Slashdot Mirror
Dealing with Intruders?
drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside.
The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
ignore them.
Unless they use a lot of bandwidth, that is the right decission to make.
The accepted way is to send an email to abuse@ or to the abuse contact listed by ARIN for the netblock you are trying to lart.
http://www.arin.net
or lookup the RADB abuse contact
http://www.dnsstuff.org
on my University's network more than once. I ran Linux and I got into the habit of logging in as root, and sometimes I'd try to log in without thinking just after starting a telnet session. I didn't receive any notice from the U, but in this post-9/11 hellmouth, I'm sure I'd have been reported to the FBI as a potential terrorist.
When I had this problem I simply sent a mail to the ISP:s abuse-people. Most ISP has an e-mail address like abuse@theisp.com. Then they can send the guy a warning or whatever.
Martin
intrusion attempt >> /dev/null
ignore it. forget it. script kiddiz...
If you give them a more attractive target for a while, you may find there really aren't all that many attackers left to go after the systems that matter. Not only that, but it would be considerably easier to set up such a system to log their attack techniques, since it isn't actually doing anything. Finally, if they do break through, who cares? Just re-image the drive and let them start over. If they manage to repeat it, you now have a known weakness you can correct.
Mal-2
How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
You might consider sending a handwiten letter and use your own name, that would seem a bit more human. Also, most large companies will send polite-but-firm letters, so just threaten bodily harm to them and their pets, that should sound pretty un-corporate. I suppose only the first sugesstion is really a good one, but I like the second one more, so I'm not going to remove it from my comment.
Less look fast, more go fast.
I always write a really "nice" letter to the ISP of the intruder, where I explain the problem, and that it is causing my customers trouble and that it eats up valuable bandwidth. I ask them to take action, and if not, that I'll have to proceed further (never been needed once). I send the email from the admin account, sign it with my name + admin at my system and then I attach the logs pertaining the intrusion attempt.
... atleast nowadays), mostly for the more serious attempts (doing multiple attempts, different attempts, etc).
:)
So far, all of these "cease and desist" letters has resulted in action on the ISPs part, and in 50% of the cases, their admins write me back and give me feedback on the problem.
Ofcourse, I don't do this for every attempt (all depending on my mood
The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish. I actaully managed to get hold of the owner of the computer system that was scanning me and phoned him. Quite a hilarious experience. Needless to say, the portscanning stopped
Personally I tend to ignore the scans for ssh and so forth, as they're just SYN-packets and doesn't consume too much of my resources. Call me a lazy/non-caring bastard. However, it would surely be nice to send off a message to the ISP, as the machines the scans are originating from are probably cracked too.
.
.. it's days since the last virus from you! Keep up the good work!"
.. and so forth.
:)
I tend to report viruses. I grep my logs daily for viruses from various norwegian ISPs, to the mailserver I admin for my company. During the last five months I've sent daily virus reports to the largest ISP in norway, and they tend to reply within one business day - having notified their customer about the infection. If the customer gets several 'heads up' messages from the ISP without removing the virus, they get their port 25 access filtered until they've confirmed that they've removed the virus.
I tend to send emails such as this.
"
Hi there.
I've got several viruses from your customers today, and would appreciate it if you could notify your customers about the virus infections they probably have.
Here are the relevant snippets from my logs:
Virus: Netsky.B
Received: from at
Virus: Bagle.C
Received: from at
All timestamps on the server are NTP-sync'ed against
Thanks for your time
"
Recently I've also included a more personalized
"Oh, and I have to commend your ISPs efficiency, as since march - you've managed to reduce the number of virus sending users to us from about per day, to this
You could probably just adapt what I'm writing to something saying that a customer of theirs probably has been cracked, and that they are currently scanning for
If it's the actual cracker that's stupid enough to use his own computer, he'll get scared enough if they contact him telling him that his computers has been abused by others to scan people -- and will probably quit doing it.
"Rune Kristian Viken" - http://www.nwo.no - arca
Nothing beats the personal touch of hired goons...
or you'll spend half your time at work writing abuse letters. My logs at work show a constant barrage of windows attacks ( yes, code red is still there), 137 scans, numerous login hacks for any number of OS's, port scans that increment by 1 each time, etc. Sometimes it slows down. I am beginning to just consider it background noise. Just the cost of doing business on the web. As long as the probes arent massive or working, I just note and ignore. I only have so much time for this - it keeps me from downloading all that porn!
Why?
If they are just sending of SYN-requests, then who cares? They'll get a few RST-responses. Having your firewall bogged down by rules just to ignore some dialup user that'll probably have switched IPs the next day will just decrease others chances of contacting you.
