Alex, a word of advice. However much of a good thing (tm) you might be doing, posting stuff like this on a public forum usually ends up being a bad deal for the poster.

On Wed, Oct 14, 1998 at 04:22:53PM +0400, Alex P. Rudnev wrote:
Hi.
(Sorry, I had no time to read the NANOG forum for some time.)
As a result of my anti-hacker tracing, I found one place where hackers (maybe one, maybe a lot) are playing. This place includes:
- an IRCD daemon included in the hackers' IRC network;
- a SMURF program and config files for it;
- a DNS vulnerability checker (boft, I am not sure what exactly it is);
- SNIFFER logs;
- a TELNETD daemon for port 2001 (do you look at TCP sessions to your port 2001? This is the hackers, no doubt);
- a backdoor in login.
It's not difficult to close this host and inform its owners (through its school server, and I am not sure that they did not contact the hackers themselves), but it's not the way to decrease hackers' activity. The best way is to listen to their IRCD daemons, to trace where they are coming from, where they are getting their tools from and (mainly) where they (or he, I do not know exactly) store their information.
If someone who is familiar with IRC and LINUX and who lives in the USA (not far from the network '209.180.204/24') is tired of the SMURF attacks and (better) knows some official ways to investigate this incident (remember, we know about this place and have a back-door account there; they do not know it) wants to investigate this incident and fight against this particular hacker or hacker group, welcome...
The incident my investigation started from was BO activity here in Russia; the next step was to find the sniffer installed by the hacker on a remote 'WWW' server hosted by our customer and look into this file - a lot of interesting things about the hacker himself were found there. Step by step... but I never saw the hackers' IRC server and their IRC network and a lot of these different tools in the same place... But this place is in the USA...
Once again... it's easy to write a message: "Dear system admin. Your system is infected and has been used by a hacker for smurf attacks. In addition, all your local passwords have (no doubt) been sniffed." The result: the hacker had 100 backdoors, now he has 99 backdoors; the next day he'll open one more... It is better to trace him.
This particular server seems to be a school server and does not hold important information... maybe it's a good place for someone to start from. But how to do it better in the case of the USA... I do not know.
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
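The check Alex asks about above ("do you look at TCP sessions to your port 2001?") is easy to automate over netstat output. The following is an added example for this thread, not code from the original post or from Relcom: it parses constructed netstat-style lines and flags any socket on TCP 2001, distinguishing a LISTEN entry (the rogue telnetd is installed) from an ESTABLISHED one (someone is using it now, and the remote address is where tracing starts). The port number comes from the message; the addresses, the netstat layout and the function names are assumptions.

```python
"""Flag TCP sessions involving a suspect port in netstat-style output.

Added example, not code from the original thread. Port 2001 is taken from the
message (the hackers' backdoor telnetd); the sample lines below are constructed
to look like `netstat -tan` output and use documentation (RFC 5737) addresses.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

SUSPECT_PORTS = {2001}  # from the thread: backdoor telnetd listening on TCP 2001


@dataclass(frozen=True)
class Session:
    proto: str
    local_addr: str
    local_port: int | None
    remote_addr: str
    remote_port: int | None  # None for a LISTEN socket ("0.0.0.0:*")
    state: str


def _split_hostport(token: str) -> tuple[str, int | None]:
    """Split 'host:port'; a '*' port (as shown for listeners) becomes None."""
    host, _, port = token.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(lines: Iterable[str]) -> list[Session]:
    """Parse netstat rows; header lines and anything not tcp/udp are skipped."""
    sessions: list[Session] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        laddr, lport = _split_hostport(parts[3])
        raddr, rport = _split_hostport(parts[4])
        sessions.append(Session(parts[0], laddr, lport, raddr, rport, parts[5]))
    return sessions


def suspicious_sessions(sessions: list[Session], ports=SUSPECT_PORTS) -> list[Session]:
    """Sessions where either end uses a suspect port.

    A LISTEN socket on the port means the rogue daemon is installed; an
    ESTABLISHED session means it is in use right now, and the remote address
    is the lead to trace (rather than just closing the host, as the post argues).
    """
    return [s for s in sessions if s.local_port in ports or s.remote_port in ports]


def remote_peers(flagged: list[Session]) -> list[str]:
    """Remote addresses currently connected to the suspect port (listeners excluded)."""
    return sorted({s.remote_addr for s in flagged if s.remote_port is not None})


# Constructed sample in the shape of `netstat -tan` on the compromised host.
# The 6667 listener stands in for the IRCD the post mentions; this check does
# not flag it, only the port-2001 telnetd, so an analyst would review it separately.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:2001         198.51.100.7:41022      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:53110       ESTABLISHED
""".splitlines()

if __name__ == "__main__":
    flagged = suspicious_sessions(parse_netstat(SAMPLE_NETSTAT))
    for s in flagged:
        print(f"{s.state:12} {s.local_addr}:{s.local_port} <- {s.remote_addr}:{s.remote_port}")
    print("peers to trace:", remote_peers(flagged))
```

On a live host the same functions can be fed `netstat -tan` output via `subprocess`; a rogue telnetd can of course be bound to any port, so the port set is a starting point for an indicator the post gives, not a complete detection.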