08-25-2007, 07:50 PM #1 Newbie (Join Date: Mar 2007, Posts: 13)
Help Needed Dealing With A Persistent Hacker
I was checking my business server's IIS errors logs when I ran across the following error:
2007-05-19 08:21:10 00.000.000.00 2243 00.000.000.000 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
Additional information about those responsible for the hack attempts is as follows (retrieved from domaintools.com):
CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27
Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo, and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP; however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hour's drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.
Has anyone here had any similar experiences?
What do you think AT&T Yahoo's response will be?
Is there anything else I can do or should not do?
I am also considering reimaging my server because of system issues but I am concerned that would erase any information needed for investigative purposes. I have saved my log files, though, on a CD but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.
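The log line quoted above has the layout of the HTTP.sys HTTPERR log (date, time, c-ip, c-port, s-ip, s-port, cs-version, cs-method, cs-uri, sc-status, s-siteid, s-reason, s-queuename); the "Hostname" reason means HTTP.sys rejected the request for a bad Host header before IIS ever saw it. The following is an added example, not code posted by anyone in this thread: it parses HTTPERR-style lines, flags the DFind probe path, and summarises hits per client IP (count, first and last seen), which is the kind of summary an abuse desk wants alongside the raw lines. The sample log and its 192.0.2.x addresses are constructed.

```python
# Added example (not from the thread): parse HTTP.sys HTTPERR-style lines,
# flag known scanner probes in cs-uri, and summarise them per client IP.
from datetime import datetime

# Default HTTPERR field order; a "#Fields:" header line in the log overrides it.
DEFAULT_FIELDS = ("date time c-ip c-port s-ip s-port cs-version cs-method "
                  "cs-uri sc-status s-siteid s-reason s-queuename").split()

# Probe paths to look for in cs-uri (the DFind path is the one from the thread).
PROBE_SIGNATURES = {"/w00tw00t.at.ISC.SANS.DFind": "DFind scanner"}

# Constructed sample log; IPs are from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """#Software: Microsoft HTTP API 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2007-05-19 08:21:10 192.0.2.10 2243 192.0.2.1 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
2007-05-19 08:21:11 192.0.2.10 2244 192.0.2.1 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
2007-05-20 13:02:45 192.0.2.77 1089 192.0.2.1 80 HTTP/1.1 GET / 400 - Hostname -
2007-05-21 02:15:09 192.0.2.10 3310 192.0.2.1 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind 400 - Hostname -
"""

def parse_httperr(text):
    """Yield one dict per log record, honouring any #Fields header present."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated or odd lines
                yield dict(zip(fields, parts))

def probe_summary(text):
    """Return {c-ip: {"count", "first", "last", "tools"}} for flagged requests."""
    hits = {}
    for rec in parse_httperr(text):
        tool = PROBE_SIGNATURES.get(rec["cs-uri"])
        if tool is None:
            continue
        seen = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entry = hits.setdefault(rec["c-ip"], {"count": 0, "first": seen, "last": seen, "tools": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], seen)
        entry["last"] = max(entry["last"], seen)
        entry["tools"].add(tool)
    return hits

if __name__ == "__main__":
    for ip, e in probe_summary(SAMPLE_LOG).items():
        print(f"{ip}: {e['count']} probe(s), {e['first']} .. {e['last']}, {sorted(e['tools'])}")
```

Point it at a real HTTPERR file and the per-IP summary plus the matching raw lines is what to attach to the abuse@ report.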
-
08-26-2007, 12:14 AM #2 Web Hosting Master (Join Date: Mar 2002, Location: Orlando, FL, Posts: 12,207)
Send email to abuse@ whoever the IP belongs to. Follow their instructions. Be prepared to send them raw access logs.
-
08-26-2007, 01:07 AM #3 Web Hosting Master (Join Date: Jun 2006, Location: NYC / Memphis, TN, Posts: 1,454)
I am guessing you removed the IP. I would recommend, if it is a DSL/cable residential connection, banning the subnet for the time being while it is being resolved.
Or at least filter that single IP at your router. Send an email to abuse with all of the information you can find and cross your fingers that they get to it in a timely manner.
-
08-26-2007, 01:46 AM #4 Newbie (Join Date: Aug 2007, Posts: 11)
It's easy to get around IP banning, simply by using proxies as you stated. webmasterworld.com also has some material on how you can protect yourself from hackers. Can't you just put the user agent in the .htaccess file? VoidEYE is another hacking tool to find vulnerabilities, so I put
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [NC,OR]
-
08-26-2007, 02:47 AM #5 Newbie (Join Date: Mar 2007, Posts: 13)
The IP in question also leads to an Under Construction page residing on... IIS? So this appears to be coming from another web server.
-
08-26-2007, 07:05 PM #6 Junior Guru Wannabe (Join Date: Aug 2007, Location: Brighton, UK, Posts: 66)
I wouldn't worry too much about anyone scanning your server with "hacking" tools as long as you're confident you've applied all the recent patches etc.
As a web hosting company we get hundreds of scans by such tools every week - our servers are kept secure so they never find a way in. It's the actual serious hackers who you should be worried about - the ones who have more tricks in their arsenal than a bunch of Windows programs they downloaded from a 31337 warez website.
We don't even bother taking any action against people who scan our systems with security tools, if we did we'd have to employ someone just to sit there all day writing e-mails to abuse@ addresses - I just see them as a reminder to make sure the servers are fully patched. There's not much point trying to block them either - if they're not smart enough to use a proxy or some other technique to get around your ban, they're probably not smart enough to get into your server anyway.
Try not to let the media's hysteria about hackers worry you.
-
08-27-2007, 12:24 AM #7 Newbie (Join Date: Mar 2007, Posts: 13)
Thanks Kieran. I get wannabe hackers trying to get in all the time too, and I realize how many there are out there, but I'm concerned about it being a personal issue since it's coming from a local IP.
It's a long story, but I had a client a while back with an extremely over-inflated ego, which I had no choice but to deflate. So now I'm thinking this local IP and subsequent attacks are failed attempts at retaliation.
Background:
A few months after I had started working with this guy I find out he's heavily medicated with psych drugs, which according to him, cause him to "completely lose his self-control and temper". Later, I learn this heavily medicated client has a closet full of guns and ammo. A few months later he had put me in a position in which I had no choice but to end all of my business relations with him.
So, I am really trying to find out whether this is some random wannabe hacker or a heavily medicated and disgruntled former client trying his best at some sort of e-retaliation.
-
08-27-2007, 05:47 AM #8 Junior Guru Wannabe (Join Date: Aug 2007, Location: Brighton, UK, Posts: 66)
Ah, now I understand your concern.
We've had trouble with persistent people who get a chip on their shoulder for some reason or other but as we're an internet-only company we never meet our customers face-to-face so the threat is a little less real than what you describe.
On the occasions when I have contacted ISP abuse addresses, I've rarely got a response of any kind. I think most probably have some kind of policy to say that they do nothing until they receive above a certain number of independent complaints. Some ISPs seem to just direct abuse notifications straight into the bin. I can't speak for ATT+Yahoo as I have not dealt with them myself.
As a web host, when we receive abuse complaints we act on them immediately, partly because it's the right thing to do, partly because it's required of us by our dedicated server provider. Our investigations are pretty basic: if one of our customers is accused of doing something that is either illegal or against our ToS, we have a look through their files and our log files for evidence of the abuse. If we find any, we close their account; if we don't, we wait for further complaints.
I think you'll have a hard time getting anyone to investigate your problem until a security breach actually occurs. That's not to say that attempting to gain unauthorized access isn't illegal in itself (depending on where you live), but that actually gaining access and using it to cause harm is significantly more illegal.
The ISP themselves may investigate, but the worst they're likely to do will be to close the customer's account, in which case you'll probably just piss him off further and he'll go to another ISP and start again.
I'd say that unless a breach occurs, there's no point keeping a forensic copy of your server - nobody will want to see it until there's actually a breach. Just make sure your system is well backed-up so that if a breach does occur, you can recover your business without touching the original server.
The other thing I'd say is that if you feel yourself to be in physical danger you should notify your local police department irrespective of whether a hack attempt is successful or not. For now I think the best thing to do is to protect your server(s) but otherwise do nothing to avoid the risk of antagonising this person further. It's easy to get drawn into disputes with people especially when there is a previous history but it sounds to me like this guy is best left to forget about you and find a new target for his anger.
-
08-27-2007, 06:25 PM #9 Junior Guru Wannabe (Join Date: Aug 2007, Posts: 57)
99% of these scans come from compromised systems; someone clicked the trojan from an e-mail, a web site, etc, or a server was running vulnerable software (where the "hack" succeeded), and it installed itself and is now scanning for more vulnerable servers.
In other words, viruses, worms and trojans, with emphasis on worms for server IPs and viruses/trojans on home user IPs. Just read up on the nasties of recent years like "Code Red".
More than likely, the IP is a coincidence, you just have heightened paranoia. As Kieran said, make sure your server is up-to-date and protected... chances are, there's nobody at the keyboard, when these log entries are being generated.