Hi Marek,

of course it's a good thing to find out possible security threats in your networking neighbourhood or to help other admins to secure their systems if they appear to be wide open (which, in case of the system the attacks against your host came from, seems to be true). In your case, the responsible person for the host(s) which attacked you replied nicely to your mails, but this is not very common, at least not according to my experiences; I understand that there are numerous admins not very well trained security-wise and that some of them get very angry if someone else informs them about their weak system and network security, even more if this someone uses certain techniques which the angry admin bluntly identifies as "hacking". Hackers/crackers scan systems, security admins scan systems, but for an admin unskilled in network security both scans may seem to be illegal connection attempts and could set off a chain of unforeseen actions against you even if you just want to help.

I for myself first gather any information available about the offending system (whois, nslookup, traceroute), then I thoroughly analyse the traffic data and send a couple of mails to abuse@, hostmaster@ or support@ with an exact summary of the attacks and the *offer* to conduct extensive security investigations against the particular host(s). If there's no reply and/or the attacks continue I again collect the corresponding traffic data, analyse it and send another complaint to the usual addresses with a cc: to the upstream provider of the hosts in question. If that still does not suffice I block the offending hosts from connecting to my systems, collect data again and go one step further by scanning and checking the attacker for any sec vulns, then write mail again with a more complete analysis and try to phone up some responsible people. This procedure is a bit more time consuming but has led to good results in the past.

Boris

---

On 24-Nov-00 Stiefenhofer, Marek ECOFIS wrote:
Hi security experts,
below is some email exchange in reaction to several attacks on our systems. My question: did I go too far? Would you agree with advising on vulnerabilities on the attackers' systems? Any further comments?
Bye Marek
-----Original Message-----
From: Stiefenhofer, Marek ECOFIS
Sent: Friday, 24 November 2000 10:03
To: 'attacker@somewhere.com'
Subject: AW: ABUSE: Attacks by one of your hosts
Warne,
thank you for your kind interest. I am responsible for IT security in one of Germany's largest non-public wide area networks. So you received my email out of standard procedure (we use intrusion detection systems and alert on most hacking attempts).
I'm quite sure that our security is well set up. But you should consider implementing some more security systems and concepts at your site. The biggest problem you have is: your webservers are not protected by any kind of firewall. This offers attackers lots of possibilities. On webservers there are usually more services running than just the http service. As you don't use firewalls, everyone can check for these services and even use them, and if someone has access to your server he can install new services such as trojan horses etc.
here's an actual check of 123.123.123.123:
21/tcp    open     ftp            -> Microsoft FTP, possibility for Denial-of-Service attacks
25/tcp    open     smtp           -> Mail, no problem
53/tcp    open     domain         -> DNS, maybe a problem
80/tcp    open     http           -> Your IIS still provides possibilities to remotely write files and execute commands
110/tcp   open     pop-3          -> POP3, DoS
125/tcp   filtered locus-map
134/tcp   open     ingres-net     -> don't know
135/tcp   filtered loc-srv
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
157/tcp   filtered knet-cmp
443/tcp   open     https          -> secure http, no problem
593/tcp   filtered http-rpc-epmap
1030/tcp  open     iad1           -> don't know
5631/tcp  open     pcanywheredata -> either you use remote administration, or someone installed PC-Anywhere as a trojan horse
8080/tcp  open     http-proxy     -> http proxy
12345/tcp open     NetBus         -> !!!!!NETBUS!!!!! This is a well-known trojan horse. Seems that someone has broken into your system
65301/tcp open     pcanywhere     -> see above
As you can see, your technical staff has closed all NetBIOS ports. These services are used by Windows systems for their specific network communication (called SMB). That's a good effort but not enough. As I tried to explain, I could still attack all running services on your system and even break in. A firewall would protect your systems by denying all access from the internet except the needed services (http, https, ftp, smtp). But this is still not secure. Now we come to the requested part, the "passive server check".
As explained, the firewall leaves the http service open. An attacker would search for bugs in the http service. Such bugs are caused by the operating system, by bad implementations of the http service or by customers' scripts running on your server. Attackers use those bugs to create files on your webserver or remotely execute code. A passive scan is done by freely available tools (such as twwwscan) which check if certain files (usually scripts) exist on your webserver. An active scan checks how these files react to certain requests. Attackers use the found vulnerabilities to break into your systems. So one of the most important security issues is to learn about all known vulnerabilities and exploits and patch your internet services.
To make it clear: it is still possible to execute code on your server via a vulnerability called "newdsn.exe". People can still break into your systems and can still install trojan horses to attack other parts of your network. It is quite certain that you have been compromised and are still being abused (NETBUS).
Anyway I hope my answers will help you in securing your services. And don't hesitate to ask your technical staff to contact me.
Best regards,
Marek Stiefenhofer (IT Security)
ECOFIS GmbH
Tel.: (02 31) 75 45-1 17
FAX : (02 31) 75 45-2 22
e-mail: m.stiefenhofer@ecofis.de

