howto backtrack hacker?

 
 
Eric
Guest
Posts: n/a

 
      01-01-2004, 11:34 AM
Help!
I have some unknown assailant, on a regular timed basis, connecting to my
network, posing as one of my machines but his (apparent) IP is the local IP
of my router. His connection attempt is rejected but how can I determine
where this is coming from?
Thanks
Eric
 
Richard Boekamp
Guest
Posts: n/a

 
      01-01-2004, 03:01 PM

"Eric" <(E-Mail Removed)> wrote in message
news:CtUIb.30430$xX.98731@attbi_s02...
> Help!
> I have some unknown assailant, on a regular timed basis, connecting to my
> network, posing as one of my machines but his (apparent) IP is the local
> IP of my router. His connection attempt is rejected but how can I determine
> where this is coming from?
> Thanks
> Eric

Most likely it IS coming from your router. Since what sense would it make
for anyone to attempt to reach your network, if the answers are sent back to
your router and not to them?


 
Eric
Guest
Posts: n/a

 
      01-01-2004, 07:38 PM
Richard Boekamp wrote:

> "Eric" <(E-Mail Removed)> wrote in message
> news:CtUIb.30430$xX.98731@attbi_s02...
>> Help!
>> I have some unknown assailant, on a regular timed basis, connecting to my
>> network, posing as one of my machines but his (apparent) IP is the local
>> IP of my router. His connection attempt is rejected but how can I determine
>> where this is coming from?
>> Thanks
>> Eric
>
> Most likely it IS coming from your router. Since what sense would it make
> for anyone to attempt to reach your network, if the answers are sent back
> to your router and not to them?

Yes, I mean, what I want to do is identify the real IP. He must be sending
some kind of spoofed packet so that it appears to come from a source of IP
that is the same as my router. The problem with that is that I only know it
is coming from outside my network (i.e. the internet). As it is he will not
be able to do much of anything except what he is doing now. It's just that I
now have to figure out a way to keep this crap out of my logs. Postfix is
logging every attempt he makes. If I can't ID him how can I "-j DROP" him
with an iptables rule? Or redirect him to something else?
Thanks
Eric
 
ALIEN
Guest
Posts: n/a

 
      01-02-2004, 04:35 AM
Eric wrote:

> Help!
> I have some unknown assailant, on a regular timed basis, connecting to my
> network, posing as one of my machines but his (apparent) IP is the local
> IP of my router. His connection attempt is rejected but how can I
> determine where this is coming from?
> Thanks
> Eric

Hi,
well, first of all you should report this to your network administrator.
There is a chance that he is "responsible" for this. What is possible is
that he is performing a port scan, which he is allowed to do. Firewalls tend
to prompt these actions as attacks. Port scans intend to identify which
port a user is currently using. HTTP, FTP, and so on are "legal" ports. But if
you are using any p2p software, port scans are a way of finding who's
behaving "naughty".

If your net admin isn't the one behind this (which is unlikely since the IP
is the one of the router) you don't have much chance of tracing him. You
can try "traceroute ip" or to run xtraceroute but you don't have much
chance with software firewalls. A good trace can be achieved by hardware
firewalls.

I wouldn't worry if I were you. Since your firewall was able to stop "an
attack" that means that the attacker has failed and that's that. Just bear
in mind that in the future you should update your Linux box and especially
with new versions for dhcp, ppp, ethernet, mail clients, web browsers and
of course the firewall. As you keep updating there's hardly any chance that
you'll ever be compromised.
 
Leon.
Guest
Posts: n/a

 
      01-03-2004, 07:58 AM

> but how can I determine
> where this is coming from?
> Thanks
> Eric

Well, you need to sniff the packet off the interfaces that you can sniff.

You could go straight to the router connected to the internet, and sniff
there.

If you can see it on the internet link, it comes off the internet; if it can
only be seen on the local side, it's locally produced.


 
Reply With Quote
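The sniff-both-sides check from Leon's post, as an added example that is not part of the original thread: it parses `tcpdump -n -e` style lines captured on a router's Internet-facing and LAN-facing interfaces and reports where packets claiming a given source IP were seen. The interface names (`eth0`, `eth1`), addresses, MACs and capture lines are constructed sample values.

```python
import re
from collections import defaultdict

# Link-level header printed by `tcpdump -n -e` for IPv4 traffic:
#   time srcMAC > dstMAC, ethertype IPv4 (0x0800), length N: srcIP.port > dstIP.port: ...
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 "
    r"\(0x0800\), length \d+: (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def sightings(captures, claimed_src, dport):
    """Return {interface: set of source MACs} for packets claiming claimed_src to dport."""
    seen = defaultdict(set)
    for iface, lines in captures.items():
        for line in lines:
            m = LINE_RE.match(line)
            if m and m["src"] == claimed_src and int(m["dport"]) == dport:
                seen[iface].add(m["smac"])
    return dict(seen)

def origin(seen, wan_iface, lan_iface):
    """Rule from the post: seen on the Internet link => external; LAN only => local."""
    if wan_iface in seen:
        return "internet"
    if lan_iface in seen:
        return "local"
    return "not observed"

# Constructed sample captures (not from the thread): eth0 = Internet link, eth1 = LAN side.
SAMPLE = {
    "eth0": [
        "11:30:00.100000 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), "
        "length 74: 203.0.113.9.51515 > 198.51.100.7.80: Flags [S], seq 1, win 5840, length 0",
    ],
    "eth1": [
        "11:34:00.200000 00:11:22:33:44:66 > 00:de:ad:be:ef:10, ethertype IPv4 (0x0800), "
        "length 74: 192.168.1.1.40222 > 192.168.1.10.25: Flags [S], seq 7, win 5840, length 0",
        "11:34:01.000000 00:de:ad:be:ef:20 > 00:de:ad:be:ef:10, ethertype IPv4 (0x0800), "
        "length 74: 192.168.1.20.40300 > 192.168.1.10.25: Flags [S], seq 9, win 5840, length 0",
    ],
}

if __name__ == "__main__":
    seen = sightings(SAMPLE, "192.168.1.1", 25)
    print(origin(seen, "eth0", "eth1"), seen)
```

On the LAN side the source MAC is always the last hop's, so it identifies the forwarding device, not the originator. If the router rewrites source addresses, the packet on the Internet link carries a different source IP and has to be matched by destination port and time instead.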