Security Incidents mailing list archives

No Idea


From: cn-liu () USA NET (CN)
Date: Tue, 25 Jan 2000 08:54:57 CST


Hello! Gurus,

I have been visiting a web site (a BBS?) where people can post messages
discussing topics.

A hacker did not agree with another poster's point of view. He threatened that
poster that he would destroy his machine if he did not stop posting. But that
poster ignored the warning.

One day, that hacker posted a message saying that he had sent a "something"
to that victim, and he should be able to see an icon on his Windows95/98 and
his disk would be formatted within 10 minutes. Whether or not that victim's
disk was formatted by that virus, I have not seen any more postings from that
victim since then.

Later I posted a message to that site showing people how to protect from that
hacker's attack as follows:

* The web master should adjust his server software and stop displaying every
poster's IP address because the hacker saw and took it as a path of attack.

* For dialup Internet users, just disconnect the line from Internet
immediately after postings. And then re-connect the line back. Then, the
poster's IP address would differ from the one when he was posting.

* For non-Microsoft OS users, just ignore that hacker's threats.

* If a PC is attacked, at worst, resetting EPROM can still rescue it back.
There is no need to throw it away as told by that hacker.

* If the victim wanted, he could present the hacker's IP address shown on the
site to the court and he would be put behind bars.

The next day, the hacker posted another message to the site in response to my
"recipe":

* He actually, in contrast to the way I thought, does not acquire posters' IP
addresses by viewing the posted messages displayed by the web server. He has
special channel(s)! Besides, the IP addresses shown along with his messages on
the web site were fake.

* He can virtually break any OS, and the tricks he uses do not differ much.

* His virus can reside in "virtual memory" and can still survive with disk
replaced and he has knowledge of backdoor viruses such as trojan.

Here are my questions:

* How did the hacker acquire posters' IP addresses without viewing the pages
sent by web server?

* How can a host with spoofed IP address post messages to web sites? I thought
the pages sent by httpd can not reach the hacker's host at all. The effect
would be that the hacker could not see any web page in the first place because
the packets sent from any httpd would lose their way when they start their
journey from the web site. This was because, I thought, routers between the
two hosts would forward the packets to wrong places since "destination IP
address" in the to-be-sent packets were incorrect (spoofed).

* Is it possible to trace a spoofed IP address and acquire its real one?

* How did the hacker aggressively send virus to victims without the victim's
involvement - only by knowing the victim's IP address? This trick has a great
deal of differences from those patterns of activities such as victims'
downloading files!

* Because the victim had been explicitly threatened before vanishing, I would
assume that the victim was not so stupid as to launch the virus when he saw any
suspicious program sent to his Windows. So what confuses me is: how did the
attacker launch (i.e. activate, run, or execute) the virus residing in a
victim's Windows - only by knowing the victim's IP address?

* The hacker claimed that he can do the same to Mac or Unix as he had just
done to Windows and all he needs is a little effort. Is that true?

Regards,

LCN

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
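The poster's second question reasons that a host posting with a spoofed source address could never see the web server's replies, because routers deliver packets by destination address only. The toy simulation below, an added example that is not part of the original post or of any real networking stack, models exactly that reasoning for a TCP connection: the server answers a SYN with a SYN-ACK sent to whatever source address the SYN claimed, so a client that lied about its address never receives the sequence number it needs to finish the handshake and deliver the HTTP request. All hosts, addresses and the `Network`, `Server` and `Client` classes are constructed for illustration; the model assumes the server picks an unpredictable initial sequence number and ignores everything outside the handshake (UDP, off-path observation, compromised routers).

```python
"""Toy model: a TCP client with a spoofed source address cannot complete the
three-way handshake, so it cannot post a message over the connection.
Added example with constructed addresses; not code from the original post."""
import random
from dataclasses import dataclass


@dataclass
class Segment:
    src: str            # claimed source address (may be a lie)
    dst: str            # destination address, the only field routers use
    flags: str          # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int = 0
    ack: int = 0
    payload: str = ""


class Network:
    """Delivers each segment to the host that owns its *destination* address.
    Like a real router chain it never checks who really sent the segment."""

    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.ip] = host

    def send(self, seg):
        dst = self.hosts.get(seg.dst)
        if dst is not None:          # unknown destination: silently dropped
            dst.receive(seg)


class Server:
    """Accepts a post only on a fully established connection."""

    def __init__(self, ip, net):
        self.ip, self.net = ip, net
        self.half_open = {}          # claimed peer -> ISN we sent in SYN-ACK
        self.established = set()
        self.posts = []              # (peer address, text) actually accepted
        net.attach(self)

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = random.randrange(1 << 32)   # assumption: unpredictable ISN
            self.half_open[seg.src] = isn
            # The reply goes to the address the SYN *claimed*, whoever that is.
            self.net.send(Segment(self.ip, seg.src, "SYN-ACK",
                                  seq=isn, ack=seg.seq + 1))
        elif seg.flags == "ACK" and seg.src in self.half_open:
            if seg.ack == self.half_open[seg.src] + 1:
                self.established.add(seg.src)
        elif seg.flags == "DATA" and seg.src in self.established:
            self.posts.append((seg.src, seg.payload))


class Client:
    def __init__(self, ip, net):
        self.ip, self.net = ip, net
        self.inbox = []
        net.attach(self)

    def receive(self, seg):
        self.inbox.append(seg)

    def post(self, server_ip, text, claimed_src=None):
        """Try to post `text`; returns True only if the handshake completed."""
        src = claimed_src or self.ip
        self.inbox.clear()
        self.net.send(Segment(src, server_ip, "SYN", seq=1000))
        synack = next((s for s in self.inbox
                       if s.flags == "SYN-ACK" and s.src == server_ip), None)
        if synack is None:           # reply went elsewhere: handshake stalls
            return False
        self.net.send(Segment(src, server_ip, "ACK",
                              seq=1001, ack=synack.seq + 1))
        self.net.send(Segment(src, server_ip, "DATA", payload=text))
        return True


def run_demo():
    """Honest post succeeds; posts with a spoofed source never get through."""
    net = Network()
    server = Server("10.0.0.1", net)          # constructed addresses
    honest = Client("10.0.0.2", net)
    Client("10.0.0.3", net)                   # innocent third host
    ok_honest = honest.post("10.0.0.1", "hello")
    ok_spoof_known = honest.post("10.0.0.1", "fake", claimed_src="10.0.0.3")
    ok_spoof_unknown = honest.post("10.0.0.1", "fake", claimed_src="192.0.2.9")
    return ok_honest, ok_spoof_known, ok_spoof_unknown, list(server.posts)


if __name__ == "__main__":
    print(run_demo())   # (True, False, False, [('10.0.0.2', 'hello')])
```

The defender's takeaway is the one the poster already reached: an address logged for a completed TCP connection (such as an HTTP post) belongs to a host that really received the server's replies, so a web site's connection logs are far more trustworthy than an address string the user typed into the message body. The `Network` class deliberately drops nothing but unknown destinations; in the spoofed cases the server's SYN-ACK is delivered, just not to the attacker, and the connection never leaves the half-open state.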

