2. What we will cover
There are many ways to track “hackers” back to learn more about them
Will go over some easy methods that may produce fruitful results
Will not cover every single way
Two real-life examples of using these techniques will be covered
3. Tracking Hackers
Attackers often leave various unique calling cards that you can use to track them back
These include email addresses, names, IP addresses, tool names, images, techniques, etc.
Various tools on the Internet can be used to find more information on them
Can sometimes figure out how good they are with the information you find.
Note: Your mileage may vary.
4. Emails
Emails provide more information than you may realize.
Mail headers
Who sent the email (IP address, name)?
Web-based email often has creator's IP address
What mail software were they using?
Who does the email go back to?
Mail content
Plain text or HTML?
HTML comments? Image locations, links?
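The questions on this slide, worked through as an added Python example (not code from the talk): it parses a constructed sample message, walks the Received chain sender side first, pulls X-Originating-IP and X-Mailer, compares the From and Reply-To domains, and lists the HTML comments, image locations and link targets. The message, its addresses and its host names are all made up for the example (RFC 5737 documentation IPs, reserved example domains).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example, not a real phish. IPs come from the
# RFC 5737 documentation ranges and every host name uses a reserved example domain.
SAMPLE_EMAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by inbox.example.com with ESMTP id 7f3a91
    for <victim@example.com>; Tue, 01 Jun 2004 10:00:00 -0400
Received: from webmail (unknown [192.0.2.55])
    by mx.example.net with SMTP id 42
X-Originating-IP: [192.0.2.55]
X-Mailer: ExampleWebmail/1.0
From: "Account Services" <support1234@example.org>
Reply-To: collector@drop.example
To: victim@example.com
Subject: Verify your account
Content-Type: text/html; charset=us-ascii

<html><body>
<!-- template 3, generated by phish-kit -->
<img src="http://pages.ebay.example/logo.gif">
<p>Please <a href="http://signinebaycom.pop3.example/ISAPI.txt">respond here</a></p>
</body></html>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """(host, ip) for every Received header, sender side first.

    Each relay prepends its own Received line, so the top one is the hop nearest
    to us and the bottom one is the first hop the message took."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold continuation lines
        host = re.search(r"from\s+(\S+)", text)
        ip = IP_RE.search(text)
        chain.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return chain


def originating_ip(msg):
    """Who sent it: the webmail-provided X-Originating-IP if present, else the
    first hop's address. Only hops recorded by relays you trust are reliable;
    everything below your own MX's Received line could have been forged."""
    xo = msg.get("X-Originating-IP")
    if xo:
        return str(xo).strip("[] ")
    chain = received_chain(msg)
    return chain[0][1] if chain else None


def reply_path(msg):
    """Who does the email go back to: compare the Reply-To domain with the From domain."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_addr = parseaddr(str(msg.get("Reply-To", from_addr)))[1]
    return {"from": from_addr, "reply_to": reply_addr,
            "mismatch": from_addr.split("@")[-1] != reply_addr.split("@")[-1]}


class ContentInspector(HTMLParser):
    """Collect link targets, image locations and HTML comments from a body."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.comments = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def inspect_body(msg):
    """Plain text or HTML? If HTML, what does it reference and what was left in comments?"""
    body = msg.get_body(preferencelist=("html", "plain"))
    result = {"is_html": False, "links": [], "images": [], "comments": [], "hosts": []}
    if body is None:
        return result
    result["is_html"] = body.get_content_type() == "text/html"
    if result["is_html"]:
        insp = ContentInspector()
        insp.feed(body.get_content())
        result.update(links=insp.links, images=insp.images, comments=insp.comments)
        # Every host the mail points at; the brand's own hosts and the odd one out sit side by side
        result["hosts"] = sorted({urlparse(u).hostname for u in insp.links + insp.images
                                  if urlparse(u).hostname})
    return result


def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return {"chain": received_chain(msg), "origin": originating_ip(msg),
            "mailer": str(msg.get("X-Mailer", "")), "reply": reply_path(msg),
            "body": inspect_body(msg)}


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(SAMPLE_EMAIL))
```

On the sample, the first hop and X-Originating-IP agree, the Reply-To lands on a different domain than the From, and the host list shows the brand's image host next to the one host that the "respond here" link actually goes to. The comment left in the template is exactly the kind of calling card the next slides go looking for.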
5. Names
Once you've found some information (name, address, etc.) what can you do with it?
Search for it on the Internet!
Many different places on the Internet to get information
Google – search for other occurrences of names, other people seeing the same thing
Member directories – many large websites have directories with information on their members
Yahoo, ICQ, myspace, youtube, etc.
6. Names
Domain Names – Who owns it? What else do they own? What is their contact information?
http://www.completewhois.com
IP Addresses – Where is the IP address located? Is there anyone else seeing attacks from this address?
http://www.arin.net - look up IP information
http://www.dshield.org - Internet DB of attacks
9. eBay Phish
Header shows originating IP address as 216.66.20.82
WHOIS lookup on address shows owned by Hurricane Electric
Reverse DNS lookup: servidor8.hgmnetwork.com
Spanish ISP/Hosting Provider
No more information – probably open relay
Google search of jessman335 finds a few message-board spam posts
10. eBay Phish
All images in email link back to eBay
One interesting link for “respond here”:
http://signinebaycomwsebayisapdllsgd.pop3.ru/BayISAPIdllSignInUsingSSLpUserIdcopartnerId2siteid77ruhttpAF2Fcontactebaycouk3A802Fws2FeBayIS711eBayISAPIdllSignInUsingSSLpUserIa.txt
Notice anything unusual about the link?
11. eBay Phish
The link went to an HTML file with a txt extension
Therefore, not rendered in browser as an HTML file
Typical phish would try to mimic eBay login page and email results to phisher
We now have an address – bad_boy_maf@yahoo.com
Look it up in Yahoo Profiles
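What stands out in the link from the previous slide, as an added Python example (not the talk's own tooling): a check that reads a URL the way the slides read the eBay one, asking who really registered the hostname, whether the brand words sit under somebody else's name, whether the "login page" is served as plain http, and whether it carries an extension such as .txt that no login page should have. The trusted domain list, the brand words and both test URLs are assumptions made up for the example; the lookalike URL is modelled on the phish's link but points at reserved example names.

```python
from urllib.parse import urlparse

# Assumptions made up for this example: where a genuine eBay sign-in link should land,
# the words a lookalike hostname borrows from the brand, and extensions that never
# belong to a login page.
TRUSTED_DOMAINS = {"ebay.com", "ebay.co.uk"}
BRAND_WORDS = ("ebay", "signin", "isapi")
NON_PAGE_EXTENSIONS = {"txt", "jpg", "gif", "png"}


def on_trusted_domain(host):
    """True only when the host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def registrable_domain(host):
    """Rough view of who actually registered the name: the last two labels.
    A Public Suffix List lookup is the right tool; this shortcut misreads co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(url):
    """Return the hostname, the name that really owns it, and what looks wrong."""
    p = urlparse(url)
    host = p.hostname or ""
    findings = []
    # Brand words packed into the left-hand labels, but registered under somebody else's name
    if any(w in host for w in BRAND_WORDS) and not on_trusted_domain(host):
        findings.append(f"brand words in hostname, but the name belongs to {registrable_domain(host)}")
    if p.scheme != "https":
        findings.append(f"sign-in link uses {p.scheme}, not https")
    # The slides' link ended in .txt: the server hands the HTML back as plain text
    last = p.path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1].lower() if "." in last else ""
    if ext in NON_PAGE_EXTENSIONS:
        findings.append(f"login page served with a .{ext} extension")
    return {"host": host, "registrable": registrable_domain(host), "findings": findings}


# Constructed test URLs: one modelled on the phish's link (reserved example names),
# one shaped like a genuine sign-in page.
LOOKALIKE = "http://signinebaycomwsebayisapi.pop3.example/eBayISAPIdllSignIn.txt"
GENUINE = "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"

if __name__ == "__main__":
    for u in (LOOKALIKE, GENUINE):
        print(assess_link(u))
```

The lookalike trips all three checks; the genuine-shaped URL trips none, because "ebay" in a hostname is only suspicious when the name is not registered under the brand's own domain. The last-two-labels shortcut is good enough for a quick read but will mis-attribute names under suffixes like co.uk, which is why the trusted list is matched as a suffix rather than through that helper.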
14. eBay Phish
Now we have a picture, name, age and other websites to look at
Two of the websites are down but one is still active
Last website gives his birth date, real name, astrological sign, IRC nick and channels he frequents, Yahoo messenger ID, favorite links, etc.
Download section on the webpage has links to various scanners, bots and attacker scripts
16. Honeypot - Background
Linux 7.1 honeypot was put up for my GCFA certification in May 2004
Hacked, analyzed and written about*
In early 2006 Robert Wright and I started looking into the group which hacked the honeypot to see how much info we could find.
This is what we found…
*The paper can be found at http://www.hudakville.com/infosec
17. Email Address
In the compromise, the attacker downloaded a rootkit named l1tere.tgz and sent emails to l1tere@yahoo.com
Profiles.yahoo.com shows no information
Google search of email address finds 2 reports of compromises
Another hacked honeypot
ID Theft trojan
Neither provides more information
18. Another search
Changed Google search to “l1tere”
Bingo! Found web page at http://www.l1tere.5u.com
Contained pornographic cartoons and photos
Email address link to l1tere@yahoo.com
Looking in the /images/ directory finds an index with more images
Many of them are of other people
19. What now?
L1tere homepage has no more info
Try Googling the images we found
Specifically the ones with people in them
One of the images: d4r3ck.jpg
A name?
Google: inurl: d4r3ck.jpg = no hits
Google: inurl: d4r3ck =
20. d4r3ck
Two pages from search but only one active
http://d4r3ck.8m.net/
More images, pictures of family, friends
Some of the same pics as l1tere
Email address: d4r3ck@personal.ro
List of IRC nicks and channels he frequents
What happens if we try and Google just for d4r3ck?
21. Carding
Google search pulls up LOTS of IRC chat logs related to #CCcards, #cardz
IRC channels for trading credit card information
D4r3ck is a channel OP
22. More on D4r3ck
Further searches revealed other email addresses, more CC trading information and connections to other hackers
Also appears to be former “European e-Commerce Principal Assistant” for Hi-Tech Shells/IT e-solutions World Company
“Industry leader in providing web hosting services and shell accounts to businesses in all 50 states”
Located in Romania
23.
24. What about the other pictures?
With each new find, more information was uncovered
All are Romanian
Look to be around 16-19 at the time the pictures were taken
All pictures had time stamps of 2004
Most of their home pages had the same images
Did an MD5 hash of the images
Most matched site to site, but one didn’t
Upon further examination it appeared to be steganographic
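The hash comparison on this slide, as an added Python example (not the author's script): in-memory stand-ins for the same image files collected from several sites are hashed with MD5 and SHA-256, grouped per filename, and the copy whose digest disagrees with the majority is reported along with its size and any bytes trailing the JPEG end-of-image marker. The site names and the image bytes are constructed; real JPEGs begin FF D8 and end FF D9, and that framing is all the fake ones share with them.

```python
import hashlib
from collections import Counter


def fake_jpeg(body, trailer=b""):
    """Constructed stand-in for an image file: real JPEGs begin FF D8 and end with
    the FF D9 end-of-image marker, and that framing is all these share with them."""
    return b"\xff\xd8\xff\xe0" + body + b"\xff\xd9" + trailer


# Constructed: the same two filenames as served by three personal sites.
# One copy of group.jpg carries extra bytes after the end-of-image marker.
SITES = {
    "site-a.example": {"d4r3ck.jpg": fake_jpeg(b"A" * 64), "group.jpg": fake_jpeg(b"G" * 32)},
    "site-b.example": {"d4r3ck.jpg": fake_jpeg(b"A" * 64), "group.jpg": fake_jpeg(b"G" * 32)},
    "site-c.example": {"d4r3ck.jpg": fake_jpeg(b"A" * 64),
                       "group.jpg": fake_jpeg(b"G" * 32, trailer=b"hidden payload")},
}


def digests(data):
    """MD5 answers 'same file?'; SHA-256 is carried alongside because MD5 collisions are practical."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def trailing_bytes_after_eoi(data):
    """Bytes after the last FF D9 marker. Catches only naive appending; a proper
    steganography tool is needed for anything hidden inside the image data."""
    idx = data.rfind(b"\xff\xd9")
    return None if idx == -1 else len(data) - (idx + 2)


def compare_across_sites(sites):
    """For each filename seen on more than one site, hash every copy and report
    the copies whose digest disagrees with the majority."""
    by_name = {}
    for site, files in sites.items():
        for name, data in files.items():
            by_name.setdefault(name, {})[site] = data
    report = {}
    for name, copies in by_name.items():
        if len(copies) < 2:
            continue
        hashes = {site: digests(data)["sha256"] for site, data in copies.items()}
        majority = Counter(hashes.values()).most_common(1)[0][0]
        outliers = {site: {"size": len(copies[site]),
                           "trailing_bytes": trailing_bytes_after_eoi(copies[site])}
                    for site, h in hashes.items() if h != majority}
        report[name] = {"copies": len(copies),
                        "distinct_hashes": len(set(hashes.values())),
                        "outliers": outliers}
    return report


if __name__ == "__main__":
    for name, info in compare_across_sites(SITES).items():
        print(name, info)
```

A digest mismatch only proves the bytes differ: a re-saved copy, different metadata, or something appended all look the same at this stage. The trailing-bytes check is the cheapest follow-up and is what flags the odd copy here; anything embedded in the image data itself needs a dedicated tool and a comparison against a known-clean copy.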
25. baietzasul22
aka. baietzasu, Ba|3tzasu
Email Addresses
phainu@k.ro
baietzasu@yahoo.com
Mentioned in a lot of the same IRC logs as the other members
26. alinus
Email addresses
sales@gsm-mania.ro
alinus22@yahoo.com
http://alinus.s5.com/index.html
Posts a lot on cell phone/GSM hacking forums
Speaks English
Profiles say he lives in Pitesti Arges, Romania
ICQ # 167213752
27. Summary
You can use little tidbits of information found within a phish, compromise, email to find more information on who sent it
The Internet is full of sources – use them
Be creative! Look at names, images, logs, etc.
Don’t always expect to find something.
Sometimes there’s nothing out there.
Lots of dead ends.