Slashdot Mirror
Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
ignore them.
Unless they use a lot of bandwidth, that is the right decission to make.
Add their IPs to your firewall for a start.
Use the DMCA to... I don't know, scare them or something. Mention RIAA and MPAA to their ISPs too.
I haven't seen any similar increase in activity. Does your firm have enemies? For instance, does your first name rhyme with Carl?
The accepted way is to send an email to abuse@ or to the abuse contact listed by ARIN for the netblock you are trying to lart.
http://www.arin.net
or lookup the RADB abuse contact
http://www.dnsstuff.org
If you seem to be getting it from the same group of people make a honeypot but have some obvious hints once they get in, leave very little on the server and put the logs of their activity in an obvious place. Just be sure to isolate that machine from the rest of the network so if they do end up owning it they got no further then their failed attempt at your real machines.
Who'd have thought!
on my University's network more than once. I ran Linux and I got into the habit of logging in as root, and sometimes I'd try to log in without thinking just after starting a telnet session. I didn't receive any notice from the U, but in this post-9/11 hellmouth, I'm sure I'd have been reported to the FBI as a potential terrorist.
When I had this problem I simply sent a mail to the ISP:s abuse-people. Most ISP has an e-mail address like abuse@theisp.com. Then they can send the guy a warning or whatever.
Martin
intrusion attempt >> /dev/null
ignore it. forget it. script kiddiz...
Write in sloppy block letters: Ve know who you are. Do it vun more time und ve get NASTY!
The world is my oyster. That's why it's always in a stew.
If you give them a more attractive target for a while, you may find there really aren't all that many attackers left to go after the systems that matter. Not only that, but it would be considerably easier to set up such a system to log their attack techniques, since it isn't actually doing anything. Finally, if they do break through, who cares? Just re-image the drive and let them start over. If they manage to repeat it, you now have a known weakness you can correct.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
Just ignore them. Focus on keeping your server software up to date and staying informed of possible security issues instead of waisting time trying to track down instrusion attempts.
These two will detect most automatic attempts and then add the IP's to a drop list on your Linux firewall. www.snort.org. Guardian is listed under 'other tools'
You might consider sending a handwiten letter and use your own name, that would seem a bit more human. Also, most large companies will send polite-but-firm letters, so just threaten bodily harm to them and their pets, that should sound pretty un-corporate. I suppose only the first sugesstion is really a good one, but I like the second one more, so I'm not going to remove it from my comment.
Less look fast, more go fast.
Best chance for a response is to keep it polite and request a notification of what action (if any) they will take. Don't fill your letter or email full of legalese and vauge threats and I'm sure most of the people in charge of a particular abuse department will take you seriously enough. Whether or not they have the clout to take action on your behalf is another matter entirely however.
Another thing to do is to just keep yourself patched, firewalled, and a close eye on your network. If the attempts are rising, someone thinks your network/servers is/are an easy target. Prove them wrong and perhaps you won't need to write that letter after all.
Good luck.
I always write a really "nice" letter to the ISP of the intruder, where I explain the problem, and that it is causing my customers trouble and that it eats up valuable bandwidth. I ask them to take action, and if not, that I'll have to proceed further (never been needed once). I send the email from the admin account, sign it with my name + admin at my system and then I attach the logs pertaining the intrusion attempt.
... atleast nowadays), mostly for the more serious attempts (doing multiple attempts, different attempts, etc).
:)
So far, all of these "cease and desist" letters has resulted in action on the ISPs part, and in 50% of the cases, their admins write me back and give me feedback on the problem.
Ofcourse, I don't do this for every attempt (all depending on my mood
The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish. I actaully managed to get hold of the owner of the computer system that was scanning me and phoned him. Quite a hilarious experience. Needless to say, the portscanning stopped
I had confidence in my setup, and no server I had control over was, to my knowledge, ever compromised.
We never had any sensitive data outside the firewall, anyway.
On two occasions it got serious (if an easily beaten DOS attack can be called serious) and even then it was only for 20 minutes or so. Our ISP (being a large telecom) was champing at the bit to go after people we had even a small scrap of evidence against, so on those two occasions we simply handed what information we'd gleaned to them, and they let out the dogs.
At some stage, you've got to stop worrying and learn how to love the internet!
