Taking A Second Look (Webpage Access Logs And Hacker Behavior)

Once again I'm going to use the example of a "webpage hack", simply because it's the easiest to visualize, it's something that I think most of our users will be familiar with, and it's an area where I'm less worried about "spilling the beans" (hey, I worked hard on this stuff, I deserve to keep some secrets, haha).

Behavior, behavior, behavior. I can't say it enough, and I hope that this simple, common sense example can show you why.

Let's say that www.AntiOnline.com was hacked (God forbid). All of the system logs were gone, and the webpage was changed to a message from some hacker telling what he really thinks of me (you can all envision what an ugly site that would be, haha). I can't come up with any "leads" using other methods, as the hacker has left no "virtual fingerprints" for me to find on my system or on the systems of any of my uplink providers. Or has he?

How many of you have had to investigate a webpage hack, for one reason or another? How many of you have noticed that many of the system logs, which would have given you valuable insights into the hacker's identity, had been deleted? Ok, now, how many of you still had the webpage access logs from that system? I bet almost all of the hands in the room just went up, huh? It's something almost EVERY hacker leaves behind. Why? What damage could it possibly do to them? Well, a lot more than they may think.

Look at that access log for a minute. You'll see the domains (or IPs, depending on whether your server does reverse lookups) of all the users that requested files from the server. Say your main page is made up of two elements, index.html and logo.gif. The "hacked version" of the page contains, say, three elements: index.html, hackerlogo.gif, and YouAreOwned.jpg. If the site is moderately to heavily trafficked, looking for the first time "YouAreOwned.jpg" appears in the access logs will give you a pretty good indication of what time the site was hacked.
Useful information indeed. Now, let's take this one step further, and work something that we know about hacker behavior into this formula. Say you planned on hacking www.AntiOnline.com. What's the very first thing that you would do just minutes before the hack took place, and again just seconds after the new, "hacked version" was uploaded? Answer: visit www.AntiOnline.com.

A hacker quickly breaks into the system using a method he's established would work, uploads the new documents (all from a hacked shell, or "bounce point", no doubt, to help protect his true identity), then opens up a browser on his local machine (and true IP) to see if the new, hacked page appears. It happens that way 99.999% of the time, I guarantee.

Go back to your webpage access logs. Cut out everything from 5 minutes before you see the altered graphics showing up to 5 minutes after they first appear. Guess what? I'd bet my bottom dollar that the hacker's true IP address appears in there at least once. Look for IPs or domains which visited once before the site was hacked, and once after the site was hacked. Guess what? You now have the hacker's true domain in that list somewhere. Although this may not "prove" that he's the one, and this method may come up with a small list of possible "suspects", at least now you have something to go by (and some good circumstantial evidence on top of that, placing the hacker at the scene of the crime), which is more than you had before.

Once again, let me repeat that this is just one "common sense" approach out of a multitude of creative ways you can gain information about any given hacker, simply by knowing and understanding their behavior.
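The whole procedure above (find the first request for the defacement artifact, cut a window of 5 minutes either side, keep the IPs that show up both before and after) is easy to automate. The script below is an added example written for this page, not code from AntiOnline; the log lines are constructed in Apache/NCSA common log format, the filenames and addresses are the ones used in the example above, and the 5-minute window is the author's figure, kept as a parameter so you can widen it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (Apache/NCSA common log format), not real traffic.
# 203.0.113.7 views the original page, then fetches the "hacked version" seconds
# after it goes up. 198.51.100.23 is an ordinary repeat visitor. 192.0.2.140 visits
# before and after but outside the window. 192.0.2.55 / 192.0.2.9 visit only once.
SAMPLE_LOG = """\
192.0.2.140 - - [12/Mar/1999:02:30:00 -0500] "GET /index.html HTTP/1.0" 200 4512
203.0.113.7 - - [12/Mar/1999:02:42:10 -0500] "GET /index.html HTTP/1.0" 200 4512
203.0.113.7 - - [12/Mar/1999:02:42:11 -0500] "GET /logo.gif HTTP/1.0" 200 1021
198.51.100.23 - - [12/Mar/1999:02:43:02 -0500] "GET /index.html HTTP/1.0" 200 4512
198.51.100.23 - - [12/Mar/1999:02:43:03 -0500] "GET /logo.gif HTTP/1.0" 200 1021
192.0.2.55 - - [12/Mar/1999:02:44:30 -0500] "GET /index.html HTTP/1.0" 200 4512
192.0.2.55 - - [12/Mar/1999:02:44:31 -0500] "GET /logo.gif HTTP/1.0" 200 1021
203.0.113.7 - - [12/Mar/1999:02:46:05 -0500] "GET /index.html HTTP/1.0" 200 2210
203.0.113.7 - - [12/Mar/1999:02:46:06 -0500] "GET /hackerlogo.gif HTTP/1.0" 200 3310
203.0.113.7 - - [12/Mar/1999:02:46:06 -0500] "GET /YouAreOwned.jpg HTTP/1.0" 200 8820
198.51.100.23 - - [12/Mar/1999:02:49:40 -0500] "GET /index.html HTTP/1.0" 200 2210
198.51.100.23 - - [12/Mar/1999:02:49:41 -0500] "GET /YouAreOwned.jpg HTTP/1.0" 200 8820
192.0.2.9 - - [12/Mar/1999:02:50:12 -0500] "GET /index.html HTTP/1.0" 200 2210
192.0.2.9 - - [12/Mar/1999:02:50:13 -0500] "GET /YouAreOwned.jpg HTTP/1.0" 200 8820
192.0.2.140 - - [12/Mar/1999:02:55:00 -0500] "GET /index.html HTTP/1.0" 200 2210
"""

# Common log format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Parse common-log-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m.group("ip"),
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "path": m.group("path"),
            "status": m.group("status"),
        })
    return entries


def first_seen(entries, artifact):
    """First successful (200) request for the defacement artifact, or None.

    Assumes the log is in the order the server wrote it, i.e. chronological.
    """
    for e in entries:
        if e["path"] == artifact and e["status"] == "200":
            return e
    return None


def find_suspects(entries, artifact, window_minutes=5):
    """Apply the article's test: IPs seen in the window both before and after the hack.

    Returns None if the artifact never appears, otherwise the defacement time,
    the IP that fetched the artifact first, and the sorted list of suspects.
    """
    hit = first_seen(entries, artifact)
    if hit is None:
        return None
    t0 = hit["time"]
    start = t0 - timedelta(minutes=window_minutes)
    end = t0 + timedelta(minutes=window_minutes)
    before, after = set(), set()
    for e in entries:
        if start <= e["time"] < t0:
            before.add(e["ip"])
        elif t0 <= e["time"] <= end:
            after.add(e["ip"])
    return {
        "defaced_at": t0,
        "first_requester": hit["ip"],
        "suspects": sorted(before & after),
    }


if __name__ == "__main__":
    result = find_suspects(parse_log(SAMPLE_LOG), "/YouAreOwned.jpg")
    print("defaced at:", result["defaced_at"])
    print("first to fetch the artifact:", result["first_requester"])
    print("seen both before and after:", result["suspects"])
```

On the sample data this returns two suspects, 203.0.113.7 and 198.51.100.23, which is exactly the "small list" the text warns about: the repeat visitor is in it too, and the window is what keeps 192.0.2.140 out. The first IP to fetch the new artifact is usually the more interesting of the two, since that is the "did it work?" check the author describes. One practical caveat: if the attacker only overwrote index.html and added no new files, search on the byte count column instead (note how the size of index.html changes from 4512 to 2210 above) and use the first request that returns the new size as your defacement time.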