Continued, start here.
When I logged on to the server, I saw the bank's page open in the browser, several compiled versions of a popular virus, Apache logs that recorded the attack, and an open terminal session to a server with a Turkish IP inviting you to enter a login and password. It was clear from the Apache logs that the Turkish server was one of the worm's "heads", i.e. a focal point of the attack.
It was necessary somehow to issue the command to stop the attack; otherwise, by just "cutting off" the head, we could not stop the DDoS. Understanding that I had already exceeded my authority enough, I archived all the files on the server that interested me, sent the archive to my email, took several screenshots and informed Sergey Ivanovich that he could return access to the server to the hacker.
Later, as Sergey Ivanovich had promised, he provided me with an ICQ number and the hacker's mobile phone number. The hacker's name was Alexander. Sergey Ivanovich said that Alexander worked as a programmer for a foreign customer. The customer rented this and several other servers on their hosting for their needs. Later, Sergey Ivanovich also asked the customer whether he was aware that Alexander was using the server for DDoS attacks. At the same time, the hacker was fired. He was brazen and did not try to hide, cover his tracks, or deny what he was accused of. He was confident of his impunity.
While the network engineers of the communications department, together with Cisco employees who had been urgently called in, installed the DDoS protection module (tens of thousands of simultaneously open connections nevertheless put a heavy load on the firewall), I tried to find out who Alexander was and whether I was mistaken in my accusations. Building an Internet profile from the ICQ number was not difficult: this ICQ belonged to a person with the nickname Flick from Odessa, who had successfully found work in Kiev and moved there with his wife. Things were going well for them, and he even asked for advice about buying a car on one of the forums. Also among his posts were several about organizing botnets and offering their services. This information confirmed my suspicions, and I decided to contact the hacker via ICQ.
- Hello, Alexander, I am an employee of the information technology department of the bank <% bank_name%>
- Hello
- I will ask you a question directly: I need access to the server which is the "head" of the worm
- what worm?
- Alexander, I offer you a deal: you tell me the username and password for the server with IP XX.XXX.XXX.XXX, or disable the DDoS attack yourself, and my actions will go no further than this dialogue. Or you continue to resist, and I will hand over all the information about you to the bank's security service, and they will continue the conversation.
- and if you can't prove anything, who will compensate me for moral damages?
- Alexander, are we cooperating or not?
- I have no idea what you're talking about.
Within an hour after this dialogue, the Turkish server stopped responding to pings. The "head" was cut off. The only thing left was to hand over all the information to the bank's security service, which I did.
The security service filed a complaint with the police, and after a while I received a call from the economic crime department and was asked to come in for a consultation. Beforehand, one of the bank's security chiefs gave me some useful tips on how to behave when talking to the Economic Crimes Department and told me that the case was being handled by a young, excellent specialist, a guy who was crazy about this work in a good way. But she also said that we should understand that his top priority now was a case about organizing child pornography on the Internet, which he was leading, and she honestly admitted that since the damage caused to the bank by the attack is difficult to assess, we did not have many chances of a successful outcome. But, as they say, our job is to crow, and whether the dawn breaks after that is not our concern...
That, in fact, is the end of it. Whether as a result of the case being handed to the police or of the conversation on ICQ, the attack stopped the next day and the story ended. During the year after the consultation at the economic crime department, nobody informed me about the results of the case, but from time to time the short ICQ number came online, and it was clear that the hacker remained unpunished. Or was he punished? By the loss of his job and the nervous strain, which, I think, he had in abundance.
the end
UPD: it seems that the hacker has appeared in the comments. I will not say for sure, but the nickname looks similar, and the comments are tricky. I will write more precisely when I have studied it.