Personally I tend to ignore the scans for ssh and so forth, as they're just SYN-packets and doesn't consume too much of my resources. Call me a lazy/non-caring bastard. However, it would surely be nice to send off a message to the ISP, as the machines the scans are originating from are probably cracked too.
.
.. it's days since the last virus from you! Keep up the good work!"
.. and so forth.
:)
I tend to report viruses. I grep my logs daily for viruses from various norwegian ISPs, to the mailserver I admin for my company. During the last five months I've sent daily virus reports to the largest ISP in norway, and they tend to reply within one business day - having notified their customer about the infection. If the customer gets several 'heads up' messages from the ISP without removing the virus, they get their port 25 access filtered until they've confirmed that they've removed the virus.
I tend to send emails such as this.
"
Hi there.
I've got several viruses from your customers today, and would appreciate it if you could notify your customers about the virus infections they probably have.
Here are the relevant snippets from my logs:
Virus: Netsky.B
Received: from at
Virus: Bagle.C
Received: from at
All timestamps on the server are NTP-sync'ed against
Thanks for your time
"
Recently I've also included a more personalized
"Oh, and I have to commend your ISPs efficiency, as since march - you've managed to reduce the number of virus sending users to us from about per day, to this
You could probably just adapt what I'm writing to something saying that a customer of theirs probably has been cracked, and that they are currently scanning for
If it's the actual cracker that's stupid enough to use his own computer, he'll get scared enough if they contact him telling him that his computers has been abused by others to scan people -- and will probably quit doing it.
"Rune Kristian Viken" - http://www.nwo.no - arca
Nothing beats the personal touch of hired goons...
or you'll spend half your time at work writing abuse letters. My logs at work show a constant barrage of windows attacks ( yes, code red is still there), 137 scans, numerous login hacks for any number of OS's, port scans that increment by 1 each time, etc. Sometimes it slows down. I am beginning to just consider it background noise. Just the cost of doing business on the web. As long as the probes arent massive or working, I just note and ignore. I only have so much time for this - it keeps me from downloading all that porn!
This kind of stuff is all over the place. Odds are most of these are automated worms and similar crap. Unless it's really a concerted attack on your machines, as opposed to random scanning, it's not worth the effort to do anything about it except maybe firewall the IP.
I don't understand why you'd care how you come off to the people trying to crack into your system.
They're out to do you harm. If one of them gets through and does some damage, you could lose your job.
Hi,
As several posters have already stated you should complain to the abuse address for their ISP. Ideally, you should include logs of the attempt.
You should also be aware that that the machines which are attempting to connect to your network are probably zombies. There are a number of trojans and security holes which can be exploited to allow a remote user to take over a poorly secured system. The owners probably don't even realise that their machines have been compromised.
I'm not sure there's much an ISP can do other than try to find out which customer had been assigned that IP address at the time and write to them. Banning someone for having poor security on their machine is probably a bit harsh, even in these post-9/11 times.
Keith.
Just don't tell my mom! She'll take away my Compaq, or make me install SP2!
...the attempted intrusion detection package.
It's wasting your time.
It makes you worry.
It makes you ask silly questions on slashdot.
The solution is to trash it, you don't need it, Linux is unbreakable anyway.
try http://www.mynetwatchman.com/ works like a champ for me.
the system automatically sends a warning to the isp
Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.
I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer..
I don't read your sig, why do you read mine?
True story: About 8 years some friends and I were getting o3ned DAILY by a hacker. One of these friends had a buddy in IBM's security division, who somehow got us a name and phone # of our hacker. We felt like asses when we found out we were getting beat down by a 15 years old. But we called his dad, explained what was going on, and that we knew where he lived. Problem SOLVED :)
Religion is a gateway psychosis. -- Dave Foley
I didn't know that I was that big of a problem to your company, I shall stop. Sorry for any inconveinience.
-------
Support Indy Music. Buy
mid july or so there were a bunch of random automated-looking and weak looking ssh login attempts all over the place ....
....
threads on the full disclosure mailing list archives and dslreports forums about that
wonder if this is what the topic poster was encountering?
Be sure though to include *all* relevant log files too. I've sent a couple of mails in the past to ISPs and i think i got a response from about 50% of the ISPs contacted, from which only one responded once by saying they contacted the individual and took appropriate actions ... whatever that may mean.
You'd be better off configuring your security better though.
