Collecting Logs from Firewalls to Detect Crackers 138
Anonymous Coward writes "There is now a site dshield.org which collects firewall log excerpts to summarize and organize them
in a database.
The point is to single out script kiddies that scan large IP segments.
It could all end up saving ISPs a lot of time running after / responding to gazillions of reports from users.
Interesting: Right now, IPs used by @Home and RoadRunner to scan their users top the list. The site is only up for a couple of days. but already quite a bid of data has been collected. There is a little perl script that will automatically send Linux kernel log excerpts (ipchains style) to the sytem. ZoneAlarm logs can be processed as well."
php coders anyone? (Score:1)
Re:Blocking @Home and RoadRunner from scanning (Score:1)
Looks like we killed it (Score:1)
Just went to the site and got;
"Sorry, had to take the site temporarily down due to high traffic. Please try again tomorrow"
Re:Blocking @Home and RoadRunner from scanning (Score:1)
he had to stop when he got nasty phonecalls from @home asking why their machine would crash whenever they scaned his ip.
Re:Users Send in Their Logs? (Score:2)
sure! If @home even gave a shit about what their users do. I tried to report an @home user this summer for flooding my poor 56k connection and they ignored me. My ISP wouldn't give me a static IP to block it at the router, so I was basically screwed.
doing something like this really doesn't help anyone. The ISP's have to cooperate (on both ends) and they normally don't care to.
I wish that people would stop being gay and just use the net for what they should.
That is just my worthless
Re:Blocking @Home and RoadRunner from scanning (Score:1)
Re:what about dynamic ip's? (Score:1)
Justin Buist
Re:Blocking @Home and RoadRunner from scanning (Score:1)
Thanks for the correction!
Why 2048? (Score:2)
But what's 2048 used for? A Trojan?
Re:Blocking @Home and RoadRunner from scanning (Score:1)
Re:Honeypots (Score:1)
It seems obvious, but I've talked to folks who were proudly saying that they were implementing honeypots on their production networks to make sure that they caught the kiddies.....great....yeah, let's just invite the kiddies right into your private network...that's a great idea. Remember folks, honeypots are fun...but only if there's absolutely no way that an attacker who gets in to the honeypot can do any *real* damage.
Re:Why 2048? (Score:1)
From the port list at http://www.isi.edu/in-notes/iana/assignments/port- numbers [isi.edu]
A DLS server is a Dynamic Lookup Service server that is used by Netscape Conference to find out who's logged on to to a particular audioconference or videoconference.
No trojans use those ports as far as I know. Maybe some l33t hax0r has a script that hacks a DLS server for some reason?
Re:@Home scanners... (Score:5)
When you enable a Windows machine to share resources it needs to decide what machine on the network is the master browser (A machine that contains a table of all of the NETBIOS machines on the network).
When the machine starts it sends out some packets to decide who the master browser is. If nobody replies or if the present master browser is of a lower OS level than your machine, it will start an election to determine who the new master browser is.
I am an @home subscriber in Calgary (shaw @home). I get this stuff bouncing off of my firewall all the time.
Note: Please don't moderate as Funny. Yeah I know, it's rediculous but its' also how Windows OSs actually do this.
security hole? (Score:3)
Scans versus attacks (Score:2)
If only it were filtered (Score:5)
At first glance, of the top 10 reported "attackers", one was an authorized security scan from home.com, two were 10.x.x.x addresses, and one was a 169.254 Windows AutoIP non-routeable address (and no doubt the port that address was "attacking" was UDP port 53).
When all the world's cable modem users are encouraged to buy these "personal firewalls" which do nothing but trigger false alarms to show how "useful" they are, sites like this can't help but be drowned in a sea of noise.
Re:A few thoughts... (Score:1)
Is this really necessary? (Score:2)
.--bagel--.---------------.
| aim: | bagel is back |
| icq: | 158450 |
Re:Self-mod? (Score:1)
Re:Users Send in Their Logs? (Score:1)
That is a valid flaw in my reasoning. Fortunately, DDOS is not extermely easy (or else you'd see most of the net down weekly) right now. Unfortunately, with the vast proliferation of vapid sysadmins and closed source NOSs I think DDOS is going to become a major problem for ALL kinds of services on the 'net (not just the loss of service, but the permanent vandalism or destruction of service that can happen with faulty database information).
