A friend of mine recently had a visit from "The Audisoft Hacker Team of Chilean Defacers" who, apart from replacing his website with graffiti, placed a c99shell backdoor in an obscure directory.
His visitors were kind enough to display their hacker alias names on the graffiti and, looking at log files, we have discovered the time the attack occurred and the IP address from which it came. Also, after having a poke around his backup files, we think we know the application they hacked to gain entry.
So what do we do now?
I suppose theoretically he should report it to some authority but neither of us knows to whom, nor do we suspect they would show the slightest interest even if we did.
The backdoor has been placed in an obscure location which would only be known by the original hackers and associates they have told. It would be impossible to guess or stumble upon accidentally. We are therefore confident that anyone who visits this backdoor has illegal intentions.
So what would ALUGers suggest we do?
Bearing in mind that anyone who tries to access the backdoor has illegal intentions, and that from log files we notice most are using Microsoft Internet Explorer, we have had all kinds of evil thoughts about replacing the backdoor with some kind of infected software... but this would bring us down to their level and possibly also be illegal. It would however be interesting to replace the backdoor webpage with some software which is capable of more detailed logging of visitors.
What would more experienced ALUGers do if they were in our situation?
Is there any specific piece of logging (or other) software ALUGers would suggest we replace the backdoor with, as it is still receiving visitors?
Sagr.
PS: The application the hackers used to gain entry was an old piece of software he had forgotten was still on his website and so we haven't bothered to put it back on.
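Before deciding what to put at the backdoor's URL, it is worth getting a clear picture of who is already hitting it from the ordinary web-server access log. The script below is an added example, not something from the post or from any ALUG reply: it parses Apache "combined" format lines, keeps only requests for the backdoor path (the path itself, `/old-app/tmp/.cache/c99.php`, is a constructed placeholder to be replaced with the real one), and summarises the visitors by source IP, user agent (including how many are Internet Explorer, as the post notes), first and last seen time, and how many requests were actually served with a 200 before the file was removed. The five log lines are constructed sample input using RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed placeholder: the obscure path where the c99shell copy was found.
# Substitute the real path before running this over the server's access log.
BACKDOOR_PATH = "/old-app/tmp/.cache/c99.php"

# Apache/nginx "combined" access-log format:
#   ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (RFC 5737 documentation addresses, made-up dates).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:21:14:02 +0000] "GET /old-app/tmp/.cache/c99.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.4 - - [12/Mar/2007:21:15:33 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/2.0"
203.0.113.7 - - [12/Mar/2007:21:16:10 +0000] "POST /old-app/tmp/.cache/c99.php?act=dir HTTP/1.1" 200 1200 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.55 - - [13/Mar/2007:03:02:41 +0000] "GET /old-app/tmp/.cache/c99.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.4 - - [13/Mar/2007:08:00:00 +0000] "GET /old-app/tmp/.cache/c99.php HTTP/1.1" 404 300 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/2.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without its query string
    rec["status"] = int(rec["status"])
    return rec


def backdoor_hits(log_text):
    """Return every parsed request whose path is exactly the backdoor path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["path"] == BACKDOOR_PATH:
            hits.append(rec)
    return hits


def summarize(hits):
    """Aggregate backdoor hits by source IP and user agent, with timing and outcome counts."""
    if not hits:
        return {"total": 0, "by_ip": Counter(), "by_ua": Counter(), "msie_share": 0.0,
                "first_seen": None, "last_seen": None, "served_200": 0}
    times = sorted(h["ts"] for h in hits)
    return {
        "total": len(hits),
        "by_ip": Counter(h["ip"] for h in hits),
        "by_ua": Counter(h["ua"] for h in hits),
        "msie_share": sum(1 for h in hits if "MSIE" in h["ua"]) / len(hits),
        "first_seen": times[0],
        "last_seen": times[-1],
        "served_200": sum(1 for h in hits if h["status"] == 200),  # requests that got the shell
    }


def report(log_text):
    """Build a short human-readable summary as a list of lines."""
    s = summarize(backdoor_hits(log_text))
    lines = [f"Requests for {BACKDOOR_PATH}: {s['total']} (served with 200: {s['served_200']})"]
    if s["total"]:
        lines.append(f"First seen: {s['first_seen']}  Last seen: {s['last_seen']}")
        lines.append(f"Internet Explorer share: {s['msie_share']:.0%}")
        lines.append("By source IP:")
        lines += [f"  {ip}: {n}" for ip, n in s["by_ip"].most_common()]
        lines.append("By user agent:")
        lines += [f"  {ua}: {n}" for ua, n in s["by_ua"].most_common()]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it over the real log with `python3 script.py` after changing `BACKDOOR_PATH`; the per-IP and first/last-seen figures are what an abuse report to the source network's contact, or a firewall block list, would be based on, and the 200 count shows how many visitors actually obtained the shell before it was taken down.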