US Democracy:The best person for the job (among These pre-selected choices...)
Last week I managed to login as root into a machine (from a chinese domain, as usual) for which I had packets logged in my firewall's log. Then, I installed in that machine chkrootkit: lots of executables were wrong (rootkits). Then, someone logged in remotely and left in /root a "readme.txt" message warning me not to log in other's computers .... Finally I did three things:
1.- Send an e-mail to the contact-addresses retrieved from APNIC
2.- Copied my shutdown executable to that machine (the original was obviosly tricked)
3.- Remotely, executed @> shutdown -h now
Just a suggestion.
Complaining to people won't get you anywhere, unless you go to the government and claim that you believe they are terrorists. That will get you some action.
My advise is to firewall them.
Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc every 5 minutes. But of course this is horrible advise because ( and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit. )
So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them and if you have any complaints from customers about them not being able to access your sever, that you will advise them that their ISP is harbouring hackers and that they should switch ISPs.
Whatever they're doing to you have a go back at them... chances are their system isn't as secure as yours.
At the very least it's more fun than writting an e-mail!
It's really normal to notice a huge increase in attacks this time of year. With the passing of defcon and black hat this month, a lot of new security vunerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vunerabilities that are out so you can protect yourself.
As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vunerable machine. The only thing you can really do is watch out for anyone who's aggressivly attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their isp and/or authorities, this will usually scare most people off.
Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you, like the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and try's logging in as two different users with no password, root being one of them. If your not familiar with where to find security releases, here's some good places to start:
packetstorm security
Security Focus
Somewhat offtopic, but how do people deal with DOS attacks? /.ers deal with situations like this?
I've had a person harrasing the forums at a website that I host.
I banned by IP and then he started using proxys,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DOS the site by visiting the site and locking down his F5 key.
(He accually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his isp) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And thats it.
So how do other
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude us, while actually the cracker used our computers to intrude other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and an university where he apparently illegally had plugged in a computer on the network and of course the cracker had been reading a number of emails before we finally locked down our systems.
Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldomly in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file mesages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I can not believe that a cracker does something like that for any other reason than pure revenge.
These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.
Avantslash: low-bandwidth mobile slashdot.
I'm surprised nobody has suggested this before but I would recommend a tactical nuclear strike against the intruder. I've found that this simple step typically quells the attack.
Hi,
I ran one of the first ISPs in the UK with live IP and since we went live about 10 years ago we have endured on average maybe one attack per minute or higher all that time.
So 10 years ago I wrote my own firewall with some traffic shaping and logging; it died recently I replaced it with a Cisco or two with more or less the same rules.
Now, even when no longer an ISP I still have to turn away 35,000+ SPAMs per day from my network which now hosts just two people, so I wrote my own reverse SMTP proxy to deal with the problem. (The source is available in SourceForge BTW.)
People continually attempt to steal the entire content of one of my free Web sites, and used to bring it and my connection to the Net to their knees, so I wrote a simple transparent servlet filter to detect and lock out f**kits who exhibited pathological behaviour.
All of these tools are mainly automatic with a few general rules and a very few specific data entries to keep out especially egregious people.
Don't play "whack-a-mole", and don't waste too much time trying to contact the idiot's ISP; even if they care, which sometimes they do, it'll end up being expensive and slow to stop.
Rgds
Damon
http://m.earth.org.uk/
You said, YOU are running a server for ONE client. Who is it that needs SSH access to the machine - YOU. What i would do is limit access to port 22 to IP adresses I am going to use. Add your normal internet adresses to the list (like your ISPs IP-block, work, girlfriends isp, ...) And of course you need to add a machine that is alwas up and has no such firewall restrictions (i.e. shell access to your server at home, i know you have one ;-)). This way you can login to the server from your most common locations, and login indirectly to the server using another box as "proxy" in case you are on vacation sitting in an internet-cafe.
i think it's also good practice to generally disallow direct root-logins in ssh-config and only allow shell users having group wheel to su to root.
