New traces of the ITavisen hackers

With a little luck, the intruders visited the website both before and after the break-in, ideally from their own machine and over their own network connection. If so, they left an IP address in the web log that is far easier to trace, since we assume the intruders are Norwegian or Nordic.

Server hopping

The break-in itself was carried out via a number of "helper servers" that had been hacked and used as a base for further attacks. This is a relatively effective way of hiding one's tracks. Tracing the path back then depends on goodwill from several server owners around the world. Many of them are not particularly helpful and will not even acknowledge that their server has been broken into. Many do not know it either.

If the hackers were cool-headed and skilled, they only looked at the new page from ITavisen's own server. That they did, as shown by the highlighted line in the log below.

Matching IP addresses?

What we are looking for are IP addresses that were used both before and after the break-in. These may very well be, and probably are, ordinary ITavisen readers. But both security companies and Økokrim can probably correlate this information with other information they hold, and perhaps get closer to the intruders.

In any case, here are excerpts from the logs for the period 8 October, 04:00 to 07:00.

The hacked index file has the timestamp 05:45 and a file size of 336 bytes.

We stress that most of the IP addresses below in all likelihood belong to legitimate ITavisen readers, and that none of them are to be regarded as suspicious for the time being.
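The search described above, for IP addresses seen both before and after the break-in, can be run over an Apache-style access log as in the following added example, which is not ITavisen's own code. The log lines are constructed using documentation address ranges, the function names are illustrative, and the 05:45 cutoff is the index file's timestamp given in the article.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Timestamp of the replaced index file, taken from the article.
CUTOFF = datetime.strptime("08/Oct/2000:05:45:00 +0200", TS_FMT)

# Constructed sample lines (documentation IP ranges, not real visitors).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Oct/2000:04:50:16 +0200] "GET / HTTP/1.0" 200 44287
198.51.100.7 - - [08/Oct/2000:05:16:39 +0200] "GET / HTTP/1.0" 200 44289
203.0.113.5 - - [08/Oct/2000:05:46:14 +0200] "GET / HTTP/1.0" 200 336
192.0.2.10 - - [08/Oct/2000:06:04:34 +0200] "GET / HTTP/1.0" 200 336
this line is malformed and must be skipped
198.51.100.99 - - [08/Oct/2000:06:08:23 +0200] "GET / HTTP/1.1" 200 348
"""

def parse(log_text):
    """Yield (ip, timestamp, size) for every well-formed log line."""
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if m:
            size = int(m["size"]) if m["size"] != "-" else 0
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), size

def seen_before_and_after(log_text, cutoff=CUTOFF):
    """Return {ip: (hits_before, hits_after)} for IPs on both sides of cutoff."""
    counts = defaultdict(lambda: [0, 0])
    for ip, ts, _size in parse(log_text):
        counts[ip][1 if ts >= cutoff else 0] += 1
    return {ip: tuple(c) for ip, c in sorted(counts.items()) if c[0] and c[1]}

def first_viewers(log_text, cutoff=CUTOFF, n=3):
    """Return the first n distinct IPs that requested the page after cutoff."""
    after = sorted((ts, ip) for ip, ts, _size in parse(log_text) if ts >= cutoff)
    seen = []
    for _ts, ip in after:
        if ip not in seen:
            seen.append(ip)
    return seen[:n]
```

An address in the result is only a candidate for correlation with other evidence; as the article notes, most such addresses will belong to regular readers.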

