ALL,

Our Primary DNS has been broken into twice in the last week. The first time it happened I noticed the hacker used named as the means of gaining entry. This guy was good at hiding his/her tracks, so we reinstalled the OS and left a minimum install to see if it was done again. We logged all goings-on from a secure remote machine. We got the hacker's IP address and even some of what he/she did on the box. But the IP was spoofed. I heard there was a way to trace a spoofed IP (I know tracing can't be done after the fact). Any ideas? And what are some good programs out there to do so?

There is a chance that the hacker attempted a connection to see if the box was still up before he/she spoofed the IP. I have logs of someone telnetting to the box a few minutes before the actual attack with a valid domain name. Any ideas anyone?

Jim

-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Jim Conner                | 3100 New York Dr.
-Earthlink Network         | Pasadena, CA 91107
-Support Operations Center | (626) 296-3017 or (626) 296-3018
Gary Stanley
1998-Jun-14 22:17 UTC
[linux-security] Re: What are some programs to use to trace spoofers?
>To: Jim Conner <j_conner@earthlink.net>
>From: Gary Stanley <ancient@nws.net>
>Subject: Re: [linux-security] What are some programs to use to trace spoofers?
>
>At 02:50 AM 6/14/98 -0700, you wrote:
>>ALL,
>>
>>Our Primary DNS has been broken into twice in the last week. The first
>>time it happened I noticed the hacker used named for means of gaining
>>entry. This guy was good at hiding his/her tracks so we reinstalled the OS
>>and left a minimum install to see if it was done again. We logged all
>>goings on from a secure remote machine. We got the hacker's IP address and
>>even some of what he/she did on the box. But the IP was spoofed. I heard
>>there was a way to trace a spoofed IP ( I know tracing can't be done after
>>the fact). Any ideas? And what are some good programs out there to do so?
>> There is a chance that the hacker attempted a connection to see if the box
>>was still up before he/she spoofed the IP. I have logs of someone
>>telnetting to the box a few minutes before the actual attack with a valid
>>domain name. Any ideas anyone?
>>
>>Jim

Only program I know of to track a spoofed IP address is MCI's Denial of Service tracker. (http://www.security.mci.net/dostracker/index.html)

Gary Stanley
NWS Network Operations Center
http://www.nws.net
<seifried@seifried.org>
1998-Jun-14 23:18 UTC
[linux-security] Re: What are some programs to use to trace spoofers?
> ALL,
>
> Our Primary DNS has been broken into twice in the last week. The first
> time it happened I noticed the hacker used named for means of gaining
> entry. This guy was good at hiding his/her tracks so we reinstalled the OS
> and left a minimum install to see if it was done again. We logged all
> goings on from a secure remote machine. We got the hacker's IP address and
> even some of what he/she did on the box. But the IP was spoofed. I heard
> there was a way to trace a spoofed IP ( I know tracing can't be done after
> the fact). Any ideas? And what are some good programs out there to do so?

Gotta trace it up one link upstream at a time while it is in progress. aka it is damn near impossible (try getting ahold of an ISP who knows where when the local time at that ISP is 3am ;).

> There is a chance that the hacker attempted a connection to see if the box
> was still up before he/she spoofed the IP. I have logs of someone
> telnetting to the box a few minutes before the actual attack with a valid
> domain name. Any ideas anyone?
>
> Jim

Run named chrooted (http://www.seifried.org/dns/), use tcp_wrappers on the machine to finger/identd anyone connecting via telnet/pop/anything, possibly set up another machine running sniffit/tcpdump or NFR (www.nfr.com, but it's free), to log everything that happens. Possibly set up a program to watch for the hack attempts and firewall off the IPs that are being spoofed, to make his life a bit harder. Also make sure you are running the latest, greatest (most secure, hopefully) version of everything, the OS, named, etc., and if possible turn off as much as you can. I do not see why someone would telnet to a machine to see if it is up; an "nslookup localhost target.for.the.attack.com" would tell you if it is up and running named (which is what is being exploited).

He might keep coming back if he thinks he has found an easy target. OTOH, if he has any sense he won't; by the third time you'd think the remote end has done something to fix the problem. =)

-seifried
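As an added example (not code from the thread or from any of its posters): the check Jim describes, finding out who touched the box in the minutes before the spoofed attack, is exactly what the tcp_wrappers logging suggested above would feed. The script below parses tcp_wrappers-style syslog lines ("connect from" / "refused connect from"), takes the attack time from the analyst (in the thread's situation, from the sniffer on the separate logging host), and groups every connection inside a window before that time by source host. A scout that probes the box before the real attack needs a genuine return path, so unlike the attack packets its address is not spoofed. The hostnames, addresses, timestamps, the year 1998, the "ns1" host and the list of known admin hosts are all constructed for the example.

```python
"""Pre-attack reconnaissance correlator.

Added example, not code from the original thread.  It assumes tcp_wrappers-
style syslog lines ("connect from" / "refused connect from") and an attack
time taken from a separate source (e.g. the sniffer on the logging host).
Hostnames, addresses, timestamps and the year 1998 below are all constructed.
"""
import re
from datetime import datetime, timedelta

LOG_YEAR = 1998  # assumption: classic syslog lines carry no year

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<refused>refused )?connect from (?P<src>\S+)$"
)

# Constructed log excerpt from the DNS host "ns1" (lines 0-5).
SAMPLE_LOG = """\
Jun 14 02:12:33 ns1 in.ftpd[711]: connect from mirror.example.org
Jun 14 02:41:07 ns1 in.telnetd[734]: connect from scout.example.net
Jun 14 02:43:50 ns1 in.telnetd[739]: refused connect from scout.example.net
Jun 14 02:46:02 ns1 in.telnetd[745]: connect from admin.example.com
Jun 14 02:47:58 ns1 named[210]: reloading nameserver
Jun 14 03:30:00 ns1 in.telnetd[802]: connect from late.example.net
""".splitlines()

# Constructed: when the sniffer saw the spoofed exploit traffic reach named.
ATTACK_TIME = datetime(LOG_YEAR, 6, 14, 2, 48, 30)

# Constructed: your own admin/monitor hosts, whose connections are expected.
KNOWN_HOSTS = ("admin.example.com",)


def parse_line(line):
    """Return (timestamp, daemon, source, refused) or None for non-wrapper lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["daemon"], m["src"], m["refused"] is not None


def scouts_before(lines, attack_time, window=timedelta(minutes=10), exclude=()):
    """Group connections made in [attack_time - window, attack_time) by source.

    A host that probes the box shortly before a spoofed attack cannot hide
    behind the spoofed address: the probe needs a real return path.  Refused
    connections count too, since a refusal still proves the source reached us.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, daemon, src, refused = rec
        if src in exclude or not (attack_time - window <= ts < attack_time):
            continue
        hits.setdefault(src, []).append((ts, daemon, refused))
    return hits


def demo():
    """Run the correlator over the constructed excerpt."""
    return scouts_before(SAMPLE_LOG, ATTACK_TIME, exclude=KNOWN_HOSTS)


if __name__ == "__main__":
    for src, events in demo().items():
        print(f"{src}:")
        for ts, daemon, refused in events:
            flag = " (refused)" if refused else ""
            print(f"  {ts:%b %d %H:%M:%S} {daemon}{flag}")
```

On the constructed excerpt the only host left after dropping the known admin box is scout.example.net, seen twice (once accepted, once refused by tcp_wrappers) in the seven minutes before the attack; the ftp connection an hour earlier and the telnet after the attack fall outside the window. Whatever the window turns up is a lead to follow with identd/finger output and the upstream ISP, not proof: as Annex notes below, it could just as well be an unrelated user.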
Annex
1998-Jun-15 04:11 UTC
[linux-security] Re: What are some programs to use to trace spoofers?
On Sun, 14 Jun 1998, Jim Conner wrote:

| goings on from a secure remote machine. We got the hacker's IP address and
| even some of what he/she did on the box. But the IP was spoofed. I heard

spoofed? the hacker worked (i.e. logged in and executed commands) with a spoofed IP? are you sure it wasn't someone from your OWN network?

| was still up before he/she spoofed the IP. I have logs of someone
| telnetting to the box a few minutes before the actual attack with a valid

could be the hacker.. could be not.. did you get anything suspicious from his activity from your sniffing logs (I guess you meant sniffing (and more) when you said monitored from the remote secure server)?

---
Annex