Look up HTB on the net (Heuristic Token Bucket) - a firewall rule that limits network abuse while not obstructing normal network usage - every IP gets a pool of "tokens". One token is removed from the pool when a packet is sent, packets won't be sent as long as the pool is empty, but it gets refilled at constant, slow rate, until it's "full" again. So a user can download, say, 500K in one rapid burst at maximum network capacity, then his connection bandwidth goes down to some 5K. If he waits 100s he will be able to get 500K in similar burst again. This way, one page loads really fast. User reads the page, goes back, loads another one (minute later) very fast again. A loser who keeps reloading, exceeds his 500K bucket content in 2-3 reloads and then gets a constant drip of 5K upstream, hardly disturbing the others.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Good advice. Just ignore that script kiddies are trying stuff. Until one of them gets a 0-day exploit, roots one of your critical machines, and wipes out all your data.
Serious? Seriousness is well above my pay grade.
Don't you use a firewall? You can't attempt to log in remotely if you're blocking the typical remote access ports -- SSH, telnet, etc.
So you've got a machine sitting on the internet, home to a million and one active worms, and are surprised that it gets scanned constantly?
Don't bother with the abuse reports -- more than likely it's just worm activity from computers whose clueless owners don't realize have been infected. A more recent one attempts SSH logins, which may be what you're seeing.
It it was a _real_ crack attempt then you:
1: Wouldn't know about it.
2: Would be unable to pin it down. It would be bounced through several victim networks, so your ability to see where it's "coming from" is really just the last victim machine in the chain.
Third possibility is script kiddies, in which case you would know about it and where they were coming from, but they would have no chance of success unless you are unwilling to keep up on patches and follow basic security practices like decent passwords.
Best would be to close off remote-login ports altogether. If you need remote login then block for all but the address range you'd be coming from. If you need remote access from random locations, then at least consider using a heavily locked down system (e.g.: OpenBSD) or work _really hard_ to get your systems firewall/logging/etc. set up well.
One OpenBSD/pf feature you might be interested in (also available from other systems) is the ability to tie Snort into the pf ruleset so that remote scanners, once detected, are ignored.
"But actually trying to use m4 as a general-purpose langage would be deeply perverse" --ESR
Set up tripwire to detect incomming conenctions to 139, 1433 and other ports that people shouldn't be attempting to reach.
Any attempts to open got a IPTABLES rule added against their IP
Every couple of weeks I'd clear it down and let it build up again
There would be better ways to do this, but it was mainly for basic home security and I wasn't worried about blocking whole companies (because of NAT/Proxy) because of one dick in the place. YMMV.
All those moments will be lost in time, like tears in rain.
In my opinon, Tom Hudson's way of dealing with these critters, is far more entertaining, than just ignoring them.
Don't scan my ports!
I fail to see how scanning ports is akin to robbery. Actually a port scan by itself is a completely legitimate activity as it simply is querying what services are available.
Personally I am the view point that if you have a port open with a service that is easily accessible without a password, or the default password, (like NFS, say) then anybody using it is not in the wrong, as how are they to tell that the service is not intended for the public especially since it is on the PUBLIC internet.
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
I mean some of you guys sound like the ignorant dude that setup an RSS feed and then got pissed when a service used it as intended. The difference with him is that he learned the error of his ways.
I also fail to see how someone using the word "syber" can run any server safely.
Post the name and address here as AC.
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
This is really good advice, but you can do more. :-)
Most ISPs really appreciate the complete header of the mail, and sometimes even the body in case of spam. First of all it adds to the authenticity, and second they'll be able to forward your complaint to the responsible ISPs if you had too much beer while reading a spoofed header (more so for spam than virus mails). Some ISPs are quite helpful in this regard.
To aid in identifying the correct abuse addresses I can recommend the hinfo utility as a complement to whois. Oh and if you're stuck with a standard whois, consider replacing it with the one made by Marco d'Itri - it's the default in Debian, and has the ability to guess the correct whois hosts to ask.
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
How? When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The attacks dropped off rapidly after a few weeks. And since shed kept notes about who she talked with, when and about what, there was very little runaround. When she started that, it took about 45 minutes per day, but by the end it was down to around 15 on average.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
1) Tripwire is a file integrity checker. I suppose you mean portsentry or similar. 2) Automatic firewalling a VERY bad idea. Remember that most modern scanning techniques do not require a full TCP connection, and are therefore eminently spoofable. Not imagine someone spoofing a syn scan from the IPs of google.com. BOOM! No more google for you, you just firewalled it off yourself. BOOM! No more slashdot. BOOM! No more quake server. You get the idea.
