Trying to figure out a hacker...
Dear Susers,

Yesterday morning, I experienced my very first attempt of a hacker trying to sneak into my system. I have a SuSE 9.1, fully patched, acting as a web server for a small company.

The user tried to ssh into my box, but since I have disabled keyboard interaction and only work with public keys, the hacker didn't have too much of a chance to play around...

I have his IP and ran a tracepath on it. After node 19, for which I got some IP indication, I ended up with the following messages:

20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500

Can someone help me out here? Can someone explain why I see "no reply" in this tracepath?

Any good ideas how I can find who this person is via IP?

Thanx.
Chris
The Thursday 2004-09-16 at 10:23 +0300, Chris Roubekas wrote:
Can someone help me out here? Can someone explain why I see "no reply" in this tracepath??
I'm not familiar with tracepath, try traceroute. However, the man page says this:

    tracepath6 is good replacement for traceroute6 and classic example of application of Linux error queues. The situation with tracepath is worse, because commercial IP routers do not return enough information in icmp error messages. Probably, it will change, when they will be updated. For now it uses Van Jacobson's trick, sweeping a range of UDP ports to maintain trace history.

That's probably the reason for the empty information for most nodes.
Any good ideas how I can find who this person is via IP??
Whois command?

--
Cheers,
Carlos Robinson
Hi Chris,

With any traceroute utility, all you are doing is discovering the path of how a packet would travel from YOU to a specific IP. It does not, however, tell you where your hacker came from.

But the IP itself says a lot about the hacker. There is a good chance that he/she is not operating from that IP, but is rather using a compromised server/switch. SOMEBODY is responsible for that IP, and I am sure they would want to know about it if a hacker was using it, since it is a liability for them.

Simply do a whois on that IP (not the resolved DNS name) to discover who is responsible for that IP; then you can contact that responsible party and let them know that hacker activity has been seen coming from that IP. Be prepared to give full details about the type of intrusion, time of day, how frequent, and what kind of actual damage has been caused by this.

I have been securing networks for quite some time, and I have to tell you that sometimes it is more hassle than it is worth to chase the one-offs. If you have a persistent problem, that is when I would follow the instructions that I have provided above.

Your best defense is just to make your network as formidable as possible, and try not to bring too much attention to it. And make sure nobody has compromised YOUR systems, because as you can see, it brings attention to your networks.

Hope this helps!

Best Regards,
Art Perry

On Thu, 16 Sep 2004, Chris Roubekas wrote:
Dear Susers,

Yesterday morning, I experienced my very first attempt of a hacker trying to sneak into my system. I have a SuSE 9.1, fully patched, acting as a web server for a small company.

The user tried to ssh into my box, but since I have disabled keyboard interaction and only work with public keys, the hacker didn't have too much of a chance to play around...

I have his IP and ran a tracepath on it. After node 19, for which I got some IP indication, I ended up with the following messages:

20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500

Can someone help me out here? Can someone explain why I see "no reply" in this tracepath?

Any good ideas how I can find who this person is via IP?

Thanx.
Chris
Arthur Perry
Linux Systems/Software Architect
Lead Linux Engineer
CSU Validation Group
Celestica, Salem, NH
aperry@celestica.com
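The two pieces of advice in this thread, Carlos's "whois" and Art's "whois the IP, not the name, then send the responsible party full details (type of intrusion, time of day, how frequent)", boil down to a small amount of scripting. The script below is an added example, not code posted by anyone in the thread. It works entirely on constructed samples: a handful of syslog lines modelled loosely on what OpenSSH 3.x logs for a probe against a key-only server, and a fabricated RIPE-style whois record. The address 192.0.2.45 is a documentation address, not the poster's attacker, and the field names it looks for (abuse-mailbox, OrgAbuseEmail) are the ones RIPE and ARIN use for the abuse contact; the fallback to any "abuse@" address is an assumption for registries that only mention it in remarks.

```shell
#!/bin/sh
# Added example (not from the thread): summarise failed sshd logins per
# source IP and pull the abuse contact out of a whois reply, so the report
# Art describes (IP, what happened, first/last time, how often) can be
# assembled from the logs instead of from memory.

# Constructed sample syslog lines. With PasswordAuthentication off and
# keys only, a scanner never gets further than identification/user probes.
# 192.0.2.45 is a documentation address, not a real attacker.
SAMPLE_LOG='Sep 15 06:12:03 web sshd[4821]: Did not receive identification string from 192.0.2.45
Sep 15 06:12:41 web sshd[4830]: Invalid user admin from 192.0.2.45
Sep 15 06:12:44 web sshd[4832]: Invalid user test from 192.0.2.45
Sep 15 06:13:10 web sshd[4835]: Illegal user oracle from 192.0.2.45
Sep 15 06:13:12 web sshd[4835]: Failed publickey for illegal user oracle from 192.0.2.45 port 3391 ssh2
Sep 15 07:01:55 web sshd[4901]: Accepted publickey for chris from 198.51.100.7 port 51022 ssh2'

# Constructed sample whois record in RIPE style (fabricated, not a real netblock).
SAMPLE_WHOIS='inetnum:       192.0.2.0 - 192.0.2.255
netname:       EXAMPLE-NET
descr:         Example Hosting (constructed sample)
country:       XX
admin-c:       EX123-RIPE
abuse-mailbox: abuse@example.net
remarks:       Abuse reports to abuse@example.net
source:        RIPE'

# ssh_attempt_summary <syslog text>
# Prints one line per source IP that produced a failed/probe sshd message:
#   <ip> <count> <first timestamp> <last timestamp>
# Successful logins ("Accepted ...") are deliberately not counted.
ssh_attempt_summary() {
    printf '%s\n' "$1" |
    awk '/sshd\[/ && /(Invalid user|Illegal user|Failed |Did not receive identification string)/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            ts = $1 " " $2 " " $3          # syslog month, day, time
            if (!(ip in count)) first[ip] = ts
            last[ip] = ts
            count[ip]++
        }
        END { for (ip in count) print ip, count[ip], first[ip], last[ip] }'
}

# abuse_contact <whois text>
# Prefers the registry abuse field (abuse-mailbox: at RIPE/APNIC,
# OrgAbuseEmail: at ARIN); otherwise falls back to the first address
# containing "abuse" anywhere in the record. Returns 1 if nothing found.
abuse_contact() {
    contact=$(printf '%s\n' "$1" |
        awk 'tolower($1) ~ /^(abuse-mailbox|orgabuseemail):$/ { print $2; exit }')
    if [ -z "$contact" ]; then
        contact=$(printf '%s\n' "$1" |
            grep -o -i '[a-z0-9._-]*abuse[a-z0-9._-]*@[a-z0-9.-]*' | head -n 1)
    fi
    [ -n "$contact" ] && printf '%s\n' "$contact"
}

# Demo on the constructed samples. On a live box you would feed
# "grep sshd /var/log/messages" and "whois <ip>" instead.
ssh_attempt_summary "$SAMPLE_LOG"
abuse_contact "$SAMPLE_WHOIS"
```

Note that the whois lookup is done on the IP address itself, as Art says; a reverse DNS name is controlled by whoever runs that address block's PTR records and proves nothing. Also keep the raw log lines for the report, since the summary line alone is not evidence.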