what to do about a hacker?
April 12, 2005 9:09 PM

I've found the IP address of someone who's hacked my phpBB. now what?

Earlier tonight, I found that every post and forum on my phpBB had been erased and I wasn't able to log in. I had a fellow admin reset my password, and it was then that I noticed a strange IP address logged in as me. And for a time after that, every post or forum I created vanished until I banned said address at the server level. So I'm reasonably certain that that's the guy.

But now, I'm not sure what recourse I have. Is there a law enforcement agency I can report the address to? Should I report the address to the offender's ISP? I have access to the server logs but I'm not sure what to look for in order to offer proof. Any ideas?
posted by mcsweetie to Computers & Internet (10 answers total)
 
Probably the only thing you can do is report the IP to the offender's ISP. Keep in mind that it's probably not the offender's IP address either, but another machine that he hacked.

The FBI does investigate crimes like this, but they tend to go for much bigger fish. I've only seen them get involved when corporations get hacked and request assistance. Sometimes companies will pay incident responders to track down the jerk who hacked them, but most of the time that just goes nowhere, and costs them thousands of dollars.

Reporting this to the offender's ISP will probably just result in the hacker losing the machine he owns there. At least it's something though, and the people deserve to know that their machine is owned (assuming they themselves aren't the offenders).

Good luck.
posted by agropyron at 9:23 PM on April 12, 2005


Unfortunately, the only recourse you have is to try and get to the point where criminal charges are made, then a police officer or judge can ask the ISP for logs, to figure out what Rogers customer was using that cable modem at that time.

But like agropyron said, it could just be an infected PC running zombie services that could act as proxies, and without the actual owner's knowledge.

Whenever I get hack attempts on any of my stuff, it always seems to come from open proxies in Eastern Europe, which are nearly impossible to trace.

(also, samspade is my favorite whois service: check it out)
posted by mathowie at 9:26 PM on April 12, 2005


As far as offering proof, if you want to give proof that will stand up in a court of law, you'd probably have to shut down the machine, yank out the hard drive, label it with the time and date, seal it in a plastic bag, and so on. I can't give exact details, but I'm pretty sure it's more trouble than you want to go to. Printed logs, or copy/pasted logs are nice for casual proof, like getting the ISP to track down the machine, but for a criminal investigation they need something more. Even if the evidence is preserved professionally, its veracity is called into question.
posted by agropyron at 9:26 PM on April 12, 2005
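The question asks what to look for in the server logs, and agropyron's answer above separates casual proof (a log excerpt for the ISP) from court-grade evidence. The script below is an added example of the casual kind, not code from anyone in this thread: it parses Apache combined-format lines, pulls out everything one address did, flags requests to phpBB 2.x scripts an intruder would touch (admin/, login.php, posting.php with mode=delete, and so on), checks whether any other address reused the same phpBB session id (which would point at a hijacked session rather than a guessed password), and hashes the raw excerpt so the copy sent to abuse@ can later be matched against what was kept. The log lines, addresses and the sid= query parameter convention are assumptions constructed for the example; the hash proves only that the excerpt did not change after it was taken, which is exactly the gap agropyron describes.

```python
import hashlib
import re
from collections import Counter

# Apache "combined" access-log format (the usual default for shared hosts).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+'
)
# Assumption: a stock phpBB 2.x install that carries the session id as sid=... in
# the query string. Adjust if the board is cookie-only.
SID_RE = re.compile(r"[?&]sid=([0-9a-fA-F]+)")

# phpBB 2.x scripts whose use by an unexpected address deserves a second look.
# Assumed stock layout; not taken from the thread.
SENSITIVE = ("/admin/", "/login.php", "/posting.php", "/privmsg.php", "/profile.php")

# Constructed sample log, not real traffic. 203.0.113.45 plays the intruder,
# 198.51.100.7 the legitimate admin and 192.0.2.200 an uninvolved reader
# (all RFC 5737 documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/2005:19:58:02 -0500] "GET /phpBB2/index.php?sid=6f3a HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Apr/2005:20:41:07 -0500] "GET /phpBB2/index.php?sid=6f3a HTTP/1.1" 200 8812 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Apr/2005:20:41:12 -0500] "GET /phpBB2/admin/index.php?sid=6f3a HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Apr/2005:20:42:30 -0500] "POST /phpBB2/admin/admin_forums.php?sid=6f3a HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.200 - - [12/Apr/2005:20:43:01 -0500] "GET /phpBB2/viewtopic.php?t=12 HTTP/1.1" 200 4401 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Apr/2005:20:44:15 -0500] "POST /phpBB2/posting.php?mode=delete&p=77&sid=6f3a HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Apr/2005:20:45:00 -0500] "GET /phpBB2/profile.php?mode=editprofile&sid=6f3a HTTP/1.1" 200 6100 "-" "Mozilla/4.0"
""".splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def triage(log_lines, suspect_ip):
    """Summarise what suspect_ip did: request volume, time window, requests to
    sensitive phpBB scripts, and any other address that used the same session id."""
    entries = [e for e in map(parse_line, log_lines) if e]
    mine = [e for e in entries if e["ip"] == suspect_ip]
    flagged = [e for e in mine
               if any(s in e["path"] for s in SENSITIVE) or "mode=delete" in e["path"]]
    sids = {m.group(1) for m in map(SID_RE.search, (e["path"] for e in mine)) if m}
    # The same sid arriving from a second address means the session was reused,
    # which points at session hijacking rather than a guessed password.
    shared = set()
    for e in entries:
        m = SID_RE.search(e["path"])
        if m and m.group(1) in sids and e["ip"] != suspect_ip:
            shared.add(e["ip"])
    return {
        "total_requests": len(mine),
        "first_seen": mine[0]["ts"] if mine else None,
        "last_seen": mine[-1]["ts"] if mine else None,
        "methods": Counter(e["method"] for e in mine),
        "flagged": [(e["ts"], e["method"], e["path"], e["status"]) for e in flagged],
        "other_ips_using_same_sid": sorted(shared),
    }


def excerpt_with_digest(log_lines, suspect_ip):
    """Copy the suspect's raw lines unmodified and hash the copy, so the excerpt
    mailed to abuse@ can later be shown to match what was kept. This proves only
    that the copy did not change after hashing; it is not court-grade evidence."""
    raw = [l for l in log_lines if l.split(" ", 1)[0] == suspect_ip]
    digest = hashlib.sha256("\n".join(raw).encode()).hexdigest()
    return raw, digest


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, "203.0.113.45")
    for key, value in summary.items():
        print(f"{key}: {value}")
    lines, digest = excerpt_with_digest(SAMPLE_LOG, "203.0.113.45")
    print(f"{len(lines)} raw lines, sha256 {digest}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the flagged list, in time order, is the part worth pasting into the abuse report, and the other_ips_using_same_sid field is the first thing to check before assuming the password was simply guessed.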


There is a mod for phpBB that logs the IP of all users (check around at phpbb.com). You could use that to find out if the IP is being used by a registered user on your board. Then you have a person to go after, or at least an E-mail address or name. This I think is the only realistic way of handling it, aside from better security.
posted by rolypolyman at 10:45 PM on April 12, 2005


Alternately, you can also write an .htaccess to block their IP or a range of their IP. It wouldn't stop any serious hacker as they can just go use a proxy or an open WiFi connection, but on the other hand if you use the .htaccess creatively to redirect them to a hidden page saying the server will be down for a week or more, they'll think the board really is down and probably quit monkeying around for a while.
posted by rolypolyman at 10:52 PM on April 12, 2005
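An added example of the .htaccess approach rolypolyman describes, not from the post itself. It shows the plain block and the decoy redirect side by side; 203.0.113.45 and /maint.html are placeholders (an RFC 5737 documentation address and an assumed static page), to be replaced with the address from the logs and a page of your own. The two options are alternatives, not a pair: Apache evaluates access control before mod_rewrite, so a Deny for the same address answers 403 and the redirect never fires.

```apache
# .htaccess placed in the phpBB directory (added example, placeholder address).

# Option A: outright block of one address and its /24.
# Apache 1.3/2.0/2.2 syntax; Apache 2.4 expresses the same thing with
# mod_authz_core "Require" directives instead.
# Order Allow,Deny
# Allow from all
# Deny from 203.0.113.45
# Deny from 203.0.113.0/24

# Option B: the decoy. Only the listed address is sent to a static
# "down for maintenance" page; every other visitor sees the board as usual.
# The second condition stops the redirect from looping on the decoy page itself.
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^203\.0\.113\.45$
RewriteCond %{REQUEST_URI} !^/maint\.html$
RewriteRule ^ /maint.html [R=302,L]
```

Watch error_log after saving: a typo in an .htaccess file takes the whole directory down with a 500 for everyone, not just the intruder, and mod_rewrite must be loaded and AllowOverride must permit FileInfo for Option B to take effect at all.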


The FBI does investigate crimes like this, but they tend to go for much bigger fish.

The general rule of thumb I've heard from various sysadmins who've gotten hacked is that if you can't demonstrate $5000 in losses, the FBI will investigate it the way the local police will investigate your stolen pocket calculator.

The only thing you can do is report the offending IP to abuse@[ISP]. Being mostly anonymous is trivial these days - go to a nice downtown area with your laptop, find an open access point and enjoy (making sure to fake your MAC address). *Good* rootkits for all purposes are trivial to acquire these days, scan some IP ranges until you find an unpatched Windows machine and use it as a proxy. Conduct your business from there.

If the person who did your messageboard in had two braincells, they did something like this. You really stand next to no chance of catching them, unfortunately.
posted by Ryvar at 11:01 PM on April 12, 2005


now what?

Now check that your version of phpBB is up to date, set yourself a less easy to guess password, then go about your daily business and forget about ever catching anybody.
posted by ajbattrick at 12:58 AM on April 13, 2005


Huh; as an aside, where can I get my hands on some decent rootkits, Ryvar? I'd like to point them at my servers and see if anything bad happens. Guess I could do some research, but maybe you could just suggest some titles.
posted by fishfucker at 12:59 AM on April 13, 2005


FF: It's been five years since I did that kind of thing. That said, I think you've got your terminology confused - a rootkit is what you install after finding an exploitable system. It's the backend server designed to allow you to use the machine for purpose X without the user ever catching wise (by making sure it doesn't show up on the process list, etc.).

For example, Back Orifice 2000 and the thousands of derivations thereof are among the oldest ones - I'm sure you've heard of it. What the modern ones would be called, I honestly do not know.

If you want to scan your servers for vulnerabilities, which sounds more like what you're trying to do, head over to nmap.org and check out their security tools section. There are all KINDS of neat toys to play with over there. Nessus and nmap in particular have yielded positive results for me in admin-sanctioned pen-testing of IIS servers.
posted by Ryvar at 1:45 AM on April 13, 2005


Nift. I'll try those two out.
posted by fishfucker at 9:31 AM on April 13, 2005

