Action after a failed hack attempt
09-01-2004 06:06 PM
Since I hadn't logged on, I checked the lastb output and did strings on /var/adm/btmp.
I got an IP address in Tokyo: 210.159.198.1.
I ran it and the reverse address through Google and got nothing. I want to contact the company and warn them about any future hacking attempts.
I have added the following line to my iptables firewall.
block in log quick from 210.159.198.1 to any group 100
Here is what I need:
1) How do I track down the ISP and get the user kicked off?
2) How do I verify that ipfilter is working right after my change?
3) Any further enhancement of the ipfilter conf file to block a larger address block?
You know me. Solutions get points.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
09-01-2004 07:04 PM
This is the full information of IP address 210.159.198.1:
http://www.showmyip.com/?ip=%20210.159.198.1
1> It says the ISP is Dream Train Internet Inc.
Why don't you check with a known, accessible IP by blocking it?
Is it good to check the profile file for that IP address using who am I -Ru?
09-01-2004 07:38 PM
Re: Action after a failed hack attempt
1) Do you know the whois command?
It enables you to do a lookup on the domain name and provides info that could help you.
2) Add an IP address you own to the filter rule and do a test.
3) Sorry...
Regards,
Gideon
09-01-2004 08:54 PM
Re: Action after a failed hack attempt
I did a lookup in http://whois.nic.ad.jp/cgi-bin/whois_gw and http://www.apnic.net/apnic-bin/whois.pl.
HTH.
Regards,
Sri Ram
09-01-2004 11:01 PM
Re: Action after a failed hack attempt
09-02-2004 01:05 AM
Re: Action after a failed hack attempt
You can also use ARIN ( http://www.arin.net ) to search. Here is a link for that IP address:
http://ws.arin.net/cgi-bin/whois.pl?queryinput=210.159.198.1
09-02-2004 01:11 AM
Re: Action after a failed hack attempt
# class A xxx.0.0.0/8 255.0.0.0
# class B xxx.xxx.0.0/16 255.255.0.0
# class C xxx.xxx.xxx.0/24 255.255.255.0
# 128 subnet xxx.xxx.xxx.xxx/25 255.255.255.128
# 64 subnet xxx.xxx.xxx.xxx/26 255.255.255.192
# 32 subnet xxx.xxx.xxx.xxx/27 255.255.255.224
# 16 subnet xxx.xxx.xxx.xxx/28 255.255.255.240
# 8 subnet xxx.xxx.xxx.xxx/29 255.255.255.248
# 4 subnet xxx.xxx.xxx.xxx/30 255.255.255.252
# 2 subnet xxx.xxx.xxx.xxx/31 255.255.255.254
# single address xxx.xxx.xxx.xxx/32 255.255.255.255
# Drop everything from the following IPs
echo "Process the bad people ..."
$IPT -A INPUT -p ALL -s 210.159.198.0/24 -j DROP
etc...
For logging, I set this up in syslog.conf:
# log iptables
kern.warning /var/log/iptables.log
Haven't tried this yet, but was about to install: IPTables log analyzer
http://www.gege.org/iptables/
dig -x 210.159.198.1
gives you the domain, then a simple whois gives you the ISP...
Rgds...Geoff
09-02-2004 01:56 AM
Re: Action after a failed hack attempt
I wrote a script to run the btmp file and found 38 attempts to log on from that address. All failed.
I guess I do know a thing or two about security. I see a couple of bunny quality posts and will make changes. If I use your post, you got yourself 8 points minimum....
SEP
09-02-2004 02:10 AM
Re: Action after a failed hack attempt
I have contacted the company and requested the user be stopped and compensation.
I will go through other suggestions as time presents itself during the day and award points as fast as possible.
I will not close the thread until the ipfilter changes are validated.
SEP
09-02-2004 02:21 AM
Re: Action after a failed hack attempt
One other thing. Make sure you have a login banner warning users about unauthorized access & possible consequences of such, or any legal pursuits may be frivolous. Many courts have ruled that w/o notice given, users may plead "open door" policy, i.e. they assumed it was "OK" to access the system.
Below is what we use:
===========================================================================
PROPRIETARY INFORMATION
All content of this system and its associated sub-systems are PROPRIETARY
INFORMATION and remain the sole and exclusive property of this company.
This system may be accessed and used by authorized personnel only.
Authorized users may only perform authorized activities and may not exceed
the limits of such authorization. Disclosure of information found in this
system for any unauthorized use is *STRICTLY PROHIBITED*. All activities on
this system are subject to monitoring. Intentional misuse of this system
can result in disciplinary action or criminal prosecution.
===========================================================================
Note that there is *NO* mention of just what organization one is attempting to access. That is entirely deliberate - you don't want to give hackers a clue about who you are. Just what will happen if you attempt to hack in.
HTH,
Jeff