Sorry, its late and I can't come up with a decent solution to this problem today. Maybe later...
Re:Blocking @Home and RoadRunner from scanning (Score:2)
ipchains -s $scanner -p tcp -d $ipaddress ALL -j DENY
ipchains -s $scanner -p tcp -d $ipaddress 53 -j ALLOW
be a more elegant solution? (assuming you can block everything off, except port 53, and that the rules regarding precidence allow it) While I had originally stated that only 4000-6000 were hit, trust me; I got scans on top of scans of top of scans.
Admittedly, my ipchains experience is very fictional; though with DrawBridge for the secure BSD (Open? Free? I forget) you could do that.
Re:Black ICE Defender (Score:1)
Re:They forgot one letter... (Score:1)
a nice little DoS (Score:2)
Much more sensible is encouraging use of a proper logging package, i.e. iplog v2, with a good ruleset to remove false alarms.
skateboarding is not a crime (Score:1)
The SANS GIAC has been doing this for over a year (Score:2)
Re: getting "portscanned" by an @Home nameserver. (Score:2)
When your computer wants to look up an address using DNS, it will send a UDP "question" packet from some "high" port to port 53 of the nameserver. Then, after doing some magic to determine the address, the nameserver sends back a UDP "response" packet to the high port on your computer it got the question from.
So, if you're getting a UDP packet from port 53 of a nameserver to a high numbered port on your machine, it generally means that either: 1) you sent a "question" packet to the nameserver, and it is politely responding to you, or 2) someone else sent a bogus "question" packet to the nameserver, but managed to spoof your IP instead of their own into the header of the packet, and the nameserver is politely responding to you, or 3) someone else is sending a bogus "response" packet to you, but managed to spoof the nameserver's IP instead of their own into the header of packet.
There are probably a number of ways #2 (reply's to a question you didn't ask) could occur, ranging from normal network entropy, to some random dude mistakenly misconfiguring his machine, to some eleet hacker d00d sending out bogus "question" packets to the name server intentionally. With some imagination, I can construct scenarios where both #2 (spoofing the origin of the question) and #3 (spoofing the origin of the reply) might be beneficial to a hacker, but not in hacking your box. My imagination is fairly limited, though.
To answer your more specific questions:
But I'm inclined to believe that these packets are nothing more than standard DNS packets, possibly being returned from the "wrong" IP of a multi-ip'd nameserver. You probably have nothing to worry about.
Fasely targetting IPs (Score:2)
Example:
running "nmap -S<target-ip> -e eth0 -sS -P0 -F '24.*.*.*' " would pseudo-scan a large block of cablemodem ips with target-ip. Assuming a lot of people picked it up and reported it, target-ip would be blocked from a number of sites without ever really doing anything.
Course the whole packet spoofing thing _should_ be fixed in IPv6, but who knows when that's gonna happen.
Re:Blocking @Home and RoadRunner from scanning (Score:1)
If you really want them to stop, play dumb, pretend you don't know it was coming from their machines and report it to their abuse department. If enough people do that, they'll decide it isn't cost effective and stop doing it.
Heh, scoreboard (Score:3)
They're gonna spend all day trying to get their box to the top of "most active attacking IP".
Like getting a slashdot fp...
Re:Honeypots (Score:1)
Re:@Home scanners... (Score:2)
Turn up the OS level on Samba, enable Browse Master and Local Master, set it to share squat over the public Ethernet addy. DHCP ensures you can snag the correct machine/domain/workgroup. Snag all the machine names that now appear in your browse list. Import into a script that copies said file into startup and sends a SMB message at the same time.
I think the list will be shorter next time you run it.
