How to Catch a Script Kiddie?

henkk78 (Well-Known Member, Cape Town)
I'm getting just a little bit (okay, way way) too much traffic from a particular IP address.

A reverse DNS lookup tells me it's linked to:

dsl-240-103-09.telkomadsl.co.za

What does this mean? Can I do anything with it? How do I find out which ISP the IP address belongs to?

Any help will be greatly appreciated!
 
what kind of traffic are you seeing from that IP?

If it's incoming traffic then your router/firewall is not set up correctly. No one should be able to make an inbound connection to you (by default) - unless you've opened the ports and are running a web server or something like that.
 
dsl-240-103-09.telkomadsl.co.za What does this mean? Can I do anything with it? How do I find out which ISP the IP address belongs to? Any help will be greatly appreciated!
ummm telkomadsl is your clue :P TELKOM INTERNET!

J
 
No, anyone using a SAIX-based ISP will give a *.telkomadsl.co.za.

So SAIX will be able to track them. Someone else did this on a forum a while back with just someone's IP, but he apparently knew some guys working at SAIX who helped him.

If it is legitimate abuse then send them the info and they should be able to find the guy, or at least his parents' ADSL line. :p
 
So SAIX will be able to track them. Someone else did this on a forum a while back with just someone's IP, but he apparently knew some guys working at SAIX who helped him.

If it is legitimate abuse then send them the info and they should be able to find the guy, or at least his parents' ADSL line. :p

AFAIK IP address isn't used as they are dynamic in SA.

AFAIK they use a 'NAT port number' (I could be thinking of the wrong thing) to track you down. The 'NAT port number' is permanent and unique to the house/location from which the router was accessed.
 
send an e-mail with router logs to [email protected]
This is where you must start. The SAIX abuse desk has access to the RADIUS logs and will refer the complaint to the relevant SAIX reseller. Just supply them with an exact time and an IP address.

If you don't come right with SAIX abuse then you can PM me and I'll apply some pressure.
 
Has the server been hacked or is there simply plenty of (suspicious) traffic?
 
The other way to get rid of the script kiddie is to make sure you have no vulnerabilities on the www server. They might run a script once or twice but if you have no weak points it's pretty pointless for them and they will soon give up.

A few basic pointers to make their life difficult:

I presume you're on Linux - make sure you have the latest version of Apache running, also make sure your backend is secure. If you're running PHP/MySQL make sure that is up to date as well. Set complex MySQL/Linux passwords. Check your code for XSS and possible SQL injections. If you only run HTTP then make sure you don't have unnecessary ports open - this makes an attack easier.

As the others suggested above - contact SAIX if it carries on. Keep as much info/logs as you can. Dates/times/IPs/what they were doing - everything is traceable.
 
iptables -A INPUT -s 41.240.103.9/32 -j DROP

though that won't do you much good and IP addresses are cycled on a 24 hour basis as you know.

In reality you are likely to face script kiddies from all locations, most of which will be automated enumeration attempts; the average botmaster isn't interested in any one particular system, they are more interested in numbers.

It is more likely however that this is an individual. If it is from a South African IP, it could be an infected node, or the actual person themselves; dunno why they would try and enumerate from their own location though, it's asking to get caught.

My advice,

1 >> nmap from an outside location, seal off any unnecessary ports,
2 >> if you have SSH access open, and you need it open from the outside, use something like DenyHosts to prevent dictionary based attacks.
3 >> if you host web services, use nikto http://www.cirt.net/code/nikto.shtml to check if there are known security issues within your site.

Possibly check with your HR dept for any recent disgruntled ex-employees. If they are scanning from their own host, it means they aren't smart, but still a threat nonetheless...
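The two posts above boil down to the same workflow: count what a source is doing in your web server log, keep the exact dates, times and IP for the SAIX abuse desk, and only then block. This is an added example (not code posted in the thread and not a MyBroadband or SAIX tool) that does that against a constructed Apache combined-log sample; 203.0.113.45, 198.51.100.7 and 192.0.2.10 are RFC 5737 documentation addresses standing in for real clients, and the 3-request threshold is an arbitrary assumption. It also prints the thread's iptables rule with its arguments in the right order, and the whois/dig commands that answer "which ISP owns this?" (those need network access, so they are printed rather than run).

```shell
#!/bin/sh
# Added example: triage a noisy source IP from an Apache access log, extract the
# timestamps an abuse desk asks for, and emit the firewall rule and lookup commands.
# Needs only POSIX sh, awk and sort. Log lines are constructed, not real traffic.

SAMPLE_LOG='203.0.113.45 - - [12/Mar/2008:22:14:01 +0200] "GET /phpmyadmin/ HTTP/1.0" 404 290 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Mar/2008:22:14:02 +0200] "GET /pma/index.php HTTP/1.0" 404 290 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2008:22:14:05 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2008:22:14:06 +0200] "GET /admin/ HTTP/1.0" 404 290 "-" "Mozilla/4.0"
203.0.113.45 - - [12/Mar/2008:22:14:09 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 290 "-" "Mozilla/4.0"
192.0.2.10 - - [12/Mar/2008:22:15:00 +0200] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# write_sample_log FILE: materialise the constructed log so every function below
# is called with a path, exactly as it would be with /var/log/apache2/access.log.
write_sample_log() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# top_talkers LOGFILE THRESHOLD: prints "count ip" for each client with at least
# THRESHOLD requests, busiest first. Field 1 of the combined log is the client IP.
top_talkers() {
    awk -v t="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' "$1" \
        | sort -rn
}

# evidence LOGFILE IP: what the abuse desk wants. First and last request time,
# kept with the log's own UTC offset, the request count, and the raw lines.
# Returns 1 if the IP never appears, so a typo in the address is caught.
evidence() {
    awk -v ip="$2" '
        $1 == ip {
            ts = $4 " " $5                  # "[12/Mar/2008:22:14:01 +0200]"
            sub(/^\[/, "", ts); sub(/\]$/, "", ts)
            if (n == 0) first = ts
            last = ts; n++; lines[n] = $0
        }
        END {
            if (n == 0) { print "no requests from " ip; exit 1 }
            print "source:     " ip
            print "requests:   " n
            print "first seen: " first
            print "last seen:  " last
            for (i = 1; i <= n; i++) print "  " lines[i]
        }' "$1"
}

# lookup_cmds IP: whois gives the allocation and its abuse contact; dig -x is the
# reverse lookup the original poster already did. Printed, not executed.
lookup_cmds() {
    printf 'whois %s\ndig -x %s +short\n' "$1" "$1"
}

# block_rule IP: the thread's iptables line with -s before the address and -j after.
# -I INPUT 1 places it ahead of any earlier ACCEPT rule; -A as in the thread appends
# it after them, where an established-connection ACCEPT would shadow it.
block_rule() {
    printf 'iptables -I INPUT 1 -s %s/32 -j DROP\n' "$1"
}

# Demo against the constructed log: flag anyone with 3+ requests, then produce the
# evidence, lookup commands and rule for each flagged address.
demo() {
    f=$(mktemp)
    write_sample_log "$f"
    top_talkers "$f" 3 | while read -r count ip; do
        echo "== $count requests from $ip =="
        evidence "$f" "$ip"
        lookup_cmds "$ip"
        block_rule "$ip"
    done
    rm -f "$f"
}

demo
```

Run it as-is to see the flow on the sample, or point `top_talkers` and `evidence` at the real access log and pass the address from the reverse-DNS lookup. Send the "first seen"/"last seen" lines together with the UTC offset; a dynamic-pool address is only meaningful to the ISP's RADIUS logs when the time is exact.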
 
This is where you must start. The SAIX abuse desk has access to the RADIUS logs and will refer the complaint to the relevant SAIX reseller. Just supply them with an exact time and an IP address.

If you don't come right with SAIX abuse then you can PM me and I'll apply some pressure.

Do you work for SAIX ambo?
 
henk >> the other consideration is that it could be a peer to peer app on your network? Is your server used as a gateway?
 