were more than just script kiddies / rootkit kiddies, then I think I'd go your route. However, as it is, they don't seem to be well versed, so I don't *think* it's a big deal yet. ;)