Generally, an attacker would first break into a number of sites, keeping his/her activity on these sites to a bare minimum. After breaking into these sites, this attacker will determine which are the best sites from which to launch further attacks. Good sites would be sites which do limited logging, are located in countries which are known to have uncooperative law enforcement and/or sysadmins, or very liberal privacy laws.

Basically, launch thier simple / benign attacks (attacks which violate few laws and trip few alarms) from home, or a library, or a payphone or something, then find a better place to launch louder attacks from where the sysadmins will have difficulty finding them.

At least that's how I'd do it.

Trojans send packets to the client box when the box containing the server is online ,
right ?. Couldn't you could just use an ordinary sniffer to get the Cracker's Ip ??
Yes. But most people simply don't.