Brute Force attack in progress!!!!

[adri_ht_]

Unbelievable, I just got home from school and when I look up to my router the internet led and my FTP Server led are constantly flashing. I can't believe someone is trying to brute force my FTP Server that I have on the open... Thanks to all of you I know many tricks now.

Anyways, I couldn't get any logs out of my router which is using dd-wrt (if any of you know please let me know). My FTP Server is simple a NAS which doesn't log a thing. Nevertheless, I did a MITM attack on the internal IP of my FTP server and now I'm able to catch every single ftp brute force attempt with wireshark. Which means I have prove and even more the Public IP address of my dear offender.

Since I my router had NAT set up, the guy obviously wasn't able to fingerprint my NAS; therefore he is using the wrong default username. Although I don't like people sneaking on my network I think is fun seen an attack in progress.

Please help on how to proceed, are the wireshark catchs enough to bring down the guy. He is down currently in letter C of his dictionary, I think I will let him run a little bit more. I would stay up all night, but unfortunately I have a Calculus test tomorrow! Thanks

[streaker69]

Honestly, chances are, it's not worth pursuing via Law Enforcement. If they never really got in, then no one is going to be interested in pressing charges.

But you can pursue it through the originating ISP. Gather as much information as you can and email the logs to whatever the ISP's Abuse@ email address. Be sure to include all appropriate TimeStamps as well as what TimeZone you're in.

Don't threaten them (unless you actually have the power to pull the threat off*) but tell them that a user on their network has violated the ToS/AUP of their service and you expect them to take whatever measures necessary to prevent it from happening again.

Chances are, you'll never hear anything back, but you'll probably never see an attack from that IP again.

*If you work for a public utility, you can threaten ISP's. As interference with a Public Utility is frowned upon by the Fed's and ISP's hate having the Fed's show up and want to see their logs. It's amazing the number of IP's that have never shown back up in my logs.

[adri_ht_]

Honestly, chances are, it's not worth pursuing via Law Enforcement. If they never really got in, then no one is going to be interested in pressing charges.

But you can pursue it through the originating ISP. Gather as much information as you can and email the logs to whatever the ISP's Abuse@ email address. Be sure to include all appropriate TimeStamps as well as what TimeZone you're in.

Don't threaten them (unless you actually have the power to pull the threat off*) but tell them that a user on their network has violated the ToS/AUP of their service and you expect them to take whatever measures necessary to prevent it from happening again.

Chances are, you'll never hear anything back, but you'll probably never see an attack from that IP again.

*If you work for a public utility, you can threaten ISP's. As interference with a Public Utility is frowned upon by the Fed's and ISP's hate having the Fed's show up and want to see their logs. It's amazing the number of IP's that have never shown back up in my logs.

Thanks for the quick reply, anyways I just did a geographic IP lookup on two sites and is coming from China.... Here is the information:

Code:

CHINA BEIJING CNCGROUP HENAN PROVINCE NETWORK

I bet my ISP has no power nor jurisdiction over there, so I will just settle by closing my FTP port and sending the logs to my ISP aswell as the ISP from the offender. I would love to send a message back saying at least back-off or something, but I guess that will take scanning him for possible holes and will make it illegal from my part, right? Any other way or should I just settle by walking away from the issue... Thanks

Note: I really have to go, I will get back tomorrow.

[Virchanza]

I would love to send a message back saying at least back-off or something, but I guess that will take scanning him for possible holes and will make it illegal from my part, right? Any other way or should I just settle by walking away from the issue...

No no no, don't close your FTP port!

What you want to do is change your username and password so that he will crack it pretty soon. But of course, before you do that, you download some images of some Chinese girls doing some very questionable things with horses, and you save these images to your FTP folder.

That's EXACTLY what I'd do, and I'm not even joking (note the lack of smiley).

[fastboi]

No no no, don't close your FTP port!

