Hunting the Hunter
This is the third part of the story of a community network that was
cracked and what was done to recover from it. The first
part, Cracked! Part 1:
Denial and Truth, details the report that led to the discovery
that the community network was indeed cracked, and some of the initial
reactions. The second article, Cracked! Part 2: Watching and
Waiting, talks about how they learned more about the cracker
and what they did next. This article covers some of the efforts
made to track down the cracker, and some surprises along the way.
After a few days of watching the cracker I decided to start working on
tracking him back to his origin. Most of his connections were from a
university computer across the country, so that is where I started.
I called the admins of the university system he was coming from and
got one of them on the phone
while the cracker was connected to us from their system. At first all
they would tell me was that no one logged on to their system had
connected to ours. After working on finding the cracker for a
while, they figured out that the cracker was not logging in to their
system at all: just as on our box, he was using a port redirector that
pretended to be nothing more than a shell. They told me that they were
going to set up a sniffer to watch the port redirector and figure out
where the next connection down the line was coming from.
The next day they called me back and gave me several IP addresses that
had connected to the port redirector. Doing a lookup on the addresses
showed that they were Compuserve dialup servers. This fit a pattern we
had seen where occasionally the cracker would connect to the port
redirector on our box from a Compuserve address.
I called up the Compuserve toll-free number and, after quite a bit of
effort with their front-line tech support folks, finally got the
telephone number of their security section.
After some additional effort I convinced them to give me the
number of their security
chief. I left him a message that contained the IP addresses, the
times that the cracker had connected, and a description of what had
been going on. A few hours later he called
me back and agreed to do some research and help me track the cracker
down. I told him about the ISP situation and that the FBI computer crime
squad was on the case.
The next morning the Compuserve security chief called me back and told
me that the dialup servers had been logged into with an account that
belonged to an Englishman. However, the connections had been forwarded
from dialups in Austria. From this and some other details they were
convinced that the account had been stolen.
He then went on to explain that they had been having a great number of
accounts stolen. One of the most popular methods was to send out a few
thousand emails to Compuserve users pretending to be a Compuserve
security officer. The emails requested that the user reply to the
email and include their password. It did not matter that few people
fell for this scam; it only took a few for the crackers to have as
many accounts as they needed.
So we were back to square one. Looking at my sniffer logs I could see
that the cracker would sometimes configure his sniffer directly from a
Compuserve dialup server. I decided to go ahead on the assumption
that this was the actual address from which the cracker was connecting to
the net. I did not want to let the cracker know we
were watching him, so I decided to take a leaf from his book and hide.
I first connected to an account on a friend's machine in a different state. I
then connected to a system in Texas that offered free accounts. I
uploaded a port scanner to this system and then waited, watching my
It did not seem that long before the cracker connected to the port
redirector from his dialup. He set it up to redirect a telnet to port
2323 on our box to port 23 on the ISP's system. I then watched as he
telnetted through the port redirector and started chatting with someone
on the ISP's system.
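The redirector described here (and the one the university admins set out to sniff) leaves a distinctive trace: an inbound connection on the listening port is followed almost immediately by an outbound connection from the same host to the next hop. The following is an added example, not code from the article, that looks for that pattern in constructed connection-log lines; the log format, the addresses and the 5-second window are all assumptions for illustration.

```python
# Added example (not from the article): flag port-redirector behaviour in
# connection logs: an inbound connection on a listening port followed within
# seconds by an outbound connection from the same host to another system.
from collections import namedtuple

Conn = namedtuple("Conn", "ts direction local_ip local_port remote_ip remote_port")

# Constructed sample log, one connection per line:
# "<epoch> <IN|OUT> <local_ip>:<local_port> <remote_ip>:<remote_port>"
SAMPLE_LOG = """\
1000 IN  10.0.0.5:2323  198.51.100.7:40211
1001 OUT 10.0.0.5:51022 203.0.113.9:23
1050 IN  10.0.0.5:22    192.0.2.4:50100
1400 IN  10.0.0.5:2323  198.51.100.7:40312
1402 OUT 10.0.0.5:51100 203.0.113.9:23
2000 OUT 10.0.0.5:51200 203.0.113.20:80
"""

def parse_line(line):
    ts, direction, local, remote = line.split()
    lip, lport = local.rsplit(":", 1)
    rip, rport = remote.rsplit(":", 1)
    return Conn(int(ts), direction, lip, int(lport), rip, int(rport))

def find_relays(log_text, window=5):
    """Pair each inbound connection with outbound connections the same host
    opens within `window` seconds; these are candidate relay hops."""
    conns = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                   key=lambda c: c.ts)
    pairs = []
    for i, inbound in enumerate(conns):
        if inbound.direction != "IN":
            continue
        for nxt in conns[i + 1:]:
            if nxt.ts - inbound.ts > window:
                break  # log is time-sorted, nothing later can match
            if nxt.direction == "OUT" and nxt.local_ip == inbound.local_ip:
                pairs.append((inbound, nxt))
    return pairs

def summarize(pairs):
    """Count repeated relay paths: (listening port -> destination ip:port).
    A path seen over and over is the redirector, not a coincidence."""
    counts = {}
    for inbound, outbound in pairs:
        key = (inbound.local_port, outbound.remote_ip, outbound.remote_port)
        counts[key] = counts.get(key, 0) + 1
    return counts
```

On the sample log the only repeated path is listening port 2323 to 203.0.113.9:23, the shape of the redirect the cracker set up; the unrelated ssh and web connections are not paired.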
I quickly connected to my friend's system and then to the system in Texas
and started my port scan. I had set it up to go very slowly in the hope
that it would not suck up all his bandwidth and make him notice what was
going on. A few seconds after I started the scan I read on my sniffer:
Cracker: uh.. someone is port scanning my machine.. how weird
Cracker: I Don't know at this pooint.
Girl: What ddoes port-scanning mean?
Cracker: port-scanning means trying to figure out what services does
my machine provide. it's weird because i'm not exactly running a large
erge server.. and it causes me to get lagged even more because my
connection is slow Thatt's odd... I wonder why ssomeone would be doing
Girl: Is that what peopllle do to log in your machihine or something?
Cracker: i don't know why they are doing it. it's so slow i haven't
even figure out who's doing it yet.... uh.. they stopped.. gave i
up at port 10000. its usually done when you want to hack into a
machine you don't otherwise know how to hack into.
Girl: To look for vonerunerable programs or somethiing?
Cracker: but i'm not running anything so they were in :)
Cracker: Huh, uh, interestin somebody from dallas,
At this point I am more than a little nervous. He has noticed
my port scan within seconds and has already tracked me back to
Texas. I rm the port scanner and log out, hoping that I have not let
the cat out of the bag. By this point I am beginning to assume that he
may have root on any machine. But the same things that are his friend
are mine. There are so many systems and so many connections that a
search for me on the Texas system, even if he has access to the logs,
would most likely drown in a sea of information.
Now at this point I look back and draw some conclusions. First, I
am very glad I did not scan him from a system connected with the
community network, as it seems likely that he would at least have been
suspicious that we were on to him. Second, I now know nothing more
than that he seems to
run some sort of Unix on his own machine and that he is very alert to
what is going on with his machine and network connection. In my mind
this makes him more likely to be an expert cracker and not a script
kiddie. I know that
he is willing to use stolen dial-in accounts, running up other people's
credit card bills. This makes me think that he is potentially willing
to trash our system to prevent us from catching him. But what does
this tell me? Nothing.
Nothing at all. I am still in the dark and no closer to finding out
who this guy is than on the first day. He is still a faceless connection from
out of the ether.
That is the problem with a connection over the Internet. Who are
the people that connect to your boxes? How can you tell that they are
really the person they claim to be, the person they log in as? It is so
easy to hide, to be someone else, to use a stolen account. Anonymous
behind lies and misdirection.
How can you know who is who? For friends, PGP signatures are a start, but
even those can be stolen. Biometric identification may be bypassed by
control over the hardware or software on the system. When the client
is under the control of an expert cracker, can you ever really know?
Without any doubt you can make the odds much better. You can use
methods that are harder to break or bypass. But you can never know.
Not beyond any doubt.
In talking to the FBI I was informed that they convict a cracker by
tracking the crack back to the keyboard that the cracker is typing on
and literally catching them in the act: a complete trace back to the
"wetware" of the cracker, so to speak. This of course involves
courtrooms, phone taps, and traces, and then someone kicking down the
front door. Not the sort of thing that I can do as a system
As the old cartoon goes, "on the net no one knows you're a dog". On the
net there are no fingerprints.