Honeypots (Score:5)
Another article entitled Honey pot networks can gather evidence for catching and prosecuting hackers. [infoworld.com] is also on InfoWorld
The site these articles are based off of is located here [enteract.com]. There are a lot of interesting whitepapers and other materials including the scan of the month to enthrall the slashdot crowds
Re:Users Send in Their Logs? (Score:2)
8080 (Score:1)
--------
Re:Is this really necessary? (Score:3)
Wait! Does this mean routers need privacy policy? (Score:2)
Re:Heh, scoreboard (Score:3)
I just had a thought (Yea, I know, first time for everything). Would these very same script kiddies on cablemodems be called @homeboys?
Can we get a shell script for "small" systems? (Score:2)
Is this a good idea or a security hole? (Score:2)
Is this really a good idea? I keep thinking there has got to be a security hole in here someplace. I can't figgure out where, but I can't convince myself that there isn't some risk (not nessicarly security though that comes to mind) running this.
Re:Black ICE Defender (Score:2)
Re:Blocking @Home and RoadRunner from scanning (Score:1)
http://www.insecure.org/nmap/index.html
right? I didn't read the specs on it; I thought it's main use was fingerprinting OSes remotely by TCP/IP stack analysis. Thanks for the tip!
Re:Blocking @Home and RoadRunner from scanning (Score:2)
But if @Home is actually responsible for the packets, I can't imagine any reason they would do anything besides check to see if the port is open and unprotected, and the simplest way to do that is to try to set up a plain, vanilla connect() scan (beginning with a "SYN" packet, not an "ACK"). If anything as "clandestine" as unexpected bare "ACK" packets show up from random @Home hosts, I'd be suprised if @Home were actually responsible (unless they somehow hired an incompetent script kiddy as a sys admin, which might not be that suprising).
Re: getting "portscanned" by an @Home nameserver. (Score:1)
I'm not the original poster, but I'd just like to say thanks for the enlightenment. DSL is coming my way soon so I'm trying to brush up on firewall issues so as not to get burnt.
Re:Blocking @Home and RoadRunner from scanning (Score:3)
As an @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers (either primary or secondary, forget which one). When I phoned to complain, here is the reasons I got for it:
1) They were verifying my connection.
2) They were checking to see if I had any illicit servers in that range (from UDP 4000-6000, got to make sure that I don't have a rogue licensing server there)
3) They were sending packet data to my cable modem, NOT my computer.
After I heard excuse number three, I realised the advanced level of stupid I was dealing with, and promptly disengaged the phone call.
Still leaving me with the original problem; that @Home's DNS servers are port probing me.
What are the legal ramifications of this? This is unwanted traffic; doesn't that constitute cracking? Isn't that illegal? Can I talk @Home to court for this?
Re:Users Send in Their Logs? (Score:1)
Re:Blocking @Home and RoadRunner from scanning (Score:1)
Re:Bad boys (Score:1)
Re:Issues (Score:1)
The security of his neighbor's houses doesn't directly affect him, or his security (though it could indirectly encourage burglars to try his house also). However, an insecure web-server - which would contain his personal information, likely including credit card details - would have a direct effect on him. Therefore, running your own tests is a reasonable thing to do.
It's comparable to a credit company running checks on you to see if you are trustworthy.
No NNTP scanner? (Score:1)
You are not allowed to run an NNTP server?
--
Re:It's going to be useless for a while because... (Score:1)
besides, most hackers are naive script kiddies or knowledgeable but naive *nix users. Sure there are some talented and gifted folks out there, but just look at the ones who get caught and become darlings of the press. If it cuts down on the number of script kiddies who pull off the amazing feat of bringing down a website, i say use it.
--
Re:what about dynamic ip's? (Score:2)
Public Service Announcement: Log entries are usually recorded using your local time, so you should always include a mention of your timezone when mailing the ISP your logfiles.
As for dshield.org, according to this [he.net], their internal format doesn't bother with the time of the incident; only the date. This, unfortunately, means that dshield is pretty impotent when it comes to dealing with dynamic IPs. If I remember, I'll try getting in touch with the guy who's running it after the Slashdot tide dies down. If run properly, I could see this easily becoming the anti-script kiddie equivilant to SpamCop [spamcop.net].
