Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

How do I find my hacker 1

Status
Not open for further replies.
Smarty

Smarty

Programmer
Apr 12, 2001
191
BE
Our website has been hacked. Is there any possibility how I can find who might have hacked my website? I have some logging:

HTTP_ACCEPT_LANGUAGE:nl HTTP_CONNECTION:Keep-Alive HTTP_HOST: HTTP_REFERER:HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) ASPSESSIONIDQCBCTBRR=OHHLEFCDDLKIKKBGPDKKLBKD HTTP_CONTENT_LENGTH:134 HTTP_CONTENT_TYPE:application/x- HTTP_ACCEPT_ENCODING:gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
LOCAL_ADDR: 62.212.81.132
LOGON_USER:
REMOTE_ADDR: 80.65.116.60
REMOTE_HOST: 80.65.116.60

Where do I start?
 
Sort by date Sort by votes
Here's what I did:

First I went to and entered the REMOTE_ADDR into their whois search. That entry told me that the record is maintained by RIPE, not ARIN.

So I went to and punched in the REMOTE_ADDR into their whois search. That told me the IP address involved is registered to a ISP in the Netherlands.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Upvote 0 Downvote
following is info on the ip addresses you listed. remember that a hacker may be about to spoof these but at least you have a starting point to let the other domains know about this as well. you may also want to add these ips to you blocke list.

good luck


Target: 62.212.81.132
Date: 1/24/2005 (Monday), 1:26:41 PM
Nodes: 15
52.083N 5.133E

Node Data
Node Net Reg IP Address Location Node Name
15 1 1 62.212.81.132 Utrecht green.peweb.nl


Packet Data
Node High Low Avg Tot Lost
15 0 ---- 0 39 40


Network Data
Network id#: 1
This is the RIPE Whois query server 2.
The objects are in RPSL format.

Rights restricted by copyright.
See
inetnum: 62.212.81.0 - 62.212.81.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 616
descr: 3500AP, Utrecht
descr: Netherlands
descr: remarks: Please send email to abuse@leaseweb.nl for complaints
remarks: regarding portscans, DoS attacks and spam.
country: NL
admin-c: ZCA1-RIPE
tech-c: LT303-RIPE
status: ASSIGNED PA
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20031209
source: RIPE

route: 62.212.64.0/19
descr: OCOM
origin: AS16265
remarks: Ocom
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20031209
source: RIPE

person: Cornelis Zwinkels
address: P.O. Box 616
address: 3500 AP Utrecht
address: Netherlands
phone: +31 30 2368696
fax-no: +31 30 2368779
e-mail: ripe@ocom.com
nic-hdl: ZCA1-RIPE
remarks: Ocom B.V.
remarks: notify: ripe@ocom.com
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20031224
source: RIPE

person: Laurens Rosenthal
address: P.O. Box 616
address: 3500 AP Utrecht
address: Netherlands
phone: +31 30 2368696
fax-no: +31 30 2368779
e-mail: ripe@ocom.com
nic-hdl: LT303-RIPE
remarks: Ocom B.V.
remarks: notify: ripe@ocom.com
mnt-by: OCOM-MNT
changed: ripe@ocom.com 20031224


Registrant Data
Registrant id#: 1

Rights restricted by copyright. See

Domain name:
peweb.nl (first domain)

Status: active

Registrant:
PeWeb.NL
Uitloper 66
8256 CD BIDDINGHUIZEN
Netherlands

Domicile:
N/A

Committed to ADR: no

Administrative contact:
L. Peters
+31 (0)321332134
postmaster@peweb.nl

Registrar:
PeWeb.NL - EuSelect (*/d)
Uitloper 66
8256 CD BIDDINGHUIZEN
Netherlands

Technical contact:
Th. Peters
+31 (0)321332134
hostmaster@peweb.nl

Technical contact:
N. Mooney
+31 (0)321333743
hostmaster@euselect.com

Domain nameservers:
ns1.peweb.nl 62.212.81.128
ns2.peweb.nl 62.212.81.129

Date registered: 24-08-1999
Record last updated: 26-05-2003


Target: 80.65.116.60
Date: 1/24/2005 (Monday), 1:29:58 PM
Nodes: 18


Node Data
Node Net Reg IP Address Location Node Name
18 1 1 80.65.116.60 Enschede ip116-60.dsl.introweb.nl


Packet Data
Node High Low Avg Tot Lost
18 165 125 127 12 0


Network Data
Network id#: 1

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 80.0.0.0 - 80.255.255.255
CIDR: 80.0.0.0/8
NetName: 80-RIPE
NetHandle: NET-80-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH62.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at RegDate:
Updated: 2004-03-16

ARIN WHOIS database, last updated 2005-01-23 19:10


Registrant Data
Registrant id#: 1

Rights restricted by copyright. See

Domain name:
introweb.nl (first domain)

Status: active

Registrant:
IntroWeb B.V.
Welbergweg 30
7556 PE HENGELO OV
Netherlands

Domicile:
N/A

Committed to ADR: yes

Administrative contact:
R. Esschendal
+31 (0)742430105
postmaster@introweb.nl

Registrar:
IntroWeb B.V. *) /p
Welbergweg 30
7556 PE HENGELO OV
Netherlands

Technical contact:
Pieter de Haer
+31 (0)742430105
domain-admin@introweb.nl

Technical contact:
Duco Waterreus
+31 (0)742430105
domain-admin@introweb.nl

Technical contact:
Edwin Ringersma
+31 (0)742430105
domain-admin@introweb.nl

Domain nameservers:
ns1.introweb.nl 80.65.96.40
ns3.introweb.nl 62.165.127.222

Date registered: 02-02-1996
Record last updated: 23-12-2004
 
Upvote 0 Downvote
80.65.116.60
Location: Enschede
52.267N 6.800E
 
Upvote 0 Downvote
Thank you, PEWEB is our hosting company... I sended an email to the other company. If I don't get an answer, I will give them a phone call.

If any other steps are possible, please let me know
 
Upvote 0 Downvote
check your user logins surrounding the time of the incident including remotes.
 
Upvote 0 Downvote
Unfortunately any hacker that knows what they are doing will have used at least one proxy to hide their address or use an already compromised machine to launch an attack.

At a guess your admin function has been abused in which case someone knows your password or it has no protection against a brute-force attack. Check your webserver log for multiple guesses in alphabetical order this will give you a clue as to whether they knew the password or hacked it. Hopefully your user id isn't "admin" or "administrator" or something obvious, if it is change it to something obscure and change the password too.

If the attacking address is in the same hosting company the chances of this being random are slim, you need to determine if the attacker knew the password or broke in. If they broke in you will have thousands of repeating log entries in your webserver log.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2
  • Locked
  • Question
Loss of my privacy
Replies
12
Views
2K
Rick998
Rick998
Miluis
  • Question
How necessary is an antivirus?
Replies
3
Views
267
Rick998
Rick998
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
1K
Sameer258
Sameer258
XLNTech1
  • Locked
  • Question
iptables port forwarding
Replies
0
Views
676
XLNTech1
XLNTech1
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
796
Johnkite
Johnkite

Part and Inventory Search

Sponsor

Back
Top