I'm an IT engineer in London. Last Thursday I was called out to a client who I had never been to before. They were having some major server problems. After poking around a bit it transpired that their server had been hacked. Whoever had got in had created himself a user account with domain admin privileges and inserted a virus on the server which ran as "2footninja.exe" or something like that. I spent most of the day locking down the server so it couldn't be repeated. However, I then began checking the logs to see if I could find anything about who had hacked this server. I subsequently found that whoever had hacked this server did so from the IP address <REMOVED AS SOMEONE COMPLAINED>. After doing a quick whois on the PTR record it seemed that this was a "one and one internet" customer (I assume this is a broadband provider in the US). More than that I cannot tell. I then did some portscans and found 3389 and FTP open. I also managed to log in via anonymous FTP and located the virus he used to infect my server in a file "foot.zip". I then left and went home; that night I ran tsgrinder against his terminal server port but came up with nothing - no doubt my dictionary attack would have been ineffective against someone who knew what he was doing anyway. I was hoping that if I could log into his server I might be able to find out his name or email address...
Other files of interest I located on his server were in a directory "artexpo 2007", which seemed to contain files perhaps taken from another company. I tried contacting the person Kim who was listed at the bottom of some of the documents via email but got no reply.
My question is this: Have I reached the end of my detective work? Is there nothing more I can learn about this person? Has he escaped forever without me being able to (at least) send him an angry email?
Any thoughts/comments would be interesting.