How I caught a hacker 2
Continued, start here .
Having entered the server, I saw an open bank page in a browser, several compiled versions of the popular virus, Apache logs that monitored the attack and an open terminal session on some server with Turkish IP with an invitation to enter a username and password. According to the Apache logs, it was clear that the Turkish server is one of the “heads” of the worm, ie center of attack coordination.It was necessary to somehow give the command to stop the attack, otherwise, having “chopped off” our heads, we could no longer stop DDOS. Understanding that I had already exceeded my authority enough, I archived all the files of interest to me on the server, sent it to my mail, took some screenshots and informed Sergey Ivanovich that he would return the access to the server to the hacker.
Later, as Sergei Ivanovich promised, he provided me with an ICQ number and a hacker's mobile phone. The hacker was called Alexander. Sergei Ivanovich said that Alexander works as a programmer with a foreign customer. The customer rented this and several other servers on their hosting for their needs. Later, Sergey Ivanovich also asked the customer if he was aware that Alexander was using the server for a DDOS attack. At that very moment, the hacker was fired. He was furious, and neither tried to hide, nor cover his tracks, nor deny what he was accused of. He was confident in his impunity.
While the communications department networkers, together with the urgently arrived CISCO employees, were installing the DDOS protection module (after all, tens of thousands of open connections at the same time put a heavy load on the firewall), I tried to find out who Alexander was and if I was wrong in their accusations. It was not difficult to compose an Internet image by ICQ number: this ICQ belonged to a certain person by the nickname Flick from Odessa, who successfully found work in Kiev and moved there with his wife. Things were going well with them, and he even at one of the forums consulted about buying a car. Also among his posts were several related to the discussion of organizing botnets and offering their services. This information confirmed the correctness of my thoughts, and I decided to contact the hacker via ICQ.
- Hello, Alexander, I’m an employee of the bank’s IT department <% bank_name%>
- hello
- I will ask you a question directly - I need access to the server that is the head of the worm
- which worm?
- Alexander, I offer you a deal - you give me the login and password to the server with IP XX.XXX.XXX.XXX, or you disable the DDOS attack yourself, and my actions will not go beyond this dialogue. Or you continue to oppose, and I pass on all the information about you to the bank’s security service, and they will continue to talk.
- And if you do not prove anything, who will compensate me for moral damage?
- Alexander, are we cooperating or not?
- I have no idea what you're talking about
Within an hour after this dialogue, the Turkish server stopped pinging. The "head" was chopped off. All that remained was to transfer all the information to the bank’s security service, which I did.
The security service filed a complaint with the police and after some time they called me from the Economic Crimes Department and asked me to come for a consultation. Previously, one of the chiefs of the bank’s security service gave me some useful tips on how to behave when talking to the UBEP and reported that the case was being conducted by a young, excellent specialist, a guy who, in a good way, was obsessed with this matter. But she also said that we should understand that for him now the matter of organizing child pornography on the Internet, which he conducts, has the highest priority, and honestly admitted that, since the damage caused to the bank from the attack is difficult to assess, we don’t many chances for a successful outcome. But, as they say, our business is crowing, and there it will be dawning - it will not dawn ...
On this, in fact, it was all over. Either as a result of the transfer of the case to the police, or a conversation in ICQ, but the attack the next day stopped and the story ended. After a consultation with the UBEP over the next year, no one informed me of the results of the case, but from time to time it appeared to the ICQ short number going online that it still went unpunished. Or is he punished? Loss of work and nervous experiences, which, I think, he had in abundance.
the end
UPD: it seems that the same hacker appeared in the comments, I won’t say for sure, but the nickname is similar, and the comments are tricky. I'll write for sure when I study it
Having entered the server, I saw an open bank page in a browser, several compiled versions of the popular virus, Apache logs that monitored the attack and an open terminal session on some server with Turkish IP with an invitation to enter a username and password. According to the Apache logs, it was clear that the Turkish server is one of the “heads” of the worm, ie center of attack coordination.It was necessary to somehow give the command to stop the attack, otherwise, having “chopped off” our heads, we could no longer stop DDOS. Understanding that I had already exceeded my authority enough, I archived all the files of interest to me on the server, sent it to my mail, took some screenshots and informed Sergey Ivanovich that he would return the access to the server to the hacker.
Later, as Sergei Ivanovich promised, he provided me with an ICQ number and a hacker's mobile phone. The hacker was called Alexander. Sergei Ivanovich said that Alexander works as a programmer with a foreign customer. The customer rented this and several other servers on their hosting for their needs. Later, Sergey Ivanovich also asked the customer if he was aware that Alexander was using the server for a DDOS attack. At that very moment, the hacker was fired. He was furious, and neither tried to hide, nor cover his tracks, nor deny what he was accused of. He was confident in his impunity.
While the communications department networkers, together with the urgently arrived CISCO employees, were installing the DDOS protection module (after all, tens of thousands of open connections at the same time put a heavy load on the firewall), I tried to find out who Alexander was and if I was wrong in their accusations. It was not difficult to compose an Internet image by ICQ number: this ICQ belonged to a certain person by the nickname Flick from Odessa, who successfully found work in Kiev and moved there with his wife. Things were going well with them, and he even at one of the forums consulted about buying a car. Also among his posts were several related to the discussion of organizing botnets and offering their services. This information confirmed the correctness of my thoughts, and I decided to contact the hacker via ICQ.
- Hello, Alexander, I’m an employee of the bank’s IT department <% bank_name%>
- hello
- I will ask you a question directly - I need access to the server that is the head of the worm
- which worm?
- Alexander, I offer you a deal - you give me the login and password to the server with IP XX.XXX.XXX.XXX, or you disable the DDOS attack yourself, and my actions will not go beyond this dialogue. Or you continue to oppose, and I pass on all the information about you to the bank’s security service, and they will continue to talk.
- And if you do not prove anything, who will compensate me for moral damage?
- Alexander, are we cooperating or not?
- I have no idea what you're talking about
Within an hour after this dialogue, the Turkish server stopped pinging. The "head" was chopped off. All that remained was to transfer all the information to the bank’s security service, which I did.
The security service filed a complaint with the police and after some time they called me from the Economic Crimes Department and asked me to come for a consultation. Previously, one of the chiefs of the bank’s security service gave me some useful tips on how to behave when talking to the UBEP and reported that the case was being conducted by a young, excellent specialist, a guy who, in a good way, was obsessed with this matter. But she also said that we should understand that for him now the matter of organizing child pornography on the Internet, which he conducts, has the highest priority, and honestly admitted that, since the damage caused to the bank from the attack is difficult to assess, we don’t many chances for a successful outcome. But, as they say, our business is crowing, and there it will be dawning - it will not dawn ...
On this, in fact, it was all over. Either as a result of the transfer of the case to the police, or a conversation in ICQ, but the attack the next day stopped and the story ended. After a consultation with the UBEP over the next year, no one informed me of the results of the case, but from time to time it appeared to the ICQ short number going online that it still went unpunished. Or is he punished? Loss of work and nervous experiences, which, I think, he had in abundance.
the end
UPD: it seems that the same hacker appeared in the comments, I won’t say for sure, but the nickname is similar, and the comments are tricky. I'll write for sure when I study it