 Regardles of how hard we try, our integrated Help subsystem for the HackerTracker product can't cover everything; if it did it'd be so big no one would bother looking at it. We occasionally get questions, and the following are those and the answers. | If you have any questions on our HackerTracker product, then we'll get you the answers. If your question is of interest to current or potential customers, then we'll add it and the answer to this page. |
I keep getting the message "Cannot Process An Active LogFile" This message occurs if: 1) the logfile is not a daily log; 2) the logfile's date-time stamp is the same as the report date ("today"); 3) the logfile has a lock on it. We do not want to process a log that is not completed, which typically occurs at 00:00:00 GMT. Logfiles other than 'daily' periods (e.g., weekly or monthly) cannot be processed until the date-time stamp is prior to the report date. |
|
I Have Some Hacker IP Addresses. What Do I Do Next? You can block them at the server, but the hacker knows that you're there, and your resources are still consumed processing the request. A better way is to block them at an incomming firewall by dropping the request on the floor; they don't know you're there, and their resources are being consumed.
What with spoofing and hijacking, etc., hackers are always moving, and having an IP address isin't sufficient by itself. However, the hacker's traffic was handled by ISPs, and you can do something about that, although it takes a some work. We haven't been able to automate it yet, but this is what we do when we get an IP address from an attack.
1. Manually do a look-up to find the IP issuing cognizance (using, for example, IP Lookup from Softnik Technologies). This information will have a contact email address, and many of them have a declaration of reporting abuses, usually with an email address that begins (not suprisingly) with abuse@.
2. Copy all the entries from the server log file that pertain to the attack and put them into an email message, to be sent to the contact/abuse found above. This is what our email looks like:
| TO: abuse@someisp.com
FROM: abuse@someisp.com
SUBJ: CEASE AND DESIST WEB ATTACK
An attack on our web server with the following signature has been detected. You are hereby enjoined to immediately cease these attacks, failure of which will result in further action. A formal complaint has been filed with the U.S. Federal Communications Commission listing the IPADDRESS HOLDER OF RECORD as cognizant and responsible.
ATTACK SIGNATURE
#Fields: date time c-ip ...
//-- log entries go here; you probably should remove your IP Address --//
IPADDRESS HOLDER OF RECORD
//-- information copied in toto from the lookup in 1), above --//
Note that the TO and FROM are the same. The email program used to send this should not include any header or other location information.
|
|
|
Why can't I move the columns around in the application to view an ip? I mean seeing modemcable126.1 is great, but where's the rest of the address? Your server is configured to look-up the url name instead of passing the url octetes directly. |
|
Why Can't I Examine A Server Log? The logfile cannot be "active", meaning that the logfile's timestamp value is within "today's" range, and the Cannot Process An Active Logfile! error message appears. This is to insure that a full day's log is processed. Typically, the end-of-day on most servers is set to 00:00:00 GMT. |
|
Why Can't I Purchase Multiple Copies On Your Website? Our HackerTracker registration is, in effect, a site license. HackerTracker does NOT need to be installed on the server(s), but typically is on a separate workstation that has access to, or copies of, the server(s) logs. HackerTracker's unattended operation as a scheduled task lends itself to having one copy look at all the servers in a server farm, one advantage to this being that there is one central repository for the attack signatures, caught hacker lists, history and archives, etc. If you have a single plant, then all you need is one installed HackerTracker license, regardless of how many servers you may have.
If you have more than one plant in multiple locations, and access to the disparate server logs cannot be done for some reason, then you would need multiple installed licenses, one for each location. | For lack of a better word, this "enterprise" license is something we don't currently offer, partly because we never envisioned a need for it, and partly because the license registration codes (currently generated automatically) are generated on a per-copy basis.
After all the above, if you determine that you need multiple licenses, then send us an email and we'll set up a special page by which this can be done. It won't be fully automated: The number of copies would be selected, the total price after discounts would be displayed for confirmation, the e-commerce transaction completed, and then we'd email the separate license registration keys. Off the bat, our BuyersReward would kick in for a 15% discount for the second and above copies, and we might try (again) to come up with a reasonable and fair tiered discount schedule more suitable for things like this, instead of our Billboard pricing, which starts at a hundred copies. |
|
|
Anti-Virus Program Considerations We strongly recommend you disengage any anti-virus program that you may be using during the installation and registration of all FutureWare products. There are known problems with anti-virus programs blocking database access and other file-based processing. If you continue to have problems, then we suggest that you disable the virus scans on the FutureWare product's installation folder. Once installed, all FutureWare products can detect when that have been tampered with. |
|
