How to find a hacker ISP? - GoFuckYourself.com

Bear · 10-24-2001, 03:01 PM

Hi all,

My server is attacked by a hacker, he try to guess my member area password. I already deny his IP but he still try to access my site and make my server generate a lot of 403 error.

I just traced his IP:

Reston3.er.usgs.gov (130.11.48.6) 5 ms 3 ms 5 ms
2 MenloPark5-a4-0.usgs.net (198.187.220.105) 84 ms 84 ms 82 ms
3 MenloPark66-v67.usgs.net (130.118.255.253) 84 ms 84 ms 83 ms
4 MaeWest9-p1-0-0-67.usgs.net (130.118.255.249) 84 ms 85 ms 85 ms
5 fddi0-0-0.edge1.fix-west1.level3.net (198.32.136.24) 84 ms 85 ms 85 ms
6 pos1-0.core2.SanJose1.Level3.net (209.244.3.181) 85 ms 85 ms 84 ms
7 ae0-52.mp2.SanJose1.Level3.net (64.159.2.33) 85 ms 85 ms 86 ms
8 * * *
9 * * *
10 * * *
11 bbr0218-mht.lightship.net (216.204.102.18) 193 ms 192 ms 192 ms
12 ipn6-e0126.net-resource.net (216.204.100.126) 191 ms 191 ms 192 ms
13 * * *
14 ipn9-d9200.net-resource.net (216.204.19.200) 594 ms 660 ms 550 ms

But when I go to net-resource.net, I can't access this site. Does any body know how can I find out which ISP that the hacker is using?

He's really crazy, he runs so many request to my server per second. Some body please help!

Bear

[Labret] · 10-24-2001, 03:07 PM

Your fucked and its most likely nothing would happen to them anyways. I used to go thru extraordinary lengths when I first started paysites to track down who was hammering my servers with brute force login and password attacks. 10's of thousands of requests per day. Seemed like they went around the clock. Its easy enough to stop a password leak, but the brute forcing can just be brutal.

My advice is give up. For a reasonable price you can get Pennywize installed and it has helped me out alot.

m0rph3us · 10-24-2001, 03:11 PM

Quote:

Originally posted by Bear:
Hi all,
He's really crazy, he runs so many request to my server per second. Some body please help!

Bear

That doesn't mean he's a hacker dude.

onlyreal · 10-24-2001, 03:17 PM

maybe a kind of DOS attack

Quote:

Originally posted by Bear:
Hi all,
He's really crazy, he runs so many request to my server per second. Some body please help!

Bear

GiggleBerries · 10-24-2001, 03:38 PM

Per second? I have a hard time believing that. What makes you so sure it's the same guy? I see no evidence of that so far. Post times, error messages, etc. Hell, maybe even several lines straight from your error log. I can help you get this crap stopped if it's truly an attack but really if it's a brute fore hack attempt, they're easy to stop. Is any of your content really THAT important?

------------------
Dot Matrix TGP System
GiggleBerries.com TGP
Russian TGP Submitter

Bear · 10-24-2001, 04:25 PM

Yeah, I checked my access log. He can run more than 10 requests within a second. I think it's a brute fore attack becasue it points to my member area.

He already ran it several days already.

AaronM · 10-24-2001, 04:42 PM

Quote:

Originally posted by Bear:
Yeah, I checked my access log. He can run more than 10 requests within a second. I think it's a brute fore attack becasue it points to my member area.

He already ran it several days already.

Here is the answer to your question.
Mail Call (NETBLK-RESO-216-204-19-192)
10 Northern Blvd, Suite 1
Amherst, NH 03031
US

Netname: RESO-216-204-19-192
Netblock: 216.204.19.192 - 216.204.19.255

Coordinator:
Grillo, Paul (ZPG1-ARIN) [email protected]
603-598-3684 3010

Call them. They may or may not give a fuck but it may be worth a try.

------------------
Aaron Matthews Productions

aaron-matthews.com

pr0 · 10-24-2001, 10:35 PM

Reston3.er.usgs.gov (130.11.48.6) 5 ms 3 ms 5 ms

Nice originating IP ...remind me not to do business with you ; )D

------------------

Come use my dialer Bitch
ICQ# 420
Favorite Color: $

AaronM · 10-25-2001, 12:04 AM

Quote:

Originally posted by pr0:
Reston3.er.usgs.gov (130.11.48.6) 5 ms 3 ms 5 ms

Nice originating IP ...remind me not to do business with you ; )D

LOL, no doubt.
An employee of The United States Geological Survey is hardly a threat though.

awechen · 10-25-2001, 10:31 AM

Quote:

Originally posted by Bear:
Hi all,

My server is attacked by a hacker, he try to guess my member area password. I already deny his IP but he still try to access my site and make my server generate a lot of 403 error.

dont denny the IP in your webserver.
if u using unix / linux / BSD
reject in the system route table the IP !
if linux
/sbin/route add -host IPOFUSER gw 127.0.0.1
bsd :
route add -host IP_OF_USER -reject
BUT read bevor the "man route" for rejecting this
or give ne a query on ICQ ...

------------------
"Shock your systemadministration! Read manual-pages!"

kenjin · 10-25-2001, 03:42 PM

i wouldn`t bother with those IP address, hes using a brute force program , it will be using 100`s of public proxies not his own ip address, leaving him anonymous.

