wanna be hackers

smrtmny2 · 12-07-2004, 08:57 PM

I'm not sure if this is proper place to ask this, if not I'm sorry in advance.

We have been getting increasing attempts to hack into one of our servers. We constantly do whois searches, track down the host masters of the offending IP's and email according to their guidelines, though they rarely respond back.

The problem is it appears to be the same guy over and over. When I notify the guys in charge, the attacks will increase, sometimes as many as 5 or 6 times a day. Other times just once or twice a day. Always the same guy. Always a different IP address, I assume through proxy servers.

It gets wearing dealing with the same unscrupulous character.

We installed special software that stops that person from accessing after so many tries and then blocks that IP. But his constant attacks are bothersome nonetheless.

I know there are many skilled contributors on this blog. Are there any words of wisdom from any of you as to how to handle this problem? Is there a way to track this guy down once and for all?

People like this are destructive and lack any integrity in my eyes. Any suggestions? Or are parasites like this just part of the package?

littleFella · 12-07-2004, 09:16 PM

would honeypots be of use to you guys?

imaginemn · 12-07-2004, 10:04 PM

If you are running Microsoft IIS on your Web servers, you can download and use two free tools Microsoft has developed to secure your servers: Network Security Hotfix Checker (HFNetChk) and IIS Lockdown Tool. HFNetChk checks the servers for missing IIS patches, while the IIS Lockdown Tool turns off "unnecessary features" that attackers could exploit for attacks. Because HFNetChk produces its results in raw text format, another free tool, Hotfix Reporter, converts them into HTML with links to the missing patches and additional information. You should run these tools on your test systems before applying them to your production systems to avoid any unexpected results.

For Apache users, you won't find any tools equivalent to HFNetChk or IIS Lockdown Tools for your servers. One possible reason is that most of the vulnerabilities you'll face are on the application level (e.g., PHP) rather than on the Apache server itself. But you can still refer to the Apache Security Tips for Server Configuration page or try using a tool like Snort.

Building a complete solution to manage your Web server security will take some time, but it doesn't have to cost money with the open source tools currently available. By learning how to apply and use these tools, you not only will gain a better assessment of the risks your Web servers or even your corporate network are facing, you probably also will learn what a malicious Internet user can do to your systems with these same tools. Armed with the data from your scanners, IDS, and server-monitoring tools, you will know yourself and your enemy better, thereby having better knowledge about what you should improve and what you should monitor closely.

imaginemn

smrtmny2 · 12-08-2004, 08:11 AM

Thanks imaginemn and littleFella. Honeypots? Interesting article, I'll go back and read it more in depth.

We run Linux servers using Apache. We also installed Port Monitor, Process resource manager, Brute Force Detection software and hardened the /tmp and /dev/shm against hacker attacks, along with quite a few other installs.

I was hoping there was a piece of software that could be used to attach to this guy like a marker.

He has not been successful, but his increase in attacks angers me. If people like this used their time for creative instead of destructive purposes, the world would be a better place.<end of rant>

Crichey · 12-08-2004, 04:40 PM

Quote:

Originally Posted by smrtmny2

If people like this used their time for creative instead of destructive purposes, the world would be a better place.<end of rant>

LOL. Dream on. It would be nice though, wouldn't it? Good luck getting rid of him. Probably some 13 year old kid with too much time on his hands.

habber · 12-10-2004, 12:20 PM

"Always the same guy. Always a different IP address, I assume through proxy servers."

How do you know if its the same guy if the attacks are allways attempted from diffrent ip's?. Many many hackers may be using the same list of proxy's also.

Also, you do not mention what the nature of these attempted attacks are. Chances are your site was posted on a hacking forum and is being checked by multiple hacker/crackers. However if it is just one person attempting the attacks it shouldnt be hard to find him/her. Just keep checking those anonomus proxys until one of them spills the real ip (happens all the time).

My guesse is, when you contact the actual ISP of the attacker, the attacks will stop. Contacting proxy servers is almost useless, they are notoriously un-helpfull, which may be why hackers use them.

"I was hoping there was a piece of software that could be used to attach to this guy like a marker."

Wow, like a legal version of a trojan you mean?. I am unaware of anything like this, thank the gods.

I hope everything works out for you smrtmny2. Watch those access logs closely.

Dingodilelover · 12-27-2004, 07:37 PM

Actually, he is not a hacker, he is a CRACKER. A hacker is good and creates things; crackers destroy them.