Full Version: Tracing Back
shadowdancer123
Hi,
On my Windows server, I'm getting lots of alerts saying somebody is trying to brute-force my admin account. When I tried tracing that IP, I came to know that it's a Linux box with Nessus installed on it. There is no other information available. Except the Nessus port, no other port is open on that machine. Can someone tell me if there is any tool which can help me track this user?

Regards

Shadow
JohnDoe69
I'm going to assume you have their IP. If you do, just do a whois on the IP; you'll probably see an abuse address. Email that with the IP, date and time, and the relevant sections of your log.
dragonfly
Yes, just send a message to abuse@ISP.com

(lol, lots of hackers here who send abuse messages)
SCVirus
Get a firewall to completely block their IP, report them to their ISP, and make a fake password so when they crack it they end up in a nice black hole that mocks them.
Steffan
Install a honeypot and play with this guy

That's what I would do...

C'ya
Steven
shadowdancer123
Thanks for all the replies. But I actually want to catch this attacker with this much of limited knowledge.
JohnDoe69
Catching the hacker is simple, just take a look at the logs in Control Panel, Admin Tool, Logs (IIRC) and do:
whois ip.addr.goes.here
then send a letter of complaint to the abuse address in the email, for example
...snip....
remarks: for abuse abuse@tiscali.nl
....snip....
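
Added example, not part of the original posts: one way to collect the "IP, Date&Time and the relevant sections of your log" for an abuse report, with timestamps converted to UTC so the ISP can match them against its own records. The CSV layout, field names and sample rows are constructed assumptions, not a real Windows export format.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows; the column layout is an assumed export format.
# IPs are from documentation ranges (RFC 5737); times are server-local.
SAMPLE_EXPORT = """\
time_local,event,account,source_ip
2004-02-23 23:58:40,logon_failure,Administrator,203.0.113.45
2004-02-23 23:59:10,logon_failure,Administrator,203.0.113.45
2004-02-24 00:00:05,logon_failure,admin,203.0.113.45
2004-02-24 00:00:31,logon_failure,Administrator,203.0.113.45
2004-02-24 00:03:12,logon_success,jsmith,192.0.2.10
2004-02-24 00:07:50,logon_failure,jsmith,192.0.2.10
"""

def summarize_failures(export_text, utc_offset_hours, min_attempts=3):
    """Group failed logons by source IP and keep only repeated offenders."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    by_ip = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event"] != "logon_failure":
            continue
        local = datetime.strptime(row["time_local"], "%Y-%m-%d %H:%M:%S")
        # Attach the server's offset, then normalize to UTC for the report.
        when = local.replace(tzinfo=tz).astimezone(timezone.utc)
        by_ip[row["source_ip"]].append((when, row["account"]))
    report = {}
    for ip, hits in by_ip.items():
        if len(hits) < min_attempts:   # a single typo is not brute force
            continue
        hits.sort()
        report[ip] = {
            "attempts": len(hits),
            "first_utc": hits[0][0].strftime("%Y-%m-%d %H:%M:%SZ"),
            "last_utc": hits[-1][0].strftime("%Y-%m-%d %H:%M:%SZ"),
            "accounts": sorted({account for _, account in hits}),
        }
    return report

def format_abuse_mail(ip, ev):
    """Render the evidence block to paste into the mail to the abuse address."""
    return (f"Source IP: {ip}\n"
            f"Failed logons: {ev['attempts']} between {ev['first_utc']} "
            f"and {ev['last_utc']} (UTC)\n"
            f"Targeted accounts: {', '.join(ev['accounts'])}\n")

if __name__ == "__main__":
    for ip, ev in summarize_failures(SAMPLE_EXPORT, utc_offset_hours=1).items():
        print(format_abuse_mail(ip, ev))
```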
DumpZ
Well, I would doubt there's any use in sending a mail to abuse@isp.domain, because most hackers use proxy(chains) or wingates to hack. And I doubt that the ISP will try to trace it back to the source.
SCVirus
Well, that's a Nessus server. That means someone's set up their box to let anyone scan from it, or he leaves it running all the time. If the first is true you can get the server shut down and stop worrying for a while; if the latter is true you have him caught now.
gman24
QUOTE (Steffan @ Feb 24 2004, 02:56 AM)
Install a honeypot and play with this guy

That's what I would do...

C'ya
Steven

That would be a good idea, but limited information can be obtained through most of those honeypots you install.

The most information can be obtained through a honeynet. Set aside a piece of the network for him to break into. Separate that network from the rest of yours. Give the computers write access only to a share on another computer that is secured, so it can write logs off the honeynet in case of demolition of the honeynet computers, but the data can't be deleted or modified. A safer way is to make a program that sends the information to a comp and a program on that side to process it, giving the attacker not even write access to any shares. Also run a sniffer for all data on that honeynet.

You're taking a risk, but taking precautions like separating it from the rest of the network (through a firewall and/or subnet mask as well as other ways) will make it a little harder. This may be a script kiddie, also may not be. Try to make it look as close to the original network from the outside as you can.

Switch the IP of the server getting brute forced if you can; changes might have to be made to the rest of the network. Give a server computer in the honeynet that IP, and give it an easy password. You can even leave it unpatched if you want to make it easier for him to break into.

Pretend you don't notice the attack, and watch his activities.

Some attackers give away information on compromised computers, contacting friends, making mistakes thinking they can cover their tracks because they have control. If the honeypot is discovered, the data is stored safely on a computer out of the honeynet.

This way is a bit more expensive and time consuming though; it depends on how badly you want to catch the guy. A honeynet also lets you establish his intentions. No need to prosecute a harmless guy, costs money.