Security Incidents mailing list archives

semi careful, very patient attacker


From: sinster () BALLTECH NET (Jon Paul, Nollmann)
Date: Mon, 24 Jan 2000 01:45:32 -0800


Since January 14th, I've been monitoring a careful attacker against my
network.  He's gained no access of any kind, but it's interesting how
careful he's being.  He only makes a couple probes a day, and the
probes are relatively far apart.  His probes have never yet come from
the same host twice.  They appear roughly evenly throughout the day.
All the source IP addresses are dialups or otherwise insecure access
points.

All his probes have been against three specific machines in my
network.

These three machines are all part of a high profile project, and word
has been spreading quite far in certain restricted communities since
early this year, so it's not surprising that the attacker chose these
three machines for the probe: if he were to try any of these machines,
he'd have hit it randomly (and would only hit one of those machines), or
he heard about them through the press releases and therefore knows of
all three.  He hasn't probed or otherwise knocked on the doors of ANY
other machines in my network.

Incomplete details follow:

On January 14 at 23:15:20 UTC and again at 23:15:23 UTC he made TCP
RPC queries against each of the three machines.  The queries came from
206.107.248.20, with varied ports.  That IP belongs to the dial-up
pool at sprintlink.

On January 15 at 02:30:44 UTC, 02:30:54 UTC, 02:31:04 UTC, and
02:31:14 UTC he pinged machines b and c (notice the 10 second
separation between each ping).  The source address in the pings was
209.31.36.24.  This is mail.faraday-usa.com, hosted by concentric
networks.

Then at 02:34:29 UTC, 02:34:32 UTC, 02:34:38 UTC, 02:34:50 UTC, and
02:35:14 he tried a telnet login to machine a.  Notice that the time
delay doubles between each packet here (3 seconds, 6 seconds, 12
seconds, then 24 seconds).  This was, again, from 209.31.36.24, which
isn't surprising since it was only 3 minutes 15 seconds after the last
ping attempt.

This was followed at 02:35:44 UTC, 02:35:47 UTC, 02:35:53 UTC, 02:36:05
UTC, and 02:36:29 UTC by more TCP RPC queries.  Once again, against
machine a.

And, then, at 02:37:02 UTC, 02:37:08 UTC, 02:37:20 UTC, and 02:37:44 UTC,
attempts at imap2 connections.  6 seconds, 12 seconds, then 24 seconds.
Maybe the 3 second try ended up in the bit bucket somewhere.  *shrug* That
happens.

Not yet ready to give up, at 02:38:14 UTC, 02:38:17 UTC, 02:38:23 UTC,
02:38:35 UTC, and 02:38:59 UTC (3, 6, 12, and 24 seconds), he tried
ftp connections.

Clearly he found something interesting on machine a, but finally gave
up after only 9 minutes of trying.

On January 15, at 09:41:07 UTC, he tried TCP SNMP connections on all
three machines.  Just one probe each.  This came from 209.154.229.104.
That IP is a UUNet/MCI-Worldcom address.

On January 19, at 19:55:57 UTC, he tried a DNS probe against all three
machines.  This from 206.16.75.190, which my DNS reports as being
www.blacktop.com...  Though that is 75.16.206.in-addr.arpa, so something
screwy's going on there.

And January 21, at 01:15:50 UTC, he probed port 31789 (UDP) on all 3
machines.  I dunno what that might be for.  Source IP was 212.62.36.184,
assigned to sprintlink.net.

On January 22, 11:21:58 UTC, and 11:22:01 UTC he probed DNS again (TCP).
From 208.32.1.120.  Another sprintlink address.

January 23, 06:50:30 UTC, he probed all three machines with telnet, smtp,
imap2, and then pop-3 (all TCP) in that order.  All the packets came within
1 second.

I believe that this is the same guy, simply because nearly all of these
probes are repeated identically against all three machines.  The attacks
are scattered throughout the day, so either he has a script running, or
he occasionally has a late night.

--
Jon Paul Nollmann ne' Darren Senn                      sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
"Tis better to remain silent and be thought a fool, than to speak up and
remove all doubt."                                        Benjamin Franklin
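The correlation Jon describes by hand (runs of packets whose spacing doubles 3/6/12/24 seconds, and probes that hit all three project machines with the same service from a fresh dial-up address each time) can be checked mechanically against a packet log. The script below is an added example, not part of the original post or any tool the author used; the log format, the service names and the `SAMPLE_LOG` lines are constructed here from the times and addresses given in the post (the January 23 sweep is left out because the post does not give its source address). It groups events by source, target and service, flags doubling-backoff runs, and lists sources that swept every target within a short window.

```python
"""Correlate scattered probes across several targets (constructed example).

Input lines are "<ISO-8601 UTC timestamp> <source IP> <target> <service>",
one per packet; the format is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample, modelled on the times, sources and targets in the post.
SAMPLE_LOG = """\
2000-01-14T23:15:20Z 206.107.248.20 a sunrpc
2000-01-14T23:15:20Z 206.107.248.20 b sunrpc
2000-01-14T23:15:20Z 206.107.248.20 c sunrpc
2000-01-15T02:30:44Z 209.31.36.24 b icmp-echo
2000-01-15T02:30:44Z 209.31.36.24 c icmp-echo
2000-01-15T02:30:54Z 209.31.36.24 b icmp-echo
2000-01-15T02:30:54Z 209.31.36.24 c icmp-echo
2000-01-15T02:34:29Z 209.31.36.24 a telnet
2000-01-15T02:34:32Z 209.31.36.24 a telnet
2000-01-15T02:34:38Z 209.31.36.24 a telnet
2000-01-15T02:34:50Z 209.31.36.24 a telnet
2000-01-15T02:35:14Z 209.31.36.24 a telnet
2000-01-15T02:37:02Z 209.31.36.24 a imap2
2000-01-15T02:37:08Z 209.31.36.24 a imap2
2000-01-15T02:37:20Z 209.31.36.24 a imap2
2000-01-15T02:37:44Z 209.31.36.24 a imap2
2000-01-15T09:41:07Z 209.154.229.104 a snmp
2000-01-15T09:41:07Z 209.154.229.104 b snmp
2000-01-15T09:41:07Z 209.154.229.104 c snmp
2000-01-19T19:55:57Z 206.16.75.190 a dns
2000-01-19T19:55:57Z 206.16.75.190 b dns
2000-01-19T19:55:57Z 206.16.75.190 c dns
2000-01-21T01:15:50Z 212.62.36.184 a udp/31789
2000-01-21T01:15:50Z 212.62.36.184 b udp/31789
2000-01-21T01:15:50Z 212.62.36.184 c udp/31789
"""


def parse_log(text):
    """Turn log lines into (timestamp, src, dst, service) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, service = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, dst, service))
    events.sort()
    return events


def backoff_sessions(events, gap=60):
    """Find runs of 4+ packets (same src, dst, service, no quiet gap over `gap`
    seconds) whose inter-packet delay doubles each time, e.g. 3, 6, 12, 24.
    A run missing its first packet (6, 12, 24) is still reported."""
    runs = defaultdict(list)
    for when, src, dst, service in events:
        runs[(src, dst, service)].append(when)
    found = []
    for key, times in runs.items():
        run = [times[0]]
        for t in times[1:] + [None]:          # None flushes the last run
            if t is not None and (t - run[-1]).total_seconds() <= gap:
                run.append(t)
                continue
            deltas = [int((b - a).total_seconds()) for a, b in zip(run, run[1:])]
            if len(deltas) >= 3 and deltas[0] > 0 and all(
                    d2 == 2 * d1 for d1, d2 in zip(deltas, deltas[1:])):
                found.append((*key, deltas))
            run = [t] if t is not None else []
    return found


def sweep_sources(events, targets, window=5):
    """Map source IP -> services with which it hit every target in `targets`
    inside `window` seconds: the signature used in the post to tie probes
    from different dial-up addresses to one actor."""
    hits = defaultdict(list)
    for when, src, dst, service in events:
        hits[(src, service)].append((when, dst))
    sweeps = {}
    for (src, service), seen in hits.items():
        seen.sort()
        for i in range(len(seen)):            # slide a window over the packets
            covered = {dst for when, dst in seen[i:]
                       if (when - seen[i][0]).total_seconds() <= window}
            if targets <= covered:
                sweeps.setdefault(src, set()).add(service)
                break
    return sweeps


def sources_by_day(events):
    """Map source IP -> UTC dates seen; more than one date per source would
    break the "never the same host twice" pattern noted in the post."""
    days = defaultdict(set)
    for when, src, _, _ in events:
        days[src].add(when.date().isoformat())
    return dict(days)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, dst, service, deltas in backoff_sessions(evts):
        print(f"backoff run: {src} -> {dst} {service} deltas={deltas}")
    for src, services in sweep_sources(evts, {"a", "b", "c"}).items():
        print(f"full sweep from {src}: {sorted(services)}")
    print("sources seen on several days:",
          [s for s, d in sources_by_day(evts).items() if len(d) > 1])
```

On the sample, the telnet run reports deltas `[3, 6, 12, 24]` and the imap2 run `[6, 12, 24]` (the missing 3-second packet does not hide the pattern), the ping of only b and c is correctly not counted as a sweep, and no source appears on two days. For real data the window and gap values are tuning knobs: a patient scanner that spreads a sweep over minutes needs a wider window, at the cost of more coincidental matches.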