Re: disconnect a hacker

From: klunk (klunk_at_hotmail.com)
Date: 06/09/04

Date: Wed, 09 Jun 2004 02:26:11 GMT

I have attempted to do so, but with limited success... as this person
is still able to continually scan my system for vulnerabilities...

Since "his" IP is dynamically generated, this approach doesn't work...
I just find myself continually adding new IPs to my blocked list
in what feels like a never-ending and fruitless exercise...

One IP/host that I did block still generated over 1000 instances
of probing within a 12 hour period.

Also, since his methodology is to "hijack" other systems with
"remote controlling worms", I would only succeed in blocking
what could (at another time) be a legitimate host visiting my site.

(How do I know this to be the case...? My Web server station is right next
to my Workstation and I normally like to simply "let it run" so that I can
focus on productive activities... because of my recent experiences, I've had
my attention divided by security concerns... so when I use "netstat -an" and
see an IP connected to port 80, I check it... when I see that the hostname
is "suspicious", I check Web server activity for legitimate traffic...)

I am (almost 100%) certain that this person is "sitting at my doorstep"
because I notice a significant number of probes on my firewall console
window occurring at the same time.

I need to keep port 80 open, but am wondering if there is a method of
isolating an IP address currently connected to this port and simply
"shutting it out"... similar to disconnecting a user that's logged onto
an account... even if it's only for a few minutes, as I'm hoping his
frustration overcomes his persistence and he simply tires of trying...

I've been forwarding my firewall (evidence and packet) logs to my ISP,
but don't hold much hope that action will be taken as the "generic" response
I get is to contact local police... since I don't have "clear proof" of the
intruder's identity, I feel that I'm caught between a "rock and a hard
place"...

Thank you in advance for your assistance :-)

"Bit Twister" <BitTwister@localhost.localdomain> wrote in message
news:slrnccchk6.4a8.BitTwister@wb.home.invalid...
> On Tue, 08 Jun 2004 22:58:12 GMT, klunk wrote:
> > I've been experiencing a sustained series of hacking and attacking attempts
> > on my Web server.
> >
> > I have disabled unnecessary services, am running a software firewall and
> > have taken every precaution and implemented every preventative method I
> > encounter to ensure my security.
> >
> > When I run "netstat -an", I can still see the hacker connected to port 80 on
> > my Web server through several ports on his end.
>
> Put his ip in your firewall.
>
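The poster is eyeballing "netstat -an" output to spot a remote host holding many connections to port 80. The script below is an added example, not code from the thread or from either participant: it parses Windows-style "netstat -an" lines (the column layout is assumed from that format), counts connections per foreign IP against a chosen local port, and flags hosts over a threshold so the decision to firewall them, which is what the reply suggests, rests on a count rather than a glance. The sample output embedded in it is constructed, and the addresses are documentation ranges, not real hosts.

```python
import re
import subprocess
from collections import Counter

# Constructed sample of Windows-style "netstat -an" output (not from the thread).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        203.0.113.5:4412       ESTABLISHED
  TCP    192.168.1.10:80        203.0.113.5:4413       ESTABLISHED
  TCP    192.168.1.10:80        203.0.113.5:4420       TIME_WAIT
  TCP    192.168.1.10:80        198.51.100.7:51000     ESTABLISHED
  TCP    192.168.1.10:443       203.0.113.5:4430       ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.20:50123     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One TCP line: proto, local addr:port, foreign addr:port, state.
# UDP lines have no state column and are deliberately not matched.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header, blank, or UDP line
        lip, lport, rip, rport, state = m.groups()
        yield lip, int(lport), rip, int(rport), state


def remote_hosts_on_port(text, port=80):
    """Count connections per foreign IP that target the given local port.

    The listening socket itself (state LISTENING, foreign 0.0.0.0:0) is skipped
    so only actual peers are counted. Connections to other local ports are
    ignored, which keeps, for example, an RDP session out of the web tally.
    """
    counts = Counter()
    for _lip, lport, rip, _rport, state in parse_netstat(text):
        if lport != port or state == "LISTENING":
            continue
        counts[rip] += 1
    return counts


def flag_noisy_hosts(text, port=80, threshold=3):
    """Return foreign IPs holding at least `threshold` connections, busiest first."""
    counts = remote_hosts_on_port(text, port)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Live run: read the current table from the local netstat (Windows or Unix).
    live = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    for ip, n in remote_hosts_on_port(live).most_common():
        print(f"{ip:<40} {n} connection(s) to local port 80")
    print("over threshold:", flag_noisy_hosts(live))
```

Run it periodically rather than once: a single snapshot shows who is connected now, while the poster's complaint is about repeated probing, so a host that keeps reappearing across snapshots is the better signal than a one-off burst. The threshold is a starting point, not a rule; a busy legitimate browser can open several connections to one server, which is also why the poster's concern about blocking hijacked hosts that later turn out to be ordinary visitors argues for short-lived blocks over permanent ones.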