2007-05-19 08:21:10 00.000.000.00 2243 00.000.000.000 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind:) 400 - Hostname -
Additional information about those responsible for the hack attempts is as follows (retrieved from #*$!):
CustName: ----------------(hidden by me)
Address: Private Address
City: Plano
StateProv: TX
PostalCode: 75075
Country: US
RegDate: 2005-08-27
Updated: 2005-08-27
Apparently this person was trying to use the dfind hacker tool to find vulnerabilities on my server. The IP address belongs to AT&T Yahoo, and I've already contacted them by email. I believe that subsequent hack attempts have originated from this IP; however, the IP address has been masked by the use of proxies. I think that this may be someone I know because the IP is only about an hour's drive from me. I'm starting to suspect a disgruntled former client who has friends living where that IP's from.
Has anyone here had any similar experiences? What do you think AT&T Yahoo's response will be? Is there anything else I can do or should not do?
I am also considering reimaging my server because of system issues but I am concerned that would erase any information needed for investigative purposes. I have saved my log files, though, on a CD but I'm thinking that AT&T Yahoo or whoever investigates this needs the server as it is.
And this is not a "hacker" -- A hacker (or more properly, "cracker") is someone who gets into your server and modifies or deletes files, an activity you will never see in your HTTP (Web access) log files. This is just a log-file polluter who sends invalid requests that will never successfully get content from any properly-configured server.
The address in Plano, Texas (not far from here) is a local network operations center for SBC/Yahoo's ISP services. So this is just some guy (or probably his zombied computer) who uses SBC/Yahoo as his ISP.
Jim
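As an added example (not code from either poster), here is a small Python script that picks the DFind probe out of log lines in the layout quoted above, tallies it per client address, and records whether any probe was ever answered with a 2xx, which is the check behind the point that a properly configured server never serves it content. The field order and the sample lines are assumptions constructed from the one line in the thread.

```python
import re

# Constructed sample lines in the same whitespace-separated layout as the log
# line quoted in the thread. Field order is ASSUMED from that one line:
# date time c-ip c-port s-ip s-port cs-version cs-method cs-uri-stem sc-status
# sc-substatus cs-host cs-user-agent. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2007-05-19 08:21:10 192.0.2.10 2243 198.51.100.5 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind:) 400 - Hostname -
2007-05-19 08:21:11 192.0.2.10 2244 198.51.100.5 80 HTTP/1.1 GET /index.html 200 - Hostname -
2007-05-19 08:22:03 192.0.2.77 3100 198.51.100.5 80 HTTP/1.1 GET /about.html 200 - Hostname -
2007-05-19 09:05:40 192.0.2.10 2301 198.51.100.5 80 HTTP/1.1 GET /w00tw00t.at.ISC.SANS.DFind:) 400 - Hostname -
"""

# The DFind probe always requests this fixed, nonexistent path.
SCANNER_PATTERN = re.compile(r"^/w00tw00t\.at\.ISC\.SANS\.DFind", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict; return None for comments or malformed lines."""
    f = line.split()
    if len(f) < 13 or f[0].startswith("#"):
        return None
    return {"date": f[0], "time": f[1], "client_ip": f[2],
            "method": f[7], "uri": f[8], "status": f[9]}


def scanner_report(log_text):
    """Count DFind probes per client IP and note whether any was served content.

    Returns {client_ip: {"probes": n, "served": bool, "first": "date time"}}.
    A "served" of True would mean the server answered a probe with 2xx and
    deserves a closer look; 400/404 answers are the expected, harmless outcome.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SCANNER_PATTERN.match(rec["uri"]):
            continue
        entry = report.setdefault(rec["client_ip"],
                                  {"probes": 0, "served": False, "first": None})
        entry["probes"] += 1
        entry["served"] = entry["served"] or rec["status"].startswith("2")
        if entry["first"] is None:
            entry["first"] = f"{rec['date']} {rec['time']}"
    return report


if __name__ == "__main__":
    for ip, info in scanner_report(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at a saved copy of the real log (read the file into `scanner_report`) to get the per-address timeline to include in an abuse report.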
Oh, the "ISC at SANS" bit in the User-agent string is the Internet Storm Center [isc.sans.org] at the SANS (SysAdmin, Audit, Network, Security) Institute, a major center for tracking Web exploits.
Someone probably got mad at them years ago, and turned this stupid client loose to get 'revenge' on them...
Jim
I had read somewhere on the SANS site, though, about the dfind tool and how it's used by hackers to case servers. Also, the CustomerName portion of the info I posted actually has a customer name; I'm thinking that it's maybe some sort of dedicated business server going through the local network operations center system. When I visit the IP through a browser I also get an under construction page.