Pathman, Free (as in GPL) 3D Pac Man
Seems like me posting that link, has resulted in it exceeding its allowed bandwidth. Here's the Google Cache.
Back when I was 13 or so, one of my friends had convinced me that trying something like this would be fun. I was a bit reluctant, but I had some knowledge of Unix and networking, and it did sound like fun.
We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.
And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
Preferably the job should be outsourced to a 3rd party subcontractor of foreign origin
Ack! Now even slashdot is promoting offshoring!!! Ugh...
Full-Featured GPL Web Hosting Control Panel
So if you leave the front door of your house open (by mistake or on purpose), it is okay for anyone to come in, check out what you have in the fridge, use your bathroom, etc.?
Incidentally, this is similar to what happened to me yesterday. After hearing the noise coming from the other end of the apartment, I went to check it out and found a stranger in my bathroom. She followed some woman's directions and came to my bathroom, thinking it's a public bathroom, simply because I didn't lock my front door. I was polite, but I showed her the way out. I certainly couldn't just ignore her and let her be, could I?
Simpy
True, port scanning in and of itself is not comparable to robbery. Rather, it is like casing the joint: trying the doors to see if they're locked; testing the windows (ahem) for a good seal; checking all the security cameras to see where they're pointed, or if they're turned on at all.
A business owner who saw someone doing that type of thing at their bricks and mortar presence might be a little suspicious. Sure, the 'port scanner' isn't doing anything illegal at the moment, but there are few applications for the information gathered that are legitimate. Most businesses (on- and offline) don't have much use or sympathy for freelance 'security consultants' providing convenient and unsolicited 'security audits' for them.
The individuals attempting to login as root are admittedly being decidedly unsubtle, and are probably relatively harmless due to their lack of skill. On the other hand, if there was a mentally deficient individual wandering the neighbourhood trying to pull open front doors on random homes...wouldn't you want someone to at least keep an eye on him, even if you did keep your own door locked?
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
What conclusions, pray, should be drawn from multiple attempts to gain root access to someone else's boxen? The original poster also specifically asked for an appropriate message to send that didn't sound like a corporate cease & desist--he just wants a 'kid, stop rattling my doorknob' message, to make the point that the 'investigator' has crossed from your 'public' internet on to a decidedly 'private' server.
~Idarubicin
You fool! You had a strange woman just walk in and use your bathroom, and you let her get away? Arrrgg!
The online cartoons - once again - show us how the world works. Here you can find the difference between Hollywoods form of dealing with intruders, and The Real Worlds:
Bigger Than CheeseFree PC version of ChipWits at http://www.breueronline.de/klaus/chipwits/
When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.
The problem with your suggestion is that human response doesn't scale. At her average low of 15 mins per day dealing with the problem manually or socially, the rate of intrusions only has to increase 32-fold before it takes up an entire 8-hour normal working day. How many thousands of network admins are you going to hire to handle a DDoS attack from 100K sources? There is no limit to the number of owned Windows boxes out there.
It doesn't scale and it doesn't help. It is far better to spend your network admin's time on making your systems ever more impervious to attack, and if she has any time left over, to teach others how to do likewise. Ultimately, if all sites are securely tied down then it doesn't matter what the cracker kiddies are doing.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
> Personally I am the view point that if you have a port open with a service that is easily accessible without a password, or the default password, (like NFS, say) then anybody using it is not in the wrong, as how are they to tell that the service is not intended for the public especially since it is on the PUBLIC internet
If you have a radio controlled garage door opener
and someone drives by your house, transmits all
the possible codes sequentially, opens your garage
door and starts looking through your stuff
would you say 'because I didn't buy a sufficiently
advanced garage door opener or engineer my own
I invited the public into my garage'. Of course
you wouldn't. Their intent is obviously to
commit a crime.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
Comment removed based on user account deletion
Data integrity is more important than catching them. Rememeber that first.
5 708681/104-7409931-6853536?v=glance
1) Make notes about what you've found
2) Report the the abuse as per the WHOIS info for the offenders
3) Block their IPs at your border
If you're using a firewall, great. If not--get one.
If you haven't read Frisch's "Essential System Admnistration" read it:
http://www.oreilly.com/catalog/esa3/index.html
If you haven't read Stephen Northcutt's "Network Intrusion Detection" you should probably give it a good read as well:
http://www.amazon.com/exec/obidos/tg/detail/-/073
There are some good articles all over the web regarding Linux security. A few google searches will help uncover them.
Patch. It's not just for Windows.
Limit services with ACLs and host restriction.
Harden your system by partitioning read/write slices away from static mountpoints where your binaries are by mounting the read only ones as read only.
chattr +i on your binaries--makes it tougher for skript kiddies.
Talk to other admins--every day is a school day.
AND
Face the fact that you're not as smart as the crackers so you just have to create layers of security that keep you from being an easy target.
I might know what I'm talkin' about, but then again, this is Slashdot...
It would be nice to adopt a routing protocol extension where you could ask an upstream router to block packets meeting a given criteria (*only to yourself, of course*). This would destroy DDOS attacks, which are currently the only really unstoppable attacks in existance, say you're getting flooded by ICMP from 250 hosts, and you just tell the upstream router to block ICMP traffic from the hosts in question (or for convenience sake, altogether, whatever really) It'd pretty much leave you scot free, in fact if it was extended further, DDOS zombies might get to the point that all their outbound traffic was blocked at their closest non controlled router point, which might clue in the users as to the status of their machines.
Patent Pending!
Casing the joint would be when you then attempt to connect to each open port in turn, and try to verify the version of the server running on each port, perhaps by submitting malformed requests and looking for characteristic responses.
That would be indicitave of someone trying to find a way in.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
What the hell! Why not?
::ffff:203.186.65.92 ::ffff:203.186.65.92 port 4570 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 39378 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 39462 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 39609 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 39742 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 39878 ssh2 ::ffff:217.115.83.1 port 40005 ssh2 ::ffff:217.115.83.1 port 40145 ssh2 ::ffff:217.115.83.1 port 40277 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 40412 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 49595 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 49726 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 49861 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 49983 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 50117 ssh2 ::ffff:217.115.83.1 port 50257 ssh2 ::ffff:217.115.83.1 port 50398 ssh2 ::ffff:217.115.83.1 port 50546 ssh2 ::ffff:217.115.83.1 ::ffff:217.115.83.1 port 50678 ssh2 ::ffff:202.129.52.50 ::ffff:202.129.52.50 port 3258 ssh2
Aug 12 05:08:28 pokey sshd[7534]: Illegal user test from
Aug 12 05:08:31 pokey sshd[7534]: Failed password for illegal user test from
Aug 12 10:51:33 pokey sshd[7615]: Illegal user test from
Aug 12 10:51:35 pokey sshd[7615]: Failed password for illegal user test from
Aug 12 10:51:39 pokey sshd[7617]: Illegal user guest from
Aug 12 10:51:41 pokey sshd[7617]: Failed password for illegal user guest from
Aug 12 10:51:48 pokey sshd[7619]: Illegal user admin from
Aug 12 10:51:50 pokey sshd[7619]: Failed password for illegal user admin from
Aug 12 10:51:54 pokey sshd[7621]: Illegal user admin from
Aug 12 10:51:57 pokey sshd[7621]: Failed password for illegal user admin from
Aug 12 10:52:01 pokey sshd[7623]: Illegal user user from
Aug 12 10:52:03 pokey sshd[7623]: Failed password for illegal user user from
Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from
Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from
Aug 12 10:52:23 pokey sshd[7629]: Failed password for root from
Aug 12 10:52:27 pokey sshd[7631]: Illegal user test from
Aug 12 10:52:29 pokey sshd[7631]: Failed password for illegal user test from
Aug 12 11:01:41 pokey sshd[7659]: Illegal user test from
Aug 12 11:01:44 pokey sshd[7659]: Failed password for illegal user test from
Aug 12 11:01:48 pokey sshd[7661]: Illegal user guest from
Aug 12 11:01:50 pokey sshd[7661]: Failed password for illegal user guest from
Aug 12 11:01:54 pokey sshd[7663]: Illegal user admin from
Aug 12 11:01:57 pokey sshd[7663]: Failed password for illegal user admin from
Aug 12 11:02:01 pokey sshd[7665]: Illegal user admin from
Aug 12 11:02:03 pokey sshd[7665]: Failed password for illegal user admin from
Aug 12 11:02:07 pokey sshd[7667]: Illegal user user from
Aug 12 11:02:10 pokey sshd[7667]: Failed password for illegal user user from
Aug 12 11:02:16 pokey sshd[7669]: Failed password for root from
Aug 12 11:02:22 pokey sshd[7671]: Failed password for root from
Aug 12 11:02:29 pokey sshd[7673]: Failed password for root from
Aug 12 11:02:33 pokey sshd[7675]: Illegal user test from
Aug 12 11:02:35 pokey sshd[7675]: Failed password for illegal user test from
Aug 12 12:23:19 pokey sshd[7703]: Illegal user test from
Aug 12 12:23:22 pokey sshd[7703]: Failed password for illegal user test from
Aug 12 12:23:26 pokey sshd[7705]: Illegal user guest from
You apparently misstyped the URL of your porn server. Please resend.
--LordPixie
Apparently there is a lot of talk here about involving law enforcement, the law, etc.
What a lot of you don't know, which I learned via hard knocks, was that unless you are a large corporate entity with gross yearly earnings in excess of $500k, there is NOTHING that you can do with any judge, law enforcement, or the FBI. They simply tell you to "deal with it".
This is why the issues of hacking and open spam relays, and all the other jazz will never go away, because it's not profitable or should I say; "chargable" under current statutes.
Good luck!
All content in this message is copyright (c) 2008. All rights reserved. RIAA is prohibited here.
The real value of a honeypot is not a slap in the fact to the hacker.
The real value is in observing what kinds of attacks are being uses, especially to see if any NEW type of attacks are being used that your real systems may not have been secured against.
I'll see your senator, and I'll raise you two judges.
Why not create a honey pot that is weak enough for them to compromise it? Then you have evidence of a break in and the grounds to prosecute. Assuming you can identify the offender through the ISP you can make some serious threats with definite consequences.
Of course you should make your box as secure as possible. Ignoring automated attack attempts is probably the wisest course of action, as well, otherwise you waste a lot of time and only draw more more attention to your network, making it a bigger target.
But for those intrusion attempts that appear to have a human being on the other end, a virtual smack upside the head would do the world some good. If it's some script kiddie, then let them know their feeble attempts do not go unnoticed, and are by no means appreciated, and chances are they'll find something more constructive to do before they get themselves into real trouble. If it's someone more hardcore, well, I guess it won't matter either way.
A post a day keeps productivity at bay.
So, being a good guy, I never respond in kind (I could, but 1) it's wrong, 2) it affects more than just the target and 3) I don't feel like going to pound-me-in-the-ass prison), I just log every single packet I can, and when the attack is over find the worst offenders (typically the packets are not spoofed) and use Spamcop and whois to find the responsible parties for each one, and send them all an email.
Many (most?) emails elicit an automatic response.
Perhaps 10% get a personalized response, but usually this response says that I should contact the ISP of the offender (when in fact that's exactly what I'm doing.) Perhaps half of the responses I do get say they'll do something about it, which is good -- usually these are compromised drone/zombie machines, and need cleaning anyways.
Quite often, the attacker is stupid enough to ping my machine from his home machine (so he can see how it's going), not thinking I'll notice that. When this happens, I can also email his home ISP, the people who really know who he is, and the people who can really hit him where it hurts. Except that they ignore my email too, and if they do email me back, they just tell me that the attack did not come from their ISP so they can't do anything, or there's no proof that the pinging is related to the attack.
Phone calls are much more effective than emails, but you really need to make them during the attack for them to take them seriously. And often the attacks happen outside of business hours, so there's nobody to call. And they're very time consuming.
Though I did succeed in nailing at least one guy. He was in Romania, and he messaged me a few weeks after the attack basically pleading with me that it wasn't him, but his brother using his computer. Apparantly the police (in Romania) were questioning him, and one of the things they showed him was my email. The police had never contacted me -- I'm guessing that my email was just one of many pieces of evidence they had against the guy. I felt a bit bad for him, but not that bad. Not that I had any control over what was happening to him at that point -- it was out of my hands the moment I sent my email.
So, if it happens again, I'll do the same thing. I know it's not likely that anything substantial will come from my emails, but there's still a chance. Every time it happens, I know I nail at least some of his compromised machines, and have a chance at getting him. I'll win eventually -- either that, or he'll hit puberty, in which case we both win.
"Arabs, technically, are caucasians. They're just curly haired, tanned white people. Not entirely unlike Italians."
;-)
WTF? Italians are white people?
I thought that is why we have routers.
My routers block all unused ports and use nat. i dont controll the web server so im not sure what goes on there. but i always believed that proper firewall and router configs can stop these kind of things before they start, please correct me if im wrong.
Chances are that you are not being directly hacked, but automatically probed by a system already infected with a root-kit installed.
There are alot of people out there who have no idea that their computer is infected with a root-kit and many would be greatfull to be told so.
I think it would be neat to have a program that could be easily installed on a box, that would act as the firewall for the system. Traffic that a firewall would normally allow is passed normally. Traffic that would normally be dropped, such as a query to a port that is not open on the firewall, would not be dropped but instead be passed to the honeypot module of the program, and from there responded to in a way set by the user through a scripting interface.
Example: You aren't running a telnet server on your box, so normally a connection attempt to port 23 would be dropped. Here you set your honeypot controls to engage a script that you have made (or that came pre-packaged with the software) showing them a fake login prompt that looks like whatever software you wish them to think you are using. Script appropriate responses to possible actions the hacker might try, based on what software they think you have. Let them appear to login with 'admin/admin' or whatever, and show them fake file directories and whatnot. Certain often-targetted files could be spoofed so the cracker can actually 'read' them and not be tipped off. Basically have the software fuck with them for awhile before revealing that "it's all been logged you luser, the Matrix has you, disconnect before things get worse"
You could make a windows box look like anything else to mess with them, if your arsenal of scripts is deep enough. The program could come with a whole whack of pre-defined scripts, and users could create and upload new scripts to a website for others to install in their systems. And when someone installs and runs the program for the first time, they are *forced* to choose a computer name, OS, and other details, so that every out-of-the-box install of this thing doesn't look like every other one out there, making it less easy to detect.
You'd have to make the main code smart enough to not bother if the intrustion appears to be a worm, otherwise such a machine would likely get pretty bogged down. I don't know how to do any of this, I would just like to have the software.
Please? Somebody?
> You connect to the public Internet, you open a port to a service, and you allow anyone anywhere to connect to it.
In the majority of cases this is not true.
People who use computers as an appliance, the
majority of Windows users, do not *choose* to
open ports. They don't know the port is open,
what a port is, how to close it, nor are they
presented with the option to NOT run the services
that open the ports at install time.
> there's nothing wrong with my entering your house if you've put a sign in your front yard saying "Open House".
All of the ports marked 'Open House' are already
quite well known. There's no need to scan for the
port for the web server. Anyone port scanning
is NOT looking for an open house sign in my yard,
they're snooping in my back yard looking for a
unsecured entrance to break in.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
this will only suppress people trying to get into your various info servers (telnet, ftp etc...) you will still get the vast script kiddie assault every day on port 80. you can allow people you want to connect to you on vpn or other services by adding their static ip to the file.
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
/bin/echo "Eat a dog poop. You are not welcome to use %d from %h..."
hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
ALL : 127.0.0.1 : allow
# internal ip
ALL : 192.168.1.100 : allow
ALL : 192.168.1.200 : allow
ALL : 192.168.1.201 : allow
ALL : 192.168.1.202 : allow
ALL : 192.168.1.203 : allow
ALL : 192.168.1.204 : allow
ALL : 192.168.1.205 : allow
ALL : 192.168.1.206 : allow
ALL : 192.168.1.207 : allow
ALL : 192.168.1.208 : allow
ALL : 192.168.1.209 : allow
ALL : 192.168.1.210 : allow
# other people you like go here
ALL : 00.000.000.00 : allow
# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
: spawn (echo Finger. | \
: deny
hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
# The rest of the daemons are protected.
ALL : ALL \
: severity auth.info \
: twist
In the physical-analogy sense, it would be more akin to closing your restaurant without putting up the "closed" sign. When people walk by and try to open the door, you got no business being offended - they're attempting to take advantage of the public service you appear to be offering.
And if you were really dumb and forgot to lock the door too, you've got no business being upset when they walk in and start wondering where the waiter is.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
not that i'm an expert or anything. But when i've found others doing ill/breaking the law on the net and informed their ISP... The ISP is unwilling to do anything. Unless your the cops with a warrent they do nothing, and if you are the cops with one, all they will do is give you info on the person. The ISP won't do diddely. I Think they should just like you but they won't and don't.
Linux Works