What you want to do is change your username and password so that he will crack it pretty soon. But of course, before you do that, you download some images of some Chinese girls doing some very questionable things with horses, and you save these images to your FTP folder.

That's EXACTLY what I'd do, and I'm not even joking (note the lack of smiley).

wow what a mental image you just gave me. I was about to hit the bed, but now i am scared of getting nightmares about horses and Chinese girls lol. But yeah... thats a pretty nice idea haha. Also image editing of Chinese flag would be great lol

[Virchanza]

wow what a mental image you just gave me. I was about to hit the bed, but now i am scared of getting nightmares about horses and Chinese girls lol. But yeah... thats a pretty nice idea haha. Also image editing of Chinese flag would be great lol

Don't forget to write a program that deletes all your files and save it as "college_project.exe". Oh wups sorry, don't do that, it would be terrible if the intruder were to open it, oh God that would be just terrible. Forget the idea.

[streaker69]

Thanks for the quick reply, anyways I just did a geographic IP lookup on two sites and is coming from China.... Here is the information:

Code:

CHINA BEIJING CNCGROUP HENAN PROVINCE NETWORK

I bet my ISP has no power nor jurisdiction over there, so I will just settle by closing my FTP port and sending the logs to my ISP aswell as the ISP from the offender. I would love to send a message back saying at least back-off or something, but I guess that will take scanning him for possible holes and will make it illegal from my part, right? Any other way or should I just settle by walking away from the issue... Thanks

Note: I really have to go, I will get back tomorrow.

Nope, not much you can do, other than make the entire Pacific Rim disappear. For example, I have my mail server configured that any traffic that comes from certain subnets gets dropped before they connect. Seeing how we generally do no business with any company on the PacRim, I can safely drop the entire region.

[Thorn]

Don't forget to write a program that deletes all your files and save it as "college_project.exe". Oh wups sorry, don't do that, it would be terrible if the intruder were to open it, oh God that would be just terrible. Forget the idea.

That's horrid, mean, and low down.

I knew that there was something I liked about you.

Nope, not much you can do, other than make the entire Pacific Rim disappear. For example, I have my mail server configured that any traffic that comes from certain subnets gets dropped before they connect. Seeing how we generally do no business with any company on the PacRim, I can safely drop the entire region.

Agreed. I've blocked out huge chunks of the Pac Rim on both my email server and firewall, as well as those for clients.

[Virchanza]

That's horrid, mean, and low down.

I knew that there was something I liked about you.

I'd be giddy as a school girl if I was the original poster, I'd be thinking "Hmm do I wanna put in a backdoor, or will I just screw up his master boot record?". It's brilliant, the hunter becomes the hunted, there's nothing better than watching someone who's watching you, you can paint your face and make a fort out of blankets and boxes. Don't forget to turn out to lights and turn on the black light

I'm not into doing anything malicious to people who haven't asked for it (peace and unity among all and all that). I like hacking but I've no desire to delete people's college work or to screw up their business. However... if I found someone trying to brute force my FTP server, well then my moral compass would spin right the way around and point South. To be honest I think I'd go for the backdoor, which still leaves the option open of destroying data later on. Actually a thought just came to me know, I'd probably try to overclock his CPU, proper crank it through the roof til it melts.

...but only if I had his permission, of course. It might be illegal in some jurisdictions to retaliate against an attacker, but thankfully right now I'm living in a country where they'd probably give you a medal if you murdered someone burglarizing your home. Back in my home country of Ireland the judicial system favours the criminal over the victim -- you'd have to dispose of the body and never mention it ever again or else run the risk of being convicted of "manslaughter" or some other bullshit offence. I'm with Randy Marsh on this one, "I'm sorry I thought this was America".

[purehate]

Agreed. I've blocked out huge chunks of the Pac Rim on both my email server and firewall, as well as those for clients.

You guys are missing out on all the best pr0n, bootleg copies of windows and you'll never know if your the heir to a Chinese emperor who left you a small fortune.