Secure your network. Have a nice firewall with okay rules, but there should be no need to add individual IPs to your ruleset all the time -- that just increases complexity and maintainability.
"Rune Kristian Viken" - http://www.nwo.no - arca
True story: About 8 years some friends and I were getting o3ned DAILY by a hacker. One of these friends had a buddy in IBM's security division, who somehow got us a name and phone # of our hacker. We felt like asses when we found out we were getting beat down by a 15 years old. But we called his dad, explained what was going on, and that we knew where he lived. Problem SOLVED :)
Religion is a gateway psychosis. -- Dave Foley
IMHO - If you're not completely sure your network is 101% secure, or you don't have several free hours a day it would be a bad idea to drop a honeypot anywhere near your network.
Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
If your hacker is serious, he's gonna be really pissed about this.
Secure your network & keep it secure - no need to stir 'em up.
Actually, most of the machines attacking me recently have been compromised static-ip servers at various hosting providers.
.. not necessary.
It depends on what kind of 'attack' we're talking about, of course. If it's just an automated attack which scans large ranges of IP-addresses for common vulnerabilities which you've patched against, there really isn't any need to add them to your firewall ruleset, unless they're pretty invasive.
By invasive I mean that they grope and poke, and grope and poke. If it's just a couple of packets - why care at all? You can always fire off an email to the hosting provider, but adding them to your firewall is just
Take the recent increase in SSH scans for the 'test' and 'guest' accounts without password, or whatever it was one came into agreement that it was.. if you've got a patched SSH daemon, why care? Let them scan - and get rejected. Why bog down the firewall with hundreds, if not thousands, of extra matching rules?
If it's likely that you've got vulnerabile machines on that port, block it entirely - or just allow it from specific IPs. Playing whack-a-mole against scanners are just a waste of time.
Patch the system, have a good general firewall ruleset that covers what needs to be covered - and let the scanners that isn't actually continously filling your log files just scan on.
I've had to block _one_ abusive scanner during the last year. It was someone scanning for open http-proxies from Israel. They were hitting my machines several times per seconds, filling my apache logs with relay-attempts to mailservers. Which was quite frankly annoying.
Those scans were from four IP's within the same subnet, and their ISP didn't care. I got the ISP null routed due to their customers filling my logs (and my company doesn't do business in Israel at the moment, so it wasn't a loss anyways).
A few packets now and then on the other hand.. playing whack-a-mole with such is just a waste of time.
"Rune Kristian Viken" - http://www.nwo.no - arca
It's really normal to notice a huge increase in attacks this time of year. With the passing of defcon and black hat this month, a lot of new security vunerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vunerabilities that are out so you can protect yourself.
As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vunerable machine. The only thing you can really do is watch out for anyone who's aggressivly attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their isp and/or authorities, this will usually scare most people off.
Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you, like the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and try's logging in as two different users with no password, root being one of them. If your not familiar with where to find security releases, here's some good places to start:
packetstorm security
Security Focus
Somewhat offtopic, but how do people deal with DOS attacks? /.ers deal with situations like this?
I've had a person harrasing the forums at a website that I host.
I banned by IP and then he started using proxys,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DOS the site by visiting the site and locking down his F5 key.
(He accually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his isp) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And thats it.
So how do other
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude us, while actually the cracker used our computers to intrude other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and an university where he apparently illegally had plugged in a computer on the network and of course the cracker had been reading a number of emails before we finally locked down our systems.
Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldomly in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file mesages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I can not believe that a cracker does something like that for any other reason than pure revenge.
These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.
Avantslash: low-bandwidth mobile slashdot.
Look up HTB on the net (Heuristic Token Bucket) - a firewall rule that limits network abuse while not obstructing normal network usage - every IP gets a pool of "tokens". One token is removed from the pool when a packet is sent, packets won't be sent as long as the pool is empty, but it gets refilled at constant, slow rate, until it's "full" again. So a user can download, say, 500K in one rapid burst at maximum network capacity, then his connection bandwidth goes down to some 5K. If he waits 100s he will be able to get 500K in similar burst again. This way, one page loads really fast. User reads the page, goes back, loads another one (minute later) very fast again. A loser who keeps reloading, exceeds his 500K bucket content in 2-3 reloads and then gets a constant drip of 5K upstream, hardly disturbing the others.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
Don't scan my ports!
I fail to see how scanning ports is akin to robbery. Actually a port scan by itself is a completely legitimate activity as it simply is querying what services are available.
Personally I am the view point that if you have a port open with a service that is easily accessible without a password, or the default password, (like NFS, say) then anybody using it is not in the wrong, as how are they to tell that the service is not intended for the public especially since it is on the PUBLIC internet.
