
Thread: Response

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    651

    Response

    Hey good people. After some searching (including Ennis' Newbie FAQ - great read), I decided to post this for myself and all others new to security. I would like to have some recommendations on response to the information-gathering stage of hacking. Basically, I would like some suggestions on what to do when your external IDS picks up scans on a block of about 30 or so IP addresses for things like the SubSeven backdoor trojan. I know that there is not much you can do if the packets were dropped and nothing came of it immediately, but are there any recommendations for stopping any further activity, even if the initial occurrence was not actually intrusive?

    One thing I have picked up on is looking the attacker's IP up on ARIN and getting in touch with the point of contact for that block of IPs. I also usually do a NeoTrace on them to get an idea of where they may be. Of course, they could be using someone else's machine as a zombie, but you get the idea. I was thinking about putting together a simple database/spreadsheet tracking probes and scans from different IPs just to get an idea of who is really trying to get in.

    Are there any other suggestions for this? What tactics do you guys use? I would definitely like to be proactive in protecting the network. I see no point in waiting around for something to be hacked. I want to remain productive. I appreciate any suggestions, guys and gals.
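Added example (not from the original poster): a small Python tracker for the probe database/spreadsheet the post describes. It loads IDS drop-log lines into an in-memory SQLite table, summarizes each source IP (how many hits, how many of your hosts it touched, which ports, when), labels the pattern (a one-port sweep across the block versus many ports on one host), and exports CSV for a spreadsheet. The log line format and the sample lines are constructed for this example; the three backdoor ports are the well-known SubSeven, NetBus and Back Orifice defaults.

```python
import csv
import io
import re
import sqlite3
from typing import Dict, Iterable, Iterator, List, Tuple

# Backdoor ports that scanners hunt for; SubSeven is the one the post mentions.
BACKDOOR_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Constructed sample of an external IDS/firewall drop log for this example.
# The format is hypothetical: "<timestamp> <action> <src>:<sport> -> <dst>:<dport> <proto>".
SAMPLE_LOG = """\
2002-09-14T03:12:07 DROP 203.0.113.7:4121 -> 198.51.100.10:27374 TCP
2002-09-14T03:12:07 DROP 203.0.113.7:4122 -> 198.51.100.11:27374 TCP
2002-09-14T03:12:08 DROP 203.0.113.7:4123 -> 198.51.100.12:27374 TCP
2002-09-14T03:12:08 DROP 203.0.113.7:4124 -> 198.51.100.13:27374 TCP
2002-09-14T03:12:09 DROP 203.0.113.7:4125 -> 198.51.100.14:27374 TCP
2002-09-14T11:40:01 DROP 192.0.2.44:3301 -> 198.51.100.12:12345 TCP
2002-09-14T11:40:01 DROP 192.0.2.44:3302 -> 198.51.100.12:31337 TCP
2002-09-14T11:40:02 DROP 192.0.2.44:3303 -> 198.51.100.12:27374 TCP
2002-09-14T11:40:02 DROP 192.0.2.44:3304 -> 198.51.100.12:1080 TCP
2002-09-14T15:02:33 DROP 203.0.113.99:52100 -> 198.51.100.12:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

Row = Tuple[str, str, str, int, str, int, str]


def parse(lines: Iterable[str]) -> Iterator[Row]:
    """Yield one tuple per well-formed log line; skip anything that does not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["ts"], m["action"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["proto"])


def build_db(lines: Iterable[str]) -> sqlite3.Connection:
    """Load parsed probes into an in-memory SQLite table (the 'simple database')."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE probe (ts TEXT, action TEXT, src TEXT, sport INTEGER, "
        "dst TEXT, dport INTEGER, proto TEXT)"
    )
    db.executemany("INSERT INTO probe VALUES (?, ?, ?, ?, ?, ?, ?)", parse(lines))
    return db


def classify(hits: int, hosts: int, ports: int) -> str:
    """Label the pattern: one port across many hosts is a sweep for a specific backdoor."""
    if hosts >= 3 and ports == 1:
        return "sweep"
    if hosts == 1 and ports >= 3:
        return "vertical scan"
    if hits == 1:
        return "single packet"
    return "mixed"


def summarize(db: sqlite3.Connection) -> List[Dict[str, object]]:
    """One record per source IP, busiest first, with the backdoor names it probed for."""
    rows = db.execute(
        "SELECT src, COUNT(*), COUNT(DISTINCT dst), COUNT(DISTINCT dport), MIN(ts), MAX(ts) "
        "FROM probe GROUP BY src ORDER BY COUNT(*) DESC, src"
    ).fetchall()
    summary: List[Dict[str, object]] = []
    for src, hits, hosts, ports, first, last in rows:
        dports = [r[0] for r in db.execute(
            "SELECT DISTINCT dport FROM probe WHERE src = ?", (src,))]
        backdoors = sorted(BACKDOOR_PORTS[p] for p in dports if p in BACKDOOR_PORTS)
        summary.append({
            "src": src, "hits": hits, "hosts": hosts, "ports": ports,
            "first_seen": first, "last_seen": last,
            "backdoors": ",".join(backdoors),
            "pattern": classify(hits, hosts, ports),
        })
    return summary


def to_csv(summary: List[Dict[str, object]]) -> str:
    """Spreadsheet-ready output; column order matches the dict keys built above."""
    buf = io.StringIO()
    fields = ["src", "hits", "hosts", "ports", "first_seen", "last_seen", "backdoors", "pattern"]
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(summary)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(summarize(build_db(SAMPLE_LOG.splitlines()))))
```

With the sample log, 203.0.113.7 shows up as a five-host sweep for SubSeven, 192.0.2.44 as a vertical scan of one host that touches three backdoor ports, and the single dropped packet to 443 sorts to the bottom as noise. Feed a real log through parse() by adjusting LINE_RE to your IDS's format; the src column is what you would take to ARIN or DShield.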

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Might consider one or more of the following:

    1) report offenders to their ISP, providing the ISP relevant information if possible
    2) block the offenders if possible (possibilities are routers/firewalls/personal firewalls)
    3) look at DShield. It basically correlates attack logs provided by people all over the world, and can be particularly interesting when nasty worms are on the loose (Code Red, for example). You could always report the results there and become part of it. They also have a fight-back section that will report offenders and the such.
    4) If the attacks are severe or particularly troublesome, you could always report them to the FBI cybercrime division or some other enforcement agency. There are also some non-law-enforcement entities around who specialize in following these up.
    5) I would recommend AGAINST taking any action towards the scanner directly, including a traceroute, but this is a personal opinion. I would rather a hacker or even a script kiddie get bored and move on to someone else, rather than have their interest piqued when I start probing back (and yes, sometimes traceroute is considered by certain organizations to be a probe). Furthermore, if they are scanning you they are probably scanning others, and it would make it a lot harder for them to know exactly who turned them in (and hence possibly make you a target).
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    One thing you might consider is setting up a Linux box running portsentry. Portsentry will bind itself to several commonly probed ports and listen for portscans, and if it detects one it can automatically configure iptables to drop all packets from the offending host to *any* port on your network. If you have a web server on port 80, but this guy is probing you on BO, Sub7, and all that other crap, it's a fair bet he doesn't have any business accessing your web page, either.
    Do what you want with the girl, but leave me alone!

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    177
    Well, if you're really, really interested in gathering data, maybe you should think about putting up a honeynet. This will no doubt give you all the info you desire... as long as you're keeping a good eye on it.

    Check out this site. It might inspire you to do something of this sort. Or maybe it'll show you that a honeynet would not suit your needs.

    Just an idea!

  5. #5
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Second problemchild's recommendation. Portsentry is not only good because it can block an intruder once it detects someone trying to scan (be careful or you can block legit traffic), but you could also set it up to NOT be stealthy in dropping packets. In other words, you could have it listening to quite a few known trojan ports and have some serious fun with the scanner's portscan results.

    I have given my network admin a few minor pre-heart-attack pains when they did a portscan.

    Neb
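Added example illustrating the mechanism problemchild and Neb describe above (this is not PortSentry's code, and not from either poster): a minimal Python tripwire that listens on backdoor ports, optionally answers each probe with a fake banner so the scanner's results show the port "open", and builds an iptables DROP rule against the whole source address, skipping anything on an ignore list so legitimate hosts are not blocked. The port list, the ignore networks, the banner text and the exact iptables rule form are assumptions for this example; running with dry_run=False actually inserts the rule and needs root.

```python
import ipaddress
import socket
import subprocess
import threading
from typing import List, Optional, Tuple

# Ports the tripwire listens on (SubSeven, NetBus, Back Orifice defaults).
TRIPWIRE_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Hypothetical ignore list: addresses that must never be blocked (your own
# scanners, monitoring hosts, internal nets). This is the guard against
# blocking legit traffic that Neb warns about.
DEFAULT_IGNORE = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("127.0.0.0/8")]

# Non-stealth mode: answer the probe so the scanner sees an "open" port with
# a bogus service banner. Constructed text for this example.
FAKE_BANNER = b"220 Welcome\r\n"


def block_command(src: str) -> List[str]:
    """iptables rule dropping everything from src, not just the probed port (assumed form)."""
    return ["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"]


class Sentry:
    def __init__(self, ignore_nets=None, dry_run: bool = True, banner: bool = True):
        self.ignore_nets = DEFAULT_IGNORE if ignore_nets is None else ignore_nets
        self.dry_run = dry_run
        self.banner = banner
        self.blocked: set = set()
        self.events: List[Tuple[str, int, str]] = []
        self._lock = threading.Lock()

    def is_ignored(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ignore_nets)

    def on_probe(self, src: str, port: int) -> Optional[List[str]]:
        """Record the probe and return the block command issued, or None if skipped."""
        with self._lock:
            self.events.append((src, port, TRIPWIRE_PORTS.get(port, "unknown")))
            if self.is_ignored(src) or src in self.blocked:
                return None          # ignore-listed or already blocked
            self.blocked.add(src)
        cmd = block_command(src)
        if not self.dry_run:
            subprocess.run(cmd, check=False)   # real rule insertion; needs root
        return cmd

    def serve_once(self, listener: socket.socket) -> Tuple[str, Optional[List[str]]]:
        """Accept one connection, answer it (non-stealth), then react to the source."""
        conn, (src, _sport) = listener.accept()
        try:
            if self.banner:
                conn.sendall(FAKE_BANNER)
        finally:
            conn.close()
        return src, self.on_probe(src, listener.getsockname()[1])

    def serve_forever(self, listener: socket.socket) -> None:
        port = listener.getsockname()[1]
        while True:
            src, cmd = self.serve_once(listener)
            action = " ".join(cmd) if cmd else "no action"
            print(f"{src} probed {port}/tcp ({TRIPWIRE_PORTS.get(port, 'unknown')}): {action}")


def listen(port: int, host: str = "0.0.0.0") -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s


def probe_self(sentry: Sentry) -> Tuple[bytes, str, Optional[List[str]]]:
    """Drive the sentry over loopback: what a scanner would see, and what we would do."""
    lst = listen(0, "127.0.0.1")            # ephemeral port, loopback only
    port = lst.getsockname()[1]
    outcome: List[Tuple[str, Optional[List[str]]]] = []
    t = threading.Thread(target=lambda: outcome.append(sentry.serve_once(lst)))
    t.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        seen = c.recv(64)
    t.join(5)
    lst.close()
    src, cmd = outcome[0]
    return seen, src, cmd


if __name__ == "__main__":
    sentry = Sentry(dry_run=True)           # dry_run=False really inserts rules
    for p in TRIPWIRE_PORTS:
        threading.Thread(target=sentry.serve_forever, args=(listen(p),), daemon=True).start()
    threading.Event().wait()                # run until killed
```

Run as-is it listens on the three ports and prints the rule it would have inserted for each probing host; a port scan against the box shows all three "open" with the banner, which is the effect Neb describes. Blocking is a one-shot per source, so a host that is already blocked or on the ignore list produces an event but no new rule.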

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Thanks to all for the great suggestions.
    Opinions are like holes - everybody's got 'em.
