Hi.
(Sorry, I have not had time to read the NANOG forum for some time.)
As the result of my anti-hacker tracing, I found one place where (maybe
one, maybe a lot of) hackers are playing. This place includes:
IRCD daemon, included in the hackers' IRC network;
SMURF program and config files for it;
DNS vuln. checker (boft, I am not sure what it is exactly);
SNIFFER logs;
TELNETD daemon on port 2001 (do you look at TCP sessions to your port
2001? This is the hackers, no doubt);
backdoor in login.
It's not difficult to close this host and inform its owners (through
its school server, and I am not sure whether they did not contact the hackers
themselves), but it's not the way to decrease the hackers' activity. The best
way is to listen to their IRCD daemons, to trace where they are coming
from, where they are getting their tools from, and (mainly) where they
(or he, I do not know exactly) store their information.
If someone who is familiar with IRC and LINUX and who lives in the USA (not
far from the network '209.180.204/24'), is tired of the SMURF attacks,
and (better) knows some official ways to investigate this incident
(remember, we know about this place and have a back-door account there;
they do not know it) wants to investigate this incident and fight against
this particular hacker or hackers' group, welcome...
The incident my investigation started from was BO activity here in
Russia; the next step was to find the sniffer installed by the hacker at a
remote 'WWW' server hosted by our customer and look into this file - a
lot of interesting things about the hacker himself were found there. Step by
step... but I never saw the hackers' IRC server and their IRC network and a
lot of these different tools in the same place... But this place is in the
USA...
Once again... it's easy to write a message: "Dear system admin, your
system is infected and has been used by a hacker for a smurf attack. In
addition, all your local passwords are (no doubt) sniffed." The result:
the hacker had 100 backdoors, now he has 99 backdoors; the next day he'll open
one more... It is better to trace him.
This particular server seems to be a school server and does not hold
important information... maybe it's a good place for someone to start from.
But how to do it better in the case of the USA... I do not know.
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
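As an added example (not part of Aleksei's post), here is one way a defender can answer the question raised above, whether a host has a listener or live TCP sessions on port 2001: scan `netstat -an`-style output for sockets on a watch-listed port. The line format assumed is the classic `proto recv-q send-q local foreign [state]` layout, the watch list of ports and the sample netstat lines are constructed for illustration, and the function names are my own.

```python
"""Flag TCP listeners and sessions on watch-listed ports in netstat-style output.

Added example, not from the original post. Assumes classic `netstat -an`
lines:  proto  recv-q  send-q  local:port  foreign:port  [STATE]
"""
import re
from typing import Dict, Iterable, List

# The post names a planted telnetd on port 2001 as an indicator; this watch
# list is a constructed starting point, not a complete set of bad ports.
WATCHED_PORTS = frozenset({2001})

# Constructed sample output; header lines are ignored by the parser.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:2001         198.51.100.7:40213      ESTABLISHED
tcp        0      0 192.0.2.10:6667         198.51.100.9:51022      ESTABLISHED
udp        0      0 0.0.0.0:2001            0.0.0.0:*
""".splitlines()

# One netstat row: proto, two queue counters, two endpoints, optional state.
_LINE = re.compile(
    r"^\s*(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s*(?P<state>[A-Z_]+)?\s*$"
)


def _split_endpoint(endpoint: str):
    """Split 'host:port' into (host, int port); '*' or missing port -> None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(lines: Iterable[str]) -> List[Dict]:
    """Parse netstat rows into dicts; non-matching lines (headers) are skipped."""
    rows = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        lhost, lport = _split_endpoint(m["local"])
        fhost, fport = _split_endpoint(m["foreign"])
        rows.append({"proto": m["proto"], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": m["state"] or ""})
    return rows


def flag_watched_ports(lines: Iterable[str], watched=WATCHED_PORTS) -> List[str]:
    """Return human-readable findings for TCP listeners and established
    sessions touching a watched port. UDP rows are ignored (no session state)."""
    findings = []
    for r in parse_netstat(lines):
        if not r["proto"].startswith("tcp"):
            continue
        if r["lport"] in watched and r["state"] == "LISTEN":
            findings.append(f"listener on {r['lhost']}:{r['lport']} (unexpected service)")
        elif (r["lport"] in watched or r["fport"] in watched) and r["state"] == "ESTABLISHED":
            findings.append(f"session {r['lhost']}:{r['lport']} <-> {r['fhost']}:{r['fport']}")
    return findings


if __name__ == "__main__":
    for finding in flag_watched_ports(SAMPLE_NETSTAT):
        print(finding)
```

On a real host, feed the output of `netstat -an` (or a saved copy taken during incident handling) into `flag_watched_ports`; a listener on a port that no legitimate service is configured to use, or an established session to it from an outside address, is the kind of signal the post describes and is worth comparing against the host's known service baseline.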