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
I mean some of you guys sound like the ignorant dude that setup an RSS feed and then got pissed when a service used it as intended. The difference with him is that he learned the error of his ways.
I also fail to see how someone using the word "syber" can run any server safely.
1) Tripwire is a file integrity checker. I suppose you mean portsentry or similar. 2) Automatic firewalling a VERY bad idea. Remember that most modern scanning techniques do not require a full TCP connection, and are therefore eminently spoofable. Not imagine someone spoofing a syn scan from the IPs of google.com. BOOM! No more google for you, you just firewalled it off yourself. BOOM! No more slashdot. BOOM! No more quake server. You get the idea.
Pathman, Free (as in GPL) 3D Pac Man
I swear, just like a women to take a technical problem and solving it by nagging someone's ear off
Back when I was 13 or so, one of my friends had convinced me that trying something like this would be fun. I was a bit reluctant, but I had some knowledge of Unix and networking, and it did sound like fun.
We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.
And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
Yeah I know the gentleman's approach.
I don't subscribe to it. I look at it like this:
To drive a car, you need a licence. You have to follow rules. You drive on the correct side of the road. You don't drink and drive. You obey the speed limit. And why do we have to follow the fules? It's because there are other people who also want to use the road, and therefore all drivers have a responsibility to ensure that the safety of others is protected.
Sounds like common sense, right? Well the same should apply to placing computers on the internet. If you want to have viruses and backdoors and worms etc running on your home PC, then fine. Whatever. But if you put your home PC on the internet and take absolutely no fucking responsibility for what you are doing then you are waiving all rights you have over the the safety of your computer. If your computer now pisses me off, I'll 'smbdie' it off the internet. If you're fine with all the rest of the shit that's infecting your PC, then you don't really have any right to complain about me rebooting it once every 5 minutes. And yes I'm doing everyone a service. Firstly, the computer is on the internet for less time than it otherwise would have been, so there's less chance of others being infected. Also, the idiot who owns the computer will be far more likely to do a complete re-install, or at least get a god-damned virus checker and get Windows up-to-date.
Do you know how many people come bitching and complaining to me about their PC being rooted, and when I boot it up find that they're running Windows 2000 SP1 and NO virus protection at all? It's not good enough. And the only ways to get them to take responsibility for their computer are:
a) Legislate. No-one wants legislation covering their computer. It will screw things up for the responsible among us and have no effect on the rest.
b) Make it so unconfortable to run an unprotected computer that they get the hint and protect it.
Having said all this, I know most people will still disagree with me. That's fine. Be angels. Just keep your damned computer secure and you've got nothing to worry about.
True, port scanning in and of itself is not comparable to robbery. Rather, it is like casing the joint: trying the doors to see if they're locked; testing the windows (ahem) for a good seal; checking all the security cameras to see where they're pointed, or if they're turned on at all.
A business owner who saw someone doing that type of thing at their bricks and mortar presence might be a little suspicious. Sure, the 'port scanner' isn't doing anything illegal at the moment, but there are few applications for the information gathered that are legitimate. Most businesses (on- and offline) don't have much use or sympathy for freelance 'security consultants' providing convenient and unsolicited 'security audits' for them.
The individuals attempting to login as root are admittedly being decidedly unsubtle, and are probably relatively harmless due to their lack of skill. On the other hand, if there was a mentally deficient individual wandering the neighbourhood trying to pull open front doors on random homes...wouldn't you want someone to at least keep an eye on him, even if you did keep your own door locked?
I mean really, unless an attacker is DoSing your site due to resource issues I don't see how you can really conclude that the actions are malicious.
What conclusions, pray, should be drawn from multiple attempts to gain root access to someone else's boxen? The original poster also specifically asked for an appropriate message to send that didn't sound like a corporate cease & desist--he just wants a 'kid, stop rattling my doorknob' message, to make the point that the 'investigator' has crossed from your 'public' internet on to a decidedly 'private' server.
~Idarubicin
You fool! You had a strange woman just walk in and use your bathroom, and you let her get away? Arrrgg!
Port scanning is akin to looking to see what doors the house has, if any are open, and if any have "LEMONADE SOLD INSIDE" signs on them.
If you find a machine with port 139 (or whatever the netbios port on it) open, and they've got their C drive shared, don't touch--it wasn't meant for you.
If you find a machine with port 80 open, then you're not doing any harm to pull http://xxx.xxx.xxx.xxx/index.html and see what lives there.
Common sense and common courtesy are really all it takes: if it looks like someone meant to make something accessible, then use it. If someone takes any steps to secure something (even if they're ineffective) or wouldn't be offering it if they knew what they were doing (like the shared C drive), stay away.