Re:Rather like a blood alcohol meter in a bar ... (Score:1)
Re:Users Send in Their Logs? (Score:4)
Well, since the faked logs are unlikely to be widespread (or even if they are, the "reverse attacked" IPs are all going to be different) you could simply have a maximum attack count per host. Say, if a host is reported by someone more than twice per day, no more attacks are counted against that machine from the other machine for that week.
While script kiddies are losers that want to ruin these datasets, they all have different people they'd like to see kicked (usually some kid at school, or their next door neighbour). Unless they all ganged up together (and, by definition of being a loner/cowboy cracker that virtually never happens) and attacked one person, there'd be no problem.
You could also set the DB up to auto-ignore entries from a host if they go over "magic" trigger levels. Say a host reports 100 attacks from random IPs a second for the past 24 hours. No way that would happen. Plonk them onto the month long blacklist-blacklist.
A nice idea would be a complaints procedure whereby a user who is repeatedly listed as running scanners could request dsheild to investigate. Maybe if only certain IPs (over similar physical localities) _ever_ reported any cracking attemps they'd consider putting the IP on some form of a "limited ban" list.
They could also implement some form of peer evaluation system where certain "good" or "longtime" users get "points" to boost or lower values on the list... Sorta like slashdot moderation. [Perhaps this isn't such a hot idea after all.]
Not only that, but IMHO it is truly impossible that multiple script kiddies across multiple subnets across the world are going to lie about the same IP. If slashdot.org's reporting is correct (that would be a near first), that is what dsheild wants to do. List users who abuse big subnets.
I'd see what dsheild actually says, but I can't even get past the 502 on their front page. Uggghh...
Re:Users Send in Their Logs? (Score:1)
what about dynamic ip's? (Score:5)
But what about dynamic ip addresses? Most of the scans I get are from such connections... so if I would send my logs to dshields, they would log this ip as an attacker? unreasonable... that's like saying I'm the serial murderer because I sat in the same seat he did a few weeks ago in the bus...
Patrix.
Bad boys (Score:2)
We know how the hacker community was born. We know that we are not saints, but our sins do not give the right to someone to outlaw people, because there were/are mistakes being made. I myself broke/crack/hacked things 15 years ago, much the same way these kids play now. I know that some of my best colleagues and friends were among the darkest crackers at the beginning of the 90's. To be sincere with you people, I also passed a good time, somewhere in this world, as some "The BlackStar" on the dark underground of the hacker community (Hey I'm not hijacking names, I know that there are a few BlackStars and some are much more notorious and thougher than me, but I choose the name originally. In fact, I still use it but in other translation). Frankly to the script kiddies I would say one thing. Yeah it is great to scan and crack things. But that's child's play. Frankly people didn't worry too much about such kind of things. The worse is not when you destroy but when you build. Because it is much harder to do it. And the worst of all when you show that you're damn good at buidling something. That was the moment when bullets started to fly around, because for some people it is better to live on the swamp of ignorance and mischief. Cracking and breaking programs gives some knowledge, but you don't get far with it. Wanna be a hacker? A damn good hacker? Stop harassing your neighbour as he has ten other kiddies to deal with. Build something, help people. But beware, that's the time when other will start to really envy you and be scared of you... Knowledge is a dangerous weapon to live with.
I would act this way. Meanwhile, such lists, are only ground for a new "geek jerks" generation. buy a mug with a penguin, install Linux (after tenth attempt with some help from the side), and say you're in the community...
Re:Issues (Score:2)
> so when you move into a neighborhood, do you
>twist everyones doorknob and car door and try to
>open everyones window, just to "know
> what kind of security they have in place"?
Before I loan you any equipment, I'd like to know
that you keep your doors locked, etc.
And at a professional level, I like to make sure
that you can be a responsible caretaker for musical instruments, recording gear, etc.
As a neighbor, I wouldn't loan you any tools if I
thought you'd leave them out in the driveway, or in an unlocked garage.
