Welcome to Cyborg's ASP Comments

SMH: over 6,000 Hacks a week

Comment by Cyborg

I don't believe that >6,000 hack attempts a week are realistic. That would make 54 hack attempts per hour, with 16 hours online 7 days a week. That's far too high for a dial-up system where you change your IP with every new dial-in, even if he has a fixed IP. Most unexpected incoming packets are not for you; they are for the last(last(last(...))) owner of your IP address, who maybe has connected to a service that checks at regular intervals whether the host is still there. This could be a web proxy, a mail server or anything else.

How can you be sure it's not a hack attempt?

You cannot be sure, but you can make a quick check on the host that sent the packet.

  1. Install a whois command, an nslookup command and maybe a TCP scanner.
  2. Check with nslookup whether the foreign host has a name server entry (a reverse DNS name for its address).
  3. If the name server entry exists and does not contain terms like 'dialup', you can check whether the host is a web server by using tcpscanner "-p 80 foreignhostip". If it is a web server, you should not worry about the packet, which does not mean that it is not a hack attempt*.
  4. If you found a name server entry and the host does not have a web server running, and you cannot see a normal server function like MAIL.domain.de or news....., you can contact the system administrator and tell them about your logs (which you should send them first). Don't forget to include your IP at that time; that will make it easier for them.
  5. If you don't get a name server entry, you can find the provider the packet comes from by asking the whois databases with "whois -h whois.server.net foreignhostip". There are several whois servers; whois.arin.net is a good place to start, then you can try whois.ripe.net and so on. Most whois servers will tell you to use the whois server responsible for the requested IP, so read carefully before proceeding. At the end of your search you will find an abuse@domain.xxx email address to inform the system's admin.
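The decision rules of steps 2 to 5 can be written down as a small triage function. The following is an added example and not code from the original page; it assumes that the caller has already done the port-80 check from step 3 and passes the result in as a boolean, so the decision logic itself makes no network connection and can be tested offline. Only 'dialup' comes from the text; the other dynamic-pool markers and the server-name prefixes are assumptions for illustration.

```python
"""Added example (not from the original page): apply the triage rules above to
the reverse-DNS name of a source address. The only network call lives in
reverse_lookup(); classify_source() is pure so it can be tested offline."""
import socket

# Substrings that mark a name as a dial-up / dynamic address pool (step 3).
# 'dialup' is the term from the text; the others are assumed extra patterns.
DYNAMIC_MARKERS = ("dialup", "dial-up", "dyn", "pool", "ppp")

# Host-name prefixes treated as a "normal server function" (step 4).
# Assumed list; MAIL. and news. are the two named in the text.
SERVER_PREFIXES = ("mail.", "smtp.", "mx.", "news.", "www.", "ns.")


def reverse_lookup(ip):
    """Step 2: return the PTR name for ip, or None when there is no entry.
    Wraps socket.gethostbyaddr so a missing entry is a value, not an exception."""
    try:
        return socket.gethostbyaddr(ip)[0].lower()
    except (socket.herror, socket.gaierror, OSError):
        return None


def classify_source(ptr_name, http_open=None):
    """Decide what to do with a source address, given its PTR name (step 2)
    and, optionally, whether tcp/80 answered (step 3, supplied by the caller).

    Returns one of:
      'whois'        - no name at all: look up the owner via whois (step 5)
      'dynamic-pool' - dial-up style name: most likely a stale-IP artefact
      'webserver'    - name exists and port 80 answers: low priority
      'server'       - name looks like mail/news/etc.: normal service traffic
      'contact'      - named host with no recognizable server role: step 4
    """
    if not ptr_name:
        return "whois"
    name = ptr_name.lower()
    if any(marker in name for marker in DYNAMIC_MARKERS):
        return "dynamic-pool"
    if http_open:
        return "webserver"
    if name.startswith(SERVER_PREFIXES):
        return "server"
    return "contact"


if __name__ == "__main__":
    # Constructed sample names; no lookup is performed here.
    for sample, http in ((None, None),
                         ("p12345.dialup.example-isp.net", None),
                         ("www.example.net", True),
                         ("mail.example.net", False),
                         ("host17.example.net", False)):
        print(f"{sample!r:>36} -> {classify_source(sample, http)}")
```

To triage a real address, call `classify_source(reverse_lookup(ip), http_open=...)`; the 'whois' and 'contact' outcomes are the only two where the steps above have you do anything beyond reading the log.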

Here you can see two lines of my firewall log from this morning:

06.08.01 09:08:06 Access from host 212.244.200.174 to port tcp/1214 allowed.
06.08.01 09:08:07 Access from host 212.244.200.174 to port tcp/1214 allowed.
06.08.01 09:08:08 Access from host 212.244.200.174 to port tcp/1214 allowed.

These lines are from a host without a name server entry and are a check for a trojan or a rootshell as far as I can see. The next four lines below show that this port is checked more than once a week, which makes it surely a vulnerable service (I don't have a service entry for that) or a trojan/rootshell port. This makes the three packets equal to a hack attempt*; I would say it was the vulnerability check before the real hack.

02.08.01 20:07:41 Access from host 65.10.220.21 to port tcp/1214 allowed.
02.08.01 20:07:41 Access from host 65.10.220.21 to port tcp/1214 allowed.
02.08.01 20:07:43 Access from host 65.10.220.21 to port tcp/1214 allowed.
02.08.01 20:07:43 Access from host 65.10.220.21 to port tcp/1214 allowed.
05.08.01 18:37:22 Access from host 172.179.119.198 to port tcp/1214 allowed.
05.08.01 18:37:28 Access from host 172.179.119.198 to port tcp/1214 allowed.
05.08.01 18:37:31 Access from host 172.179.119.198 to port tcp/1214 allowed.

These lines are from another vulnerability check 32 minutes later.

06.08.01 09:40:16 Access from host 195.126.220.54 to port tcp/21 rejected.
06.08.01 09:40:16 Access from host 195.126.220.54 to port tcp/21 rejected.
06.08.01 09:40:17 Access from host 195.126.220.54 to port tcp/21 rejected.
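The reasoning above (a port touched by several different hosts on different days is worth a closer look, while a burst of packets from one host within a few seconds is one connection being retried) can be run over the log itself. The following is an added example, not part of the original page; it parses the log lines quoted above, which are embedded as a constructed sample in the log's DD.MM.YY format, and reports both the per-attempt grouping and the repeatedly probed ports. The ten-second retry window and the two-host/two-day threshold are assumptions.

```python
"""Added example (not from the original page): parse the firewall log lines
quoted above, collapse packet bursts into connection attempts, and list the
ports that several hosts have probed on several days."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the lines quoted in the text, DD.MM.YY date format.
SAMPLE_LOG = """\
06.08.01 09:08:06 Access from host 212.244.200.174 to port tcp/1214 allowed.
06.08.01 09:08:07 Access from host 212.244.200.174 to port tcp/1214 allowed.
06.08.01 09:08:08 Access from host 212.244.200.174 to port tcp/1214 allowed.
02.08.01 20:07:41 Access from host 65.10.220.21 to port tcp/1214 allowed.
02.08.01 20:07:41 Access from host 65.10.220.21 to port tcp/1214 allowed.
02.08.01 20:07:43 Access from host 65.10.220.21 to port tcp/1214 allowed.
02.08.01 20:07:43 Access from host 65.10.220.21 to port tcp/1214 allowed.
05.08.01 18:37:22 Access from host 172.179.119.198 to port tcp/1214 allowed.
05.08.01 18:37:28 Access from host 172.179.119.198 to port tcp/1214 allowed.
05.08.01 18:37:31 Access from host 172.179.119.198 to port tcp/1214 allowed.
06.08.01 09:40:16 Access from host 195.126.220.54 to port tcp/21 rejected.
06.08.01 09:40:16 Access from host 195.126.220.54 to port tcp/21 rejected.
06.08.01 09:40:17 Access from host 195.126.220.54 to port tcp/21 rejected.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d\d\.\d\d\.\d\d) (?P<time>\d\d:\d\d:\d\d) Access from host "
    r"(?P<host>[\d.]+) to port (?P<proto>tcp|udp)/(?P<port>\d+) (?P<verdict>\w+)\.$"
)


def parse_log(text):
    """Return a list of (timestamp, host, 'tcp/1214', verdict) tuples;
    lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%d.%m.%y %H:%M:%S")
        events.append((ts, m["host"], f"{m['proto']}/{m['port']}", m["verdict"]))
    return events


def group_attempts(events, window=10):
    """Collapse packets from the same host to the same port that arrive within
    `window` seconds of the first one into a single attempt (TCP retransmits of
    one SYN look exactly like this). Returns {(host, port): [(first_ts, packets), ...]}."""
    attempts = defaultdict(list)
    for ts, host, port, _ in sorted(events):
        bucket = attempts[(host, port)]
        if bucket and (ts - bucket[-1][0]).total_seconds() <= window:
            bucket[-1] = (bucket[-1][0], bucket[-1][1] + 1)
        else:
            bucket.append((ts, 1))
    return attempts


def ports_probed_repeatedly(events, min_hosts=2, min_days=2):
    """Ports that distinct hosts touched on distinct days: the signal the text
    uses to decide a port deserves attention. Returns {port: {'hosts': n, 'days': n}}."""
    by_port = defaultdict(lambda: {"hosts": set(), "days": set()})
    for ts, host, port, _ in events:
        by_port[port]["hosts"].add(host)
        by_port[port]["days"].add(ts.date())
    return {
        port: {"hosts": len(v["hosts"]), "days": len(v["days"])}
        for port, v in by_port.items()
        if len(v["hosts"]) >= min_hosts and len(v["days"]) >= min_days
    }


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for (host, port), tries in group_attempts(ev).items():
        for first, n in tries:
            print(f"{first} {host:>16} -> {port}: 1 attempt ({n} packets)")
    for port, info in ports_probed_repeatedly(ev).items():
        print(f"{port}: probed by {info['hosts']} hosts on {info['days']} days")
```

On the sample, every source collapses to a single attempt, and only tcp/1214 crosses the repeated-probe threshold (three hosts on three days); tcp/21 is seen from one host on one day and is not reported.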

All these connects are harmless to the Amiga. I just thought about sending such script kiddies a nice 20 MB mp3 as the signature of my ftp server :-)))) With a flat rate this is no problem ;-)

You now know how to distinguish a hack attempt from normal traffic, but don't believe you know everything; mostly it is useless to mail a sysadmin. Only do that if you are sure you were the intended target.

* A hack attempt mentioned here can also be a simple port scan. Mostly a port scan is the first step in trying to hack a host. See how script kiddies work.

Don't break the rules, scan a host only if they tried to scan you first!

That makes you safer against other paranoid sysadmins who send abuse mails to your provider. Keep your logs! They can be important.
