Hi there

I'm an IT engineer in London. Last Thursday I was called out to a client who I had never been to before. They were having some major server problems. After poking around a bit it transpired that their server had been hacked. Whoever had got in had created himself a user account with domain admin privileges and inserted a virus on the server which ran as "2footninja.exe" or something like that. I spent most of the day locking down the server so it couldn't be repeated. However, I then began checking the logs to see if I could find anything about who had hacked this server. I subsequently found that whoever had hacked this server did so from the IP address <REMOVED AS SOMEONE COMPLAINED>. After doing a quick whois on the ptr record it seemed that this was a "one and one internet" customer (I assume this is a broadband provider in the US). More than that I cannot tell. I then did some portscans and found 3389 and ftp open. I also managed to login via anonymous ftp and located the virus he used to infect my server in a file " foot.zip" I then left and went home, that night I ran tsgrinder against his terminal server port but came up with nothing - no doubt my dictionary attack would have been ineffective against someone who knew what he was doing anyway. I was hoping if I could log into his server I might be able to find out his name or email address...

Other files I located on his server of interest was a directory "artexpo 2007" which seemed to have been files perhaps taken from another company. I tried contacting the person Kim who was listed on the bottom of some of the documents via email but got no reply.

My question is this: Have I reached the end of my detective work? Is there nothing more I can learn about this person? Has he escaped forever without me being able to (at least) send him an angry email?

Any thoughts/coments would be interesting.

Pete

I modified the post so the ip is not shown now. Any ideas?

LegioX makes a great point. Breaking into a robber's house also makes you a criminal, even if it's to look for evidence of a crime committed against you. Think of how this would be treated in the real world. Not only would you go to jail, but the evidence would be inadmissable. When all is said and done, you're in the jail and the original crminial goes free. Is it fair? Probably not, but escalating crimes cannot be tolerated by law enforcement for understandable reasons.

Can you show financial loss? Unfortunately, many law enforcement outfits won't help if it does not meet a certain dollar amount. With so many cases out there, they have to draw the line somewhere, because they simply don't have the man-power to handle every case. So showing something like $5000 or more of financial loss may get you more attention from both the ISP and the FBI.

The you have to ask yourself... is it worth it? Again not fair but this is life.

Don

the other thing to remember is that that IP is probably the other helpless victim in the mess and "probably" not the real attacker's IP.

that's why contacting the ISP is a good first step.

The ethics part means that you get written permission from the owner of that server to perform a port scan, run tsgrinder, or to even log on to it. LegioX did not say it was unethical to perform a port scan on it, he said it can't do any harm. (This is not entirely correct, as some port scans on some servers may cause the server to reboot or freeze.)

Posting the IP is a bad idea, as even though this site is an ethical hacking site, it is frequented by many unethical types who are thirsty for the information here. Along comes petera and anounces to the world that at a certain IP, there is an open FTP server with free malware to download.

Now crackers usually use steping stones, such as open proxies or other hacked boxes, so this FTP server is probably just the last step before your customers server. It might even be someone elses production server and they may not even know that it is now being used as an open FTP server or even as a malware repository. One thing is sure. When the owner of this server starts to check what's happening to it, they will surely see all your activities there, and they won't seem as inocent to them as they might seem to you.

This is not true. Someone else may have caused him more than $5000 damages (perhaps important production files were stolen from the server, or the companys roadmap was on there), yet the only evidence of anyone ever being there will be yours.

Thank you for the compliment.    Perhaps if you were a bit more paranoid yourself, you might be a good ethical hacker.

When I learned security, I was told that if you follow 2 rules you will (almost) always be safe;
1. Never install anything that you don't have access to the source code and that you can't compile on your own.
2. Never trust anyone online, not even the person masquerading as your grandmother. Everyone online is out to screw you. The only person you can ever trust with a computer is yourself.

then you'll probably get no more help here. 

bye