North American Network Operators Group
Re: HACKER's IRC network, smurf configs, etc etc
Alex, a word of advice. However much of a good thing (tm) you might be doing, posting stuff like this on a public forum usually ends up being a bad deal for the poster.

On Wed, Oct 14, 1998 at 04:22:53PM +0400, Alex P. Rudnev wrote:
> Hi.
>
> (Sorry, I have not had time to read the NANOG forum for some time.)
>
> As the result of my anti-hacker tracing, I found one place where (maybe
> one, maybe a lot of) hackers are playing. This place includes:
>
> IRCD daemon included in the IRC hackers' network;
> SMURF program and config files for it;
> DNS vuln. checker (boft, I am not sure what it is exactly);
> SNIFFER logs;
> TELNETD daemon on port 2001 (do you look at TCP sessions to your port
> 2001? This is the hackers, no doubt);
> backdoor in login.
>
> It's not difficult to close this host and inform its owners (through
> its school server, and I am not sure if they did not contact the hackers
> themselves), but it's not the way to decrease hackers' activity. The best
> way is to listen to their IRCD daemons, to trace where they are coming
> from, where they are getting their tools from and (mainly) where they
> (or he, I do not know exactly) store their information.
>
> If someone who is familiar with IRC and LINUX and who lives in the USA (not
> far from the network '209.180.204/24') is tired of the SMURF attacks
> and (better) knows some official ways to investigate this incident
> (remember, we know about this place and have a back-door account there;
> they do not know it) wants to investigate this incident and fight against
> this particular hacker or hackers group, welcome...
>
> The incident my investigation started from was BO activity here in
> Russia; the next step was to find the sniffer installed by the hacker at a
> remote 'WWW' server hosted by our customer and look into this file - a
> lot of interesting things about the hacker himself were found there. Step by
> step... but I never saw an IRC hackers' server, their IRC network and a
> lot of these different tools in the same place... But this place is in the
> USA...
>
> Once again... it's easy to write a message "Dear system admin. Your
> system is infected and has been used by a hacker for the smurf attack. In
> addition, all your local passwords are (no doubt) sniffed.". The result:
> the hacker had 100 backdoors, now he has 99 backdoors; the next day he'll open
> one more... The better thing is to trace him.
>
> This particular server seems to be a school server and does not hold
> important information... maybe it's a good place for someone to start from.
> But how to do it better in the case of the USA... I do not know.
>
>
> Aleksei Roudnev, Network Operations Center, Relcom, Moscow
> (+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
> (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)