How is this "twisting doorknobs and trying to open windows?"
DHCP ? (Score:2)
Re:@Home scanners... (Score:3)
So, I will urge everyone to check their computer, mostly windoze users, for this kind of trojan. It's kind of sticky and fast breeding.
Re:a nice little DoS (Score:2)
In other news.... (Score:3)
dshield.org, a new service designed to analyze firewall logs to look for suspicious activity, submitted its own firewall logs for analysis. To their great surprise, they appeared to be the subject of a giant DOS attack that lasted for 24 hours, as out of nowwhere, nearly 700,000 computers around the world accessed the website.
Due to the enourmous hits, the site was frequently unavailable for legitimate users. Officials suspect foul play, but have been unable to determine a motive for the unprecedented attack. "This is precisely the reason we developed this system; to expose the origins of potential attackers and allow the user to take appropriate action". When asked if it was possible they were simply the victim of the feared "slashdot effect", those allegations were denied. "As soon as our bandwidth returned to normal, we checked out this slashdot.org but saw no mention of the site anywhere on the front page. We checked the logs and found only one refrence from slashdot.org. Although it appears right before the attack began, we are certain that this is only a coincedence.
:)
-Restil
I wonder.... (Score:5)
From: subscriber@home.net
Subject: Repeated attacks
Hello,
Your system scanners has repeatedly triggered alarms on my firewall. These are unauthorized access of my personal computer
Please terminate these scans immediately or I will have no other choice but to apply a $10 discount to my @Home bill for each security incident.
Yours truly, @home customer
From: @HOME tech support
To: @HOME customer
Subject: RE: Repeated attacks
Hhhhhhhhhhmmmmmmpfffffffffrrrrrrrr BHAHAHAHAHAHAH!!
Pay your fucking bill in full now or we'll TOSs ya.
@home techie
---
Inanimate Carbon Rod thanks you for your support. See you in 2004!
Re:If only it were filtered (Score:3)
Re:Users Send in Their Logs? (Score:2)
Re:@Home scanners... (Score:3)
Re:Users Send in Their Logs? (Score:2)
Re:Issues (Score:4)
nslookup slashdot.org
Server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: slashdot.org
Address: 64.28.67.48
Heh,
root@localhost> nmap -S 64.28.67.48 -e eth0 -sS -sU -p 0-65535 www.nsa.gov www.fbi.gov www.cia.gov '*.*.*.*'
(hits enter end runs...)
For those which don't know and are to lazy to look up, an exerpt from nmap manpage:
making assumptions (Score:2)
most reports will be useless (Score:3)
@Home scanning for news servers.
an occasional ping
Napster.
I have my rules set up to the best of my (experienced) ability to eliminate irrelevant stuff. By default, most of the logging packages log everything (i.e. ftp-data connections).
If you ever read some of the newsgroups where the same users who will be using dshield.org post, you'll see that they don't know how to tell an attack from normal activity. Unforunately I can't find some of the usual "NOTICE TO WHOEVER PINGED ME: SEND ME A PING AGAIN AND I'M CALLING THE FBI AND GETTING YOU CUT OFF FROM AOL NOW LET'S BURN THE WITCH" postings today in athome.discussion-security, but they're usually there.
The "firewall" programs that most users use don't give them any help in telling the difference between a genuine 'attack' and between their web browser downloading a file using *gasp* an ftp-date connection.
just to point out why you're all over-reacting: (Score:2)
1) Logs can be forged
2) They're showing the @home portscanners, and reserved netblocks on their top ten (bwuhahaha, look at them, they're so stupid)
in response to 1) there are hundreds of ways any reasonably intelligent coder could check the submitted data, to make sure the logs make logical sense.
On top of that, the whole POINT of this service is to identify people scanning whole netblocks, and then submit that report to some other agency (who would then, what? Automatically say, "well, this site said so, let's unplug the little fucker" without doing their own background check? I think not). This is all about COMPILING data, to try to learn some really interesting things about who and how many netscans there are in a given day.
