ZDNet UK
Server platforms Toolkit

Unix tools track hackers

Laura Taylor

Published: 01 Oct 2002 08:51 BST


Use tcpdump to look for aberrant packet behavior
Use the tcpdump tool to trace packets and print their header information. When you execute the command tcpdump > outputfile on a shared network that is not switched, the output file will hold one line per packet showing a timestamp, a source socket, a destination socket, the TCP flags, a sequence number and offset, and a maximum segment size. The output will look something like Listing A.

One thing that should tip you off to a problem in this example is that 295.128.16.0 is not a valid Internet address, since 295 is outside the range of acceptable octet values. Another indicator that something could be awry is traffic on port 4950, which is a known hacker port for ICQ exploits, or attempts to log into port 23 (Telnet) from clients that shouldn't need to use Telnet. The TCP flag shown is S; a long run of packets carrying only this flag could indicate a SYN flood attack. You'll also want to look at the packet sizes and see whether they look typical for the traffic on your network. In short, you should look for aberrant behaviour.

Keep in mind that your tcpdump output covers only the time during which the command was running; any aberrant activity that ended before you started it will not be captured. For that reason, tcpdump is particularly useful when you have observed suspicious behaviour on a live system and can capture it as it happens.
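The checks described above can be run against a saved capture file rather than read by eye. The following script is an added example, not code from the article: it parses the classic tcpdump text format (src.port > dst.port: flags ...) and reports source addresses with an impossible octet, the number of bare SYNs, and hosts opening Telnet from outside the prefix where Telnet clients are expected. The capture lines and the 10.0.0. prefix are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): triage a saved tcpdump
# capture for the three signs the article describes. The capture lines
# below are CONSTRUCTED to mimic the "src.port > dst.port: flags" format;
# on a real system run, e.g.,  syn_count < outputfile

sample_dump() {
  cat <<'EOF'
08:51:02.100000 295.128.16.0.4950 > 10.0.0.5.23: S 1000:1000(0) win 8192 <mss 1460>
08:51:02.200000 295.128.16.0.4950 > 10.0.0.5.23: S 1001:1001(0) win 8192 <mss 1460>
08:51:02.300000 10.0.0.7.4950 > 10.0.0.5.23: S 1002:1002(0) win 8192 <mss 1460>
08:51:02.400000 10.0.0.9.1025 > 10.0.0.5.80: P 2000:2100(100) ack 1 win 8192
08:51:02.500000 10.0.0.5.80 > 10.0.0.9.1025: . ack 2100 win 8192
EOF
}

# Source sockets whose IPv4 part has an octet above 255: such an address
# cannot exist, so the packet is spoofed or mangled. One socket per line.
invalid_src_sockets() {
  awk '{
    split($2, p, ".")                 # p[1..4] = octets, p[5] = port
    for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) { print $2; break }
  }'
}

# Count packets whose flag field is exactly "S" (a bare SYN). A burst of
# these with no completed handshakes is the SYN-flood pattern.
syn_count() {
  awk '$5 == "S" { c++ } END { print c + 0 }'
}

# Source IPs that open Telnet (destination port 23) from outside the given
# prefix, i.e. from clients that should not need Telnet at all.
telnet_from_outside() {
  awk -v pre="$1" '{
    dst = $4; sub(/:$/, "", dst)      # drop the trailing colon
    n = split(dst, d, ".")
    if (d[n] == "23") {
      split($2, s, ".")
      src = s[1] "." s[2] "." s[3] "." s[4]
      if (index(src, pre) != 1) print src
    }
  }' | sort -u
}

# Stand-alone run over the constructed capture.
echo "invalid source sockets:"; sample_dump | invalid_src_sockets | sort -u
echo "bare SYNs: $(sample_dump | syn_count)"
echo "telnet from outside 10.0.0.:"; sample_dump | telnet_from_outside 10.0.0.
```

Each function reads a capture on standard input, so the same checks apply to a real dump with syn_count < outputfile. The expected counts here come from the constructed lines, not from any real network.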

Use dig to uncover suspicious IP addresses
The dig utility, a replacement for the older nslookup, is a good tool for looking up suspicious IP addresses discovered through netstat, tcpdump, or other commands. To use it, give the IP address or hostname as an argument to the dig command, like so: dig 140.216.41.2.

Given an IP address, dig returns the hostname; given a hostname, it returns the IP address. Once you have mapped a suspicious IP address to its fully qualified domain name, you can find out who owns it: go to the American Registry for Internet Numbers (ARIN) or a WHOIS server and look up the contact, registration, and ownership information for the domain in question.

Use traceroute to find geographic physical locations
The traceroute tool shows the route a packet follows to get from one place to another, hop by hop. Most administrators use traceroute to find out the physical, geographic location of a system.

If you decide to involve law enforcement, you'll likely need to know where the crime originated. If the hacker isn't using relaying, false identities, or anonymisers, you can use the traceroute command in conjunction with the information garnered from the WHOIS database to find the hacker's physical location.
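The dig and traceroute steps above chain together naturally: take the hops from a traceroute, reverse-resolve each address, and hand the interesting ones to WHOIS. The script below is an added example, not the article's own code. It pulls the hop addresses out of traceroute output, builds the in-addr.arpa name that a reverse lookup uses, and wraps dig and whois; note that for an IP address the reverse (PTR) lookup is requested with dig -x. The traceroute output is constructed from documentation address ranges, and the ARIN WHOIS server is the one the article names.

```shell
#!/bin/sh
# Added example (not from the original article): from traceroute hops to
# reverse DNS and WHOIS. The traceroute output below is CONSTRUCTED using
# documentation address ranges; the dig/whois calls need network access.

sample_trace() {
  cat <<'EOF'
traceroute to host.example (203.0.113.9), 30 hops max, 40 byte packets
 1  gw.local (10.0.0.1)  0.412 ms  0.377 ms  0.301 ms
 2  192.0.2.1 (192.0.2.1)  8.1 ms  7.9 ms  8.3 ms
 3  * * *
 4  edge.isp.example (198.51.100.7)  20.2 ms  19.8 ms  21.0 ms
 5  203.0.113.9 (203.0.113.9)  31.4 ms  30.9 ms  31.2 ms
EOF
}

# Print the IP address of every hop that answered (the header line and
# "* * *" timeouts are skipped), one per line, in path order.
hop_ips() {
  awk '/^ *[0-9]+ / && match($0, /\([0-9.]+\)/) {
    print substr($0, RSTART + 1, RLENGTH - 2)
  }'
}

# True (status 0) when the argument is a dotted-quad with octets 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# The name a reverse lookup actually queries: octets reversed + in-addr.arpa.
reverse_name() {
  printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Resolve either direction with dig: -x for IP -> name, plain for name -> IP.
lookup() {
  if is_ipv4 "$1"; then
    dig -x "$1" +short
  else
    dig "$1" +short
  fi
}

# Ownership record for an address, from the ARIN WHOIS server.
owner() {
  whois -h whois.arin.net "$1"
}

# Usage: pass a traceroute target to resolve and look up every hop.
if [ -n "${1:-}" ]; then
  traceroute "$1" | hop_ips | while read -r ip; do
    echo "== $ip ($(reverse_name "$ip"))"
    lookup "$ip"
    owner "$ip" | grep -i -E '^(OrgName|NetName|Country):'
  done
fi
```

The parsing and classification functions run offline; only lookup and owner reach the network. Remember the article's caveat: when a relay or anonymiser sits in the path, the last hop and its owner tell you about the relay, not the person behind it.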
