
I'm wondering what one can do if they have the IP addresses that were used by the attackers during a security breach?

The specific situation is this - recently two of our servers were hacked into and taken offline. After we regained control I looked at the /var/logs/secure file and noticed a ton of messages like the one below:

Jun 12 23:56:35 d3db01 sshd[31736]: reverse mapping checking getaddrinfo for host31-65-211-80.serverdedicati.aruba.it [80.211.65.31] failed - POSSIBLE BREAK-IN ATTEMPT!

That occurred right around the time of the attack.

Can I find information about the attacker and possibly use that to report them to the authorities? Am I looking in the right place for information about the attacker or is there somewhere else I should be looking?

When you hear about high profile breaches they are often able to track the attack back to where it originated from. I'm curious how that is done.

schroeder
Abe Miessler
  • What kind of security breach happened? – vidarlo Jun 15 '19 at 08:07
  • Yes, it is more refined, but then you added in the whole "tracking back" element, which is not quite the same as just sorting out the IP. WMIF's answer below now becomes very relevant. It is not likely that an attacker uses their own IP. – schroeder Jun 17 '19 at 19:36

4 Answers


The "POTENTIAL BREAK-IN ATTEMPT" language in this log message was a frequent source of confusion, and was removed in 2016. The fact that you're still seeing it suggests that you are running an old version of OpenSSH, which should be upgraded.

The only thing that this log message means is that the IP address indicated in the message attempted to make an SSH connection to your server. If you weren't expecting a connection from this hosting provider, it's possible that there was an SSH scanner running on this IP. This is (unfortunately) quite common, and should be reported to the ISP, but it's not a reliable indicator that they were specifically at fault for the break-in.
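To make the point of this answer concrete, here is an added example (not from the answer's author and not OpenSSH code) that runs over a few constructed /var/log/secure lines. The first log line is the one quoted in the question; the other lines, the user names, the ports and the 203.0.113.x and 198.51.100.x addresses are invented for the example (RFC 5737 documentation ranges). It separates the reverse-mapping warning, which only proves a TCP connection to sshd, from the entries that show authentication failing or succeeding, which is what an intrusion investigation should actually be built on.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of sshd entries from /var/log/secure. Line 1 is the one
# quoted in the question; everything else (users, ports, the 203.0.113.x and
# 198.51.100.x addresses) is invented for this example.
SAMPLE_LOG = """\
Jun 12 23:56:35 d3db01 sshd[31736]: reverse mapping checking getaddrinfo for host31-65-211-80.serverdedicati.aruba.it [80.211.65.31] failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 12 23:56:36 d3db01 sshd[31736]: Failed password for root from 80.211.65.31 port 51234 ssh2
Jun 12 23:56:38 d3db01 sshd[31736]: Failed password for root from 80.211.65.31 port 51234 ssh2
Jun 12 23:56:40 d3db01 sshd[31736]: Connection closed by 80.211.65.31 port 51234 [preauth]
Jun 12 23:58:02 d3db01 sshd[31790]: Accepted password for deploy from 203.0.113.45 port 40022 ssh2
Jun 12 23:58:02 d3db01 sshd[31790]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Jun 13 00:01:11 d3db01 sshd[31801]: Invalid user admin from 198.51.100.77 port 33010
Jun 13 00:01:12 d3db01 sshd[31801]: Failed password for invalid user admin from 198.51.100.77 port 33010 ssh2
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_REVERSE_FAIL = re.compile(r"reverse mapping checking getaddrinfo for (\S+) \[" + IP + r"\] failed")
RE_ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from " + IP)
RE_FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IP)
RE_INVALID_USER = re.compile(r"Invalid user (\S+) from " + IP)


@dataclass
class HostActivity:
    ptr_names: set = field(default_factory=set)    # names sshd tried to verify
    reverse_map_failures: int = 0
    failed_logins: int = 0
    invalid_users: set = field(default_factory=set)
    accepted: list = field(default_factory=list)   # (auth method, user)

    def verdict(self) -> str:
        if self.accepted:
            return "AUTHENTICATED SESSION: investigate this host first"
        if self.failed_logins or self.invalid_users:
            return "failed logins only: scanner / brute-force noise, report to provider"
        return "connection attempt only: no evidence of access"


def parse_secure_log(text: str) -> dict:
    """Aggregate sshd events per remote IP from /var/log/secure-style text."""
    hosts = defaultdict(HostActivity)
    for line in text.splitlines():
        if "sshd[" not in line:
            continue
        if m := RE_REVERSE_FAIL.search(line):
            # The peer's PTR name did not forward-resolve back to the peer.
            # This proves only that the IP opened a connection to sshd.
            hosts[m.group(2)].ptr_names.add(m.group(1))
            hosts[m.group(2)].reverse_map_failures += 1
        elif m := RE_ACCEPTED.search(line):
            hosts[m.group(3)].accepted.append((m.group(1), m.group(2)))
        elif m := RE_FAILED.search(line):
            hosts[m.group(2)].failed_logins += 1
        elif m := RE_INVALID_USER.search(line):
            hosts[m.group(2)].invalid_users.add(m.group(1))
    return dict(hosts)


def triage(text: str) -> dict:
    """Map each remote IP to a one-line verdict."""
    return {ip: h.verdict() for ip, h in parse_secure_log(text).items()}


if __name__ == "__main__":
    for ip, h in parse_secure_log(SAMPLE_LOG).items():
        print(f"{ip:16} rdns_fail={h.reverse_map_failures} failed={h.failed_logins} "
              f"invalid_users={sorted(h.invalid_users)} accepted={h.accepted}")
        print(f"{'':16} -> {h.verdict()}")
```

Run it as a script to see the per-host summary, or feed `parse_secure_log` the contents of the real /var/log/secure (on Debian-derived systems the same entries land in /var/log/auth.log). The `Accepted` lines are the ones that matter: an address that shows nothing but failed logins and a reverse-mapping warning is noise to report to its provider, not evidence of who got in.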


Nothing.

It’s very likely to be infrastructure for another victim and anything you do towards that IP will be considered as you attacking that victim.

WMIF

I'm wondering what one can do if they have the IP addresses that were used by the attackers during a security breach?

Nothing at all. One word: jurisdiction. If you live, have your server, the attacker IP or the attacker lives in another jurisdiction, there's little chance of authorities doing anything at all. For example, don't expect the Italian provider to provide the American police information about an attack on a French server committed by a Russian national.

You got the picture.

The only thing you can do is to report the attack to the provider. If the attacker is responsible, his account can be suspended (hacking is usually against every ToS of every provider around). If the attacker is not the owner, the server can be taken offline and its owner can correct the issues.

Can I find information about the attacker and possibly use that to report them to the authorities?

The server logs usually can be used, but not as proof of anything. It's not hard to identify an IP address involved in any attack, but it's a different story to identify the actors behind the attack.

The attacker could have used another victim as a platform for launching attacks, and your own server could have been used to attack others; you cannot know. The attacker could have planted false entries in the log to mislead the investigation, even if this is rarely done because going after the attacker usually leads nowhere.

Am I looking in the right place for information about the attacker or is there somewhere else I should be looking?

You are looking in the right place, but at the wrong data. The IP is the only thing you have.

When you hear about high profile breaches they are often able to track the attack back to where it originated from. I'm curious how that is done.

Almost all the time, the attacker brags about the attack. If the attack was a high profile one, authorities get to hear, and start moving police around the world. Or they steal important data and try to sell it online, only to be contacted by undercover law enforcement.

Those Hollywood scenes showing traces running, IP addresses flowing across the screen and police cars surrounding a house while the hacker is still connected do not exist.

ThoriumBR

If you want to investigate this IP address you could reach out to the owner of the network and report abuse.

host31-65-211-80.serverdedicati.aruba.it [80.211.65.31]

The reverse DNS lookup suggests that currently this IP address belongs to aruba.it. Go to their Web site and send a support request.

I am not sure if they are going to do anything about it, but who knows. If they have received a number of complaints, they could take some action.

It is possible that a host at this address has been infected and is being used by an attacker and the user of that host has nothing to do with it.

VL-80