Break-In Attempt -- Now What?

Fraser Campbell fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Wed Dec 1 04:59:57 UTC 2004


On Tuesday 30 November 2004 11:00, Peter King wrote:

> Lo and behold, a Linux 2.4.7 system with a spate of wide-open ports,
> including ftp (!). I tried it, and it permitted anonymous ftp, though
> apparently chrooted: I couldn't discover anything about its identity.
> Also imap, pop3, ssh, and a few filtered ports (irc and the netbios
> suite among them).

Sounds like a typical Redhat 7.2 system.  Some company trying out "the Linux 
thing" enabled every service possible and stuck it on the net.  Hack remotely 
via your choice of telnet, wuftpd, ssh or sendmail.  Most likely it's still 
doing their mail/firewall/print/fileserving/website duties so they are 
happily oblivious.

> Okay, NOW WHAT?

Being a good net citizen, you might look up who owns that IP address and 
complain to the ISP.  For example, one of my more recent attackers:

  whois 218.89.36.106    

  inetnum:      218.88.0.0 - 218.89.255.255
  netname:      CHINANET-SC
  descr:        CHINANET sichuan province network
  descr:        Data Communication Division
  descr:        China Telecom
  country:      CN
  admin-c:      CH93-AP
  tech-c:       XS16-AP
  mnt-by:       MAINT-CHINANET
  mnt-lower:    MAINT-CHINANET-SC
  status:       ALLOCATED NON-PORTABLE
  changed:      hostmaster-lMKbp7bQTWtk7FefFpB7g6xOck334EZe at public.gmane.org 20020408
  changed:      hm-changed-kQgggeSMbpBeoWH0uzbU5w at public.gmane.org 20040927
  changed:      hm-changed-kQgggeSMbpBeoWH0uzbU5w at public.gmane.org 20041126
  source:       APNIC

My box constantly gets login attempts from Korea and China (once last week 
there were 4,000+ attempts in 50 minutes).

I used to complain but I've found out that it's worthless.  Small ISPs might 
care and might resolve the issue, but unfortunately most ISPs are large and (I 
guess) either don't care or cannot afford to care.  I did get good responses 
from North America and Europe when complaining about viruses and hacking in 
the past; I've never had a single response from emailing Asian ISPs.  Perhaps 
it's a language barrier, or perhaps the whois information isn't pointing at 
the right people.

> Advice? Suggestions? (Other than "Get a life" I mean.)

Forget about it, put some of that energy into keeping your machine 
unattractive:

- keep all software up to date (libraries can be just as important as the
  daemons)
- keep software that doesn't need to be accessible inaccessible
- keep software features that you don't need turned off where possible (i.e.
  mod_* in apache)
- secure ssh as others have mentioned
- be careful about what you install.  PHP webapps are a dime a dozen, as are
  CGI scripts, and rarely are the programmers thinking about security

Know what your machine is doing:

- install and tune logcheck so that you get emailed the interesting logs
- monitor and alert on interesting things (automatically of course) like size
  of mail queue, free disk space, hard drive temperature, unusual logins,
  volume of traffic, modifications to binaries (tripwire is nice for this)

Other than that, sleep well ;-)

-- 
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
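The "monitor and alert on unusual logins" advice above, and the observation of 4,000+ attempts in 50 minutes, can be turned into a small detector. The following is an added example and is not code from the original post or from logcheck: it parses sshd "Failed password" lines in the classic syslog format, keeps a sliding window of failures per source IP, and flags any source that exceeds a threshold within the window. The log lines are constructed samples using documentation address ranges, and the 5-in-50-minutes threshold is an assumed tuning knob, not a recommendation from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the classic syslog/sshd format (not real log data).
SAMPLE_LOG = """\
Nov 30 10:00:01 host sshd[2001]: Failed password for root from 198.51.100.7 port 40122 ssh2
Nov 30 10:00:02 host sshd[2002]: Failed password for root from 198.51.100.7 port 40123 ssh2
Nov 30 10:00:03 host sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 40124 ssh2
Nov 30 10:00:04 host sshd[2004]: Failed password for root from 198.51.100.7 port 40125 ssh2
Nov 30 10:00:05 host sshd[2005]: Failed password for root from 198.51.100.7 port 40126 ssh2
Nov 30 10:05:00 host sshd[2010]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Nov 30 10:06:00 host sshd[2011]: Accepted publickey for alice from 203.0.113.9 port 51001 ssh2
Nov 30 11:30:00 host sshd[2020]: Failed password for root from 198.51.100.7 port 40200 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user X ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text, year=2004):
    """Yield (timestamp, user, ip) for each failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumed here).
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=50)):
    """Return {ip: (peak_failures_in_window, usernames_tried)} for every source
    that reached `threshold` failed logins inside any sliding window of `window`.

    Lines are assumed to be in chronological order, as a log file normally is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)      # ip -> usernames attempted
    flagged = {}
    for ts, user, ip in parse_failed_logins(text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        # Drop failures that fell out of the window as time advances.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak = max(flagged.get(ip, (0, None))[0], len(q))
            flagged[ip] = (peak, users[ip])
    return flagged


def format_alerts(flagged):
    """Render the flagged sources as the kind of lines you would want emailed."""
    return [
        f"ALERT {ip}: {count} failed ssh logins in window, users tried: {', '.join(sorted(u))}"
        for ip, (count, u) in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(find_bruteforce_sources(SAMPLE_LOG)):
        print(line)
```

Feeding the real auth log through `find_bruteforce_sources` (with the current year) gives a per-source summary that is easier to act on than the raw flood of lines: a single source hammering root and guessed usernames stands out, while a user who mistyped a password once does not. Pair it with the whois lookup from the post if you still want to report the source, and with a tool like logcheck to get the output mailed to you.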