Internet.com ISP-Planet
ISP Business

To Catch a Hacker

On the ISP-Security list in January, JPM asked for guidance in tracking down a hacker:

"Our ISP was hacked by an individual who did numerous Denial of Service (DoS) attacks, totally ruined our mail server, hacked other ISPs from the server, and took out our router configuration. The bash history survived. Everything is almost back to normal, but we need help finding this guy. What do we do next?"

One respondent expressed doubt about the surviving bash history:

[MBH wrote] "You wouldn't trust a binary left by the attacker; don't trust a log either. It could be a fake left there to mislead you, or the log might show six Trojans planted while three others were left out of the logs."

[RP agreed, adding this point] "The problem with a bash log is that while it tells you what they did, it probably doesn't give you any info on where they were from or who they are. If they used the FTP to get to anything, that is a good clue and should be in the history as an 'arg.'"

Plenty of respondents had suggestions about what action to take:

[GMAN wrote] "I'd suggest installing Psionic Software's Port Sentry. It'll detect Portscan and can block all traffic from the hacker's IP address."

[DR suggested] "Your best bet would be to start the server over from scratch."

[JL wrote] "Unless you want to totally lock down your box, I suggest writing a quick script using md5sum(1). Then exchange all of your suid binaries for ones that you know are absolutely safe, and take a checksum of them. Have it run at boot or at various times during the day so you can feel a little bit safer."
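
An added example, not code from the list or from any respondent, of the checksum approach JL describes: it records a baseline of the digests of all setuid/setgid binaries and later verifies that none has changed, disappeared, or been added. It uses sha256sum in place of md5sum because MD5 is no longer collision-resistant; the DIGEST variable, the function names, and the reliance on GNU coreutils (`sha256sum -c --quiet`) and `find -perm` are assumptions of this script. The baseline file only means something if it is kept where the intruder cannot rewrite it (read-only media or another host).

```sh
#!/bin/sh
# Added example, not from the ISP-Security list: baseline-and-verify for
# setuid/setgid binaries. sha256sum replaces the md5sum in the post.
# Assumptions: GNU coreutils, find(1) with -perm, paths without newlines,
# and a baseline stored where the attacker cannot write.

DIGEST="${DIGEST:-sha256sum}"   # digest tool; e.g. DIGEST=md5sum to match the post

# list_suid ROOT... : sorted setuid/setgid regular files under ROOT(s),
# without crossing into other mounted filesystems
list_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# make_baseline BASELINE ROOT... : write one "digest  path" line per suid file.
# Only run this against binaries you trust (freshly reinstalled from clean media).
make_baseline() {
    base="$1"; shift
    list_suid "$@" | while IFS= read -r f; do
        "$DIGEST" "$f"
    done > "$base"
}

# verify_baseline BASELINE ROOT... : return 0 when every recorded binary still
# has its recorded digest and no new suid/sgid file exists; otherwise print an
# ALERT line per problem and return 1.
verify_baseline() {
    base="$1"; shift
    status=0
    # 1. Changed or missing binaries: -c reports one FAILED line per mismatch
    if [ -s "$base" ] && ! "$DIGEST" -c --quiet "$base" >/dev/null 2>&1; then
        "$DIGEST" -c --quiet "$base" 2>&1 | sed 's/^/ALERT changed or missing: /'
        status=1
    fi
    # 2. New suid/sgid files that the baseline never recorded
    tmp=$(mktemp) || return 2
    sed 's/^[0-9a-fA-F]*  //' "$base" | sort > "$tmp"     # recorded paths
    list_suid "$@" | comm -13 "$tmp" - > "$tmp.new"       # current minus recorded
    if [ -s "$tmp.new" ]; then
        sed 's/^/ALERT new suid\/sgid file: /' "$tmp.new"
        status=1
    fi
    rm -f "$tmp" "$tmp.new"
    return $status
}

# Usage: suidcheck.sh baseline BASELINE_FILE ROOT...   (once, on a clean system)
#        suidcheck.sh verify   BASELINE_FILE ROOT...   (from cron, at boot, etc.)
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    verify)   shift; verify_baseline "$@" ;;
esac
```

Run `verify` from cron several times a day, as JL suggests, and have it mail or syslog its ALERT lines. A nonzero exit means either a recorded binary was altered or removed, or a setuid/setgid file appeared that was not there when the baseline was taken, which is exactly the class of change a planted Trojan produces.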

One respondent suggested taking more radical action:

[MBH opined] "Trying to fix a hacked system destroys confidence in the system evidence if the case ever goes to court. The best plan is to pull out the hard drives, replace them with new ones, reinstall, and try to get your systems back online. It is important to figure out what went wrong, but step lightly during your post-mortem on the rooted systems."

A number of respondents stressed the need to read up on security issues:

[Validus wrote] "To help prevent future attacks, read all the CERT advisories you can. They are quite aware of the newest exploits and attacks that many hackers use."

[RW countered] "While CERT advisories are great sources of information, they're usually a bit old by the time they're issued; a couple of weeks can be a long time in this situation. Subscribe to SecurityFocus.com's Bugtraq list."

[Ed. Note: Security Focus offers a number of online security-related tools, articles and information.]

A number of respondents were in favor of contacting the authorities:

[RP wrote] "If you can identify the system, contact the system administrator to let them know they are being used. They may be able to track the hacker on their outgoing ftp logs. Or hand the information to the FBI."

[JL replied] "Contacting the FBI will be a waste of time. If this hacker had half a clue he'd have used loadable kernel modules to hide his activities."

[TJ countered] "Contacting the FBI about a hacker that cracked into ISPs and is doing DoS attacks against others is a waste of time? That's not what the local FBI office told me when I contacted them about security breaches at more than one site. They're very interested."