------------------
www.thaigirlfriend.net

kenjin · 10-25-2001, 03:54 PM

Quote:

Originally posted by GiggleBerries:
Per second? I have a hard time believing that. What makes you so sure it's the same guy? I see no evidence of that so far. Post times, error messages, etc. Hell, maybe even several lines straight from your error log. I can help you get this crap stopped if it's truly an attack but really if it's a brute fore hack attempt, they're easy to stop. Is any of your content really THAT important?

a brute force program can run 10 attacks per second no problem, it uses bots, say you have 50 bots running simultaneously all using a different IP address,(public proxies) a program like that could run 5,000 password combinations in less than 5 mins quite easily, its only a matter of time before the program gets a correct password combination.it isnt going to use any bandwidth while its attacking the only thing you have to worry about is that the password will probably be given out to 1000s of others free-loaders on request boards. but there is a program that detects if the members are coming from different ip address using the same pass.

------------------
www.thaigirlfriend.net

awechen · 10-25-2001, 09:19 PM

i protect our sites for this with a own login system with session ID an SSL
... show me a ssl passcrack bot

also we send a cookie ...
easy protection agins the fuckers ..

i think to relase the loginsystem for public use ...

... but alos a easy way is make a loginform wih flash.
and a dynamic position of the input box

....

------------------
"Shock your systemadministration! Read manual-pages!"

10-24-2001, 03:01 PM	#1
Bear Confirmed User Join Date: Jul 2001 Posts: 261	How to find a hacker ISP? Hi all, My server is attacked by a hacker, he try to guess my member area password. I already deny his IP but he still try to access my site and make my server generate a lot of 403 error. I just traced his IP: Reston3.er.usgs.gov (130.11.48.6) 5 ms 3 ms 5 ms 2 MenloPark5-a4-0.usgs.net (198.187.220.105) 84 ms 84 ms 82 ms 3 MenloPark66-v67.usgs.net (130.118.255.253) 84 ms 84 ms 83 ms 4 MaeWest9-p1-0-0-67.usgs.net (130.118.255.249) 84 ms 85 ms 85 ms 5 fddi0-0-0.edge1.fix-west1.level3.net (198.32.136.24) 84 ms 85 ms 85 ms 6 pos1-0.core2.SanJose1.Level3.net (209.244.3.181) 85 ms 85 ms 84 ms 7 ae0-52.mp2.SanJose1.Level3.net (64.159.2.33) 85 ms 85 ms 86 ms 8 * * * 9 * * * 10 * * * 11 bbr0218-mht.lightship.net (216.204.102.18) 193 ms 192 ms 192 ms 12 ipn6-e0126.net-resource.net (216.204.100.126) 191 ms 191 ms 192 ms 13 * * * 14 ipn9-d9200.net-resource.net (216.204.19.200) 594 ms 660 ms 550 ms But when I go to net-resource.net, I can't access this site. Does any body know how can I find out which ISP that the hacker is using? He's really crazy, he runs so many request to my server per second. Some body please help! Bear

10-24-2001, 10:35 PM	#8
pr0 rockin tha trailerpark Industry Role: Join Date: May 2001 Location: ~Coastal~ Posts: 23,088	Reston3.er.usgs.gov (130.11.48.6) 5 ms 3 ms 5 ms Nice originating IP ...remind me not to do business with you ; )D ------------------ Come use my dialer Bitch ICQ# 420 Favorite Color: $

10-24-2001, 03:07 PM	#2
[Labret] Registered User Industry Role: Join Date: May 2001 Location: Са́нкт-Петербу́рг Posts: 10,945	Your fucked and its most likely nothing would happen to them anyways. I used to go thru extraordinary lengths when I first started paysites to track down who was hammering my servers with brute force login and password attacks. 10's of thousands of requests per day. Seemed like they went around the clock. Its easy enough to stop a password leak, but the brute forcing can just be brutal. My advice is give up. For a reasonable price you can get Pennywize installed and it has helped me out alot.

10-24-2001, 03:38 PM	#5
GiggleBerries Confirmed User Join Date: Oct 2001 Location: The pay phone outside the 7-11 Posts: 357	Per second? I have a hard time believing that. What makes you so sure it's the same guy? I see no evidence of that so far. Post times, error messages, etc. Hell, maybe even several lines straight from your error log. I can help you get this crap stopped if it's truly an attack but really if it's a brute fore hack attempt, they're easy to stop. Is any of your content really THAT important? ------------------ Dot Matrix TGP System GiggleBerries.com TGP Russian TGP Submitter

10-24-2001, 04:25 PM	#6
Bear Confirmed User Join Date: Jul 2001 Posts: 261	Yeah, I checked my access log. He can run more than 10 requests within a second. I think it's a brute fore attack becasue it points to my member area. He already ran it several days already.

10-25-2001, 03:42 PM	#11
kenjin Registered User Join Date: Oct 2001 Location: UK Posts: 62	i wouldn`t bother with those IP address, hes using a brute force program , it will be using 100`s of public proxies not his own ip address, leaving him anonymous. ------------------ www.thaigirlfriend.net

10-25-2001, 09:19 PM	#13
awechen Confirmed User Join Date: Oct 2001 Location: LA Posts: 162	i protect our sites for this with a own login system with session ID an SSL ... show me a ssl passcrack bot also we send a cookie ... easy protection agins the fuckers .. i think to relase the loginsystem for public use ... ... but alos a easy way is make a loginform wih flash. and a dynamic position of the input box .... ------------------ "Shock your systemadministration! Read manual-pages!"