Recently I got a call for help from my friend Mark, who'd just come back from a short holiday. On checking the logs of his home computer, which is connected to the Internet 24 hours a day by cable modem, he realised his system had been hacked.
We started with some routine checks, which revealed the hacker had broken in four days before and had spent several hours every evening since, unsuccessfully trying to gain access to the private areas of the computer. Mark had checksums for every file on his computer, and a quick comparison showed those files hadn't been tampered with. After running some other checks, we knew the system was clean.
So we turned our attention to the hacker. As we knew the IP number of the hacker's computer, we could check it against the ARIN database, which told us the hacker used a cable modem and was living in the same city. At this point we could have sent an e-mail to the abuse account of Mark's provider (firstname.lastname@example.org), asking the ISP to take action against the hacker, but our detective game had become too much fun for us to stop there.
So we ran a portscan - a way to discover what communications a computer will accept - which told us the hacker was running Windows 9x on a Pentium machine. Unfortunately for us, the hacker's machine was protected by a firewall, so only defined protocols could connect to it from the Internet.
The only listening application on the hacker's machine we could access from the Internet was ICQ ('I Seek You'), a popular program with a central server (see www.icq.com) that enables online user chat. After the ICQ user goes online, the program will accept connection from the ICQ server, which will announce the user's presence to other ICQ users so they can start chatting or share files. Every ICQ user has a unique identification number (NUI), but you can't learn it from a machine's IP address.
This was quite a challenge. A long search of the Internet eventually uncovered a utility that contacts the computer of an ICQ user and pretends to be the ICQ server. Thinking it had to check in to the central ICQ server, the hacker's ICQ program happily told the utility the NUI. Even better, ICQ has this little service where you can get all the details once you know the NUI. So we looked up the hacker's phone number and even his home address, just a few streets away from Mark's home.
We then decided to wait for the next attack, which we knew would be in the evening, as the hacker always broke in then. When the attack began, we set off for the hacker's house, reaching it within a minute. When a young man opened the door, Mark told him, "Now, listen, I know that you started hacking my computer just now... STOP IT." The hacker apologised and the hacking stopped. To this day he hasn't a clue how we traced him.
We also learned from this incident. Mark has installed a program that checks for intrusions and will SMS his mobile phone to warn him. You may not want to go so far, but what you should be doing as a bare minimum is taking care and checking your logs carefully.
This was first published in December 2000