In my personal opinion, this is a far more useful and important security measure, than anything security focus, or any of the other SUBMISSION based security alert services give, because they're collecting TONS of data.
Think about it for a minute, if everyone starts submitting their logs, the minor forged log every now and again will be ignored by virtue of the immense amount of legitimate information streaming in...
on the second complaint: Get over yourselves! Just because you weren't ambitious enough to start a project like this, doesn't mean that you're smarter than they are. Don't you think they'll start to make corrections once they start analysing their data? It takes time, and submissions, people.
Just think about the potential security gain if this is successful. This is a user driven ORBS database, which could, with a little HELPFUL nudging be very useful for the security minded.
Re:Blocking @Home and RoadRunner from scanning (Score:2)
As am @Home subscriber, I am routinely probed at high (>1024) ports for TCP *and* UDP by the @Home *DNS* servers
I hate to break it to you, but that's not a portscan. If you are running a forwarding nameserver, put the following in your configuration and I bet anything that will go away:
query-source address * port 53;
Basically, you are sending them DNS requests from that port, they are replying, and you are denying the replies. This line makes all DNS queries come from the domain port. They will then shift their replies to be addressed to your domain port.
@Home does do portscans, yes. But not from their DNS servers. Back when I used to pay attention to such things, they quite annoyed me. But I just blocked 24.0.94.130 (authorized-scan.security.home.net) and they went away.
Re:Scanning from Private IP??? (Score:4)
Preventing fakes (Score:5)
It looks like you have to sign up with these guys, and get an ID from them, before you can contribute. Therefor, anybody wishing to poison the database must give a valid e-mail. Presumably, the only way an IP will get in the top ten is if MORE THAN ONE person reports it. Also, I'm sure that any e-mail address that is found to be submitting bogus data will be dropped in a heartbeat.
However, I'd want to put a little "noise filtering" on the scripts from my system: I frequently have www.grc.com scan my system to make sure nothing gets screwed up, and I'd hate to get Gibson Research in trouble. Also, on occasion one of my friends machines will trip my firewall.
What we need is for this data to be collected and the offending ISPs made to solve the problem. Too many ISPs have the attitude of "not my yob": unless you grab their testicles with a rusty pair of pliers and threaten to have your laywer twist if they don't take action, they do nothing.
Re:Users Send in Their Logs? (Score:2)
A public blacklist would work if you have enough contributors that you can verify that many of them, including some trusted contributors, feel that the IP in question should be blacklisted. If you can have a reasonable belief that the majority of data on the system is valid, then the blacklist will be more-or-less effective.
For example, how many people have been framed in such a manner onto the RBL? Sure, there are plenty of cases of people who feel that they shouldn't be on the RBL because they weren't really spamming. But how often do several people conspire to accuse an IP of being a spammer or an unsecured relay just to get back at that IP? Not too often, I imagine.
Just like any online collaboration, from the RBL to online gaming matchups to /., you can gauge the reliability of the community's input based on a trust rating that you assign to contributors based on their past performance.
Issues (Score:3)
A few issues comes to mind:
Forged logs
It's very trivial to fake logs to make it appear
that a attack originated from a specific source.
Innocent traffic
I can't count the times I've been wrongly accused of
"port hunting" after looking for a service on a friends box.
Even a single ping can sometimes trigger a sites IDS
and mark my IP as a threath.
This may be a good idea, but without at least
some background checking and auditing
of submitted logs, I wouldn't trust it one bit.
Re:8080 - wingate (Score:2)
What about BlackICE? (Score:2)
The summary said that ZoneAlarm logs can be posted. What about BlackICE Defender?
Re:If only it were filtered (Score:3)
-B
/. effect (Score:2)
Sorry, had to take the site temporarily down due to high traffic. Please try again tomorrow
ummm.... yeah...
Re:They forgot one letter... (Score:2)
Is it worth the time? (Score:2)
The sites I worked at got portscanned at least twice a day, usually from a cable modem user running Redhat Linux (easily found out by telnetting back to their IP, which has almost every service still enabled). These are script kiddies, and really I don't think I should waste time on someone who downloaded nmap.
