LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-24-2008, 09:07 AM   #1
procfs
Member
 
Registered: Jan 2006
Location: Sri Lanka
Posts: 651

Rep: Reputation: 34
need to trace a hacker


Hi

I have a server running Redhat linux 2.1, in message logs I can see some one from pedicular domain trying to login to the server. In message file all I can see is the guys domain, username, time, etc but not the IP which he is coming from. how can I find (trace) where this login is coming from ..

Regards
 
Old 03-24-2008, 09:21 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599
If you mean in active mode (still trying) set up ipchains/iptables logging rules, run tcpdump or use an IDS like Snort. If you mean passive mode then maybe the (failed) login records and services logs hold more details (depending on how much info you log of course). Probing is quite common. In any case you may want to verify the offender didn't try enter through other service(s) and use a blocking application, see http://www.linuxquestions.org/questi...tempts-340366/ for details. If that doesn't help, posting full details on what service(s) this is about, what access controls are in place and whatever info you got on the offender may help us help you better.
 
Old 03-24-2008, 09:22 AM   #3
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Doesn't the domain resolve to the ip address ?
 
Old 03-26-2008, 05:02 AM   #4
procfs
Member
 
Registered: Jan 2006
Location: Sri Lanka
Posts: 651

Original Poster
Rep: Reputation: 34
Hi guys thanks for the reply, by the way the name do not resolve to an ip address, thats the problem that we are having.

Best regards
 
Old 04-05-2008, 12:47 AM   #5
novent
LQ Newbie
 
Registered: Jan 2008
Posts: 7

Rep: Reputation: 0
Spoofed

If you are truly being attacked, as in this is not an automated tool of some sort, then the mischievous end user is probably spoofing. More so proven by the lack of name/ip resolution. This is typically the slight of hand trick. Keep you tracking down and looking at something that doesn't really exist while a very quite and concentrated attack is happening elsewhere.

To combat this a very thorough and effective firewall with a solid IDS is usually the best chance you have a finding out what is really happening. Also I am a big fan of port knocking as a heightened measure for admin ports.
 
Old 05-17-2008, 09:04 AM   #6
procfs
Member
 
Registered: Jan 2006
Location: Sri Lanka
Posts: 651

Original Poster
Rep: Reputation: 34
Hi guys thanks

Best regards
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What would you ask an ex-hacker? Ricio Linux - Security 12 02-10-2008 09:43 AM
"killed" Message - how to trace/back trace ebinjose Linux - Kernel 1 01-29-2008 07:12 AM
Could it be a hacker? Madone_SL_5.5 Linux - Server 19 12-15-2006 11:31 AM
Been hacked Any way of getting ip of hacker? mattfraunfelter Linux - Security 14 03-30-2005 07:02 PM
Trace hacker? mikeshn Linux - Security 8 04-17-2003 02:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration