How To Catch A Hacker
By Jehanzeb
I just wrote this guide to give you some tips you may not have heard yet. Hopefully, it won't come to a hacker getting in, but if it does...
Tip 1: Hackers cover their tracks. Experienced hackers cover them more thoroughly, but amateur hackers sometimes leave things behind. Don't expect them to leave any really big evidence behind; expect more of the little things here and there that you might find surprising. For example, if you're writing a term paper and a black hat hacker accidentally saved it after he took a paragraph out, that's suspicious. Where did that paragraph go? Well, for one thing, now you know he was in that area. Check the folders surrounding the file; you might find something.
Tip 2: Distinguish between the types of hackers that are attacking you. Experienced hackers will have a more in-depth look around when they penetrate your system. They won't touch much, because they know that touching things won't add much to their knowledge. But if you know a hacker's been in, some files are messed with, and you have a log of someone guessing passwords to a file or something of that sort, it's probably some newbie who's just starting out. These are the easiest hackers to catch. They usually get so caught up in thoughts like "I'm in!" that they forget the basics, such as working behind a proxy.
My friend was setting up a webserver once. It was his first time too, and he wasn't too anxious to set up some good software to protect against hackers and viruses. He didn't put up one IDS, and before you know it, the obvious happened. But this time, a newbie had struck. The nice log files showed, bluntly across the screen, multiple instances of a foreign IP address that stood out. Some stupid newbie had tried to log in as "uucp" on my friend's XP computer, with a password of "uucp." Well, that's great, but he also had tried the same user/pass combination three times, enough to get himself logged nicely. Even a semi-brainless user with some form of neurological system knows that uucp isn't a default XP account. Again, excitement toiled this hacker's brain, and maybe if he hadn't done that, along with a few other stupid things, he wouldn't have gotten caught. What other things did he do? Well, let's see. He opened 35 instances of MS-DOS. He tried to clean the printer's heads, and he edited a .gif in Notepad. Then he uninstalled a few programs and installed some HTML editor, and replaced four files with the words "14P."
He might as well have posted his phone number. In a few days, we had tracked him down to a suburban town in Ohio. We let him go, not pressing any charges, because he had done nothing really damaging and had provided me with an example of a moron for this guide.
Tip 3: Don't go crazy if you lose data. Chances are, if it was that important, you would have backed it up anyway. Most hackers nowadays wish they were back in 1989, when they could use a Black Box and having a Rainbow Book actually meant something. Most hackers aren't blackhat, they are whitehat, and some are even greyhat. But in the end, most hackers that are in systems aren't satisfied by looking around. From past experiences, I have concluded that many hackers like to remember where they've been. So, what do they do? They either press delete here and there, or copy some files onto their systems. Stupid hackers (yes, there are plenty of stupid hackers) send files to e-mail addresses. Some free e-mail companies will give you the IP of a certain e-mail address's user if you can prove that user has been notoriously hacking you. But most of the time, by the time you get the e-mail address it's been unused for weeks, if not months or years, and services like Hotmail have already deleted it.
Tip 4: Save information! Any information that you get from a log file (proxy server IP, things like "14P", e-mail addresses that things were sent to, etc.) should be saved to a floppy disk (they're not floppy anymore, I wish I could get out of the habit of calling them that) in case there's a next time. If you get another attack from the same proxy, or with similar e-mail addresses (e.g.: one says Blackjack [email protected] and the other says [email protected]), you can make an assumption that these hackers are the same people. In that case, it would probably be worth the effort to resolve the IP using the proxy and do a traceroute. Pressing charges is recommended if this is a repeat offender.
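A small detection script, added here as an example (it is not from the article), that looks in log data for the two signals Tip 2 and Tip 4 describe: the same user/password guessed repeatedly from one source address for an account that isn't a real account on the box, and a source address that already appears in the indicators you saved from an earlier incident. The log lines, the log format and the account list are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the article); the line format is assumed.
SAMPLE_LOG = """\
2003-05-12 01:14:02 LOGIN FAILED user=uucp src=203.0.113.45
2003-05-12 01:14:09 LOGIN FAILED user=uucp src=203.0.113.45
2003-05-12 01:14:15 LOGIN FAILED user=uucp src=203.0.113.45
2003-05-12 01:20:40 LOGIN OK user=alice src=192.168.1.20
2003-05-12 01:21:03 LOGIN FAILED user=alice src=192.168.1.20
"""

LINE_RE = re.compile(r"LOGIN (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<ip>\S+)")

# Accounts that actually exist on this machine (constructed). A password
# being guessed for any other name is the "uucp isn't a default XP account"
# signal from Tip 2: the attacker doesn't know what he is looking at.
KNOWN_ACCOUNTS = {"alice", "Administrator", "Guest"}

def failed_logins(log_text):
    """Count failed login attempts per (source IP, username)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "FAILED":
            counts[(m.group("ip"), m.group("user"))] += 1
    return counts

def password_guessing(log_text, threshold=3):
    """Return (ip, user, failures, account_exists) for every source/user pair
    with at least `threshold` failures, unknown accounts listed first."""
    hits = [(ip, user, n, user in KNOWN_ACCOUNTS)
            for (ip, user), n in failed_logins(log_text).items() if n >= threshold]
    return sorted(hits, key=lambda h: (h[3], h[0], h[1]))

def repeat_offenders(log_text, saved_ips):
    """Tip 4: source IPs in this log that you saved from an earlier incident."""
    seen = {m.group("ip") for m in map(LINE_RE.search, log_text.splitlines()) if m}
    return sorted(seen & set(saved_ips))

if __name__ == "__main__":
    for ip, user, n, exists in password_guessing(SAMPLE_LOG):
        print(f"{ip} guessed '{user}' {n} times (account exists: {exists})")
    # Indicator list "from the floppy disk" is constructed for the example.
    print("seen before:", repeat_offenders(SAMPLE_LOG, ["203.0.113.45", "198.51.100.7"]))
```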
Tip 5: Don't be stupid. If you've been hacked, take security to the next level. Hackers do talk about people they've hacked, and they do post IPs and e-mail addresses. Proof? Take a look at Defcon conventions. I've never gone to one, but I've seen the photos. The "Wall of Shame"-type boards I've seen have IPs and e-mail addresses written all over them in fat red, dry-erase ink. Don't be the one to go searching the Defcon website and find your e-mail address posted on the Wall of Shame board!
Tip 6: Don't rely on luck. Chances are, sometime or another, you're going to be targeted for an attack. This is where you might be tempted to rely on luck: maybe they'll forget? Maybe they don't know how to do it? If you think this way, a surprise is going to hit your face very hard. Another way you could stupidly rely on luck is by saying this: it's probably just a whitehat. On the contrary, my friend, it's probably just a blackhat. A blackhat with knowledge stored in his head, ready to be used as an ax. It's your data. You take the chance.