Information Security News mailing list archives
Re: Have you been hacked? Then strike back
From: InfoSec News <isn () C4I ORG>
Date: Sat, 23 Sep 2000 15:32:36 -0500
Forwarded By: Russell Coker <russell () coker com au>

On Wed, 20 Sep 2000, InfoSec News wrote:
http://www8.zdnet.com/eweek/stories/general/0,11011,2627050,00.html
By Brett Arquette, eWEEK, September 17, 2000 9:00 PM PT

In the past few months, my system administrator has noticed a marked increase in port scans made against our network. By analyzing firewall logs, we were able to tell that seven separate kiddies scanned us over a single weekend. Almost without fail, every night we're being scanned at least once. The most popular ports they scan are Sun RPC, FTP, POP3 and IMAP4. If we're being scanned, you can almost bet that your site is being scanned as well. The scans are originating from organizations such as the University of Maryland, Verio and BellSouth and from within countries such as South Korea and Sweden. Is there reason to worry? If you were sitting at home and noticed someone outside, testing all your doors to see if they were unlocked, you'd be on the phone to the police in a nanosecond.
I think that a more appropriate analogy is to compare port-scanning to looking in the windows of houses. Looking in the windows is something that a criminal will do as preparation for burglary, but if they are standing in the street and they don't spend excessive time in the street in front of your house, then they aren't breaking any laws. If you call the police about trivial issues, then you just waste their time and prevent them from working on more serious issues. Also, if they identify you as someone who makes frivolous complaints, then they will be more sceptical if you happen to report a serious crime...
So, when we're scanned, we look up the IP addresses of the scanners and find out whom the addresses belong to. Then we send an e-mail to the originators telling them we were scanned, provide them with the information about the scanner, and encourage them to track down the user responsible and take action against him or her. This reporting process may benefit these sites themselves, since they may have been hacked and the port scans are going out without them ever knowing it.
If they are so lame as to be hacked by script-kiddies then they will probably disregard your email. The postmaster account at their domain probably won't even work!
Still, poring over your network logs, finding the script kiddies, looking up where the attack came from and sending out e-mail takes a lot of time. It would be great if someone wrote software that automated the process. One way or another, I hope you agree, it's time to attack the hack and put some of these kiddies to bed.
Writing such software is trivial and would take <30 minutes for someone who is any good at writing Perl or shell scripting. Here's how to do it: Have a port open that you never use and have a TCP wrapper rule to deny all access (this gives log entries). Every day have a cron job that greps for such log entries and sorts them by IP address (to ensure no more than one message per day per IP). Have a script that does "soa ZZ.XX.YY.in-addr.arpa" (where the IP address is WW.XX.YY.ZZ) and then extracts the email address from the output and sends a polite email concerning the system. If I thought port scanning was a problem I'd have written such a script years ago.

Now the tcp wrappers solution only works for port scanning using "strobe"; people who use "nmap" or other more powerful tools can get around it, and that's when you use kernel firewall entries, which can produce similar data.

One amusing thing about the people who try and stop port scanners is the negative end result. It teaches the kiddies about the value of using other people's IP addresses and of sending a dozen probes from random addresses for each probe from a valid address, while not having any chance of getting them punished (unless you consider changing ISPs as punishment). This results in more skilled malicious hackers in future.

Russell Coker

P.S. If you complain to an ISP about being portscanned and get a response saying "the user's account has been terminated", it means that they are pretending to have killed the account to stop you whinging. No ISP will kill an account based on a single report of port scanning.

ISN is hosted by SecurityFocus.com
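The daily report job Russell sketches above, written out as an added Python example (it is not code from the original post or the eWEEK article): it parses tcp_wrappers "refused connect" lines from a constructed log sample, keeps one entry per source address, derives the in-addr.arpa names whose SOA record the lookup step would query, turns the SOA RNAME into a mailbox, and drafts the polite notice. The DNS query and the hand-off to a local MTA are left out so it runs offline; every address, hostname and daemon name here is a constructed placeholder from the documentation ranges.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Constructed sample: a wrappers-denied service that nothing legitimate should touch.
SAMPLE_LOG = """\
Sep 22 01:13:07 gw in.fingerd[4122]: refused connect from 192.0.2.77
Sep 22 01:13:09 gw in.fingerd[4123]: refused connect from 192.0.2.77
Sep 22 03:40:51 gw in.fingerd[4201]: refused connect from 198.51.100.9
Sep 22 09:02:14 gw sshd[4310]: Accepted publickey for russell from 203.0.113.5
"""
REFUSED = re.compile(r"refused connect from (\d{1,3}(?:\.\d{1,3}){3})$")

def refused_sources(log_text):
    """Count refused connections per source IP; one report per IP, whatever the count."""
    return Counter(m.group(1) for line in log_text.splitlines()
                   if (m := REFUSED.search(line)))

def reverse_zones(ip):
    """Names to query for SOA: the host's PTR name and its enclosing /24 reverse zone."""
    octets = ip.split(".")
    host = ".".join(reversed(octets)) + ".in-addr.arpa"
    net = ".".join(reversed(octets[:3])) + ".in-addr.arpa"
    return host, net

def rname_to_email(rname):
    """Turn an SOA RNAME (hostmaster.example.net.) into a mailbox (hostmaster@example.net).
    The first unescaped dot splits local part from domain; a '\\.' is a literal dot."""
    rname = rname.rstrip(".")
    i = 0
    while i < len(rname):
        if rname[i] == "\\":
            i += 2
            continue
        if rname[i] == ".":
            return rname[:i].replace("\\.", ".") + "@" + rname[i + 1:]
        i += 1
    return rname  # no dot at all: not a usable mailbox, hand it back unchanged

def draft_report(ip, count, contact, sender="postmaster@example.org"):
    """Polite notice to the responsible mailbox; a local MTA is assumed to deliver it."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, contact
    msg["Subject"] = f"Probes from {ip} against an unused service"
    msg.set_content(
        f"Hello,\n\nOur logs show {count} refused connection(s) from {ip} to a closed "
        "service on our network today. The host may be compromised; could you check it?\n")
    return msg
```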