1

Somebody made a lot of(unusual, like never before) http requests on my website, I checked this thing on google analytics and it shows that someone with no lang, no country has visited my website. My website has some sensitive data(personal) that should not be stolen(mobile numbers + emails).

Now I'm worried if someone did find some loophole on my website and tried to steal my data. Can I trace that person who made some unusual requests on my website?

I tried to search on google to find out "how to find a hacker" or something like that but I couldn't get any appreciable info there.

ali
  • 11
  • 2
  • You could of course get in touch with law enforcement but you have no clear proof that data was stolen. You could send an email to the abuse contact of their ISP but unless the attacks are severe and still ongoing it's unlikely that they'll respond either. – André Borie Jan 03 '16 at 16:37
  • When you host a website with sensitive data, you should have hardened it enough to be confident that some probing with random requests does not cause you to panic. – Philipp Jan 03 '16 at 16:38
  • With your own mean you will most probably never find anything useful. Most scanning operation is handled by bots installed on compromised innocent machine, remotely controlled by the hackers operating hidden behind proxies system (sometimes other innocent compromise systems). With such a complexity, tracing the genuine author of these request is usually anything but trivial (well, if you are lucky, you may find that the IP correspond to a Chinese IP, but what then ? You are not even sure and in all case have no proof that these IP is real source and wasn't used as a relay...). – WhiteWinterWolf Jan 03 '16 at 16:39
  • You may block such ips based on access pattern – Ijaz Ahmad Jan 03 '16 at 17:08
  • It is hard to be certain without examining your logs, but this is likely just background scanning that hits every site on the internet. – Neil Smithline Jan 03 '16 at 17:10

1 Answers1

1

To find more information about who owns an IP address you can:

  • use the traceroute (unix) / tracert (windows) command line tool to find out which routers are between them and you.
  • check a GeoIP database to get a very approximate geographical location of that IP address block.
  • use the ripe database to check to whom the IP address block is registred, which will usually lead you to their ISP.

The exact identity is only known to the ISP which will usually only reveal it when they get a court order or similar official request from law enforcement, which requires that you report it and that they find the case relevant enough to act. Unless you actually lost data or have other tangible damages, they are unlikely to act, though.

Also, when the attacker knows what they are doing, they will use various anonymization tools to hide their identity. There are various methods to make deanonymization of internet users very difficult (which are explained in greater detail in lots of other questions on this site, so I won't go into further detail). Following the IP will likely lead you to just some hapless internet user who got his machine infected with a botnet trojan.

But acting after an attack is really not what you should be worrying about. What you should be worrying about is making sure that such attacks won't work on your systems.

Scans like that happen all the time. When you put a webserver online it usually only takes minutes until people start hammering it with all kinds of exploits. If you aren't confident in your security, you shouldn't be doing this.

Philipp
  • 48,867
  • 8
  • 127
  • 157