Hacker keeps returning - any chances of getting him?

Status
Not open for further replies.

MakeItSo

Programmer
Oct 21, 2003
3,316
DE
Hi friends,

About two weeks ago, I caught a Trojan from somewhere.
McAfee detected it and removed it, no prob - I thought...
As it had detected multiple versions of it, which kept popping in, I unplugged the network wire, restarted, HijackThissed, Spybotted, cleared my cache & temp files, you know: the usual jazz.
I also installed an additional software firewall and screwed McAfee's security settings up to maximum.
Since then, all's clear; so far, so good.

Two days later however, my jaw dropped when my ftp log files told me that my ftp (running on a dedicated server) had been compromised - using MY logins, and my website "adorned" with a nice, hidden iframe...
[flame]

I closed the ftp service, changed all logins, checked the server (was clean) and restored the website by completely wiping the entire root and uploading my latest, clean package.

Since then, the hacker has returned 6 times so far, trying to get back into my ftp.
Alas, my log files show him with up to 18 different IPs on each try, located in USA, Canada, France, Sweden...
So I don't have a chance to identify him.
Do I?
[ponder]
That's my big question now: at the moment, that bastard does not get in and cannot do any harm. But he does keep trying and you know Murphy's Law: one day he might find a loophole somewhere...
I also don't want him to have a chance to bombard my server with requests until DoS...
Do I have any chance to find out the true origin of these attacks?
I'm already running Peer Guardian on my server now, but the history of PG does not show anything conspicuous at the time of his last attempt, which was yesterday evening.

I would greatly appreciate any advice you can give me.
I want to nail that rat!
[cannon]

Thanks!
MakeItSo

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 
Yeah, at the very least you'll keep him/her (or the small boy in his garage in China) guessing for a little while. Hopefully they just give up...

BTW, I hadn't mentioned it, but I am in agreement with you on this... this is most likely either a disgruntled old employee, or else potentially a competitor corporate entity where an ex-employee went and gave up some specific info to...


As far as my suggestion to block him off: personally, I would take the one-off approach and just block any IP that his attack attempts come from. In the grand scheme of things, even if over time you block off 1000 IPs, most if not all of those will be IPs of systems that would have never gone to your website anyways.

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
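
Added example, not part of any post in this thread: one way to turn an FTP log into the per-IP block list suggested above, while also surfacing successful logins from unfamiliar addresses (the situation described in the original post). The thread does not show the actual log format, so the line layout, the `siteowner` account, the allowlisted address and all IPs below are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
# Constructed sample; the line layout (time, client IP, user, result) is an assumption.
SAMPLE_LOG = """\
2009-03-02 21:14:03 203.0.113.7 USER admin FAIL
2009-03-02 21:14:05 198.51.100.23 USER admin FAIL
2009-03-02 21:14:09 203.0.113.7 USER webmaster FAIL
2009-03-02 21:15:40 192.0.2.10 USER siteowner OK
2009-03-03 04:02:11 198.51.100.99 USER siteowner FAIL
2009-03-03 04:02:30 198.51.100.99 USER siteowner OK
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\d{1,3}(?:\.\d{1,3}){3}) USER (\S+) (OK|FAIL)$")

def parse_log(text, allowlist=()):
    """Return sorted (time, ip, user, ok) events from IPs outside the allowlist."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) in allowlist:
            continue  # unparseable line, or the owner's own address
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return sorted(events)

def failed_bursts(events, gap=timedelta(minutes=5)):
    """Group failed logins no more than `gap` apart into one wave of attempts."""
    bursts, last = [], None
    for ts, ip, _user, _ok in (e for e in events if not e[3]):
        if last is None or ts - last > gap:
            bursts.append({"start": ts, "ips": set(), "attempts": 0})
        bursts[-1]["ips"].add(ip)
        bursts[-1]["attempts"] += 1
        last = ts
    return bursts

def block_candidates(events):
    """Every outside IP with at least one failed login, as a sorted deny list."""
    return sorted({ip for _ts, ip, _user, ok in events if not ok})

def foreign_logins(events):
    """Successful logins from outside the allowlist: possible stolen credentials."""
    return [(ts, ip, user) for ts, ip, user, ok in events if ok]

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG, allowlist={"192.0.2.10"})
    for b in failed_bursts(ev):
        print(b["start"], b["attempts"], "failures from", sorted(b["ips"]))
    print("deny:", block_candidates(ev))
    print("review first:", foreign_logins(ev))
```

Grouping by time wave shows how many distinct addresses take part in each attempt, and the `foreign_logins` list is the one to act on first, since a successful login from an unknown address means the credentials need changing regardless of what gets blocked.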
 
CanNeverKnowItAll, this assertion you are making about my suggested method is wrong.

If you boot from a clean drive, it doesn't matter what infected drives are connected. This is providing the auto-run stuff has been properly locked down, and nothing on the potentially infected drive is actually run or opened by anything but the antivirus software.

I've used this method many times with viruses that couldn't get cleaned any other way. You definitely need to be careful, but it is not an automatic infection.

Also, even a full reformat doesn't wipe away all viruses. There have been instances of firmware-based viruses that can't be conventionally cleaned.
 