Welcome to Cyborg's ASP Anti-Scriptkid page

by Cyborg

As you can read here, it is hard to decide whether an incoming packet is normal traffic or part of an attack of some kind. This paper is an addendum to my comment on the article above.

The hacker/scriptkid first has to gather information about the target host before he/she can pick the right exploit to break in. A scriptkid normally picks up a new exploit somewhere and then tries to find a vulnerable host by NETSCANNING a single port across the whole address space of a domain, or scans for open ports in general so that a list of candidate hosts is ready when the needed exploit turns up. The distinguishing feature is the shape of the traffic: one source, one destination port, many destination hosts, in a short time.
This looks like this:

                  NETSCAN from O U T S I D E 

 Jul 24 08:28:57 tcp 217.229.156.121 (3291) -> x.x.200.65 (21)
 Jul 24 08:29:05 tcp 217.229.156.121 (3296) -> x.x.200.67 (21)
 Jul 24 08:29:26 tcp 217.229.156.121 (3994) -> x.x.200.108 (21)
 Jul 24 08:29:26 tcp 217.229.156.121 (3808) -> x.x.200.94 (21)
 Jul 24 08:30:35 tcp 217.229.156.121 (1046) -> x.x.200.157 (21)
 Jul 24 08:30:36 tcp 217.229.156.121 (1415) -> x.x.200.178 (21)
 Jul 24 08:30:37 tcp 217.229.156.121 (1209) -> x.x.200.165 (21)
 Jul 24 08:30:45 tcp 217.229.156.121 (1227) -> x.x.200.167 (21)
 Jul 24 08:30:46 tcp 217.229.156.121 (1579) -> x.x.200.188 (21)
 Jul 24 08:30:47 tcp 217.229.156.121 (1396) -> x.x.200.175 (21)
 Jul 24 08:31:08 tcp 217.229.156.121 (1733) -> x.x.200.196 (21)
 Jul 24 08:31:15 tcp 217.229.156.121 (1745) -> x.x.200.197 (21)
 Jul 24 08:31:16 tcp 217.229.156.121 (2090) -> x.x.200.218 (21)
 Jul 24 08:31:18 tcp 217.229.156.121 (1893) -> x.x.200.206 (21)
 Jul 24 08:31:48 tcp 217.229.156.121 (2426) -> x.x.200.236 (21)
 Jul 24 09:51:32 tcp 65.68.200.87 (1609) -> x.x.82.227 (25)
 Jul 24 09:51:34 tcp 65.68.200.87 (1628) -> x.x.82.86 (25)
 Jul 24 09:51:35 tcp 65.68.200.87 (1669) -> x.x.82.82 (25)
 Jul 24 09:51:50 tcp 65.68.200.87 (1740) -> x.x.82.94 (25)
 Jul 24 09:51:53 tcp 65.68.200.87 (1756) -> x.x.82.90 (25)
 Jul 24 09:51:54 tcp 65.68.200.87 (1761) -> x.x.82.91 (25)
 Jul 24 09:51:57 tcp 65.68.200.87 (1777) -> x.x.82.93 (25)
 Jul 24 09:51:58 tcp 65.68.200.87 (1779) -> x.x.82.94 (25)
 Jul 24 09:52:00 tcp 65.68.200.87 (1796) -> x.x.82.95 (25)
 Jul 24 09:52:31 tcp 65.68.200.87 (1953) -> x.x.82.102 (25)
 Jul 24 09:52:38 tcp 65.68.200.87 (1958) -> x.x.82.98 (25)
 Jul 24 09:52:39 tcp 65.68.200.87 (1964) -> x.x.82.100 (25)
 Jul 24 09:52:47 tcp 65.68.200.87 (1968) -> x.x.82.103 (25)
 Jul 24 09:52:48 tcp 65.68.200.87 (1982) -> x.x.82.104 (25)
 Jul 24 09:53:00 tcp 65.68.200.87 (2009) -> x.x.82.100 (25)
 Jul 24 09:53:04 tcp 65.68.200.87 (2024) -> x.x.82.105 (25)
 Jul 24 09:53:19 tcp 65.68.200.87 (2106) -> x.x.82.108 (25)
 Jul 24 09:53:22 tcp 65.68.200.87 (2154) -> x.x.82.110 (25)
 Jul 24 09:53:31 tcp 65.68.200.87 (2194) -> x.x.82.111 (25)
 Jul 24 09:53:34 tcp 65.68.200.87 (2197) -> x.x.82.112 (25)
 Jul 24 09:53:41 tcp 65.68.200.87 (2333) -> x.x.82.113 (25)
 Jul 24 09:53:43 tcp 65.68.200.87 (2442) -> x.x.82.114 (25)
 Jul 24 10:08:22 tcp 65.68.200.87 (3724) -> x.x.82.31 (25)
 Jul 24 10:31:43 tcp 65.68.200.87 (4482) -> x.x.82.199 (25)
 Jul 24 10:31:59 tcp 65.68.200.87 (4550) -> x.x.82.203 (25)
 Jul 24 10:32:01 tcp 65.68.200.87 (4589) -> x.x.82.203 (25)
 Jul 24 10:32:03 tcp 65.68.200.87 (4641) -> x.x.82.206 (25)
 Jul 24 10:32:24 tcp 65.68.200.87 (4782) -> x.x.82.210 (25)
 Jul 24 10:32:39 tcp 65.68.200.87 (4781) -> x.x.82.209 (25)
 Jul 24 10:32:42 tcp 65.68.200.87 (4783) -> x.x.82.211 (25)
 Jul 24 13:22:11 tcp 65.68.200.87 (1913) -> x.x.82.176 (25)
 Jul 24 13:22:13 tcp 65.68.200.87 (1935) -> x.x.82.233 (25)
 Jul 24 13:22:14 tcp 65.68.200.87 (1942) -> x.x.82.232 (25)
 Jul 24 13:22:15 tcp 65.68.200.87 (2076) -> x.x.82.235 (25)
 Jul 24 13:22:17 tcp 65.68.200.87 (2126) -> x.x.82.236 (25)
 Jul 24 13:22:19 tcp 65.68.200.87 (2183) -> x.x.82.236 (25)
 Jul 24 13:23:02 tcp 65.68.200.87 (2367) -> x.x.82.242 (25)
 Jul 24 13:23:08 tcp 65.68.200.87 (2383) -> x.x.82.239 (25)
 Jul 24 13:23:09 tcp 65.68.200.87 (2411) -> x.x.82.244 (25)
 Jul 24 13:23:27 tcp 65.68.200.87 (2494) -> x.x.82.245 (25)
 Jul 24 13:23:30 tcp 65.68.200.87 (2544) -> x.x.82.245 (25)
 Jul 24 13:23:31 tcp 65.68.200.87 (2738) -> x.x.82.246 (25)

How can you find this?

Simple answer: log all packets to non-existent hosts and let firelogger analyse the log. No legitimate client has any reason to talk to an address where no host lives, so that log is almost free of normal traffic, and a single source hitting the same port on many addresses within minutes stands out immediately. In the excerpt above, 217.229.156.121 sweeps port 21 (FTP) across x.x.200.0/24 and 65.68.200.87 sweeps port 25 (SMTP) across x.x.82.0/24, each hitting dozens of addresses within a few minutes. Note that the second scanner comes back hours later (09:51, 10:31, 13:22), so the analysis has to work on time windows rather than on a single burst.

What if the attacker uses our nameserver?

Log the traffic to the nameserver as well and let firelogger analyse it for TCP flood pings of the nameserver, in other words for heavy traffic to one single IP. The pattern is the mirror image of the netscan: one source, one destination, many connections in a short time.
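Both checks described above (the netscan "one source, one port, many hosts" pattern, and the nameserver "heavy traffic to one single IP" pattern) can be run over the log format shown on this page. The following is an added example written for this page; it is not firelogger and not code by Cyborg. It parses lines in the page's layout, groups them per source, and slides a time window over each group. The sample log, the addresses in it, the window lengths and the thresholds are all constructed for the example and should be tuned to your own address space.

```python
"""Sweep and flood detection over a firewall log of packets to
non-existent hosts. Added example for this page; not firelogger.

Log layout is the one shown on the page:
    Mon DD HH:MM:SS proto SRC (sport) -> DST (dport)
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<proto>\w+) (?P<src>\S+) \((?P<sport>\d+)\) -> "
    r"(?P<dst>\S+) \((?P<dport>\d+)\)$"
)

# Constructed sample log in the page's layout (addresses made up for the
# example): a port-21 sweep across one /24, a burst of 25 connections
# against a single host on port 53, and two harmless hits on port 80.
SAMPLE_LOG = "\n".join(
    [f"Jul 24 08:{28 + i // 4:02d}:{(i * 7) % 60:02d} tcp 192.0.2.10 "
     f"({3000 + i}) -> 198.51.100.{65 + i} (21)" for i in range(8)]
    + [f"Jul 24 09:51:{i:02d} tcp 203.0.113.7 ({1600 + i}) "
       f"-> 198.51.100.53 (53)" for i in range(25)]
    + ["Jul 24 10:02:11 tcp 192.0.2.99 (4001) -> 198.51.100.80 (80)",
       "Jul 24 10:40:02 tcp 192.0.2.99 (4002) -> 198.51.100.80 (80)"]
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; every line gets the same dummy year,
    # so time deltas are right unless the log crosses a year boundary.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "proto": m.group("proto"), "src": m.group("src"),
            "sport": int(m.group("sport")), "dst": m.group("dst"),
            "dport": int(m.group("dport"))}


def parse_log(text):
    """Parse a whole log; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def _max_in_window(events, window, key=None):
    """Slide a `window`-second window over time-sorted events and return
    the largest count seen: distinct key(e) values when a key is given,
    otherwise the raw number of events."""
    events = sorted(events, key=lambda e: e["ts"])
    counts = defaultdict(int)
    best = lo = 0
    for hi, e in enumerate(events):
        if key:
            counts[key(e)] += 1
        while (e["ts"] - events[lo]["ts"]).total_seconds() > window:
            if key:
                k = key(events[lo])
                counts[k] -= 1
                if counts[k] == 0:
                    del counts[k]
            lo += 1
        best = max(best, len(counts) if key else hi - lo + 1)
    return best


def find_sweeps(events, window=600, min_hosts=5):
    """NETSCAN pattern: one source hitting the same port on many hosts.
    Returns {(src, dport): distinct hosts in the busiest window}."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dport"])].append(e)
    hits = {}
    for k, evs in groups.items():
        n = _max_in_window(evs, window, key=lambda e: e["dst"])
        if n >= min_hosts:
            hits[k] = n
    return hits


def find_floods(events, window=60, min_packets=20):
    """Flood pattern: one source hammering one destination, e.g. the
    nameserver. Returns {(src, dst): packets in the busiest window}."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"])].append(e)
    hits = {}
    for k, evs in groups.items():
        n = _max_in_window(evs, window)
        if n >= min_packets:
            hits[k] = n
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dport), n in find_sweeps(evs).items():
        print(f"SWEEP  {src} -> port {dport}: {n} hosts")
    for (src, dst), n in find_floods(evs).items():
        print(f"FLOOD  {src} -> {dst}: {n} packets")
```

The sliding window is what makes the scanner that returns hours later (as 65.68.200.87 does in the excerpt) show up as one entry per burst rather than getting averaged away; widen `window` if your scanners are slow, and raise `min_hosts` if your address space is large enough that a handful of stray hits is normal. The flood check counts packets rather than distinct hosts, so a single misconfigured client retrying against the nameserver will also trip it, which is usually still worth a look.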

back to ASP