The attacker, having intercepted traffic, obtained the credentials of an e-mail account. By watching the correspondence, the attacker found a domain registered to that mailbox which belonged to a small company. The attempt to seize control of the company's website led to a statement to Department “K”, which then spent several months searching for the attacker and, just before New Year, to fulfill the plan, successfully closed the case. And now about all this and more...
Information leak
Like most such stories, this one began with a leak of e-mail account credentials. The suspected source of the leak was a Wi-Fi access point in one of the hotels in St. Petersburg. The e-mail address that fell into the attacker's hands belonged to a small Moscow company.
Study
Access to the mailbox and observation of the correspondence gave the attacker further information: besides inside knowledge of the company's activities and personal details of the company's director, it revealed that the company's domain was registered to this e-mail address.
Getting access
Using the password recovery procedure, the attacker obtained the FTP credentials of the company's website. After copying everything, the attacker decided to set up a copy of the site in order to profit from the advertising placed on it. Since the company's website had existed since 2003, the domain had accumulated a citation index high enough to be profitable. To steal this index, the attacker modified the robots.txt file on the company's server. It was this change that the owner of the company's website noticed.
Detection
On contacting the hosting provider's support service (Hosting Center), the owner obtained the FTP access logs for the website; as it turned out, Hosting Center keeps logs only for the last 3 months. But the information in the logs was sufficient to identify the attacker's IP address. Judging by the attacker's behaviour, his computer experience was not particularly great, comparable to that of the owner of the company's website.
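The two things that gave the game away above were a write to robots.txt and FTP access from an address the owner did not recognise. The following script is an added example, not code from the original post or from the hosting provider: it runs over a constructed FTP access log (the key=value line format, IP addresses, account name and file paths are all invented for illustration; a real provider's log format will differ) and pulls out exactly those signals: logins from addresses outside the owner's known set, bulk downloads that look like a site copy, and writes to files that steer search engines. It also checks the live robots.txt against the hash of the version the owner published.

```python
"""Triage of FTP access logs after a suspected account takeover.

Added example (not part of the original post). The log format, field
names, IP addresses, account name and file paths below are constructed
for illustration; a real hosting provider's FTP log will differ.
"""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample log: one line per FTP command, key=value fields.
# 203.0.113.10 is the owner's office; 198.51.100.23 is the intruder.
SAMPLE_LOG = """\
2010-09-14 09:02:11 user=webadmin ip=203.0.113.10 cmd=STOR path=/public_html/news.html status=226
2010-09-14 09:03:40 user=webadmin ip=203.0.113.10 cmd=RETR path=/public_html/index.html status=226
2010-09-20 02:41:03 user=webadmin ip=198.51.100.23 cmd=RETR path=/public_html/index.html status=226
2010-09-20 02:41:05 user=webadmin ip=198.51.100.23 cmd=RETR path=/public_html/about.html status=226
2010-09-20 02:41:07 user=webadmin ip=198.51.100.23 cmd=RETR path=/public_html/price.html status=226
2010-09-20 02:41:09 user=webadmin ip=198.51.100.23 cmd=RETR path=/public_html/robots.txt status=226
2010-09-22 23:15:52 user=webadmin ip=198.51.100.23 cmd=STOR path=/public_html/robots.txt status=226
2010-09-23 10:00:00 user=webadmin ip=203.0.113.10 cmd=RETR path=/public_html/robots.txt status=226
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"cmd=(?P<cmd>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)

# FTP commands that modify the site; everything else is read-only.
WRITE_CMDS = {"STOR", "DELE", "RNTO", "MKD", "RMD", "APPE"}
# Files whose modification changes how search engines see the site.
WATCHED = {"/public_html/robots.txt", "/public_html/.htaccess"}


def parse_ftp_log(text):
    """Parse the constructed log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def unknown_sources(records, trusted_ips):
    """IPs that used the account but are not the owner's known addresses,
    with the number of commands each issued."""
    return dict(Counter(r["ip"] for r in records if r["ip"] not in trusted_ips))


def bulk_downloads(records, threshold=3):
    """IPs that fetched at least `threshold` distinct files: a site copy looks like this."""
    files = defaultdict(set)
    for r in records:
        if r["cmd"] == "RETR":
            files[r["ip"]].add(r["path"])
    return {ip: len(paths) for ip, paths in files.items() if len(paths) >= threshold}


def watched_file_writes(records):
    """(timestamp, ip, path) for every write to a watched file, in log order."""
    return [(r["ts"], r["ip"], r["path"]) for r in records
            if r["cmd"] in WRITE_CMDS and r["path"] in WATCHED]


def robots_changed(known_sha256, current_content):
    """True if the live robots.txt no longer matches the hash of the owner's version."""
    return hashlib.sha256(current_content.encode()).hexdigest() != known_sha256


def triage(text, trusted_ips):
    """Run all three log checks and return the findings in one dict."""
    records = parse_ftp_log(text)
    return {
        "unknown_sources": unknown_sources(records, trusted_ips),
        "bulk_downloads": bulk_downloads(records),
        "watched_writes": watched_file_writes(records),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG, trusted_ips={"203.0.113.10"}).items():
        print(name, finding)
```

The log checks only work while the provider still has the logs; with the 3-month retention mentioned above, a quarterly run of something like this against exported logs, plus a hash check of robots.txt after every legitimate publish, would have caught the copy a week after it happened rather than when the domain dropped out of the search engines.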
Application to the police
The information obtained formed the basis of a statement to the Moscow police; as it turned out, statements of this kind are accepted only at Petrovka. In addition to the facts above, the statement described the damage the company suffered when the domain disappeared from the search engines. The statement was accompanied by a copy of the hosting access logs for the company's website showing the unauthorised activity: the copying and modification of information. Some of the information also served as proof of copyright.
The fate of the statement
The statement lay at Petrovka for 30 days, after which the applicant was informed that it had been transferred to the location of the hosting. After a few more weeks of consideration, it was forwarded to St. Petersburg, the location of the attacker's IP address. On receiving the statement, an investigator of the local Department “K” contacted the applicant to clarify a number of questions and asked him to fill in a statement form and send it by post. The testimony was dated 22 December 2010. The letter was sent on December 23, and, as a recent letter revealed, on December 24, 2010 the case was closed for absence of corpus delicti.
Case is closed
The applicant now holds a recently received letter containing the attacker's passport details, his registered address in St. Petersburg and the number of his contract with Nevalink, the provider through which the attacker accessed the Internet. Oddly, immediately after the case was transferred to St. Petersburg, the copy of the website on the attacker's domain was replaced with other content.
I hope that the law enforcement agencies at least seized the attacker's computer, even if only for their own needs; the injured director of the small Moscow company, however, will surely see for himself by paying the attacker a visit at the registered address given in St. Petersburg.