Information Security News mailing list archives

Re: Have you been hacked? Then strike back


From: InfoSec News <isn () C4I ORG>
Date: Sat, 23 Sep 2000 15:32:36 -0500

Forwarded By: Russell Coker <russell () coker com au>

On Wed, 20 Sep 2000, InfoSec News wrote:
http://www8.zdnet.com/eweek/stories/general/0,11011,2627050,00.html

By Brett Arquette, eWEEK
September 17, 2000 9:00 PM PT

In the past few months, my system administrator has noticed a marked
increase in port scans made against our network. By analyzing firewall
logs, we were able to tell that seven separate kiddies scanned us over
a single weekend. Almost without fail, every night we're being scanned
at least once. The most popular ports they scan are Sun RPC, FTP, POP3
and IMAP4. If we're being scanned, you can almost bet that your site
is being scanned as well. The scans are originating from organizations
such as the University of Maryland, Verio and BellSouth and from
within countries such as South Korea and Sweden.

Is there reason to worry? If you were sitting at home and noticed
someone outside, testing all your doors to see if they were unlocked,
you'd be on the phone to the police in a nanosecond.

I think that a more appropriate analogy is to compare port-scanning to
looking in the windows of houses.  Looking in the windows is something
that a criminal will do as preparation for burglary, but if they are
standing in the street and they don't spend excessive time in the
street in front of your house then they aren't breaking any laws. If
you call the police about trivial issues then you just waste their
time and prevent them from working on more serious issues.  Also if
they identify you as someone who makes frivolous complaints then they
will be more sceptical if you happen to report a serious crime...

So, when we're scanned, we look up the IP addresses of the scanners
and find out whom the addresses belong to. Then we send an e-mail to
the originators telling them we were scanned, provide them with the
information about the scanner, and encourage them to track down the
user responsible and take action against him or her. This reporting
process may benefit these sites themselves, since they may have been
hacked and the port scans are going out without them ever knowing it.

If they are so lame as to be hacked by script-kiddies then they will
probably disregard your email.  The postmaster account at their domain
probably won't even work!

Still, poring over your network logs, finding the script kiddies,
looking up where the attack came from and sending out e-mail takes a
lot of time. It would be great if someone wrote software that
automated the process. One way or another, I hope you agree, it's time
to attack the hack and put some of these kiddies to bed.

Writing such software is trivial and would take <30 minutes for
someone who is any good at writing Perl or shell scripting.  Here's
how to do it: Have a port open that you never use and have a TCP
wrapper rule to deny all access (this gives log entries).  Every day
have a cron job that greps for such log entries and sorts them by IP
address (to ensure no more than one message per day per IP).

Have a script that does "soa ZZ.XX.YY.in-addr.arpa" (where the IP
address is WW.XX.YY.ZZ) and then extracts the email address from the
output and sends a polite email concerning the system.

If I thought port scanning was a problem I'd have written such a
script years ago.

Now the tcp wrappers solution only works for port scanning using
"strobe", people who use "nmap" or other more powerful tools can get
around it, that's when you use kernel firewall entries which can
produce similar data.

One amusing thing about the people who try and stop port scanners is
the negative end result.  It teaches the kiddies about the value of
using other people's IP addresses and of sending a dozen probes from
random addresses for each probe from a valid address while not having
any chance of getting them punished (unless you consider changing ISPs
as punishment).  This results in more skilled malicious hackers in
future.


Russell Coker


P.S. If you complain to an ISP about being portscanned and get a
response saying "the user's account has been terminated" it means that
they are pretending to have killed the account to stop you whinging.
No ISP will kill an account based on a single report of port scanning.
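As an added example (not part of Russell's post or the eWEEK article), the daily reporting pipeline he sketches, in POSIX shell: pull refused-connection lines out of a constructed tcpd syslog sample, keep one entry per source address, form the reverse zone name (YY.XX.WW.in-addr.arpa for address WW.XX.YY.ZZ), and turn the RNAME of a constructed `dig SOA` answer into the contact mailbox. All log lines, host names and the SOA record are constructed; a real cron job would obtain the answer line with `dig SOA <zone>` and pipe the notice into mail(1).

```shell
#!/bin/sh
# Added example: the report pipeline from the post, with the DNS lookup
# factored out so everything below runs offline on constructed data.

# Constructed syslog sample of TCP-wrapper refusals plus one unrelated line.
SAMPLE_LOG='Sep 22 23:58:01 bastion in.ftpd[4121]: refused connect from 192.0.2.77
Sep 23 00:14:09 bastion in.telnetd[4130]: refused connect from 198.51.100.9
Sep 23 02:41:55 bastion in.ftpd[4188]: refused connect from 192.0.2.77
Sep 23 03:03:12 bastion sshd[4201]: Accepted password for alice from 203.0.113.4'

# 1. Refused source addresses from stdin, deduplicated (one notice per IP per day).
refused_ips() {
    grep 'refused connect from' |
        sed 's/.*refused connect from \([0-9.]*\).*/\1/' |
        sort -u
}

# 2. Reverse zone of the /24 holding the address: WW.XX.YY.ZZ -> YY.XX.WW.in-addr.arpa
reverse_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Constructed answer line in the form `dig SOA` prints for that zone.
SAMPLE_SOA='2.0.192.in-addr.arpa. 86400 IN SOA ns1.example.net. hostmaster.example.net. 2000092301 3600 900 604800 86400'

# 3. RNAME is the 6th field of the SOA answer line (owner ttl class type mname rname ...).
soa_rname_from_answer() {
    echo "$1" | awk '$4 == "SOA" { print $6 }'
}

# 4. RNAME to mailbox: drop the trailing dot, first dot becomes '@'.
#    Limitation: an escaped dot in the local part ("john\.doe.example.net.") is not handled.
soa_rname_to_email() {
    echo "$1" | sed -e 's/\.$//' -e 's/\./@/'
}

# 5. Compose the polite notice; in a cron job pipe this into mail(1) or sendmail.
compose_notice() {
    ip=$1
    contact=$2
    printf 'To: %s\nSubject: Port scan from %s\n\n%s probed a closed, wrapper-denied port on our network today.\nIt may be compromised; please check it.\n' "$contact" "$ip" "$ip"
}

# Stand-alone run: one notice per refused address, contact taken from the sample SOA.
printf '%s\n' "$SAMPLE_LOG" | refused_ips | while read -r ip; do
    contact=$(soa_rname_to_email "$(soa_rname_from_answer "$SAMPLE_SOA")")
    compose_notice "$ip" "$contact"
    echo "--- (zone queried: $(reverse_zone "$ip"))"
done
```

Delegation boundaries vary, so a real lookup should strip the leading label and retry when a zone returns no SOA.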

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
