
Thread: I want to "surprise" this hacker...

  1. #11
    Senior Member
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636

    yep

    Yep...just tried to help, and I just like playing around with that program

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  2. #12
    Senior Member
    Join Date
    Aug 2001
    Posts
    168
    can i play to your wargames!
    "The more you ignore me... the closer i get!"

  3. #13
    Senior Member
    Join Date
    Jan 2002
    Posts
    132

    I'm going through the same thing ...

    I host a webserver and quite a few routers here at home. As I work professionally with routers, I've come to understand that packet-level filtering, while great and granular, is not everything.

    A couple days ago, I decided to check my access_log and secure_log on my webserver ... I was getting *plenty* of script attempts. Nothing that would do anything against me, but annoying nonetheless. I wrote to root@<isp> and abuse@<isp> and waited ... and waited ... and waited. I then found a template that went something like this:

    > I would like to know if anyone has come up with a formal
    > message to send to the netblock owners, something that may
    > hold up in court if ever need be.
    >

    email:

    abuse@XXXXX - Without prejudice I submit to you this Unsolicited Commercial E-Mail is from your user XXXX. UCE is unappreciated because it costs my provider (and ultimately myself) money to process just like an unsolicited FAX. Please look into this. Thank you.

    general:

    Without prejudice: I suspect you are the culprit of blah blah blah


    It seems that this would be the best way to go.

    HOWEVER ... I am working on a Perl script (Perl wizard I am not!) to:
    * Auto-ban the offending IP from my network (both from the box and write a DENY entry to my border router),
    * Post their IP and the corresponding attack attempt text to a "wall of shame" on my webpage,
    * Send an e-mail to "abuse@<ISP>",
    * Activate a hold-down timer on above such that if a response isn't had w/in 48 hours, it'll e-mail "abuse@<ISP>" AND "abuse@<1 hop closer to myself from ISP>" ... continue working down the line until it hits abuse@localhost ...

    And I would imagine that this *should* stop quite a few script kiddies and/or rootkit'ers from impacting my network. Of course, this all depends on writing the proper heuristics to catch them in the first place!

    Anyway - what someone said initially, not to do anything illegal against them, is correct. I'm sure that ISP's have better (and more granular!) logging facilities than someone on a Windows box. And I'm sure they'd be happy to utilize this if a user, say the next user who picked up that IP from the DHCP server ... or the REAL owner of the IP that was spoofed, complained about YOU hitting their box. Much better for you to give the offending ISP a copy of the associated logs, tell them to cross-reference time with their RADIUS server, and be done with it.

    Hopefully this will help someone.

    ~N~
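An added example, not code from this thread and written in Python rather than the Perl the poster planned: it sketches the detect, ban-entry, abuse-report and 48-hour escalation steps listed in post #13. The probe patterns, the threshold of 3, the Cisco IOS-style ACL line with number 101, all function names and the sample log lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed probe signatures; the post leaves the actual heuristics open.
PROBE = re.compile(r"cmd\.exe|root\.exe|default\.ida|\.\./|%255c", re.I)
# Apache common log format: host ident user [time] "request" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
HOLD_DOWN = timedelta(hours=48)  # escalation interval named in the post

# Constructed sample lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Jan/2002:03:12:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [14/Jan/2002:03:12:02 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 230',
    '192.0.2.10 - - [14/Jan/2002:03:12:03 -0600] "GET /default.ida?NNNN HTTP/1.0" 404 205',
    '198.51.100.7 - - [14/Jan/2002:03:15:00 -0600] "GET /index.html HTTP/1.0" 200 1043',
]

def find_offenders(lines, threshold=3):
    """Return {ip: [(utc_time, request), ...]} for hosts with >= threshold probes."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not PROBE.search(m.group(3)):
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits[m.group(1)].append((ts.astimezone(timezone.utc), m.group(3)))
    return {ip: ev for ip, ev in hits.items() if len(ev) >= threshold}

def deny_entry(ip, acl=101):
    """Build DENY text (assumed IOS-style) for review; ValueError on a non-IPv4 host."""
    addr = ipaddress.IPv4Address(ip)  # log data is untrusted: validate before use
    return f"access-list {acl} deny ip host {addr} any"

def abuse_report(ip, events):
    """Report body with UTC timestamps so the ISP can match its own records."""
    rows = "\n".join(f"{ts:%Y-%m-%d %H:%M:%S} UTC  {req}" for ts, req in events)
    return f"Without prejudice: requests from {ip} matched probe patterns.\n{rows}"

def escalation_due(sent_at, now, contacts):
    """Contacts to mail at `now`: one more upstream hop per 48 h without a reply."""
    steps = int((now - sent_at) / HOLD_DOWN)
    return contacts[: min(steps, len(contacts) - 1) + 1]

if __name__ == "__main__":
    for ip, events in find_offenders(SAMPLE_LOG).items():
        print(deny_entry(ip))
        print(abuse_report(ip, events))
```

The deny line is only generated as text for review, and the host field is validated first because a log entry can carry a hostname or attacker-influenced content instead of an address.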

  4. #14
    Senior Member
    Join Date
    Jan 2002
    Posts
    132

    To add to what I said before ...

    Admins can also be really pissy. I just had one write me back - he took my "I'm looking to ban your user from my network" as "I will attack your user". <sigh> I guess I'll never never ever try to help out trib.com again.

    Anyway - definitely don't look to attack the cracker/hacker/guy who's had his box rooted - it'll end up badly.

    ~N~

  5. #15
    Senior Member
    Join Date
    Jan 2002
    Posts
    218
    Yes, I suppose the key is to be polite yet persistent at the same time when dealing with ISP's. Let them know you know your stuff, and you just want their cooperation in dealing with a pest. Just do not do anything that would allow them to hold you liable for anything.

  6. #16
    Junior Member
    Join Date
    Dec 2001
    Posts
    8

    Cool idea nietzsche!

    Your program idea in Perl seems to be a great idea nietzsche!!

    > HOWEVER ... I am working on a Perl script (Perl wizard I am not!) to:
    > * Auto-ban the offending IP from my network (both from the box and write a DENY entry to my border router),
    > * Post their IP and the corresponding attack attempt text to a "wall of shame" on my webpage,
    > * Send an e-mail to "abuse@<ISP>",
    > * Activate a hold-down timer on above such that if a response isn't had w/in 48 hours, it'll e-mail "abuse@<ISP>" AND "abuse@<1 hop closer to myself from ISP>" ... continue working down the line until it hits abuse@localhost ...

    I would be very glad if you send me any news about the development of your Perl script!!!
    Pi.[2]=
    11. 00100100 00111111 01101010 10001000 10000101 10100011 00001000 11010011 00010011 00011001 10001010 00101110 00000011 01110000 01110011 01000100 10100100 00001001 00111000 00100010 00101001 10011111 00110001 11010000 00001000 00101110 11111010 10011000 11101100 01001110 01101100 10001001........

  7. #17
    Senior Member
    Join Date
    Jan 2002
    Posts
    132

    Perl script

    > Your program idea in Perl seems to be a great idea nietzsche!!

    Thanks, I think so too.

    > I would be very glad if you send me any news about the development of your Perl script!!!

    Heh - I'll keep everyone informed and make it available; there's an obvious need for it, as I'm finding. HOWEVER, I am neither a professional software engineer NOR someone with loads of time. But I do hope to have something done by the end of the week - after that, school starts up again and development time will be reduced.

    Anyway - I'll keep everyone posted on this if/when it gets done!

    ~N~

  8. #18
    Junior Member
    Join Date
    Dec 2001
    Posts
    8

    Perl Script

    I don't want to brag, but I do know some about Perl programming so if you don't mind I would like to TRY to maybe enhance and develop your Perl since you will not have much spare-time for it!!
    Pi.[2]=
    11. 00100100 00111111 01101010 10001000 10000101 10100011 00001000 11010011 00010011 00011001 10001010 00101110 00000011 01110000 01110011 01000100 10100100 00001001 00111000 00100010 00101001 10011111 00110001 11010000 00001000 00101110 11111010 10011000 11101100 01001110 01101100 10001001........

  9. #19
    Senior Member
    Join Date
    Jan 2002
    Posts
    132

    Perl script

    I'd happily accept aid. Seeing as how I've not worked at all with Perl before the weekend. I'll roll something crude to teach myself about Perl a bit and do the bare minimum ... and then I'll turn it loose to be modified, improved, etc.

  10. #20
    Junior Member
    Join Date
    Jul 2001
    Posts
    15


    Contact your ISP and get all inbound traffic from his IP address blocked. They should do it. I have done it myself.
    - Voodoo
