
Monday, 28 April 2014

Report Hackers

HOW TO REPORT HACKERS

Stopping hackers can be very difficult, sometimes seemingly impossible. I believe, however, that if you use the right types of programs combined with self-education on how hackers think, you can make your computer much safer.

 
Reporting hackers can sometimes be a little bit tricky. A lot of users never report hack attempts, simply because they just don’t care or believe that the “hacker” knows he can’t get into their system. There is also the reason that users just don’t know what steps to take once they realize their system is being attacked.

Once your system is connected to the Internet, some form of system attack will eventually hit your computer. Most of the time these attacks will be completely random. While not every single attack ever made should be reported, repetitious attacks should. Repeated attacks from the same person/IP address should always be reported. This is a clear indication that someone is trying to gain access to your computer.

 
If you are using Black Ice Defender and/or Lockdown 2000, you will be able to see the IP address of the person attempting to break into your system.

 
What do you do now that you know that someone is attempting to hack into your computer?

Before you can do anything you will require some utilities. I recommend getting the following program.

 

·         NetLab

 

NetLab has a variety of utilities combined into one easy-to-use application.

You can obtain a copy of NetLab from:

After obtaining a copy of NetLab and installing it you’ll be ready.

I find the best procedure for this is to begin by identifying how many times this “individual” has attempted to hack into your system, and at what times.

(Consult your firewall program documentation for instructions on where to locate the number of attacks originating from an IP address.)

 
Once you have identified how many times the person has attempted to gain access and at what time the most recent attack was, it is a wise idea to check if they actually got through.

To check what is currently connected to your computer, do the following:

·         Write down the IP address you were given by Black Ice and/or Lockdown 2000
·         Click Start
·         Go to Run
·         Type in Command and hit Enter

This will bring you to your DOS prompt again.

 

 

Type the following at the DOS prompt.

·         Netstat

This will give you a listing of all active connections to your computer and it will look something like this.

Active Connections

Protocol    Local Address    Foreign Address    State
TCP         COMP:0000        10.0.0.1:0000      ESTABLISHED
TCP         COMP:2020        10.0.0.5:1010      ESTABLISHED
TCP         COMP:9090        10.0.0.3:1918      ESTABLISHED
 
Your information will have different numbers. I used the IP address 10.0.0.x for demonstration purposes only.

If your attacker is connected to your computer, you will see his IP address in this listing. Compare this listing to the IP address you have written down.

In the table above you will see numbers after a colon (:). For example: COMP:2020

The 2020 represents the port number that the foreign computer is connected to on your computer.

Using our example, let’s take a look at the second row. This shows us that someone is connected to our computer on port 2020 from the IP address 10.0.0.5.

Once you have assessed that the “hacker” was unsuccessful in his attempts to hack into your computer, you can proceed to gather information to report the attack.
 

Start up NetLab

·         Type in the IP address in the indicated area below

·         After typing in the IP address, click on Ping, indicated below

At this point you will see one of two results. You will either see a response, indicating the person is online, or no response, indicating they are offline. We do this to check if the person is still connected.

1: This is the IP address that you are pinging

2: The time it takes to ping the address.

The next step is to check who the IP address belongs to. You can do this by using whois.arin.net on the person’s IP address.

Once you’ve typed in the IP address in Query String, click on the Whois button. You will then see who the IP address belongs to.

This will reveal who the “hacker’s” Internet service provider is. This is very important: if you can figure out where your attacker is coming from, you can forward the appropriate information to the right people.
Let’s recap our procedure in a step-by-step format.

A) Drop to the DOS prompt
B) Run netstat to check if they got through
C) Start NetLab and do a Ping test to check if they are still connected
D) Do a Whois lookup (using whois.arin.net)
 
Once you’ve done the steps above you will need to send the information to your ISP and the attacker’s ISP. The goal is to give them as much information as you can about the attacker.

Both firewall programs (Black Ice Defender and Lockdown 2000) create log files of each attack. Copy the information along with your own test results, including the times of each attack, into an email and send it to your ISP. Send a copy of that email to your attacker’s ISP also.
 
(Note: You may need to call the attacker’s ISP in order to get the right email address. If the call will involve long-distance charges, send the message to support@thehackersisp.com)

All ISPs have an Abuse department. They are responsible for dealing with such issues. If you send the email to the support department of the “hacker’s” ISP, they will forward it to the correct division.
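
The checks in steps A to D can be scripted once the firewall log and the netstat listing are saved as text. The following is an added example, not part of the original post: it counts attempts per source address, checks the netstat listing for an ESTABLISHED connection from each repeat source, and drafts the summary to send to the abuse department. The log line layout, the sample data and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data. The firewall log layout is an assumption for this
# example; each firewall product writes its own format.
FIREWALL_LOG = """\
2014-04-27 22:14:03 BLOCKED TCP 10.0.0.5:1010 -> COMP:2020
2014-04-27 22:14:09 BLOCKED TCP 10.0.0.5:1011 -> COMP:2020
2014-04-27 23:40:51 BLOCKED TCP 10.0.0.9:4431 -> COMP:139
2014-04-28 01:02:17 BLOCKED TCP 10.0.0.5:1012 -> COMP:2020
"""
# Constructed netstat-style listing, reusing the post's 10.0.0.x demo addresses.
NETSTAT = """\
  Proto  Local Address   Foreign Address   State
  TCP    COMP:2020       10.0.0.5:1010     ESTABLISHED
  TCP    COMP:9090       10.0.0.3:1918     TIME_WAIT
"""
LOG_RE = re.compile(r"^(\S+ \S+) BLOCKED \w+ ([\d.]+):\d+ -> \S+:\d+$")
CONN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+([\d.]+):\d+\s+(\S+)\s*$")

def summarize_attempts(log_text):
    """Map source IP -> attempt count, first and last timestamp."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        when, ip = m.groups()  # lines that do not match are skipped
        rec = out[ip]
        rec["count"] += 1
        rec["first"] = rec["first"] or when
        rec["last"] = when
    return dict(out)

def established_ports(netstat_text, ip):
    """Local ports holding an ESTABLISHED connection from the foreign IP."""
    hits = (CONN_RE.match(line) for line in netstat_text.splitlines())
    return [int(m.group(1)) for m in hits
            if m and m.group(2) == ip and m.group(3) == "ESTABLISHED"]

def reports(log_text, netstat_text, min_attempts=2):
    """One report per address seen repeatedly (single probes are skipped)."""
    result = {}
    for ip, rec in summarize_attempts(log_text).items():
        if rec["count"] < min_attempts:
            continue
        ports = established_ports(netstat_text, ip)
        status = f"ESTABLISHED on local port(s) {ports}" if ports else "no connection"
        result[ip] = (f"Source IP: {ip}\nAttempts: {rec['count']}\n"
                      f"First: {rec['first']}\nLast: {rec['last']}\n"
                      f"Netstat: {status}\n")
    return result
```

State the time zone of the timestamps in the message so the ISP can match them against its own records.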
 
It is your responsibility to report any attacks being made against your computer. I encourage you to take an active part in reporting repeated attacks from the same IP address against your computer, as these are clear indications of someone targeting you.

It may be that you have something they are interested in, or perhaps your system has been compromised prior to your realization, and with the installation of the firewall program you are now blocking their attacks. Whatever the reason, now that you are aware, your goal is to protect your privacy.
 




 

Thursday, 24 April 2014

Hacker ................?


WHO ARE HACKERS?


 

I feel it is necessary to clarify the term hacker. Perhaps your definition of a hacker has been influenced and tainted over the years. There have been various computer-related activities attributed to the term “hacker”, but these were greatly misunderstood. Unfortunately for the people who are truly defined within the underground tech world as a “hacker”, this is an insult to them.

There are various types of “hackers”, each with their own agenda. My goal is to help protect you from the worst of them.

 

Anarchist Hackers

These are the individuals who you should be wary of. Their sole intent on system infiltration is to cause damage or use information to create havoc. They are primarily the individuals who are responsible for the majority of system attacks against home users. They are more likely to be interested in what lies on another person’s machine, for example yours.

Mostly you’ll find that these individuals have a slightly above-average computer skill level and consider themselves hackers. They glorify themselves on the accomplishments of others. Their idea of classing themselves as a hacker is to acquire programs and utilities readily available on the net, use these programs with no real knowledge of how these applications work and, if they manage to “break” into someone’s system, class themselves as a hacker. These individuals are called “Kiddie Hackers.”

They use these programs given to them in a malicious fashion on anyone they can infect. They have no real purpose to what they are doing except being able to say “Yeah! I broke into <insert name here> computer!” It gives them bragging rights to their friends.

If there is any damage to occur in a system being broken into, these individuals will accomplish it.

These individuals are usually high school students. They brag about their accomplishments to their friends and try to build an image of being hackers.

 

Hackers

A hacker by definition believes in access to free information. They are usually very intelligent people who care very little about what you have on your system. Their thrill comes from system infiltration for information reasons. Hackers, unlike “crackers and anarchists,” know that being able to break system security doesn’t make you a hacker any more than adding 2+2 makes you a mathematician. Unfortunately, many journalists and writers have been fooled into using the word “hacker.” They have attributed any computer-related illegal activities to the term “hacker.”

Real hackers mainly target government institutions. They believe important information can be found within government institutions. To them the risk is worth it. The higher the security, the better the challenge. The better the challenge, the better they need to be. Who’s the best keyboard cowboy? So to speak!

These individuals come in a variety of age classes. They range from high school students to university grads. They are quite adept at programming and are smart enough to stay out of the spotlight.

They don’t particularly care about bragging about their accomplishments as it exposes them to suspicion. They prefer to work from behind the scenes and preserve their anonymity.

Not all hackers are loners; often you’ll find they have a very tight circle of associates, but still there is a level of anonymity between them. An associate of mine once said to me, “If they say they are a hacker, then they’re not!”

 

Crackers

For definition purposes I have included this term. This is primarily the term given to individuals who are skilled at the art of bypassing software copyright protection. They are usually highly skilled in programming languages.

They are often confused with hackers. As you can see, they are similar in their agenda. They both fight security of some kind, but they are completely different “animals.”

Being able to attribute your attacks to the right type of attacker is very important. By identifying your attacker to be either an Anarchist Hacker or a Hacker you get a better idea of what you’re up against.

“Know your enemy and know yourself and you will always be victorious...”

Hacking Tools


Tools

Hackers use a variety of tools to attack a system. Each of the tools we cover in this article has distinct capabilities. We describe the most popular tools from each of the following categories:

·        Port scanners
·        Vulnerability scanners
·        Rootkits
·        Sniffers

Later in this article, we use some of these tools in realistic scenarios to demonstrate how easily even a novice hacker or script-kiddie can gain access to an unsecured system.



Port Scanners

Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available, and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap).

The Nmap port scanner is described as follows on the Nmap web site:

Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.

Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines.

Nmap supports an impressive array of scan types that permit everything from TCP SYN (half open) to Null scan sweeps. Additional options include OS fingerprinting, parallel scan, and decoy scanning, to name a few. Nmap supports a graphical version through xnmap. For more information about Nmap, refer to the Nmap web site or the nmap(1m) man page.

 

Vulnerability Scanners

This section describes tools available for scanning vulnerable systems. Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus.

The Nessus vulnerability tool is described on the Nessus web site:

The “Nessus” Project aims to provide to the Internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will remotely audit a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way.

Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port—that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability.

Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. Through both its command line and GUI-based client, Nessus provides capabilities that are invaluable. Running Nessus is much more convenient in its GUI mode. For more information about Nessus, refer to their web site.

How Hackers Do It: Tricks, Tools, and Techniques • May 2002

 

Rootkits

The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:

·        Modify system log files to remove evidence of an intruder’s activities.
·        Modify system tools to make detection of an intruder’s modifications more difficult.
·        Create hidden back-door access points in the system.
·        Use the system as a launch point for attacks against other networked systems.

 

Sniffers

Network sniffing, or just “sniffing,” is using a computer to read all network traffic, some of which may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.

The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While being relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information.

Once a system is accessed, an intruder typically installs a network sniffer on the system to gain additional user ID and password information, to gather information about how the network is constructed, and to learn what it is used for.