Re: disconnect a hacker

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 06/09/04


Date: Wed, 9 Jun 2004 03:28:06 +0000 (UTC)


"klunk" <klunk@hotmail.com> writes:

]I have attempted to do so, but with limited success... as this person
]is still able to continually scan my system for vulnerabilities...

]Since "his" IP is dynamically generated, this approach doesn't work...
]I just find myself continually adding new IPs to my blocked list
]in what feels like a never-ending and fruitless exercise...

]One IP/host that I did block still generated over 1000 instances
]of probing within a 12 hour period.

]Also, since his methodology is to "hijack" other systems with
]"remote controlling worms", I would only succeed in blocking
]what could (at another time) be a legitimate host visiting my site.

What do you mean by this and how do you know?

](How do I know this to be the case...? My Web server station is right next
]to my Workstation and I normally like to simply "let it run" so that I can

it=?

]focus on productive activities... because of my recent experiences, I've had
]my attention divided by security concerns... so when I use "netstat -an" and
]see an IP connected to port 80, I check it... when I see that the hostname
]is "suspicious", I check Web server activity for legitimate traffic...)

? I do not understand it.

]I am (almost 100%) certain, that this person is "sitting at my doorstep"
]because
]I notice a significant number of probes on my firewall console window
]occurring at the same time.

]I need to keep port 80 open, but am wondering if there is a method of
]isolating
]an IP address currently connected to this port and simply "shutting it
]out"...
]similar to disconnecting a user that's logged onto an account...
]even if it's only for a few minutes as I'm hoping his frustration overcomes
]his persistence and simply tires of trying...

With 1000 probes in a day, this is not a person, this is an automated
script. Are you sure that you are not simply seeing a standard MS worm, and
that the attacks on you are simply attacks on you amongst millions of
others?

]I've been forwarding my firewall (evidence and packet) logs to my ISP,
]but don't hold much hope that action will be taken as the "generic" response
]I get is to contact local police... since I don't have "clear proof" of the
]intruder's identity, I feel that I'm caught between a "rock and a hard
]place"...

Yes.

]Thank you in advance for your assistance :-)

]"Bit Twister" <BitTwister@localhost.localdomain> wrote in message
]news:slrnccchk6.4a8.BitTwister@wb.home.invalid...
]> On Tue, 08 Jun 2004 22:58:12 GMT, klunk wrote:
]> > I've been experiencing a sustained series of hacking and attacking
]attempts
]> > on my Web server.
]> >
]> > I have disabled unnecessary services, am running a software firewall and
]> > have taken every precaution and implemented every preventative method I
]> > encounter to ensuring my security.
]> >
]> > When I run "netstat -an", I can still see the hacker connected to port
]80 on
]> > my Web server through several ports on his end.
]>
]> Put his ip in your firewall.
]>
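A small defender-side helper for the "netstat -an" check described in the thread, added here as an example and not part of the original posts: it parses netstat output, counts sockets per remote address on the web port, and flags peers holding many at once (the "several ports on his end" observation). The netstat lines are a constructed sample in Linux layout, and the threshold is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample of "netstat -an" style output (Linux column layout assumed).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.9:33000       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51237      TIME_WAIT
"""

# proto, recv-q, send-q, local addr:port, foreign addr:port, state
# (\S+):(\d+) backtracks to the last colon, so IPv6 addresses also split correctly)
LINE_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)")


def connections_per_peer(netstat_text, local_port=80,
                         ignore_states=("LISTEN", "TIME_WAIT")):
    """Map remote IP -> number of live sockets on local_port."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, udp, unix sockets, etc.
        _proto, _laddr, lport, raddr, _rport, state = m.groups()
        if int(lport) != local_port or state in ignore_states:
            continue
        counts[raddr] += 1
    return counts


def noisy_peers(netstat_text, local_port=80, threshold=3):
    """Remote IPs holding at least `threshold` sockets on local_port (threshold is an assumption)."""
    per_peer = connections_per_peer(netstat_text, local_port)
    return sorted(ip for ip, n in per_peer.items() if n >= threshold)


if __name__ == "__main__":
    # In real use: connections_per_peer(subprocess.check_output(["netstat", "-an"], text=True))
    for ip, n in connections_per_peer(SAMPLE_NETSTAT).most_common():
        print(f"{ip:>16}  {n}")
    print("peers above threshold:", noisy_peers(SAMPLE_NETSTAT))
```

A peer that is over the threshold is a candidate for a closer look at the web server's access log, not proof of a human attacker; as the reply above notes, a high and steady rate usually points at an automated scanner.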