Methods for finding the nasty people..

[Matty_Cross]

Hey everyone,
I was just wondering what methods people use for tracking down users who have done or attempted to do bad stuff..

So share your knowledge people.. How do YOU track down that stupid script kiddie that tried to Sub7 you??

[valhallen]

Any decent firewall will be able to log attempts made by peps to gain access through certain ports or there are programs speacily designed to act as trojans sitting on the default ports and waiting for peps to connect - these progs shoul also be able to log any attempts made.....simply note down the date/time and ip of the person attempting to amke the connection and email them off to your isp - they should be able to take it form there.

Either that or they'll ignore it - well thats wht they usually do

[cheez_cake]

I have only hunted one person down on the internet, but i'm in the process of finding two others.

The best way to start is to create another online identity (do this ahead of time if you use yahoo to have backups since if you check the profile of the individual you can see when it was last edited, looks best if it was atleast a month or so before). This is the best way to gain someone's trust and then to extract information from them... so essientally best orchestrated while you pretend to be someone/thing you are not...

Another catch that many may not think of is to back up your "location", visit (for example: http://www.canada.ca) if you create an i.d. here with an email, your email with be @yahoo.ca
Thus backing up your story and location.

Other methods of mine are better left unsaid, but asking someone their password is the best way to get it!!!!!

[imperialjustice]

quickest route is neotrace, then call your isp...OR..TPfirewall is useful as alternate, since by default it lists source/port...

[cheez_cake]

for some reason calling the ISP doesn't do anything for me, I'd rather hunt them down and gain their trust (from another computer with a different ISP than my own) and after doing so, let them know that I know who they are and what they are doing. This will give them the benefit of the doubt to stop, also if they are doing the same thing to your computer under the alias as to your previous computer then you will know that they are truly malicious.

[Pooh-Bear]

Uhm, but what if the perp is using a proxy?

[Matty_Cross]

In that situation, it depends on what type of proxy they are using...
if the perp is using say the proxy of another ISP, and they do something really nasty.. you can get the server logs from the ISP...

If they are using the WinGate proxy of an unknowning user, there is a lot less of a chance that you will be able to get any more information....

I'm sure that there are other methods for find out info when the perp is using a proxy... any other suggestions??

[Vorlin]

If you're on *nix, you'll have system logs to sift through (home-grow your own perl/awk/sed script to rip out IPs/FQDNs/etc) and then use some of the following to figure out what's up:

neotrace - heard it's good, dunno, never used it

nmap - available at
http://www.insecure.org , kicks MUCH ass...provides stealth port scans and OS fingerprinting by the TCP/IP stack.

traceroute - standard for most *nix boxes, tracert for winblows.

VisualRoute - http://www.visualroute.com , also a very good geographic traceroute/ping/whois/etc...they also have something called VisualLookout but I dunno what that does.

netstat - common on most boxes nowadays, allows you to see all open ports and the connecting IPs they're from (this works if they're still on your system through some connection).

If they're from a proxy, you can find out who the proxy is signed to through nslookup/whois and contact them with proof of tampering from your system logs.

Disclaimer: most of this is already regurgitated, just throwing in my mostly useless advice on some things.