# RootPrompt.org   Nothing but Unix.


 Feature: Cracked! Part 3: Hunting the Hunter

Noel continues the story of when some Unix boxes that he helped admin were cracked. This article talks about some of the efforts made to track down the cracker and some surprises.

"At this point I am more than a little nervous. He has noticed my port scan within seconds and has already tracked me back to Texas. I rm the port scanner and log out, hoping that I have not let the cat out of the bag. By this point I am beginning to assume that he may have root on any machine. But the same things that are his friends are mine. There are so many systems and so many connections that a search for me on the Texas system, even if he has access to the logs, would most likely drown in a sea of information."
  • Cracked! Part 1: Denial and truth details the report that leads to the discovery that the community network was cracked and some of the initial reactions.
  • Cracked! Part 2: Watching and Waiting talks about how they learned more about the cracker and what they did next.
  • Cracked! Part 4: The Sniffer tells how they found the sniffer that the cracker was running on their network and what they did next.
  • Cracked! Part 5: Rebuilding covers the rebuilding of the system to recover from the crack and fix some long-standing problems.
  • Cracked! Part 6: Talking with the Enemy tells about talking to the cracker in IRC.
  • Cracked! Part 7: The Cracker's Revenge explains what the cracker did when he broke back in, our recovery from this, talking to the cracker afterwards, and brings the story to a close.

     (Submitted by Noel Mon May 22, 2000 )

      

    Cracked


    Part 3

    Hunting the Hunter


    This is the third part of the story of a community network that was cracked and what was done to recover from it. The first part, Cracked! Part 1: Denial and truth, details the report that leads to the discovery that the community network was indeed cracked and some of the initial reactions. The second article, Cracked! Part 2: Watching and Waiting, talks about how they learned more about the cracker and what they did next. This article talks about some of the efforts made to track down the cracker and some surprises.

    After a few days of watching the cracker I decided to start working on tracking him back to his origin. Most of his connections were from a university computer across the country. So that is where I started hunting.

    I called the admins of the university system he was coming from and got one of them on the phone while the cracker was connected to us from their system. At first all they would tell me was that there was no one logged on that had connected to our system. After working on finding the cracker for a while they figured out that the cracker was not logging in to their system at all; he was using a port redirector there too, one that was disguised to look like just a shell. They told me that they were going to set up a sniffer to watch the port redirector and figure out where the next connection down the line was coming from.

    The next day they called me back and gave me several IP addresses that had connected to the port redirector. Doing a lookup on the addresses showed that they were Compuserve dialup servers. This fit a pattern we had seen where occasionally the cracker would connect to the port redirector on our box from a Compuserve address.

    I called up the Compuserve toll-free number and, after quite a bit of effort with their front-line tech support folk, finally got the telephone number of their security section. After some additional effort I had convinced them to give me the number of their security chief. I left him a message that contained the IP addresses, the times that the cracker had connected, and a description of what had been going on. A few hours later he called me back and agreed to do some research and help me track the cracker down. I told him about the ISP situation and the FBI computer crime squad being on the case.

    The next morning the Compuserve security chief called me back and told me that the dialup servers had been logged into with an account that belonged to an Englishman. However, the connections had been forwarded from dialups in Austria. They were convinced from this and some other details that the account had been stolen.

    He then went on to explain that they had been having a great number of accounts stolen. One of the most popular methods was to send out a few thousand emails to Compuserve users pretending to be a Compuserve security officer. The emails requested that the user reply to the email and include their password. It did not matter that few people fell for this scam; it only took a handful to give the crackers as many accounts as they needed.

    So we were back to square one. Looking at my sniffer logs I could see that the cracker would sometimes configure his sniffer directly from a Compuserve dialup server. I decided to go ahead on the assumption that this was the address the cracker was actually connecting to the net from. I did not want to let the cracker know we were watching him, so I decided to take a leaf from his book and hide myself.

    I first connected to an account on a friend's machine in a different state. I then connected to a system in Texas that offered free accounts. I uploaded a port scanner to this system and then waited, watching my sniffer.

    It did not seem that long before the cracker connected to the port redirector from his dialup. He set it up to redirect a telnet to port 2323 on our box to port 23 on the ISP's system. I then watched as he telnetted through the port redirector and started chatting with someone on the ISP's system.
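The port redirector in the paragraph above is the reason the university admins at first saw "no one logged on": a redirector is just a process holding two sockets, so it leaves nothing in utmp or wtmp and the only trace is a pair of established TCP connections. The following is an added example written for this article, not the cracker's tool or anything from the original page; it is a minimal TCP redirector in the same spirit, run end-to-end on localhost with an echo server standing in for the ISP's telnet daemon. The bind address, the use of port 0 to pick a free port, and the echo stand-in are assumptions for illustration; in the story the redirector listened on 2323 and forwarded to port 23.

```python
import socket
import threading

# Added example, not the cracker's tool: a minimal TCP port redirector of the
# kind the story describes.  Addresses and ports below are assumptions; in the
# story the redirector listened on port 2323 and forwarded to port 23.

BUFSIZE = 4096


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """One forwarded connection: dial the target, then pump both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def start_redirector(listen_port, target, bind="127.0.0.1"):
    """Listen on bind:listen_port and forward every accepted connection to
    target (host, port).  listen_port=0 lets the OS pick a free port.
    Returns the listening socket; close it to stop accepting."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listening socket was closed
                return
            threading.Thread(target=_handle, args=(client, target),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def _echo(conn):
    _pump(conn, conn)
    conn.close()


def start_echo_server(bind="127.0.0.1"):
    """Stand-in for the ISP's telnet daemon: echoes whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def relay_roundtrip(payload=b"login: noel\r\n"):
    """Run the chain client -> redirector -> echo server on localhost and
    return the bytes the client gets back."""
    echo = start_echo_server()
    redirector = start_redirector(0, echo.getsockname())
    try:
        with socket.create_connection(redirector.getsockname(), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)       # EOF propagates down the chain
            chunks = []
            while True:
                data = c.recv(BUFSIZE)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        redirector.close()
        echo.close()
```

Run `relay_roundtrip()` and the payload comes back unchanged through the hop. While it runs, `netstat -an` on the redirector host shows one inbound and one outbound ESTABLISHED connection owned by the process and no login session, which is exactly what the university admins had to sniff for rather than read out of `who`.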

    I quickly connected to my friend's system and then to the system in Texas and started my port scan. I had set it up to go very slowly in the hope that it would not suck up all his bandwidth and make him notice what was going on. A few seconds after I started the scan I read on my sniffer:

    Cracker: uh.. someone is port scanning my machine.. how weird

    Girl: who?

    Cracker: I don't know at this point.

    Girl: What does port-scanning mean?

    Cracker: port-scanning means trying to figure out what services my machine provides. it's weird because i'm not exactly running a large server.. and it causes me to get lagged even more because my connection is slow. That's odd... I wonder why someone would be doing that?

    Girl: Is that what people do to log in your machine or something?

    Cracker: i don't know why they are doing it. it's so slow i haven't even figured out who's doing it yet.... uh.. they stopped.. gave up at port 10000. its usually done when you want to hack into a machine you don't otherwise know how to hack into.

    Girl: To look for vulnerable programs or something?

    Cracker: but i'm not running anything so they were in :)

    Cracker: Huh, uh, interesting, somebody from Dallas,

    At this point I am more than a little nervous. He has noticed my port scan within seconds and has already tracked me back to Texas. I rm the port scanner and log out, hoping that I have not let the cat out of the bag. By this point I am beginning to assume that he may have root on any machine. But the same things that are his friends are mine. There are so many systems and so many connections that a search for me on the Texas system, even if he has access to the logs, would most likely drown in a sea of information.
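Slowing the scan down did not help, and the chat log shows why: the cracker's box was "not running anything", so every probe was a SYN to a closed port, and a quiet host makes that stand out no matter how far apart the packets are. The example below is added here and is not from the original article or any tool mentioned in it. It runs a small detector over a constructed connection log (RFC 5737 documentation addresses, a made-up log format, an assumed set of listening ports) and contrasts two rules on the same data: a distinct-closed-ports-per-source rule over an hour, which flags a one-port-per-minute scan, and a five-second burst rule, which misses it entirely.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the story: a distinct-port scan detector run over
# constructed connection-log lines (RFC 5737 documentation addresses).
# The log format, addresses, and port lists are assumptions for illustration.

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) SYN$"
)

# Ports the monitored box (192.0.2.10) actually listens on.  Anything else is
# closed, and an unsolicited SYN to a closed port is unexplained traffic.
OPEN_PORTS = {22, 80}

SAMPLE_LOG = [
    # a normal client: ssh twice, one web hit, one stray SYN to a closed port
    "2000-05-10 02:58:11 198.51.100.4 -> 192.0.2.10:22 SYN",
    "2000-05-10 02:59:40 198.51.100.4 -> 192.0.2.10:80 SYN",
    "2000-05-10 03:05:02 198.51.100.4 -> 192.0.2.10:443 SYN",
    "2000-05-10 03:40:19 198.51.100.4 -> 192.0.2.10:22 SYN",
    "this line is garbage and must be skipped",
] + [
    # a slow scan: one port per minute, far below any per-second rate limit
    f"2000-05-10 03:{minute:02d}:00 203.0.113.7 -> 192.0.2.10:{port} SYN"
    for minute, port in enumerate(
        [21, 22, 23, 25, 53, 79, 80, 110, 111, 113, 143, 513, 514, 515])
]


def parse(lines):
    """Return time-sorted (timestamp, src, dst_port) tuples for well-formed
    lines; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], int(m["port"])))
    return sorted(events)


def detect_scans(lines, open_ports, window=timedelta(hours=1), threshold=5):
    """Return {src: sorted closed ports touched} for every source that hit at
    least `threshold` distinct closed ports inside any sliding `window`.
    Counting distinct ports rather than packets per second is what catches
    a scan that has been deliberately slowed down."""
    by_src = defaultdict(list)
    for ts, src, port in parse(lines):
        if port not in open_ports:
            by_src[src].append((ts, port))
    hits = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= threshold:
                hits[src] = sorted({p for _, p in evs})
                break
    return hits


def slow_scan_verdict():
    """Distinct closed ports per source over an hour: flags the slow scanner
    and leaves the normal client (one stray closed port) alone."""
    return detect_scans(SAMPLE_LOG, OPEN_PORTS)


def burst_only_verdict():
    """Same data, 5-second window: a burst-rate rule sees nothing."""
    return detect_scans(SAMPLE_LOG, OPEN_PORTS, window=timedelta(seconds=5))


if __name__ == "__main__":
    print("hourly distinct-port rule:", slow_scan_verdict())
    print("5-second burst rule:     ", burst_only_verdict())
```

The threshold of five closed ports is an arbitrary assumption; on a workstation with nothing listening, even a threshold of one is defensible, which is roughly the position the cracker was in when he noticed the Dallas box within seconds.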

    Now at this point I look back and make some conclusions. First, I am very glad I did not scan him from a system connected with the community network, as it seems likely that he would have at least been suspicious that we were on to him. Second, I now know nothing more than that he seems to run some sort of Unix on his own machine and that he is very alert to what is going on with his machine and network connection. In my mind this makes him more likely to be an expert cracker and not a script kiddie. I know that he is willing to use stolen dial-in accounts, running up other people's credit card bills. This makes me think that he is potentially willing to trash our system to prevent us from catching him. But what does this tell me? Nothing. Nothing at all. I am still in the dark and no closer to finding out who this guy is than on the first day. He is still a faceless connection from out of the ether.

    That is the problem with a connection over the Internet. Who are the people that connect to your boxes? How can you tell that they are really the person they claim to be, the person they log in as? It is so easy to hide, to be someone else, to use a stolen account. Anonymous behind lies and misdirection.

    How can you know who is who? For friends, PGP signatures are a start, but even a signing key can be stolen. Biometric identification may be bypassed by control over the hardware or software on the system. When the client is under the control of an expert cracker, can you ever really know? Without any doubt you can make the odds much better. You can use methods that are harder to break or bypass. But you can never know. Not beyond any doubt.

    In talking to the FBI I was informed that they convict a cracker by tracking the crack back to the keyboard that the cracker is typing on and literally catching them in the act. A complete trace back to the "wetware" of the cracker, so to speak. This of course involves courtrooms, phone taps, and traces, and then someone kicking down the front door. Not the sort of thing that I can do as a system administrator.

    As the old cartoon goes, "on the net no one knows you're a dog". On the net there are no fingerprints.



Copyright 1999-2005 Noel Davis. Noel also runs web sites about sailing and kayaking.