Re: hacker tracking
On Mon, 19 Jun 2017 08:00:30 -0700
Mike McClain wrote:

> On Sun, Jun 18, 2017 at 08:05:41PM -0500, John Hasler wrote:
> > The hits are coming from bots running on cracked computers. The
> > botnet operators control them through several layers of indirection.
> >
> > I suspect that a majority of the Windows boxes in the world may be
> > under the control of botnets.
> > --
> > John Hasler
> > jhas...@newsguy.com
> > Elmwood, WI USA
>
> Hi John,
> If I understand correctly you're saying that for someone with my
> limited knowledge and abilities, this is an exercise in futility since
> most IP addresses I collect will not be those of hackers but rather
> of those already hacked.

I don't think your abilities matter; nobody can look at an IP address
and divine the real origin of the problem. Almost all (you should hope
'all') of these probes will be coming from dumb software running on the
hacked machines, and occasionally reporting back to base.

> Since you've brought that idea to my attention it makes sense to
> me but is somewhat depressing.

But even a basic firewall will keep out the rubbish. As long as you're
not a high-profile target, you can expect not to come to the attention
of any real hackers.

I used to keep a log of this stuff, with a simple script to count the
port accesses per day, just out of curiosity. A sudden increase in
connections to a port usually meant a new vulnerability found in one of
the applications which used it. But my current router seems to have no
logging and definitely no syslog ability, so I haven't been doing it
for a while.

On the whole, unwanted visitors are invited in these days, with offers
or appeals to human wants. Also, poorly defended web servers can have
dangerous links embedded in the pages. And more recently, the Internet
of Things has been spreading rudimentary web servers with poor security
all around the world... just stay alert.

--
Joe
Re: hacker tracking
On Sun, Jun 18, 2017 at 07:26:01PM -0700, John Conover wrote:
> Hi Mike. You are running stateful NAT, (stateful Network Address
> Translation on your modem/router,) right? Also, your modem/router
> should not be responding to ping(1)/icmp/ident packets since you do
> not allow remote/external access. Might try:

I'm not up on the term but my firewall drops packets from anyone with
whom I didn't initiate the connection. Is that 'stateful NAT'?

> https://www.grc.com/x/ne.dll?bh0bkyd2

I've been checking my firewall with grc.com ever since I felt the need
for a firewall and grc.com says I'm fully stealthed.

> for starters to find out, (or better, nmap(1) if you have access to an
> external shell account.)

Nope, no such account, but thanks for sharing your ideas.

> John
> --
> John Conover, cono...@rahul.net, http://www.johncon.com/

Mike
--
"Why fit in when you can stand out?" - Dr. Seuss
Re: hacker tracking
On Sun, Jun 18, 2017 at 08:05:41PM -0500, John Hasler wrote:
> The hits are coming from bots running on cracked computers. The botnet
> operators control them through several layers of indirection.
>
> I suspect that a majority of the Windows boxes in the world may be under
> the control of botnets.
> --
> John Hasler
> jhas...@newsguy.com
> Elmwood, WI USA

Hi John,
If I understand correctly you're saying that for someone with my
limited knowledge and abilities, this is an exercise in futility since
most IP addresses I collect will not be those of hackers but rather
of those already hacked.
Since you've brought that idea to my attention it makes sense to
me but is somewhat depressing.
Oh well, knowledge is power. Thank you for enlightening me.

Mike
--
"Why fit in when you can stand out?" - Dr. Seuss
Re: hacker tracking
Hi Mike. You are running stateful NAT, (stateful Network Address
Translation on your modem/router,) right? Also, your modem/router
should not be responding to ping(1)/icmp/ident packets since you do
not allow remote/external access. Might try:

https://www.grc.com/x/ne.dll?bh0bkyd2

for starters to find out, (or better, nmap(1) if you have access to an
external shell account.)

John

Mike McClain writes:
> I must admit to being surprised at the quantity of attempts to
> hack into my computer. It only took a couple of days before I started
> rotating those logs to keep the size down. I'm getting from 20,000 to
> over a million hits a day on a computer that's only online 3-4 hours a
> day and often much less.
> . . .
>
> I suspect I'm not the only one who is interested in this exploration
> and hope some of you can share tips to carry it further.
>
--
John Conover, cono...@rahul.net, http://www.johncon.com/
Re: hacker tracking
The hits are coming from bots running on cracked computers. The botnet
operators control them through several layers of indirection.

I suspect that a majority of the Windows boxes in the world may be
under the control of botnets.
--
John Hasler
jhas...@newsguy.com
Elmwood, WI USA
hacker tracking
First let me say that according to my IDS I haven't been hacked. I
don't have a website or run any servers for off-site access. Just an
individual with an ATT internet connection.

All the flak in the news lately about Russian hacking and Putin's
denials got me curious and I enabled my firewall to start logging
dropped incoming packets.

I must admit to being surprised at the quantity of attempts to
hack into my computer. It only took a couple of days before I started
rotating those logs to keep the size down. I'm getting from 20,000 to
over a million hits a day on a computer that's only online 3-4 hours a
day and often much less.

By doing 'whois' lookups on the source IP of the dropped packets I've
built a database of the IP, country, inetnum/route and hit count. Now
as I go through yesterday's log most hits fall into previously seen
routes, greatly reducing the number of 'whois' lookups.

Using the same program to read the logs, compile the database and pull
various relations from the data I've seen some surprising things.

These are the countries most often showing up in the logs:

    mike@/deb73:~> perl/hackers.pl -s | awk '$1>100'
    hitcount, country, numIPs
    646 US 373
    636 CN 513
    562 IE 6
    153 RU 107
    143 FR 40
    108 IN 83

In order, the 2 letter codes detailed in ISO-3166 equate to: the
United States, China, Ireland, Russia, France and India.

Notice that Ireland, which has the third highest hits, has only 6
unique IPs.

    mike@/deb73:~> perl/hackers.pl -c IE
    CountryRoutes(IE), numHits
    86.40.0.0/15, 1
    87.198.0.0/16, 1
    91.230.47.0/24, 560

The most hits from Ireland come from a single route.

    mike@/deb73:~> perl/hackers.pl -r 91.230.47.0/24
    routeIPs(91.230.47.0/24), numHits
    91.230.47.3, 13
    91.230.47.37, 24
    91.230.47.38, 522
    91.230.47.4, 1

It would seem likely that all of these are from the same person and in
fact the packet info logged includes the MAC address which verifies
that this is all one hacker. Browsing the logs has shown me that the
MAC address can be spoofed.

One day I was getting hit every 6 seconds by IP addresses that spread
across the range of the IP block while the MAC address varied by a
character or 2. I'd appreciate a pointer to an algorithm that would
compare 2 strings (MAC addresses) and give a congruity percentage.

I've gotten hit by one source address that the RIR in Brasil lists as
unassigned. I'm totally bewildered by this as I can see no way any
hacker could ever get a response. Perhaps there was something in the
rest of the packet that could have given them access? Only the header
of the packet gets logged so I'll never know.

There are several IPs from Japan that 'whois' doesn't return an
inetnum/route for.

I suspect I'm not the only one who is interested in this exploration
and hope some of you can share tips to carry it further.

Thanks,
Mike
--
Your talent is God's gift to you.
What you do with it is your gift back to God.
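An added example, not Mike's hackers.pl and not code posted by anyone in this thread, that does in Python what Mike's original post and Joe's reply describe: it parses the lines the iptables LOG target writes to syslog for dropped packets, counts hits per source IP (the basis of Mike's database), counts hits per destination port per day and flags a port whose count jumps (Joe's script), and scores how alike two MAC strings are, the "congruity percentage" Mike asked for, as the share of hex digits that agree position by position (fixed-length strings, so a Hamming-style comparison fits better than an edit distance). The log lines are constructed here in the LOG target's format; the host name, addresses, MACs and the "DROP " prefix are assumptions. One fact worth keeping in mind when reading the MAC= field of such a line: it holds the destination MAC, then the source MAC of the last link-layer hop (the modem or router in front of the machine), then the ethertype, so the source MAC identifies that hop, not the remote sender, and the similarity score can group log lines but not attribute them.

```python
"""Added example: aggregate iptables LOG lines for dropped packets and compare MACs."""
import re
from collections import Counter, defaultdict, namedtuple

Record = namedtuple("Record", "day src dst proto dpt src_mac")

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# After the log prefix, an iptables LOG line is a run of KEY=VALUE fields.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a Record for one syslog line from the iptables LOG target, else None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in MONTHS:
        return None
    kv = dict(KV_RE.findall(line))
    if "SRC" not in kv or "DST" not in kv:
        return None  # some other kernel message, not a packet log line
    # MAC= holds 14 octets: 6 destination, 6 source (the last hop), 2 ethertype.
    octets = kv.get("MAC", "").split(":")
    src_mac = ":".join(octets[6:12]) if len(octets) == 14 else None
    dpt = int(kv["DPT"]) if "DPT" in kv else None
    return Record((MONTHS[parts[0]], int(parts[1])), kv["SRC"], kv["DST"],
                  kv.get("PROTO"), dpt, src_mac)


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def hits_per_ip(records):
    """Hit count per source address, the first column of Mike's database."""
    return Counter(r.src for r in records)


def port_hits_per_day(records):
    """{(month, day): Counter({dst_port: hits})}, Joe's per-day port counts."""
    daily = defaultdict(Counter)
    for r in records:
        if r.dpt is not None:
            daily[r.day][r.dpt] += 1
    return daily


def port_spikes(records, factor=3.0, min_hits=3):
    """Ports whose hits on a day reach `factor` times the previous logged day's
    count (a port unseen the day before counts as 1 for the ratio)."""
    daily = port_hits_per_day(records)
    days = sorted(daily)
    spikes = []
    for prev_day, day in zip(days, days[1:]):
        for port, count in sorted(daily[day].items()):
            prev = daily[prev_day][port]
            if count >= min_hits and count >= factor * max(prev, 1):
                spikes.append((day, port, count, prev))
    return spikes


def mac_similarity(a, b):
    """Percentage of hex digits that agree position by position; separators
    and case are ignored, so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    da = re.sub(r"[^0-9a-f]", "", a.lower())
    db = re.sub(r"[^0-9a-f]", "", b.lower())
    if not da or len(da) != len(db):
        raise ValueError("MAC strings must be the same non-zero length")
    same = sum(x == y for x, y in zip(da, db))
    return round(100.0 * same / len(da), 1)


def _line(day, src, dpt, src_mac="aa:bb:cc:dd:ee:01"):
    """Constructed syslog line in the iptables LOG format with a 'DROP ' prefix."""
    return (f"Jun {day} 10:01:02 deb73 kernel: [ 1234.567890] DROP IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:{src_mac}:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample: two days of drops; port 1433 goes from unseen to 5 hits.
SAMPLE_LOG = "\n".join([
    _line(18, "91.230.47.38", 23), _line(18, "91.230.47.38", 23),
    _line(18, "203.0.113.7", 445),
    _line(19, "91.230.47.38", 23), _line(19, "91.230.47.37", 1433),
    _line(19, "198.51.100.9", 1433), _line(19, "198.51.100.9", 1433),
    _line(19, "91.230.47.3", 1433), _line(19, "203.0.113.7", 1433),
])

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n in hits_per_ip(recs).most_common():
        print(f"{n:6d} {src}")
    for day, port, count, prev in port_spikes(recs):
        print(f"spike: Jun {day[1]} port {port}: {count} hits (day before: {prev})")
    print(mac_similarity("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"))
```

On a real box the text fed to parse_log would be /var/log/kern.log or journalctl -k output filtered on the firewall's log prefix; the "unseen the day before counts as 1" rule in port_spikes is what makes a port that appears out of nowhere show up, which is the case Joe's remark about newly found vulnerabilities is about.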