hacker tracking

To: debian-user@lists.debian.org
Subject: hacker tracking
From: Mike McClain <mike.junk.46@att.net>
Date: Sun, 18 Jun 2017 16:52:16 -0700
Message-id: <[🔎] 20170618235216.GA29794@playground>
Mail-followup-to: debian-user@lists.debian.org

First let me say that according to my IDS I haven't been hacked.
I don't have a website or run any servers for off site access.
Just an individual with an ATT internet connection.

    All the flack in the news lately about Russian hacking and Putin's
denials got me curious and I enabled my firewall to start logging
dropped incoming packets.
    I must admit to being surprised at the quantity of attempts to
hack into my computer. It only took a couple of days before I started
rotating those logs to keep the size down. I'm getting from 20,000 to
over a million hits a day on a computer that's only online 3-4 hours a
day and often much less.
    By doing 'whois' lookups on the source IP of the dropped packets
I've built a database of the IP, country, inetnum/route and hit count.
Now as I go through yesterday's log most hits fall into previously
seen routes greatly reducing the number of 'whois' lookups.
    Using the same program to read the logs, compile the database and
pull various relations from the data I've seen some surprising things.

These are the countries most often showing up in the logs:
mike@/deb73:~> perl/hackers.pl -s | awk '$1>100'
hitcount, country, numIPs
646 US 373
636 CN 513
562 IE 6
153 RU 107
143 FR 40
108 IN 83
In order, the 2 letter codes detailed in ISO-3166 equate to:
the United States, China, Ireland, Russia, France and India.

Notice that Ireland which has third highest hits has only 6 unique IPs.
mike@/deb73:~> perl/hackers.pl -c IE
CountryRoutes(IE),      numHits
86.40.0.0/15,   1
87.198.0.0/16,  1
91.230.47.0/24, 560

The most hits from Ireland come from a single route.
mike@/deb73:~> perl/hackers.pl -r 91.230.47.0/24
routeIPs(91.230.47.0/24),       numHits
91.230.47.3,    13
91.230.47.37,   24
91.230.47.38,   522
91.230.47.4,    1
It would seem likely that all of these are from the same person and
in fact the packet info logged includes the MAC address which verifies
that this is all one hacker.

Browsing the logs has shown be that the MAC address can be spoofed.
One day I was getting hit every 6 seconds by IP address that spread
across the range of the IP block while the MAC address varied by a
character or 2. I'd appreciate a pointer to an algorythm that would
compare 2 strings (MAC addresses) and give a congruity percentage.

I've gotten hit by one source address that the RIR in Brasil is
unassigned. I'm totally bewildered by this as I can see no way any
hacker could ever ger a response. Perhaps there was something in the
rest of the packet that could have given them access? Only the header
of the packet gets logged so I'll never know.
There are several IPs from Japan that 'whois' doesn't return a
inetnum/route for.

I suspect I'm not the only one who is interested in this exploration
and hope some of you can share tips to carry it further.

Thanks,
Mike
--
Your talent is God's gift to you.
What you do with it is your gift back to God.

Reply to:

Follow-Ups:
- Re: hacker tracking
  - From: John Hasler <jhasler@newsguy.com>
- Re: hacker tracking
  - From: conover@rahul.net (John Conover)

Prev by Date: Resolved [was Re: Stretch--how to launch WICD, which isn't in the menu]
Next by Date: Re: hacker tracking
Previous by thread: Re: Stretch--how to launch WICD, which isn't in the menu
Next by thread: Re: hacker tracking
Index(es):
- Date
- Thread