Break-In Attempt -- Now What?

Robert Brockway rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Tue Nov 30 19:34:28 UTC 2004


On Tue, 30 Nov 2004, Peter King wrote:

> Yesterday someone tried to break into my system (behind a firewall with
> only port 22 open for ssh), apparently running some sort of kit: a few
> thousand attempts in about seven minutes, most trying for "obvious"
> names (web server root admin and so on). I caught this about two hours
> later while reviewing my logfiles, which, in addition to faithfully
> logging all the break-in attempts, also snagged the intruder's IP
> address.

> Two hours later? Well, what the hell, I thought, and ran traceroute on
> it. And there it was: the computer from which the attacks had been

It could be spoofed or it could be a box with dynamic dialup address, so
you may be tracerouting the wrong box, however based on what you say
later, in this case you may have the right box.

> Lo and behold, a Linux 2.4.7 system with a spate of wide-open ports,
> including ftp (!). I tried it, and it permitted anonymous ftp, though
> apparently chrooted: I couldn't discover anything about its identity.
> Also imap, pop3, ssh, and a few filtered ports (irc and the netbios
> suite among them).
>
> Okay, NOW WHAT?

In these cases I try to find someone responsible for the box.  If you
telnet to port 25 it may announce a domain name.  You can then email
numerous addresses at that domain (root, postmaster, hostmaster,
webmaster, etc).  Also, you can use whois to determine who owns the
address range and possibly contact them (depends on what result you get).

I have done this and often receive a reply within minutes.  One German
group thanked me for pointing out one of their servers had been hacked and
a large Brazilian ISP proved very prompt in responding another day.

> I found the computer, and even have limited access to it; apart from
> wanting to take it down as payback, I had and have no clue what to do

This is unlawful.  I'd avoid even trying this.  The box has probably been
hijacked in order to launch further attacks (as you allude to) and taking
it down will only cover the tracks of the baddie.

> next. The Voice Over My Shoulder told me to give it up and go back to
> rechecking those firewall rules. But I can't help but think if I just
> knew a bit more, I could do something -- like find out the guy's ISP and
> send them a note about cracker attempts.

Here is an example of using whois.  My external IP here is 66.11.142.143.
This command shows my ISP:

whois -h whois.arin.net 66.11.182.in-addr.arpa

Interestingly this is a different format from that used by most whois
servers.  This seems to be an oddity of ARIN that I had not noticed
before.  Normally the IP address is reversed in an in-addr.arpa address.

I shall mail a friend of mine who is a senior sysadmin at a registry.

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Phone: 416-669-3073, Email: rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org, http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
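As an added example (not part of Rob's or Peter's mail), here is a small Python triage script for the steps the thread describes: pull the failed ssh logins out of the auth log, flag a source that made many attempts in a short window (the "kit" behaviour Peter saw), and build the reversed in-addr.arpa name that Rob notes most whois servers expect. The log lines are constructed samples in classic syslog format, and the year is assumed because syslog timestamps omit it.

```python
"""Triage an ssh brute-force burst from the auth log (added example, not from the
original post): count failed logins per source, flag bursts like the "thousands of
attempts in seven minutes" described, and build the in-addr.arpa name for whois."""
import re
from datetime import datetime
# Constructed sample lines in classic syslog/sshd format (no year field).
SAMPLE_AUTH_LOG = """\
Nov 29 14:01:02 gw sshd[4011]: Failed password for illegal user web from 192.0.2.77 port 40011 ssh2
Nov 29 14:01:03 gw sshd[4013]: Failed password for illegal user admin from 192.0.2.77 port 40012 ssh2
Nov 29 14:01:05 gw sshd[4015]: Failed password for root from 192.0.2.77 port 40013 ssh2
Nov 29 14:07:59 gw sshd[4099]: Failed password for illegal user test from 192.0.2.77 port 40100 ssh2
Nov 29 16:03:10 gw sshd[4211]: Accepted publickey for peter from 198.51.100.5 port 52000 ssh2
Nov 29 16:05:44 gw sshd[4220]: Failed password for peter from 198.51.100.5 port 52001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

def parse_failures(log_text, year=2004):
    """Return (timestamp, username, source_ip) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out

def summarize(failures):
    """Per source IP: attempt count, distinct usernames tried, and time span in seconds."""
    summary = {}
    for ts, user, ip in failures:
        s = summary.setdefault(ip, {"attempts": 0, "users": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["users"].add(user)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    for s in summary.values():
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return summary

def burst_sources(summary, min_attempts, max_span_seconds):
    """Sources with at least min_attempts inside max_span_seconds: a tool, not a fumbled login."""
    return sorted(ip for ip, s in summary.items()
                  if s["attempts"] >= min_attempts and s["span_seconds"] <= max_span_seconds)

def in_addr_arpa(ip):
    """Reverse the octets, as most whois servers expect: 66.11.142.143 -> 143.142.11.66.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
```

Feed the result of in_addr_arpa() to whois (or the bare address to a registry such as ARIN) to find the address range owner, and keep the summarized log extract to include in the report to them.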