LinuxQuestions.org


Shr00mBoXx 06-27-2004 05:33 PM

Catching a Hacker...
 
ok... well I am not the biggest into security... but I need some help... an ex-friend of mine has been cracking into my computer and doing little things
i.e. opening up giFTcurs and downloading gay porn, changing hotmail settings so all text is in Japanese, requesting passwords of mine...

well last night I come home from work... open up XMMS and click play... NOTHING works... I am like wtf... so I restart my computer and it can't find anything to boot from... so I pop my slack disk in... try to install lilo but oh wait nm... the disks are corrupt... cfdisk makes me basically format the disks... well anyway, I am almost positive this was him since it was 2 hard drives... and the odds that BOTH drives died on me the same night... but anyway... I called his ISP along with mine and they said the best thing to do is get logs... so I need a way to get SSH logs... and if it is possible logs of commands that are run... can anyone help me

Pcghost 06-27-2004 06:12 PM

Once you get your machine up and you read up on securing services, set up Snort and Tripwire. The first is a packet sniffer/intrusion detection system, and the other is a file system IDS. Make sure you output logging somewhere else, like a different machine if possible. Then the next time the little script kiddie gets a wild hair and 0wn3s your machine, you will have a record of what he did and where (IP) he did it from.

fotoguy 06-27-2004 06:41 PM

I would also consider running a dedicated firewall like Smoothwall or IPCop. Both of these distros already have snort included and set up. They will gladly log everything that hits the firewall, and it will stop him from getting in as well. They block all incoming requests that have not originated from inside the network by default.

Shr00mBoXx 06-27-2004 11:39 PM

Well just an FYI... he isn't a "script kiddie" he is more of a pathetic excuse for a human... who knows my passwords... I have SSH up and running for my personal use... he will just SSH my computer and login that way... so I don't feel packet monitoring will be useful but... btw I am installing Gentoo now... so if anything is different between Gentoo and slack just tell me, and I have a firewall up with an internal firewall

Joey.Dale 06-27-2004 11:52 PM

change the f***'n password

-Joey

orange400 06-28-2004 01:02 AM

haha ... werd. Did you know that MD5s take 20 trillion years to crack with our current technology? ;)

BTW - Smoothwall rules ... I've had someone busting into my router every other day. Now, the activity light on the cable modem blinks, but on the router, it doesn't :D And it's snorted all sorts of things, like attempted virus implants, attempted information leaks, attempted shell hacks, etc ...

Capt_Caveman 06-28-2004 07:56 AM

As far as recovering data (including logs) from the hd, take a look at the LQ security references thread that unSpawn's put together. There is an entire section on undeleting and recovering partitions here.

gensis 06-28-2004 03:04 PM

i recommend u carry a big bat... next time u see your friend give him hell ^^

All that aside, don't give him your IP, if your IP is static call your ISP and change it.
Use snort, tripwire, Smoothwall, or some sort of NAT device to stop that bugger; installing personal firewalls helps too. Since he is your "friend" call him up on the phone and talk serious about this. And don't give in to social engineering either ^^

J.W. 06-28-2004 06:06 PM

I would second joey.dale's recommendation -- in addition to hardening your system, I would immediately change your passwords to something wildly different than whatever you've been using. Most people have a tendency to use the same password for multiple systems, or for their passwords to be variations on the same general theme. If this guy knows your password(s) already, and he knows you pretty well, then chances are reasonably high that even if you change your password to something else, the degree of difference between the old and the new may not be sufficient. Thus, I'd advise you to change it to something completely unlike anything you've used before, and follow the standard rules: it should include letters and numbers, mixed case, the longer the better, etc. Good luck cleaning things up -- J.W.

Shr00mBoXx 06-29-2004 12:26 AM

Well when your password consists of random letters and numbers upper and lower case... it is sorta hard to change them from what you normally use... along with that... it is hard to change my IP because he has ways of figuring it out... i.e. I host my own website and the fact that I visit webpages that log IPs which he has access to, and talk to people who he has access to... but besides that... changing my IP address and password will not stop him from attacking... I don't know if it is still possible but I have already started installing Gentoo and XP on the hard drive again... I don't know if the place where the logs were has been written over or not... when I get Gentoo installed (yes I am slow at it because I suck at reading manuals) but when I get Gentoo up and running I will enable all of that... thank you all for your help

J.W. 06-29-2004 01:44 AM

Quote:

Originally posted by Shr00mBoXx
Well when your password consists of random letters and numbers upper and lower case... it is sorta hard to change them from what you normally use... along with that... it is hard to change my IP because he has ways of figuring it out...
Well, No. Changing your PW is easy, and should be done immediately. Obviously, if you have a website it would be a piece of cake to determine its IP address, and Yes, it's true that you can't prevent a malicious person from trying to attack your site, but you definitely can protect your site by changing the password to a new value. -- J.W.

ppuru 06-29-2004 02:19 AM

Here are some sites that can help you generate a new password... that are perhaps a bit difficult to remember :)

http://www.winguides.com/security/password.php
http://www.multicians.org/thvv/gpw.html

You can find plenty if you google for them

v00d00101 06-29-2004 03:45 PM

Quote:

Originally posted by Shr00mBoXx
it is hard to change my IP because he has ways of figuring it out... i.e. I host my own website and the fact that I visit webpages that log IPs which he has access to, and talk to people who he has access to... but besides that... changing my IP address and password will not stop him from attacking...
To get rid of him knowing your ip address from where u browse, maybe consider using a web proxy to make him think your ip is something other than it is.

If you know for sure he has access, and although it may be a bit unethical, why not think about leaving him a surprise or maybe doing some of the same back to him.

320mb 06-30-2004 12:45 PM

you can also set your system to "REFUSE" connection from "HIS" ISP also.
It's kind of crappy to refuse a whole host of people like that but.........
you can also set it up to "refuse" connection from his "IP Address" also..........

ppuru 06-30-2004 09:59 PM

Alternative to 320MB's post, you can allow ssh connections only to the IP of the external machine that you connect from.

you can put this entry in /etc/hosts.allow

e.g.

sshd: <your external system's IP>
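The original poster asked for a way to get SSH logs, Pcghost suggested keeping logs somewhere the intruder cannot reach, and ppuru suggested allowing sshd only from one known address. The script below is an added example, not from the thread or from OpenSSH: it reads sshd's syslog lines (the "Accepted ... for USER from IP" and "Failed password for USER from IP" lines written to /var/log/messages or /var/log/auth.log), counts logins per user and source address, and flags accepted logins from any address not on an allowlist. The log lines in it are constructed sample data.

```shell
#!/bin/sh
# Summarise sshd logins by user and source address, and flag accepted logins
# that did not come from an address you expect to connect from.

# Constructed sample lines in OpenSSH's syslog format (not real data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jun 27 22:58:11 slackbox sshd[3120]: Accepted password for shroom from 203.0.113.7 port 4022 ssh2
Jun 27 23:01:40 slackbox sshd[3131]: Failed password for root from 198.51.100.9 port 3311 ssh2
Jun 27 23:01:44 slackbox sshd[3131]: Failed password for root from 198.51.100.9 port 3311 ssh2
Jun 27 23:02:02 slackbox sshd[3140]: Accepted password for shroom from 198.51.100.9 port 3320 ssh2
Jun 27 23:40:17 slackbox sshd[3188]: Accepted publickey for shroom from 203.0.113.7 port 4100 ssh2
EOF

# summarise PATTERN LOGFILE: print "user ip count" for every line matching
# PATTERN.  The user is the field before "from" and the address the field
# after it, which also handles "Failed password for invalid user NAME from".
summarise() {
    awk -v pat="$1" '$0 ~ pat {
            for (i = 1; i <= NF; i++) if ($i == "from") { u = $(i-1); ip = $(i+1) }
            n[u " " ip]++ }
        END { for (k in n) print k, n[k] }' "$2" | sort
}

# Successful logins (password or publickey) per user and address.
accepted_logins() { summarise 'sshd[^:]*: Accepted ' "$1"; }

# Failed password attempts per user and address (password guessing shows here).
failed_logins()   { summarise 'sshd[^:]*: Failed password for ' "$1"; }

# unexpected_logins LOGFILE "IP IP ...": accepted logins from addresses that
# are not in the space-separated allowlist (your own external address).
unexpected_logins() {
    accepted_logins "$1" | while read -r user ip count; do
        case " $2 " in
            *" $ip "*) ;;                      # expected source, skip
            *) echo "$user $ip $count" ;;      # anyone else
        esac
    done
}

echo "accepted:";   accepted_logins "$SAMPLE_LOG"
echo "failed:";     failed_logins "$SAMPLE_LOG"
echo "unexpected:"; unexpected_logins "$SAMPLE_LOG" "203.0.113.7"
```

Run it against the real log file and your own external address instead of the sample; if the log lives on the compromised box, ship it to another machine first, as Pcghost suggested, or the intruder can simply delete it.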

