How can I punish a hacker?

  • I am a small business owner. My website was recently hacked, although no damage was done; non-sensitive data was stolen and some backdoor shells were uploaded. Since then, I have deleted the shells, fixed the vulnerability and blocked the IP address of the hacker.

    Can I do something to punish the hacker since I have the IP address? Like can I get them in jail or something?

    This question was featured as an Information Security Question of the Week.
    Read the Feb 05, 2016 blog entry for more details or submit your own Question of the Week.

The said hacker already spends his nights on his computer, alone, staring at his bleak screen, looking for vulnerabilities and installing backdoors. How could you possibly punish him any further?

You deleted the shells... meaning you destroyed the evidence?

    Are you 100% sure that you deleted all of the shells? It may be prudent to rebuild the system from the ground up and audit your network to make sure the hacker wasn't able to use the compromised machine to gain access to other machines on the network.

    @Tass: You're joking, but take a look at the labrea project. Then consider how long it's been around.

    How do you know you have his *real* IP Address?

    Punish crackers, reward hackers.

    @bobobobo negative

    Tie him up and spank him like Max Mosley.

    Go over to his house and speak sternly with his mother.

You don't punish the hacker, the hacker punishes you.

Ping his IP twice a week. Let his host die in slow agony!

    @TomLeek writes: *The said hacker already spends his nights on his computer, alone, staring at his bleak screen, looking for vulnerabilities and installing backdoors. How could you possibly punish him any further ?* Yeah, but the ground is level on that point, since OP spends his nights on his computer alone, tracking down the activities of crackers attacking his website and dreaming up punishments.

    *although no damage was done* <- so what's the point in seeking punishment? pride? personally I'd be happy if someone broke onto my servers but did no damage — I can patch the vulnerability before someone else does cause damage thanks to him.

    @Mahn Data was stolen!

    @ClickUpvote So damage *was* done. You might want to look for relevant breach notification laws for your jurisdiction.

    @randomstring only in Soviet Russia.

    Hack him back...

Leave him a note thanking him for identifying the problem, and consider yourself lucky. The person you punish should either be the person you hired to set up your system or, if they are not trained professionals, the person who chose to use untrained talent to set up an internet-facing business server. I wish the right people would be held responsible for crimes like this: the adult who leaves the door open when they leave for work, not the child who walks into the open, empty house and eats a few cookies. (Yes, the hacker was malevolent, but it would have been someone else if not him.)

TL;DR: It's not the correct IP address and law enforcement doesn't care.

    You also don't know if your own server (read IP) has been compromised to do the same thing to other servers. Going by your logic, your IP should be reported as a center of suspicious activity and blacklisted.

Find where he lives and go to his house with a blond from Nebraska and knock on the door. When he opens the door, let her kick him in the nads and quickly take back your bat'leth, and your WoW account. I've been places where this happened in the USA with intent to cause damages and we turned the evidence over to the FBI. Not sure what/if they ever did anything, since the perp was in Russia.

Did you manage to punish him?

  • You don't punish the hacker. The law does. Just report whatever pieces of information you have to the police and let them handle it.

However, it is very unlikely that the attacker will be caught. The IP address you possess most likely belongs to another system that the attacker has compromised and is using as a proxy. Just treat it as a lesson learnt and move on.

Then how do the hackers you read about in the news get caught?

@ClickUpvote Everybody makes mistakes occasionally. If somebody makes enough of them and the police put in the effort to dig through all that data, you might catch someone. Often they catch one in a group and then use him as a mole to catch the rest.

    Or they hack something that the law/government actually care about, which gives them an incentive to actually try and catch them. I'm sure they don't really care about the average website.

    @ClickUpvote here's a list of what I see as hacker investigation priorities: [Exploited government owned networks, Large scale financial exploits, DDOS on public govt sites, Zero Day vulnerability distributers, high incident exploiters, ....., ....., browse facebook out of boredom, ....., ....., script kiddies] (this case)

    @ClickUpvote, *what* hackers you read about in the news? A dozen sites are hacked every day, and I read about hackers getting caught maybe a couple of times a year, tops. Those few cases are usually people cracking a sensitive government system. Someone notices, contacts the FBI, but *doesn't* stop the hacker or acknowledge them in any way. This allows law enforcement time to get the necessary warrants in multiple states and/or countries to trace the connection back to its source *while the hacker is connected,* probably over several weeks. But tracing a hacker after the fact? Good luck.

    Of course, you could just post the IP address on 4chan and hope someone is especially bored today...

    @MarkAllen That assumes you're in the USA

Is there such a thing as "Digital Trespassing"? Although the OP doesn't make mention of it, I think one could surmise that the OP took reasonable steps to harden his server if it took "hacking" to get in. I don't see this as any different from somebody breaking into your home to read your newspaper and making a copy of the key to the back porch. Would law enforcement take the same indifference in that case?

@hydroparadise If you live in the USA and a robber robs your house, you report it to the local cops. What happens if you live in the USA, host your website using a server located in a datacenter in Japan, and were attacked by a French hacker using a compromised machine in China? Who do you report it to? Which law enforcement agency is going to arrest the guy?

  • So you have identified the IP address involved in the process of hacking your website. Congratulations!

What makes you believe that this IP is indeed a hacker's IP address, and not simply another hacked-into computer running in zombie mode? And who is to say that your own web server didn't run in exactly the same zombie mode until you removed the shells installed through, as you say, the later identified backdoor?

    Should you expect another person, whose web server was attempted to be, or indeed was hacked through your compromised web server's IP, thinking exactly the same about you, and is already looking for ways to get even like you are?

I would sincerely hope this not to be the case, and that we've moved past the times of witch-hunting and freely accusing and passing judgment upon people before they are proven guilty beyond reasonable doubt in a court of law, where they are allowed to defend themselves, present their own evidence, dispute the evidence gathered against them, and have this evidence hopefully weighed, and a ruling later passed, by people decent enough to see both sides of the coin before calling it for what it turned out to be.

    The mandatory IANAL disclosure applies at this point, but these are the options that you probably ought to be looking at:

• Report the incident to the proper authorities. You should do that not only in the hope that the real hacker eventually gets caught and prosecuted, but also to cover your back in case your web server was involved in other illegal activities while it was compromised and acting in ways beyond your immediate control. Then cooperate, be ready for your web server to be taken to a forensic laboratory, and you might suffer service downtime because of it. This will take time off you, and possibly incur cost too.

• Alternatively, harden your web server against any other possible backdoors and exploits in software you use, and hire a proper security analyst to do their magic. File an internal incident report and have it verified by an independent party, to cover your back that way in the unlikely eventuality that you'll later need this as evidence, if contacted by authorities. This will also take time, and it will cost too. But your web server will be online and your business hopefully making up for any costs involved.

Your choice then, but don't get yourself in greater trouble by playing a self-righteous vigilante; it's just not worth it, and the odds are against you from the very start that you'll be seeking vendetta at the right address.

    Most people outside this community don't know about 'zombie mode'. I think you misunderstood OP. Asking 'can I get them in jail' does not make them a 'self-righteous vigilante'. That's a normal desire for justice. It would be useful to specify who are the 'proper authorities'.

    +1 that it's probably not their IP. Any real attacker would at least bounce ONCE, but more likely would proxy -> tor -> victim machine

  • The term most often used to describe what you're talking about is Hacking Back. It's part of the Offensive Countermeasures movement that's gaining traction lately. Some really smart people are putting their heart and soul into figuring out how we, as an industry, should be doing this. There are lots of things you can do, but unless you're a nation-state, or have orders and a contract from a nation-state your options are severely limited.

    There are a number of laws regarding hacking a computer you don't have authorization to hack, the CFAA in the USA, the CMA in Great Britain, the CHM in Australia, and the list goes on. All of which make it illegal to do what you want to do, and in some cases have pretty strict penalties for even the smallest of actions.

Let's assume you can hack the offending machine without breaking a law. This is less than ideal. Sometimes the IP address you have will point you back at the actual computer where the hacker was sitting. This is the best case, and also the least likely to happen. More often the IP address you have is an innocent intermediary; that is, it's more likely to be your grandmother's eMachine that was compromised when she clicked on a dodgy website while researching canasta strategies. So while there is a chance hacking back could punish the do-badder, the most likely scenario is that you break your aged grandmother's link to the outside world.

    Your best option? Report the incident to the most appropriate law enforcement agency. Unless there was significant financial loss it probably won't gain much traction as an individual case. What could happen is that your information will get added to the pile of evidence that could be used to take down a large group.

    @ŁukaszLech: It's hard to overcome our initial feelings of violation and the urge to exact some kind of toll. Do enough investigations and you start to realize that in almost all cases the source of the attack is nothing more than an innocent bystander. Pretty sad really.

  • Don't play their game, you'll lose

    I've learned not to play that game, hackers by nature have more spare time than you and will ultimately win. Even if you get him back, your website will be unavailable to your customers for a solid week afterwards. Remember, you're the one with public facing servers, you have an IP of a random server that he probably used once. He's the one with a bunch of scripts and likely more knowledge than you will get in your quest for revenge. Odds aren't in your favor and the cost to your business is probably too high to risk losing.

    It's most likely not his IP

This kind of hacking is incredibly low priority to law enforcement, and the IP you have probably belongs to a server 1000 miles away from said hacker. If you are intent on getting his IP, he may have used a proxy whose purpose isn't anonymity; if you track HTTP headers, look for X-Forwarded-For headers in the offending requests. Those will more likely have his real IP if they're there. Nobody bothers with chaining proxies for "fun" hacks like this. But again, don't bother: he's hacked you, he won, and if you play his game, he will win again. Right now it's not personal to him, so the cost of a DDoS attack on you doesn't outweigh the benefit yet.

    If you must play the game

I used to set up honeypots for hackers. When one would make it into my intentionally left vulnerable server in my DMZ, I would place some fun files that look important and lead to other fun goodies that aren't so good for a PC's health. Now if I do set up a honeypot, it's just a logging server with a few vulnerable ports so I am alerted of attempts on my network. That way I can watch a little more closely when it's important.

    You're looking at this wrong

When a guy cuts you off on the interstate and you rush up to get him back, his response isn't always going to be good for your health. Instead of getting even, think of your experience as a free security audit where the only expense was doing work that you should have done in the first place. Hackers are frustrating, but the first couple of times this happens will change your view of security. But overall... Woooooosah

    Even if it is "his" IP, it could be a dynamic line which can be reassigned to another customer.

  • Remember - no matter what they did, if you do hunt down the hacker (assuming you have identified the right one) and punish them,

    you will have broken the law, and the police are likely to be able to prove your guilt

    Don't do it. Vigilante justice is for Caped Crusaders and Superheroes!

Note that the person didn't say they were going to hunt them down and do something bad. They specifically say "Like can I get them in jail or something?", which means going to the police.

  • Of course you can punish hackers. Just use a service like GeoBytes IP Locator to know their address. Drive there, knock on the door, and whoever opens, he/she must be the hacker. Then just go ahead and punish them for the bad girl/boy they are.

    Back to reality. Unfortunately, it's very likely that they'll go unpunished.

    Depending on your jurisdiction, your case might just be too minor to entice capable law enforcement agencies to track down your attacker. Of course, officially, they'll never tell you that. You'll report it, and they'll tell you they'll do the best they can.

    It's very likely that your attacker is using some anonymising service (Like Tor) which makes it very difficult and resource-consuming to track him.

    If I were you, I'd ask a security expert to assess my site and fix the vulnerabilities to prevent this from happening again.

  • There's no profit in it for you to punish the attacker. Your resources are best spent securing your server and getting on with business.

• What you can do directly is send an abuse mail to his ISP. Just look up the IP in the database. In most cases there is an abuse mail address listed for the owner of the IP.

ISPs take legit abuse mails seriously, at least in my opinion.

    Mailing abuse at his ISP...

This is the easiest and most likely way to actually "punish" the hacker. Worst case, the owner of another machine that was hacked will find out his machine has been compromised and will hopefully resolve the issue. Best case, you cause issues with the hacker's home ISP.

    This is how the Internet works. Doesn't everyone know about [email protected]? If this was everyone's response as soon as attacks are discovered we would have far fewer attackers.
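The two practical suggestions above, looking at X-Forwarded-For on the offending requests and sending an abuse report to whoever owns the source address, both start from the web server's access log. The script below is an added example and is not code from any answer on this page. It assumes an Apache combined log format with the X-Forwarded-For header appended as a final quoted field, a hypothetical backdoor path `/uploads/images.php`, and constructed log lines using documentation addresses; it pulls out every request to the known shell path, groups them by source address, keeps any routable forwarded address as a separate, clearly unverified item, and renders a plain-text summary of the kind an abuse desk can act on. Note that X-Forwarded-For is supplied by the client and can be forged, so the report labels it as such rather than treating it as the attacker's address.

```python
import ipaddress
import re

# Constructed sample log lines (documentation addresses, not a real server).
# Assumed Apache LogFormat:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\""
SAMPLE_LOG = """\
203.0.113.45 - - [03/Feb/2016:02:14:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0" "-"
203.0.113.45 - - [03/Feb/2016:02:14:09 +0000] "POST /uploads/images.php HTTP/1.1" 200 88 "-" "Mozilla/5.0" "198.51.100.7"
198.51.100.23 - - [03/Feb/2016:02:15:30 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
203.0.113.45 - - [03/Feb/2016:02:16:01 +0000] "GET /uploads/images.php?cmd=id HTTP/1.1" 200 40 "-" "Mozilla/5.0" "198.51.100.7"
192.0.2.9 - - [03/Feb/2016:02:20:44 +0000] "GET /uploads/images.php HTTP/1.1" 404 210 "-" "curl/7.47" "10.0.0.5"
"""

# Hypothetical path of the backdoor shell found during cleanup.
SHELL_PATHS = {"/uploads/images.php"}

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)

# Ranges that can never be a usable abuse contact target. An explicit list is
# used instead of ipaddress.is_private because that flag also covers the
# documentation ranges used in the sample data.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def parse_log_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    entry["status"] = int(entry["status"])
    xff = entry.get("xff")
    entry["xff"] = None if xff in (None, "", "-") else xff
    return entry


def routable_ip(text):
    """Return the normalised address if it is a routable IP, else None."""
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    if any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def find_shell_requests(log_text, shell_paths):
    """Return parsed entries whose path (query string ignored) is a known backdoor path."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue
        if entry["path"].split("?", 1)[0] in shell_paths:
            hits.append(entry)
    return hits


def summarize_by_source(entries):
    """Group shell requests by connecting address; collect routable forwarded addresses separately."""
    summary = {}
    for e in entries:
        s = summary.setdefault(e["client"], {"hits": 0, "first": e["time"],
                                             "last": e["time"], "forwarded": set()})
        s["hits"] += 1
        s["last"] = e["time"]
        if e["xff"]:
            # X-Forwarded-For may be a comma-separated chain; the first entry is the claimed origin.
            fwd = routable_ip(e["xff"].split(",")[0])
            if fwd:
                s["forwarded"].add(fwd)
    return summary


def build_abuse_report(summary, site_host):
    """Render the summary as plain text suitable for an abuse@ mailbox."""
    lines = [f"Abuse report: unauthorised access to {site_host}",
             "Timestamps are as logged (UTC offset shown).", ""]
    for client, s in sorted(summary.items()):
        lines.append(f"Source {client}: {s['hits']} request(s) to known backdoor paths, "
                     f"{s['first']} to {s['last']}")
        if s["forwarded"]:
            lines.append("  X-Forwarded-For values seen (client-supplied, unverified): "
                         + ", ".join(sorted(s["forwarded"])))
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_shell_requests(SAMPLE_LOG, SHELL_PATHS)
    print(build_abuse_report(summarize_by_source(hits), "example.com"))
```

Run against the constructed data, the report attributes two shell requests to 203.0.113.45 with a forwarded address of 198.51.100.7 flagged as unverified, and one to 192.0.2.9 whose forwarded value (10.0.0.5) is dropped because it is not routable. The abuse contact for each source address still has to be looked up in the relevant registry's whois/RDAP data, which this offline example does not do.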

• What you do is: contact your local computer crime police office, file a complaint and press charges against unknown individuals, hand over the IP address, and you might get lucky.

    In reality, chances are low anything will happen.

    Is there, anywhere in the world, such an august police office or station as this?

I know we have a Federal Computer Crime Unit

• If you have the time/knowledge/resources, you can redirect the traffic from the attacker's IP to a honeypot and study the attack traffic; eventually you'll find something useful to link to the responsible person.

Make sure to keep an eye on your server to track attacks from new IPs, and add the new range into the redirection list.

    Have fun

    Good intentions can result in a bad outcome. It's simply not how botnets operate - Command & Control doesn't care if one of their zombies suddenly stopped relaying requests on its behalf, it simply moves on to others when _any_ disruption is detected. And allowing the bot to continue relaying requests (even if sandboxed and not further affecting infected host) can be a dangerous path, and the one doing it held responsible for allowing it. I just wouldn't suggest it. Even Google's own team had big problems/reservations doing that.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM