Re: hacker tracking

2017-06-19 Thread Joe
On Mon, 19 Jun 2017 08:00:30 -0700
Mike McClain  wrote:

> On Sun, Jun 18, 2017 at 08:05:41PM -0500, John Hasler wrote:
> > The hits are coming from bots running on cracked computers.  The
> > botnet operators control them through several layers of indirection.
> >
> > I suspect that a majority of the Windows boxes in the world may be
> > under the control of botnets.
> > --
> > John Hasler
> > jhas...@newsguy.com
> > Elmwood, WI USA  
> 
> Hi John,
> If I understand correctly you're saying that for someone with my
> limited knowledge and abilities, this is an exercise in futility since
> most IP addresses I collect will not be those of hackers but rather
> of those already hacked.

I don't think your abilities matter; nobody can look at an IP address
and divine the real origin of the problem. Almost all (you should hope
'all') of these probes will be coming from dumb software running on the
hacked machines, and occasionally reporting back to base.

> Since you've brought that idea to my attention it makes sense to
> me but is somewhat depressing.

But even a basic firewall will keep out the rubbish. As long as you're
not a high-profile target, you can expect not to come to the attention
of any real hackers.

I used to keep a log of this stuff, with a simple script to count the
port accesses per day, just out of curiosity. A sudden increase in
connections to a port usually meant a new vulnerability found in one of
the applications which used it. But my current router seems to have no
logging and definitely no syslog ability, so I haven't been doing it
for a while.

On the whole, unwanted visitors are invited in these days, with offers
or appeals to human wants. Also, poorly defended web servers can have
dangerous links embedded in the pages. And more recently, the Internet
of Things has been spreading rudimentary web servers with poor security
all around the world... just stay alert.

-- 
Joe



Re: hacker tracking

2017-06-19 Thread Mike McClain
On Sun, Jun 18, 2017 at 07:26:01PM -0700, John Conover wrote:
> Hi Mike. You are running stateful NAT, (stateful Network Address
> Translation on your modem/router,) right?  Also, your modem/router
> should not be responding to ping(1)/icmp/ident packets since you do
> not allow remote/external access. Might try:

I'm not up on the term but my firewall drops packets from anyone with
whom I didn't initiate the connection. Is that 'stateful NAT'?

> https://www.grc.com/x/ne.dll?bh0bkyd2

I've been checking my firewall with grc.com ever since I felt the need
for a firewall and grc.com says I'm fully stealthed.

> for starters to find out, (or better, nmap(1) if you have access to an
> external shell account.)

Nope, no such account, but thanks for sharing your ideas.

> John
> --
> John Conover, cono...@rahul.net, http://www.johncon.com/

Mike
--
"Why fit in when you can stand out?"
- Dr. Seuss



Re: hacker tracking

2017-06-19 Thread Mike McClain
On Sun, Jun 18, 2017 at 08:05:41PM -0500, John Hasler wrote:
> The hits are coming from bots running on cracked computers.  The botnet
> operators control them through several layers of indirection.
>
> I suspect that a majority of the Windows boxes in the world may be under
> the control of botnets.
> --
> John Hasler
> jhas...@newsguy.com
> Elmwood, WI USA

Hi John,
If I understand correctly you're saying that for someone with my
limited knowledge and abilities, this is an exercise in futility since
most IP addresses I collect will not be those of hackers but rather
of those already hacked.
Since you've brought that idea to my attention it makes sense to
me but is somewhat depressing.
Oh well, knowledge is power.
Thank you for enlightening me.
Mike
--
"Why fit in when you can stand out?"
- Dr. Seuss



Re: hacker tracking

2017-06-18 Thread John Conover

Hi Mike. You are running stateful NAT, (stateful Network Address
Translation on your modem/router,) right?  Also, your modem/router
should not be responding to ping(1)/icmp/ident packets since you do
not allow remote/external access. Might try:

https://www.grc.com/x/ne.dll?bh0bkyd2

for starters to find out, (or better, nmap(1) if you have access to an
external shell account.)

John

Mike McClain writes:
> I must admit to being surprised at the quantity of attempts to
> hack into my computer. It only took a couple of days before I started
> rotating those logs to keep the size down. I'm getting from 20,000 to
> over a million hits a day on a computer that's only online 3-4 hours a
> day and often much less.
>
.
.
.
> 
> I suspect I'm not the only one who is interested in this exploration
> and hope some of you can share tips to carry it further.
> 

-- 

John Conover, cono...@rahul.net, http://www.johncon.com/



Re: hacker tracking

2017-06-18 Thread John Hasler
The hits are coming from bots running on cracked computers.  The botnet
operators control them through several layers of indirection.

I suspect that a majority of the Windows boxes in the world may be under
the control of botnets.
-- 
John Hasler 
jhas...@newsguy.com
Elmwood, WI USA



hacker tracking

2017-06-18 Thread Mike McClain
First let me say that according to my IDS I haven't been hacked.
I don't have a website or run any servers for off site access.
Just an individual with an ATT internet connection.

All the flak in the news lately about Russian hacking and Putin's
denials got me curious and I enabled my firewall to start logging
dropped incoming packets.
I must admit to being surprised at the quantity of attempts to
hack into my computer. It only took a couple of days before I started
rotating those logs to keep the size down. I'm getting from 20,000 to
over a million hits a day on a computer that's only online 3-4 hours a
day and often much less.
By doing 'whois' lookups on the source IP of the dropped packets
I've built a database of the IP, country, inetnum/route and hit count.
Now as I go through yesterday's log most hits fall into previously
seen routes greatly reducing the number of 'whois' lookups.
Using the same program to read the logs, compile the database and
pull various relations from the data I've seen some surprising things.

These are the countries most often showing up in the logs:
mike@/deb73:~> perl/hackers.pl -s | awk '$1>100'
hitcount, country, numIPs
646 US 373
636 CN 513
562 IE 6
153 RU 107
143 FR 40
108 IN 83
In order, the 2 letter codes detailed in ISO-3166 equate to:
the United States, China, Ireland, Russia, France and India.

Notice that Ireland, which has the third highest hit count, has only 6 unique IPs.
mike@/deb73:~> perl/hackers.pl -c IE
CountryRoutes(IE),  numHits
86.40.0.0/15,   1
87.198.0.0/16,  1
91.230.47.0/24, 560

The most hits from Ireland come from a single route.
mike@/deb73:~> perl/hackers.pl -r 91.230.47.0/24
routeIPs(91.230.47.0/24),   numHits
91.230.47.3,13
91.230.47.37,   24
91.230.47.38,   522
91.230.47.4,1
It would seem likely that all of these are from the same person and
in fact the packet info logged includes the MAC address which verifies
that this is all one hacker.

Browsing the logs has shown me that the MAC address can be spoofed.
One day I was getting hit every 6 seconds by IP addresses that spread
across the range of the IP block while the MAC address varied by a
character or 2. I'd appreciate a pointer to an algorithm that would
compare 2 strings (MAC addresses) and give a congruity percentage.

I've gotten hit by one source address that, according to the RIR in
Brasil, is unassigned. I'm totally bewildered by this as I can see no way
any hacker could ever get a response. Perhaps there was something in the
rest of the packet that could have given them access? Only the header
of the packet gets logged so I'll never know.
There are several IPs from Japan that 'whois' doesn't return an
inetnum/route for.

I suspect I'm not the only one who is interested in this exploration
and hope some of you can share tips to carry it further.

Thanks,
Mike
--
Your talent is God's gift to you.
What you do with it is your gift back to God.
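An added example, not code from any poster in this thread, showing the bookkeeping Mike describes (hits per source, a route cache so that only unseen sources need a 'whois' lookup, and a congruity percentage for two MAC addresses) together with Joe's per-port daily count. It assumes Linux netfilter-style LOG lines (the sample lines are constructed) in which the MAC= field carries the destination MAC, then the source MAC, then the ethertype; the function names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Linux netfilter LOG format; the post does not
# show its firewall's log format, so this layout is an assumption.
SAMPLE_LOG = """\
Jun 18 20:01:02 deb73 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:00:00:01:00:11:22:33:44:55:08:00 SRC=91.230.47.38 DST=192.0.2.2 PROTO=TCP SPT=51234 DPT=23
Jun 18 20:01:08 deb73 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:00:00:01:00:11:22:33:44:56:08:00 SRC=91.230.47.37 DST=192.0.2.2 PROTO=TCP SPT=51235 DPT=23
Jun 18 20:01:14 deb73 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:00:00:01:00:11:22:33:44:55:08:00 SRC=91.230.47.38 DST=192.0.2.2 PROTO=TCP SPT=51236 DPT=2323
Jun 18 20:01:20 deb73 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:00:00:01:de:ad:be:ef:00:01:08:00 SRC=203.0.113.9 DST=192.0.2.2 PROTO=TCP SPT=4444 DPT=445
"""
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_log(text):
    # MAC= holds dst MAC (6 octets), src MAC (6 octets), then the ethertype.
    records = []
    for line in text.splitlines():
        if " DROP " not in line:
            continue
        fields = dict(FIELD.findall(line))
        octets = fields.get("MAC", "").split(":")
        records.append({"src": fields["SRC"],
                        "dpt": int(fields.get("DPT", 0)),
                        "src_mac": ":".join(octets[6:12])})
    return records

def hits_by_port(records):
    # Joe's per-port count: a sudden jump on one port is the signal he watched for.
    return Counter(r["dpt"] for r in records)

def route_for(ip, known_routes):
    # Longest-prefix match against routes already in the database;
    # None means this source actually needs a fresh whois lookup.
    addr = ipaddress.ip_address(ip)
    best = None
    for route in known_routes:
        net = ipaddress.ip_network(route)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best else None

def mac_similarity(a, b):
    # Congruity percentage: share of the 12 hex digits that agree position by
    # position (Hamming similarity), i.e. how far "varied by a character or 2" goes.
    da, db = a.replace(":", "").lower(), b.replace(":", "").lower()
    if not da or len(da) != len(db):
        raise ValueError("MAC addresses must be non-empty and the same length")
    return 100.0 * sum(x == y for x, y in zip(da, db)) / len(da)
```

The MAC a packet filter logs is the Ethernet address of the last hop that delivered the frame (on a home link, the modem or ISP-side gateway), not that of the remote sender, so the similarity score describes that hop rather than whoever is behind the source IP.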