The following is based on an actual successful spam:
USER QUESTION:
I was attempting to do a whois on (aimc.ko.kr) which may be the source of the spam header below. However, TigerSuite doesn’t appear to include a whois site which will reveal who this site actually is. Can you advise? I’m assuming Kate Sanders is spoofed but as I’m not on a network connection here, I haven’t the luxury of spending time online to find out.
Spam Header:
Received from aimc.co.kr ([212.1.152.13]) by Gateway
From kate.sanders@teacher.com
ANSWER:
You’re right; some IP addresses will not resolve using the WhoIs service as they’re not registered domains. And as far as hostname finder, or resolving an address to a computer name, this too may fail as the address could belong to a specific gateway or system that is protected by blocking such discovery—a simple example would be anonymous browsing (the address is actually spoofed for protection from discovery). That said, ultimately most times resolving an address is limited to your own DNS or DNS service provider.
In a case like this, I would normally recommend starting out with Trace Route. By tracing back an address, you may discover who the intended system’s ISP may be, what gateways (hops) are being traversed, and/or what potential anonymity services may be used.
Your case is a special one—if you use TigerSuite Hostname Finder, pop in the IP address of your spammer (212.1.152.13 from the spam header) and click Get Hostname, you’ll uncover it to be: (ppp-1-13.cvx5.telinco.net). Next, pop the REAL domain name (telinco.net) into WhoIs Query to get:
Registrant:
Telinco Internet Services plc (TELINCO2-DOM)
Sirius House, Alderly Road
Chelford N/A, SK11 9AP UK
Domain Name: TELINCO.NET
Administrative Contact, Technical Contact, Billing Contact:
Telinco (TE360-ORG) naming@TELINCO.NET
Telinco Plc
Sirius House, Alderley Road
Chelford, Cheshire SK11 9AP UK
+44 (0)1625 862 200 Fax +44 (0)1625 860 251
Record last updated on 20-Aug-2001.
Record expires on 12-Sep-2003.
Record created on 11-Sep-1997.
Database last updated on 21-Aug-2001 20:33:00 EDT.
Domain servers in listed order:
NS0.TELINCO.NET 212.1.128.40
NS2.TELINCO.NET 212.1.128.42
USER QUESTION:
Another question, I’m afraid. Same spammer, different alias, but this time the hostname IP address (ns.ako.net) 203.234.226.2 won’t resolve in TigerSuite. Can you possibly tell me why? Many thanks.
Spam Header:
Received from ns.ako.net ([203.234.226.2]) by Gateway
Received from ako.co.kr (ppp-1-70.cvx1.telinco.net [212.1.136.70])
From mary.sanders@scientist.com
ANSWER:
Yes, there are a few interesting issues here:
1.) 203.234.226.2 is not a registered name server and as a result, may be blocking the request. Let me explain and don’t agonize, however, because the NetBIOS name is already listed for you in the message ID as (ns.ako.net, from the spam header). Take (ns.ako.net) and plug in the domain (ako.net) into WhoIs Query to get:
Registrant:
AKO Technology (AKO2-DOM)
507 Main Street, 2nd Floor Front
Fort Lee, NJ 07024
Domain Name: AKO.NET
Administrative Contact, Technical Contact, Billing Contact:
Choi, Moo Young (MYC3) info@AKO.NET
Ako Technology
201 Prime B/D 5-16 YangJae-Dong Seocho-Gu
SEOUL 110-540 KR
82-2-577-6155 (FAX) 82-2-577-6174
Record last updated on 05-Oct-2000.
Record expires on 12-Sep-2001.
Record created on 11-Sep-1996.
Database last updated on 31-Aug-2001 00:08:00 EDT.
Domain servers in listed order:
NS.AKO.CO.KR 203.234.226.5
NS.MYWEB.CO.KR 203.234.226.1
As you examine the domain servers, you’ll notice our address (203.234.226.2) is not listed—just as we suspected—this is typically the case when a temporary or secondary NS was implemented to act as backup or ns caching, or with a mail server daemon used (sometimes illegally) as a mail relay system for spammers.
2.) Regardless of #1, the next source hop in our spam is (ppp-1-70.cvx1.telinco.net) with address (212.1.136.70). Both can be plugged into Hostname finder for verification.
If you plug the domain portion (telinco.net) into WhoIs you’ll get:
Registrant:
Telinco Internet Services plc (TELINCO2-DOM)
Sirius House, Alderly Road
Chelford N/A, SK11 9AP UK
Domain Name: TELINCO.NET
Administrative Contact, Technical Contact, Billing Contact:
Telinco (TE360-ORG) naming@TELINCO.NET
Telinco Plc
Sirius House, Alderley Road
Chelford, Cheshire SK11 9AP UK
+44 (0)1625 862 200 Fax +44 (0)1625 860 251
Record last updated on 20-Aug-2001.
Record expires on 12-Sep-2003.
Record created on 11-Sep-1997.
Database last updated on 31-Aug-2001 00:08:00 EDT.
Domain servers in listed order:
NS0.TELINCO.NET 212.1.128.40
NS2.TELINCO.NET 212.1.128.42
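The lookup sequence used in both answers (take the address from the Received line, reverse-resolve it, keep only the registrable domain for WhoIs, and compare that with the name the sender claimed) as an added Python example, not part of the original text or of TigerSuite. The headers and the PTR answers below are constructed from the values quoted above so the script runs offline; pass no resolver to use a live reverse lookup.

```python
import re
import socket

# Constructed sample Received lines, modelled on the two spam headers quoted in the text.
SAMPLE_HEADERS = [
    "Received: from aimc.co.kr ([212.1.152.13]) by Gateway",
    "Received: from ns.ako.net ([203.234.226.2]) by Gateway",
    "Received: from ako.co.kr (ppp-1-70.cvx1.telinco.net [212.1.136.70]) by Gateway",
]

# Constructed stand-in for reverse DNS (PTR) answers, matching the hostnames the text
# says Hostname Finder returned. 203.234.226.2 is deliberately absent: it did not resolve.
FAKE_PTR = {
    "212.1.152.13": "ppp-1-13.cvx5.telinco.net",
    "212.1.136.70": "ppp-1-70.cvx1.telinco.net",
}

# "from <claimed> (<optional rdns> [<ip>])" as written by most MTAs.
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)\s+\((?:(?P<rdns>[\w.-]+)\s+)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
)

# Naive public-suffix rule: enough for the .co.kr / .co.uk names on this page.
SECOND_LEVEL_SUFFIXES = {"co.kr", "co.uk", "ne.kr", "or.kr", "ac.kr"}

def registrable_domain(hostname):
    """Return the part of a hostname you would feed to a WhoIs query."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def ptr_lookup(ip, resolver=None):
    """Reverse-resolve ip; None when there is no PTR record (as with 203.234.226.2)."""
    resolver = resolver or (lambda addr: socket.gethostbyaddr(addr)[0])
    try:
        return resolver(ip)
    except (socket.herror, socket.gaierror, KeyError, OSError):
        return None

def analyse_hop(header, resolver=None):
    """Trust the bracketed IP, not the claimed name: report PTR host, WhoIs domain, mismatch."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    ip, claimed = m.group("ip"), m.group("claimed")
    real = ptr_lookup(ip, resolver)
    return {
        "ip": ip,
        "claimed_host": claimed,
        "ptr_host": real,
        "whois_domain": registrable_domain(real) if real else None,
        "claim_mismatch": bool(real) and registrable_domain(real) != registrable_domain(claimed),
    }
```

A hop whose PTR domain differs from the claimed name (telinco.net versus aimc.co.kr here) is the one to take to WhoIs and to the ISP's abuse address; a hop with no PTR at all is reported as such rather than guessed.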
Sometimes when you contact the host of the mail server relay or source server, you can have the user banned from the system; he or she will use the simple security features of the mail server daemon or turn off mail relay from external sources. (The latter is a vulnerability.) Unfortunately, however, sometimes the source relay is a company that provides these services for paying sources that claim they received your information legally through a sponsor or other source.
Also, you should always use the TigerSuite trace route to get a snapshot of the path to your target. Doing so is important, as sometimes the message header may be spoofed. Tracing questionable addresses can sometimes reveal ISP network(s) of the source. Keep in mind that some internetworking equipment (i.e. routers) may block this. But usually, by using all the steps mentioned in this chapter, you’ll find a domain host or ISP to start with.
Finally, after being attacked and, it is hoped, having some evidence of the activity—whether in the form of a personal firewall or a server/router log—always report the attacker to his or her ISP. The ISP can further trace the incident and potentially cancel the attacker’s account or provide even further evidence. Typically, ISPs maintain an account for receiving the evidence you’ve recorded, for example, abuse@ISPdomain.
In regard to proactive evidence gathering, I always recommend IDS for a network or a simple stealth logger for a user. The reason is that many times, attackers use audit trail editing, such as log bashing, to cover their tracks when they penetrate a system; in this way they can remove all presence of trespassing activity.
In regard to users, under normal circumstances individuals may use stealth loggers to not only track evidence of a successful penetration but also monitor what their children do on a computer (including what they view over the Internet). Also, individuals may use stealth loggers to determine whether anybody has used their computer while they are away, as well as determine the identity of that person. In this case, key and stealth activity loggers secretly record keystrokes, browser logs, and connection activity.
Although loggers can be quite complicated, they are relatively easy to code, and there are hundreds of freeware, shareware, and commercial packages readily available.
For a quick download and evaluation, search for Windows and Unix loggers on C|Net (download.cnet.com), TuCows (www.tucows.com), The File Pile (filepile.com/nc/start), Shareware.com (www.shareware.com) and ZDNet (www.zdnet.com/downloads). Here are a few of the most popular programs:
■■ Stealth Activity Recorder and Reporter (STARR), by IOPUS Software (www.iopus.com)
■■ Invisible KeyLogger, by Amecisco (www.amecisco.com)
■■ KeyInterceptor, by UltraSoft (www.ultrasoft.ro)
■■ Ghost KeyLogger, by Software4Parents (http://www.software4parents.com)
■■ KeyLogger, by DGS Software (www.dgssoftware.co.uk)
Home and/or office users can also customize TigerLog (from Hack Attacks Denied, Second Edition, published by John Wiley & Sons, Inc.) for full stealth keylogging control. Among TigerLog’s obvious uses is its capability to modify valid keypresses that are to be secretly captured; to change the visible session sniffer activation key sequence (currently, Shift + F12); to alter the default log filename and location; and, for remote evidence safekeeping, to send log file contents to an e-mail address when the log is full.
III
Using Security Analysis