Crackers and correlations

Brian Densmore DensmoreB at ctbsonline.com
Fri Oct 29 13:37:42 CDT 2004 

I get this type of attack also. The latest one is
different in both the length of time spent on it and the
distinct characteristic of only attempting to gain root access.

By all indications, this was a scripted attack. The port numbers
used seemed to follow a general upward trend with a pseudo-random
reset to a lower port. I'm sure there are multiple scripts for
running brute force attacks of this kind. I expect the scripted
attacks to grow ever more sophisticated over time, as there is
definitely a professional bent to system cracking these days.

I do have a question for y'all. Is there some non-crippling
thing I can do to my system to detect an attack and :
1) send me an email (optionally),
2) log the conversation for xxx seconds,
3) automatically update the firewall to block the offending
user/script.
Keep in mind I'm running on an antique here: Pentium Pro 200 MHz @
40MB RAM w/ ~8 GB of disk.

P.S. - I have an email and phone call in to the good people at the
USDA and will update you all on anything I may find out. Assuming
they will ever admit that one of their PCs has been compromised.


> -----Original Message-----
> From: Dustin Decker .
> 
> I've been seeing a lot of traffic that behaves in similar 
> fashion, across
> sensors deployed on various ISP's for which the only common 
> link is being a
> client of mine, and the attacks.  I (and more importantly my 
> clients) stay
> off the radar pretty well, so I am inclined to think this is 
> a scripted
> process, executed after a root-kit is installed etc. to further the
> conquest.
> 
> If you watch the behavior, and the ascending port numbers, it 
> looks more and
> more like I am correct.  What I find interesting is the 
> sources change over
> time, and then we see the script trying an even larger number 
> of user names.
> 
> Another reference point - I see this a lot more on roadrunner 
> clients than
> any others.  Someone is ramping up for something, looking for launch
> platforms is my guess.  Anyone interested in seeing the 
> entire conversations
> (rather than the logged info below) can drop me an e-mail and I will
> obfuscate things and offer 'em up.  Due to confidentiality 
> clauses in my
> contracts, I will have to munge the IPs that I am protecting, 
> and make a
> mess of the checksums etc.
>

More information about the Kclug mailing list