The Chip Board
The Chip Board Archive 02

THE AL CAPONE STORY CONTINUED [Long Post]

"Al Capone" the sometime eBay dealer of fantasy stuff sent me the following letter that I then sent on to my server folk. Those of you interested can read below. But the short answer is that his charge was "BS."

">>> Al Capone <xghzqtk@ameritech.net> 11/28/99 08:54PM >>>
It has occurred to me that since we have been having this e-mail
discussion my computer has been hacked (or attempted to be hacked)

"I contacted my ISP and this is what they came up with:

"Number Reply Time (ms)
1 206.141.206.127 tnt15.chicago.il.ameritech.net 77ms
2 206.141.192.203 ar1-1.chicago.il.ameritech.net 64ms
3 137.39.130.97 903.Hssi3-0-0.GW3.CHI1.ALTER.NET 98ms
4 146.188.208.54 104.ATM3-0.XR2.CHI4.ALTER.NET 67ms
5 146.188.208.5 194.ATM10-0-0.BR1.CHI1.ALTER.NET 80ms
6 137.39.250.6 gw14-chi-8-0.sprintlink.net 80ms
7 144.232.10.157 sl-bb11-chi-2-1.sprintlink.net 66ms
8 144.232.9.121 sl-bb11-chi-4-1.sprintlink.net 161ms
9 144.232.6.90 sl-bb10-sea-9-0.sprintlink.net 120ms
10 144.232.9.142 sl-bb11-pen-7-1.sprintlink.net 155ms
11 144.232.5.154 sl-bb10-pen-10-0.sprintlink.net 125ms
12 144.232.5.2 sl-bb11-pen-10-0.sprintlink.net 172ms
13 169.130.1.137 169.130.1.137 341ms
14 169.130.2.101 169.130.2.101 136ms
15 169.130.33.10 169.130.33.10 130ms
16 128.230.146.2 128.230.146.2 127ms
17 128.230.165.1 syr0-0100.syr.edu 142ms
18 128.230.171.80 gw1.syr.edu Reached
gw1.syr.edu reached in 18 hops. (expected: 143)

"OOOPPPPS Looks like it ends at YOU. Don't forget not to alter my
e-mail if you forward it. AND please read the disclaimer at each one of
my e-mail messages.

"Now don't attempt to hack my computer And watch out for slander
lawsuits - as well as extortion!

*SOLUTION:
12/1/99 15:31 rjkopp
The information sent to the client "Travis H.D. Lewin", by " >>> Al Capone <xghzqtk@ameritech.net> 11/28/99..." is a traceroute. Basically it shows the path to a host. You might use traceroute to find a path to a host that you suspect; the thing that ruins this guy's theory (Al Capone's) is that the trace ends at gw1.syr.edu, which is the GroupWise server! No one has any permission to be able to do anything that could be construed as hacking from that server. Basically all any client can do with this GroupWise server is send mail, and since it is not a relay agent it also could not even be the base of a relay or mail bomb attack!

The tool the ISP used to trace this is not a tool that should be used to track a hack attempt. There are other tools which any ISP should know about. Second, the trace is not proof; it doesn't show anything about what the person actually did to him. In fact my question to Mr. Capone would be where did they come up with the host to trace? What caused them to pick gw1.syr.edu (or its IP number) to trace? The log or data they had that they extracted that address (gw1.syr.edu) from is what should be the proof, not the traceroute! Traceroute is an "after the fact" tool and subject to human error!

I would tend to support Mr. Lewin's claim. If Mr. Capone has something else, then he should use that to send to us to show a violation.

I also verified with Peter Morrissey that the two intermediate listings 128.230.146.2 and 128.230.165.1 are both router ports; the last is the gw1 server. I verified with Sean Laroque-Doherty that there is no way that someone could launch any attack from GW1; no one would have any privileges to do anything but their email.
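An added illustration of the ISP's point, not part of the post or of rjkopp's reply: it parses hop lines in the format quoted above (a subset of the trace, same values) and compares what a trace can attribute against a constructed firewall log record, the kind of data the reply says should be the proof. The log line format, its addresses and the helper names are assumptions made for the example.

```python
import re

# Hop lines in the format quoted in the post (a subset of the same trace).
TRACE = """\
1 206.141.206.127 tnt15.chicago.il.ameritech.net 77ms
2 206.141.192.203 ar1-1.chicago.il.ameritech.net 64ms
6 137.39.250.6 gw14-chi-8-0.sprintlink.net 80ms
13 169.130.1.137 169.130.1.137 341ms
16 128.230.146.2 128.230.146.2 127ms
17 128.230.165.1 syr0-0100.syr.edu 142ms
18 128.230.171.80 gw1.syr.edu Reached
"""

# Constructed, hypothetical firewall record: the sort of artefact that actually
# names a source, a destination and a time (documentation addresses only).
LOG_LINE = "1999-11-28T20:41:07 DENY TCP 192.0.2.10:4321 -> 198.51.100.7:139"

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d+ms|Reached)\s*$")
LOG_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

def parse_traceroute(text):
    """One dict per hop; 'resolved' is False when reverse DNS returned only the IP."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            n, ip, name, rtt = m.groups()
            hops.append({"hop": int(n), "ip": ip, "name": name, "resolved": name != ip,
                         "rtt_ms": None if rtt == "Reached" else int(rtt[:-2])})
    return hops

def networks_traversed(hops):
    """Collapse consecutive hops into the domains they sit in (last two labels)."""
    path = []
    for h in hops:
        org = ".".join(h["name"].lower().split(".")[-2:]) if h["resolved"] else "unresolved"
        if not path or path[-1] != org:
            path.append(org)
    return path

def attribution_fields(hops, log_line):
    """What each artefact can say about who did what, and when. A trace's last hop
    is simply the host the operator asked to reach; it carries no source or time
    of any connection. Only the log record has those fields."""
    m = LOG_RE.match(log_line)
    log = {"time": m.group(1), "action": m.group(2), "src": m.group(4),
           "dst": m.group(6), "dst_port": int(m.group(7))} if m else {}
    trace = {"destination": hops[-1]["name"], "hop_count": len(hops),
             "path": networks_traversed(hops)}
    return {"trace": trace, "log": log}
```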


Copyright 2022 David Spragg