Thread: Urgent hacker help!

  1. #1

    Urgent hacker help!

    I had a board I admin at hacked by a hacker. He was able to get mine, as well as a few other people's passwords, and correctly gave them to someone (I have confirmed that mine was correct). I currently have an IP address he's used (not sure if it's static or what not) and his MSN. Is there anything I can do?


    h
    On That Note Forums - 1200 members and counting...
    "...our focus remains on the music."

  2. #2
    New Wave Visionray's Avatar
    Join Date
    May 2001
    Location
    X
    Posts
    544
    not much experience with this but I would look up the IP and then contact the ISP to start.

  3. #3
    Is it ok if I post the IP here? If not, how do I look it up, and how do I use that information once I get it?
    (not much experience in these matters)

    This is on the Sports Board I help run, using IPB - but the beta version of 1.2 which I think had a security flaw (which was exploited by this hacker). My main board now is my music forum, running vB 2.3.2 - I feel much safer...


    h

  4. #4
    Huygens to Titan PCRIDE's Avatar
    Join Date
    May 2002
    Location
    PLUTO
    Posts
    1,335
    do a tracert in CMD to find out the name of the ISP

    type in command prompt

    tracert 12.888.255.475

    then enter.

    that would get you going, unless they have a firewall and can't be seen
    or try this

    http://security.symantec.com/ssc/vr_...HYTINMHDKDCWLL

    enter the IP and it will show you on a map where the attack came from. and give you the details.
    need java-
    All out of Honey Buffers, so i grabbed a few Goose Heads

  5. #5
    G-Mace cougrhky20's Avatar
    Join Date
    Aug 2001
    Location
    Northern Virginia
    Posts
    156
    how do you find out someone's ip address if they have done what you say they have done?

  6. #6
    Logs, for one.

  7. #7
    Originally posted by cougrhky20
    how do you find out someone's ip address if they have done what you say they have done?
    He did this by hacking an IPB forum somehow, possibly by uploading something through FTP. He was a member of the forums so I have an IP address for him.


    h

  8. #8
    http://www.arin.net/whois/ <- enter the IP in that form, and get the ISP. There should be an abuse number or e-mail address and you need to contact them and get this moron stopped.
    John Starkey: So what if I have had sexual relations with Saddam.

    Looking for a webhost, paid, free, or dedicated? Check out this thread, to get my reviews.

  9. #9
    When I search, they're giving me other different IPs that are clickable...



    h

  10. #10
    Phantom Flasher... Markp.com's Avatar
    Join Date
    May 2000
    Posts
    16,034
    Moved here... I'm sure the backend people will have dealt with something similar to this before.

  11. #11
    Originally posted by Markp.com
    Moved here... I'm sure the backend people will have dealt with something similar to this before.
    Thanks, didn't know if they would have or not.

    So..can anyone here help me out?


    h

  12. #12
    Member
    Join Date
    Jul 2003
    Posts
    57
    I just got home, and I need to cook dinner, but since I've had issues like this before (*sigh*, inheriting other people's servers causes these types of issues), I'll chime in...

    Originally posted by hockyfan
    Thanks, didn't know if they would have or not.

    So..can anyone here help me out?


    h
    Here's what you do....

    Step 1) Make sure he doesn't still have access. This means fixing any security hole there was, and changing ALL OF YOUR PASSWORDS. This isn't just "change passwords and assume it's fixed," because they'll be back. They always come back. Fix the hole. If you don't know what the hole is, you need to get ahold of someone with security experience (and, that said, you probably can't afford them).

    Step 2) Start investigating. Usually a simple nslookup will tell you the domain name, which in turn usually tells you the ISP. If it's not a standard North American ISP, you're 90% hosed. If it's a HUGE ISP, you're similarly hosed (unless you have financial losses, in which case they might care; if all you lost was time, and you can't prove that your time is worth $100/hour, then they won't care). What you ideally want is a small (local, state or county sized) ISP, because they're usually small enough to care, but knowledgeable enough to know what's going on. If nslookup doesn't reveal their domain, you can try tracert (and look at the top level domain of the last resolved IP; usually you'll see 10-15 hops, then it'll stop resolving into *'s. Use the name of the last resolved hop as the probable ISP). If neither nslookup nor tracert work, you can try whois (available various places online), or you can send me a message and I'll find out who owns the IP block. Once you know who owns the block, start sending emails. Be professional about it, make it look like you know what you're doing. Be assertive, but not demanding. Have a list of dates that the suspect visited your site, along with their IP, so that they can find that user in the logs. Be respectful, network administrators have enough stress without some jackass spouting unfounded accusations. Check the ISP's website: if they have contact information, use it. Other good addresses are abuse@ , webmaster@, and security@ . If you don't get a response in 5 days, try again. If you still don't get a response, assume that you're being ignored, and give up.

    Note 1: If the IP is a proxy, you may be wasting a lot of time. If it resolves to something like anonymizer.com, and you don't have significant financial losses, don't even bother, you don't have the resources to fight a battle like that.

    Note 2: Don't resort to dirty tricks. Don't give the IP to your 'friend' on IRC. If it's dynamic, and you mess up some poor old lady's computer, you're an ass. Even if it's the suspect, and you break into their computer, all you've done is sunk to their level and opened yourself up to prosecution.

    *takes off his network-administrator hat and goes to make dinner*
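
Added example (not part of the original post): one way to build the "list of dates ... along with their IP" that Step 2 recommends sending to the ISP. It assumes the web server writes Apache combined-format access logs; the log lines and IP addresses below are constructed (RFC 5737 documentation ranges), and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in Apache "combined" format (an assumption about
# the server); the addresses are documentation ranges, not from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2003:21:14:02 -0400] "GET /forums/index.php?act=Login HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Jul/2003:21:15:40 -0400] "GET /forums/index.php HTTP/1.1" 200 8841 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Jul/2003:21:16:30 -0400] "POST /forums/index.php?act=Post HTTP/1.1" 302 0 "-" "Mozilla/4.0"
garbage line that does not parse
203.0.113.70 - - [13/Jul/2003:02:00:00 -0400] "GET / HTTP/1.1" 200 100 "-" "Mozilla/4.0"
203.0.113.7 - - [13/Jul/2003:23:59:59 -0400] "GET /forums/index.php?showuser=1 HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
"""

# client IP, [timestamp with zone], "METHOD path ...", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')


def visits_for_ip(log_text, suspect_ip):
    """Return sorted (utc_time, method, path, status) tuples for suspect_ip."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Compare the whole field: a substring search for .7 would also hit .70.
        if not m or m.group(1) != suspect_ip:
            continue
        local = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        # ISPs match reports against address-assignment records, so give UTC.
        hits.append((local.astimezone(timezone.utc),
                     m.group(3), m.group(4), int(m.group(5))))
    return sorted(hits)


def abuse_report(log_text, suspect_ip):
    """Format the matching requests as plain text to paste into an email."""
    hits = visits_for_ip(log_text, suspect_ip)
    lines = [f"Source IP: {suspect_ip}",
             f"Requests logged: {len(hits)} (times in UTC)"]
    lines += [f"{ts:%Y-%m-%d %H:%M:%S}Z  {method} {path} -> {status}"
              for ts, method, path, status in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(SAMPLE_LOG, "203.0.113.7"))
```

Converting to UTC matters because a dynamic address may belong to different customers at different times, so the ISP needs unambiguous timestamps to identify the account.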

  13. #13
    Member
    Join Date
    Jul 2003
    Posts
    57
    Originally posted by random_fool
    I just got home, and I need to cook dinner, but since I've had issues like this before (*sigh*, inheriting other people's servers causes these types of issues), I'll chime in...

    Any updates on this?

  14. #14
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi.

    I think random_fool already said it all...
    It is up to you to ensure this will not happen again - that's about all.
    I once tried to explain to the local police department that I considered a certain behaviour a computer crime ... all in vain, I felt like talking Greek there.
    If you can find out the ISP, sending them mail might have more success.

    Musicman

  15. #15
    Yes, you all have helped a lot. Although as some have mentioned, I didn't suffer any "loss", just extremely upset. I appreciate the help anyway.


    h
