HackFest Series: Reporting Encroachments

Lisa Kachold lisakachold at obnosis.com
Fri Mar 27 20:17:29 MST 2009


Always build your systems with a nice warning:
This server is private property; you have no permission to access.

After catching some fly in your spider trap, grab their addresses for iptables immediately.  If you can't protect your adjacent machines, or are unsure of everything, turn down your machine and network. 

Always always always always report to the SWIP or Network hosting
authority (usually abuse at privatedns.org or abuse at cox.net) when you find
packet traffic on your systems.



Here are the addresses I caught via snort on my honeypot DMZ system (built for the PLUG Hamachi HackFest).

iptables -A INPUT -s 66.114.50.78 -j DROP
iptables -A INPUT -s 70.38.56.186 -j DROP
iptables -A INPUT -s 146.137.96.7 -j DROP
iptables -A INPUT -s 169.237.215.148 -j DROP
iptables -A INPUT -s 74.125.95.101 -j DROP
iptables -A INPUT -s 208.80.152.2 -j DROP
iptables -A INPUT -s 65.55.172.87 -j DROP
iptables -A INPUT -s 70.183.191.46 -j DROP
iptables -A INPUT -s 17.250.248.95 -j DROP
iptables -A INPUT -s 70.183.191.89 -j DROP
iptables -A INPUT -s 72.215.225.96 -j DROP

So step one is to look up the address here: http://www.network-tools.com

Take a full snapshot of the log (using grep) for each person and send it off to the authority listed in DNS records, including time, date, and time zone.

It's very important that you rebuild all systems, revert to restore points, remove all browser settings, and reconfigure your routers including changing all passwords.  The whole process seems daunting, but once you pick up a case of these lusers, they love to continue to cyber stalk, and will find a way back in if you do not remove:

a) Possible XSS browser plugs
b) exploited root for any system where ssh or apache was open
c) All router configurations; they are probably not what they seem.  

A common side effect for systems people who are infested is a vague feeling that something is changing and they are not doing it.  If this is happening to your various firewall systems (which is trivial to do via XSS), you will be best to backup or note changes.  It's a good bet that you will need to rebuild everything.

NOTE: It's probable that you will not be able to run your systems in a secure manner and have them usable, so if you are targeted, you must report it.  The intention to get into a system will usually win out even with an ASA, and most of us cannot live without email - the greatest risk.  

I always report encroachments; I hope you will too.

Obnosis | (503)754-4452




PLUG Linux Security Labs 2nd Saturday Each Month at Noon - 3PM
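The procedure in the post above (pull the offending source addresses out of the snort alerts, grep a per-address log snapshot with date, time and time zone for the abuse contact, and drop each address with iptables) as one small POSIX shell script. This is an added example, not code from the original post; the three snort fast-alert lines are constructed sample data, and the script only prints the iptables rules rather than running them, so it needs no root and can be reviewed before use.

```shell
#!/bin/sh
# Added example: from snort fast-alert lines, list unique attacking source
# addresses, build a log snapshot per address for the abuse report, and
# print the matching iptables DROP rules (printed, not executed).

# Constructed sample alert lines (snort "fast" format); not real traffic.
SAMPLE_LOG='03/27-19:02:11.123456  [**] [1:2003:8] WEB-MISC sample rule [**] [Priority: 2] {TCP} 66.114.50.78:4431 -> 192.168.1.10:80
03/27-19:05:40.000111  [**] [1:1616:5] DNS name version attempt [**] [Priority: 2] {UDP} 70.38.56.186:53 -> 192.168.1.10:53
03/27-19:07:02.000222  [**] [1:2003:8] WEB-MISC sample rule [**] [Priority: 2] {TCP} 66.114.50.78:4432 -> 192.168.1.10:80'

# Unique source IPs: the address between "{PROTO} " and ":port ->".
# sort -u collapses repeats, so an address seen twice yields one rule.
unique_sources() {
    printf '%s\n' "$SAMPLE_LOG" \
        | sed -n 's/.*} \([0-9.]*\):[0-9]* -> .*/\1/p' \
        | sort -u
}

# Log snapshot for one address, headed with the report time in UTC so the
# abuse desk gets date, time and zone together. -F -w matches the literal
# address as a whole token (66.114.50.78 does not match 166.114.50.78).
snapshot_for() {
    ip="$1"
    printf 'Report generated: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S %Z')"
    printf 'Source log: snort fast alerts from honeypot DMZ\n'
    printf '%s\n' "$SAMPLE_LOG" | grep -F -w -- "$ip"
}

# One DROP rule per unique address (to apply: pipe through "sudo sh").
drop_rules() {
    unique_sources | while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Number of rules that would be added.
count_rules() {
    drop_rules | wc -l | tr -d ' '
}

# Usage: print a snapshot for every address, then the rule list.
for ip in $(unique_sources); do
    echo "=== $ip ==="
    snapshot_for "$ip"
    echo
done
drop_rules
```

The regex assumes the standard fast-alert layout ("{TCP} src:port -> dst:port"); for the full alert format or a different sensor, adjust the sed expression. The date and time zone line is the one piece abuse desks most often ask for, so the snapshot function prints it before the log lines rather than leaving it to the cover e-mail.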