A smart cracker won't blindly portscan your machine, because that pretty much gives him (and his skill) away. I think portscans are a fact of life. The ones to worry about are the quiet crackers, who only give away few signs that they are attempting an attack.
What is more interesting to me is the signature of attacks. I don't think analysis of this sort can be done by looking at an IP, as you may see a pattern in your firewall logs that involve many IPs or spans many days. The trick is putting all of the information together in some sort of analytical way to determine if it is a threat or not.
Users Send in Their Logs? (Score:4)
The reason this upsets me (at least SLIGHTLY) is that logs can ALWAYS be faked. That, and get a few different users around the country to send in "altered" logs and some poor @home guy could be out of his account.
Is there anyway to make sure that this will not happen?
Blocking @Home and RoadRunner from scanning (Score:2)
Charter cable here hasn't started doing that (yet), but if I were an @Home/RR customer, that's exactly what I'd do... 'cause you *know* what would happen if we tried to pr0tsc@n them.
I have to laugh... (Score:3)
27/Nov/2000 16:00
Current Most Active
Attacking IP: 24.0.94.130
Then...
nslookup 24.0.94.130
Server: localhost
Address: 127.0.0.1
Name: authorized-scan.security.home.net
Address: 24.0.94.130
Ohh yeah, this is useful information
Re:Users Send in Their Logs? (Score:2)
Re:Preventing fakes (Score:3)
As for the comment about my suggested solution being "a bit extreme": no. A bit extreme would involve molten lead, a funnel, and the services of a proctologist.
That would only be a bit extreme.
Re:I have to laugh... (Score:2)
Except, who authorized it? Did the people it was scanning authorize it? It probably has a (mostly) innocent purpose, but the machine's name doesn't necessairly mean anything
Personally, I think that it's still useful information to know, say, if you don't want home.net scanning your box.
Re:Issues (Score:2)
Who are these folks? (Score:2)
Going on means going far
Going far means returning
Slashdotted, here's the PERL script for grokking (Score:3)
# Linux DShield Client. V 0.0.2
#
# This script will extract relevant lines form the log file and
# send them to 'report@dshield.org'.
#
# It should run from cron regularly to look for new entries. See
# 'parameters' for more details.
#
# Parameters:
#
$userid="0"; # replace with your userid if you have one.
$email="none"; # replace with your e-mail address.
$to='report@dshield.org'; # send log to this address. Change for testing.
$local_log='/tmp/dshield.log'; # keep a local copy here for revie
$filter="input DENY"; # we only care for lines that contain this line.
$state="/var/tmp/dshield"; # file that is used to store length of log file.
$logfile="/var/log/messages"; # location of log file.
# setup a halfway safe
srand(time);
$tmp="/tmp/dshield".$$.rand(1000);
$last_count=0;
#
# the 'state' file contains the length of the log file
# in lines the last time the script ran.
#
if ( -e $state ) {
$last_count=`cat $state`;
chmod $last_count;
}
#
# get the current length of the logfile
#
$length=`wc -l $logfile | sed 's/[^0-9]//g'`;
chomp $length;
#
# if the log file size 'shrank', we assume that the entire file
# is relevant. This will not catch log rotations where the
# log file grows rapidly.
#
$last_count=0 if ($length<$last_count);
$count=$length-$last_count;
#
# remove stale tmp files. This should never happen, as
# the temp file name is generated randomly
if (-s $tmp) {
system ("rm $tmp");
}
#
# this line 'does the work' of extracting relevant lines
#
system("tail -$count $logfile | grep '$filter' > $tmp");
# send the file. Only bother if there is something to
# report.
if ( -s $tmp) {
open (MAIL,"|
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
if ($local) {
open (MAIL,"> $local");
print MAIL "To: $to\n";
print MAIL "From: $email\n";
print MAIL "Subject: FORMAT LINUX USERID $userid\n\n";
print MAIL `cat $tmp`;
close MAIL;
}
}
#
# cleanup the temp file and write a new state file
#
system ("rm $tmp");
system ("echo $length > $state");
DOS (Score:3)
Have you ever submitted an article about a company you hate just to create a
Yes, I'm satan spawn.
