Investigating an intrusion with fake logs
-
Hi, last night I was reviewing my logs and I noticed a unique hacking attempt emanating from a 2007 Nokia hacker tool that triggered the following rule:
FILE-IMAGE Nokia N95 JPG parsing denial of service attempt, followed by some BARE BYTE ENCODING
I quickly created a "floating rule" to block the ip <23.131.16.24> which is, according to my cli whois search, registered to a CONVERSE IN CODE, Inc. outfit seemingly operating out of Canada, using American servers.
I know this because approximately 30 seconds prior to the hack attempt I saw something else unusual:
HTTP server response before client request emanating from a 23.173.33.90
I decided to reboot after creating the floating rule.
Upon rebooting, the hacker ip above was changed to an AT&T ip address with the same date, time and violations: 32.65.199.71
I immediately reported this to abuse.att.com
I'm wondering if there is anything I can do to investigate a situation like this further, should the need arise, as I have been a victim of comcast probing today and certain ET Trojans including BPFdoor magic packet attempts from Canadian google clouds while playing world of warcraft, which messes up my game on a time sensitive gaming experience.
Forcing a reload, which is a felony.
Pls help. ty!
-
@myfamilydeservesbetter said in Investigating an intrusion with fake logs:
Forcing a reload, which is a felony.
Not at all; from a network administrator's perspective, it quickly allows change implementation.
Remember, the NIC sees the traffic before the firewall does, which will block that traffic since no source from the LAN originated it.
-
What fake logs?
-
@Bob-Dig I am curious too about these fake logs.
-
The live ip in action (in double terminated brackets above) was changed to the AT&T ip address when I rebooted my system as a precaution.
Same date/time and sniffed packet violations.
My assumption is this is standard operating procedure using a VPN, something I would consider doing if I was a felonious hacker probing matt oliver's computer do because only a moron hacks from a compromised system, which is inevitable as well as the result of this malicious maneuver of a peon apparently looking for a needle in a haystack, whether it be crypto (no interest), or a hot file to sell to a da to escape his next court case presumably also (a rat).
-
@myfamilydeservesbetter said in Investigating an intrusion with fake logs:
The live ip in action (in double terminated brackets above) was changed to the AT&T ip address when I rebooted my system as a precaution.
Same date/time and sniffed packet violations.
My assumption is this is standard operating procedure using a VPN, something I would consider doing if I was a felonious hacker probing matt oliver's computer do because only a moron hacks from a compromised system, which is inevitable as well as the result of this malicious maneuver of a peon apparently looking for a needle in a haystack, whether it be crypto (no interest), or a hot file to sell to a da to escape his next court case presumably also (a rat).
Yet, you have not answered the question...what fake log? Show us, will you?
-
and +1 from me.
See my footnote, just below, for further explanation.
-
@Gertjan if you have nothing to contribute, then gtfo my thread BITCH.
-
@myfamilydeservesbetter cmon dude….
-
@myfamilydeservesbetter said in Investigating an intrusion with fake logs:
@Gertjan if you have nothing to contribute, then gtfo my thread BITCH.
Well I think he was asking you to contribute the logs, which seems perfectly valid.
@myfamilydeservesbetter
Btw: You are now only 1 more rude post from ending on my forum blocklist.
/Bingo
-
@myfamilydeservesbetter said in Investigating an intrusion with fake logs:
if you have nothing to contribute
I have, and I'm going to.
This: "intrusion with fake logs"
is serious.
Yet, all I have is these four words.
I presume you saw the logs.
If possible, remove private items, share them, post them here.
The logs, not always well understood, are there to indicate what happened with the system with a time stamp, and as such are a very important analysis tool.
If a system got breached, someone not authorized logs in, the very first thing he would do is modify the logs to wipe out his "visits".
Like breaking into a store and removing the videos of all the security cameras first.
Also: sharing log examples on the forum will help others to recognize situations.
@bingo600 said in Investigating an intrusion with fake logs:
1 more rude post
I didn't mean to be rude, as such behavior doesn't contribute to "finding answers". My way of motivating people to share as much info as possible is/was maybe somewhat harsh.
You are, of course, totally free to interpret my words.
I was just asking for the logs .... because the subject of this thread is about logs.
-
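Gertjan's two points (logs are timestamped evidence, and an intruder's first move is to edit them) and the OP's symptom (the same timestamp and rule hit attributed to a different source IP after a reboot) can both be checked mechanically. The script below is an added example for this thread; it is not code from any poster, from pfSense or from Snort. It assumes Snort's "fast" alert output format; the sample lines are constructed for the example, the rule messages and IPs echo the thread, and the timestamps and GID:SID:rev numbers are placeholders rather than the real rule IDs.

```python
"""Two checks on Snort 'fast' alert lines: (1) the same microsecond timestamp,
rule and destination attributed to two different source IPs, which points to
a rewritten line rather than two events; (2) a hash chain over the file so
that a later edit or deletion of any line is detectable."""
import hashlib
import re
from collections import defaultdict

# Constructed sample in Snort "fast" alert format. Rule messages and IPs echo
# the thread; the timestamps and GID:SID:rev values are placeholders.
SAMPLE_ALERTS = """\
03/14-02:10:37.104211  [**] [1:900001:1] HTTP server response before client request [**] [Priority: 3] {TCP} 23.173.33.90:80 -> 192.168.1.10:50322
03/14-02:11:07.551902  [**] [1:900002:1] FILE-IMAGE Nokia N95 JPG parsing denial of service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 23.131.16.24:80 -> 192.168.1.10:50330
03/14-02:11:07.551902  [**] [1:900002:1] FILE-IMAGE Nokia N95 JPG parsing denial of service attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 32.65.199.71:80 -> 192.168.1.10:50330
"""

# Fast-format line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Parse fast-format lines into dicts; lines that do not parse are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def find_conflicting_sources(alerts):
    """Group alerts on (timestamp, rule, destination socket) and report groups
    that carry more than one source IP. Snort stamps to the microsecond, so
    two genuinely separate events on the same socket will not collide here."""
    by_event = defaultdict(set)
    for a in alerts:
        key = (a["ts"], a["gid"], a["sid"], a["dst"], a["dport"])
        by_event[key].add(a["src"])
    return [(key, sorted(srcs)) for key, srcs in by_event.items() if len(srcs) > 1]


def hash_chain(lines, seed=b"constructed-seed"):
    """One SHA-256 digest per line, each covering the previous digest plus the
    line, so editing or deleting a line changes every digest from that point
    on. The digests only help if they are stored where the logging host cannot
    rewrite them (a remote syslog collector, for instance)."""
    prev = hashlib.sha256(seed).digest()
    digests = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        digests.append(prev.hex())
    return digests


def verify_chain(lines, digests, seed=b"constructed-seed"):
    """Index of the first line that no longer matches the stored chain, or
    None if the file is intact (a shortened or lengthened file also fails)."""
    recomputed = hash_chain(lines, seed)
    for i, (a, b) in enumerate(zip(recomputed, digests)):
        if a != b:
            return i
    if len(recomputed) != len(digests):
        return min(len(recomputed), len(digests))
    return None


if __name__ == "__main__":
    alerts = parse_fast_alerts(SAMPLE_ALERTS)
    for key, srcs in find_conflicting_sources(alerts):
        print("same event, different sources:", key, srcs)
    lines = SAMPLE_ALERTS.splitlines()
    chain = hash_chain(lines)
    print("chain intact:", verify_chain(lines, chain) is None)
```

Run against the constructed sample it flags the two "Nokia N95" lines as one event with two sources, which is exactly the kind of inconsistency worth posting here instead of a summary. The hash chain is only useful if the digests were taken before the suspected event and kept off the box, which is the practical reason for shipping Snort alerts to a separate collector in the first place.
-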
I didn't mean you were rude (sorry) .. You just wanted to be helpful
I surely meant OP
/Bingo
-
@myfamilydeservesbetter said in Investigating an intrusion with fake logs:
@Gertjan if you have nothing to contribute, than gtfo my thread BITCH.
This tone and language is most certainly uncalled for. As the moderator for this sub-forum, consider this your first warning. Please tone down the rhetoric.
-
Yup that^. Keep it civil please.
I will add that if you're running Snort on WAN you're going to see a lot of hits. Generally unless you are forwarding traffic to internal services they are not really useful.
Steve