[linux-security] Re: What are some programs to use to trace spoofers?
daemon@ATHENA.MIT.EDU (seifried@seifried.org)
Mon Jun 15 04:56:54 1998
Date: Sun, 14 Jun 1998 17:18:43 -0600 (MDT)
From: <seifried@seifried.org>
To: Jim Conner <j_conner@earthlink.net>
cc: linux-security@redhat.com
In-Reply-To: <199806140949.CAA25398@ireland.it.earthlink.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
> ALL,
>
> Our Primary DNS has been broken into twice in the last week. The first
> time it happened I noticed the hacker used named for means of gaining
> entry. This guy was good at hiding his/her tracks so we reinstalled the OS
> and left a minimum install to see if it was done again. We logged all
> goings on from a secure remote machine. We got the hacker's IP address and
> even some of what he/she did on the box. But the IP was spoofed. I heard
> there was a way to trace a spoofed IP (I know tracing can't be done after
> the fact). Any ideas? And what are some good programs out there to do so?
Gotta trace it up one link upstream at a time while it is in progress, a.k.a.
it is damn near impossible (try getting ahold of an ISP who knows where
when the local time at that ISP is 3am ;).
> There is a chance that the hacker attempted a connection to see if the box
> was still up before he/she spoofed the IP. I have logs of someone
> telnetting to the box a few minutes before the actual attack with a valid
> domain name. Any ideas anyone?
>
> Jim
Run named chrooted (http://www.seifried.org/dns/), use tcp_wrappers on the
machine to finger/identd anyone connecting via telnet/pop/anything,
possibly set up another machine running sniffit/tcpdump or NFR
(www.nfr.com, but it's free), to log everything that happens. Possibly
set up a program to watch for the hack attempts and firewall off the IPs
that are being spoofed, to make his life a bit harder. Also make sure you
are running the latest, greatest (most secure hopefully) version of
everything, the OS, named, etc, and if possible turn off as much as you
can.
I do not see why someone would telnet to a machine to see if it is up, an
nslookup localhost target.for.the.attack.com would tell you if it is up
and running named (which is what is being exploited). He might keep coming
back if he thinks he has found an easy target, OTOH if he has any sense he
won't, by the third time you'd think the remote end has done something to
fix the problem. =)
-seifried
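The reply above suggests logging every wrapped connection and watching for the probe that precedes an attack. As an added example (not code from either poster), here is a small correlation script that reads tcp_wrappers (tcpd) "connect from" syslog records and lists every source that touched the box in the minutes before a known attack time; the log lines, hostnames and the 1998 year are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed tcpd-style syslog lines (hostnames and times are made up).
SAMPLE_LOG = """\
Jun 13 01:10:02 ns1 in.ftpd[390]: connect from mirror.example.org
Jun 13 02:41:07 ns1 in.telnetd[412]: connect from probe.example.net
Jun 13 02:44:30 ns1 ipop3d[415]: refused connect from probe.example.net
Jun 13 02:45:12 ns1 in.telnetd[417]: connect from 192.0.2.77
Jun 13 03:30:00 ns1 in.telnetd[520]: connect from admin.example.com
"""

# tcpd logs "connect from <src>" or "refused connect from <src>" via syslog.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<daemon>[\w.]+)\[\d+\]: (?P<refused>refused )?connect from (?P<src>\S+)$"
)


def parse_tcpd(log_text, year=1998):
    """Yield (timestamp, daemon, source, refused) for each tcpd record.
    Classic syslog omits the year, so the caller supplies it (1998 assumed)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a tcp_wrappers connect record; skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["daemon"], m["src"], bool(m["refused"])


def recon_candidates(log_text, attack_time, window=timedelta(minutes=10)):
    """Return {source: [(time, daemon, refused), ...]} for every source seen
    on a wrapped service inside the window ending at attack_time.
    attack_time may be a datetime or an ISO string like '1998-06-13 02:48:00'."""
    if isinstance(attack_time, str):
        attack_time = datetime.fromisoformat(attack_time)
    start = attack_time - window
    hits = {}
    for ts, daemon, src, refused in parse_tcpd(log_text):
        if start <= ts <= attack_time:
            hits.setdefault(src, []).append((ts, daemon, refused))
    return hits


if __name__ == "__main__":
    # The attack time would come from the secure remote logging host.
    for src, events in recon_candidates(SAMPLE_LOG, "1998-06-13 02:48:00").items():
        print(src, [(t.strftime("%H:%M:%S"), d, r) for t, d, r in events])
```

Sources that show up only in this pre-attack window, especially on services they have no business using, are the ones worth pulling the full logs (and any identd/finger records) for.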
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null