No, I'm a virgin or
No, I was with CowboyNeal at a gay bar.
I like to read the articles before posting. Unfortunately it's something I rarely get to do because of the herd affect of
got to love
Re:Wait! Does this mean routers need privacy polic (Score:2)
Re:Is this a good idea or a security hole? (Score:2)
Re:Blocking @Home and RoadRunner from scanning (Score:2)
ipaddress=[YOUR IP HERE];
ipchains -s $scanner -p tcp -d $ipaddress 4000:6000 -j DENY
Wouldn't that do the trick? (assuming you have a Linux firewall) Better yet, put the -l (log) tag at the end, so if you DO decide to sue, you at least can prove the "hack attempts" made against your machine...
cat
I have a Pacific Bell static DSL and while the servers they provide crash constantly, making me use my firewall box for most of my services, (DNS, E-mail, etc) I've had NO TROUBLE AT ALL with stuff like this. They really and truly DON'T SEEM TO CARE what I do! (and if they did, they'd lose my business in a flat second because their services are so horrible)
(But don't bother trying to call them with a problem - hold times > 2 hours!)
Like most, I get attacks daily - Netbios 139 being the most frequent, it seems. Since I started dropping ALL icmp packets to/from my public interface, port scans have all but ceased.
-Ben
Re:Slashdotted, here's the PERL script for grokkin (Score:2)
Hmm. Actually, looking again, there's a much more serious reason I'd call it a crappy Perl script.
$userid="0";
srand(time);
$tmp="/tmp/dshield".$$.rand(1000); if (-s $tmp) {
sy stem (rm $tmp");
}
system("tail -$count $logfile | grep '$filter' > $tmp");
So...in other words, while running as root, it picks a filename based solely on its PID (easy to guess) and the current time (easy to guess, especially since they recommend running it from cron at scheduled times). They remove this file but then tail into it blindly...if you are quick about it (inbetween the remove and tail), you can create a symlink there and get root to overwrite any file on the system. Bugtraq advisories are regularly issued about this type of thing.
They also give you a false sense of security in that there is a place to fill out a userid, but it does not use it for anything but the subject of an email. So it always runs as root, though if you quickly configured it you might think otherwise.
Re:@Home scanners... (Score:5)
YOU SCAN ME ONE MORE TIME AND I'LL COME TO YOUR HOUSE, RIP OUT YOUR CPU, AND SHOVE IT DOWN YOUR DOG'S THROAT
Or something similar. If your real lucky you'll see the results on their webcam. :-)
Re:Scanning from Private IP??? (Score:2)
@Home scanners... (Score:5)
One thing I noticed on the top 10 "Most Wanted" is 24.0.94.130 and 24.0.0.203 : Both of these are official @Home scanner IPs that they use to scan subscribers PCs (i.e. only people in the @Home network should be scanned by these addresses). 24.0.0.203 usually is used to scan for NNTP servers (I get scanned every two hours pretty much to the minute) which was put into place after the big Usenet threats against @Home. 24.0.94.130 scans clients for most known trojans and backdoors. If they find either they, as far as I have heard, shut down your connection until you fix it and contact them when they'll recheck to verify. Great service to avoid people being their worst enemy.
As a sidenote I previously disagreed with someone regarding whether there is a lot of NetBIOS traffic on @Home. At the time I claimed that I didn't get scanned for NetBIOS traffic. Turns out that it was the region I was in previously (Rogers@Home) where they filter out all NetBIOS traffic. Now that I'm in a different region (Cogeco@Home) I find that I'm getting NetBIOS scanned all the time. Out of curiousity occassionally I'll do a \\IP.IP.IP.IP back and find someone sharing their C, D, etc. drives. I don't know if it's an owned machine, or someone with a honeypot, but it's pretty funny nonetheless.
They forgot one letter... (Score:2)
Instead of mysql_connect(), they should've used mysql_pconnect().
--