HACKER's IRC network, smurf configs, etc etc

Alex P. Rudnev alex at Relcom.EU.net
Wed Oct 14 12:22:53 UTC 1998


Hi.

(Sorry, I had no time to read the NANOG forum for some time.)

As the result of my anti-hacker tracing, I found one place where (maybe 
one, maybe a lot of) hackers are playing. This place includes:

IRCD daemon included in the IRC hacker's network;
SMURF program and config files for it;
DNS vuln. checker (boft, I am not sure what it is exactly);
SNIFFER logs;
TELNETD daemon on the port 2001 (do you look at TCP sessions to your port 
2001? This is the hackers, no doubt);
backdoor in login.

It's not difficult to close this host and inform its owners (through 
its school-server, and I am not sure if they did not contact the hackers 
themselves), but it's not the way to decrease hackers' activity. The best 
way is to listen to their IRCD daemons, to trace where they are coming 
from, where they are getting their tools from and (mainly) where they 
(or he, I do not know exactly) store their information.

If someone who is familiar with IRC and LINUX and who lives in the USA (not 
far from the network '209.180.204/24') is tired of the SMURF attacks 
and (better) who knows some official ways to investigate this incident 
(remember, we know about this place and have a back-door account there; 
they do not know it) wants to investigate this incident and fight against 
this particular hacker or hackers' group, welcome...

The incident my investigation was started from was BO activity here in 
Russia; the next step was to find the sniffer installed by the hacker at a 
remote 'WWW' server hosted by our customer and look into this file - a 
lot of interesting things about the hacker himself were found there. Step by 
step... but I never saw an IRC hacker's server and their IRC network and a 
lot of these different tools at the same place... But this place is in the 
USA... 

Once again... it's easy to write a message "Dear system admin. Your 
system is infected and has been used by a hacker for the smurf attack. In 
addition, all your local passwords are (no doubt) sniffed." The result 
- the hacker had 100 backdoors, now he has 99 backdoors; the next day he'll open 
one more... It's better to trace him.

This particular server seems to be a school-server and does not hold 
important information... maybe it's a good place for someone to start from. 
But how to do it better in the case of the USA... I do not know.

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