Also visit our new online service: http://www.alleco.de
-----Original Message-----
From: Warne [mailto:attacker@somewhere.com]
Sent: Thursday, 23 November 2000 22:28
To: Stiefenhofer, Marek ECOFIS
Subject: RE: ABUSE: Attacks by one of your hosts
Marek,
I have tried to contact you by telephone, but have been unsuccessful.
To introduce myself, my name is Warne Boulton, the General Manager and part owner of appHosting.com
I was most concerned to receive your email re the attack on your system via one of our servers.
First, I hope that your security was better than ours and that no damage was done to your server or systems.
Our technical people have worked on the issue and tell me that all is ok. I was interested in the 'passive' test that was instigated. Can you provide me details (in layman's terms as I'm not technical) of how to run this test so that I can arrange for it to be re-run against our servers to ensure this doesn't happen again.
Thank you and best regards
Warne
-----Original Message-----
From: Stiefenhofer, Marek ECOFIS [mailto:m.stiefenhofer@ecofis.de]
Sent: Wednesday, 22 November 2000 1:05 AM
To: 'support@somewhere.com'; 'webmaster@somewhere.com'; 'abuse@somewhere.com'; 'postmaster@somewhere.com'
Subject: ABUSE: Attacks by one of your hosts

*** PGP Signature Status: good
*** Signer: Marek Stiefenhofer
*** Signed: 21.11.00 15:08:38
*** Verified: 24.11.00 08:54:16
*** BEGIN PGP VERIFIED MESSAGE ***

Ladies and gentlemen,
according to our logfiles, one of your hosts (attacker.somewhere.com [123.123.123.123]) is the origin of several common attacks on our webservers.
For the exact type of attacks and time (GMT+1) see attached log file.
We understand such traffic as unauthorized access to our network and internal data and so far as a criminal act. We may enforce you to stop those attempts in the future.

A passive check of your webserver shows that there are several well-known possibilities for breaking into your system (see below). You should consider this host as already having been hacked and abused by third parties. We recommend shutting down the server and checking for trojan horses etc. At the least you should apply all patches provided by Microsoft to secure the IIS webserver.
Checking: Remote File create, IIS DoS (newdsn.exe)        !!! FOUND !!!
Checking: Frontpage98 Hole (_vti_inf.html)                 !!! FOUND !!!
Checking: IIS (showcode.asp) Hole                          !!! FOUND !!!
Checking: RDS Security Hole (msadcs.dll)                   !!! FOUND !!!
Checking: IIS Path Reveal (anything.idq)                   !!! FOUND !!!
Checking: IIS Path Reveal (anything.ida)                   !!! FOUND !!!
Checking: Malformed Hit-Highlighting Argument              !!! FOUND !!!
Checking: Index Server Security Hole (null.htw)            !!! FOUND !!!
Checking: FrontPage 2k <=1.1 Path vul                      !!! FOUND !!!
Checking: FrontPage 2k, IIS Multiple (shtml.dll)           !!! FOUND !!!
Checking: FrontPage MS-DOS Device DoS (shtml.exe)          !!! FOUND !!!
You are appreciated for calling or mailing me directly to get further information...
Please acknowledge the receipt of this message.
Kind Regards,
Marek Stiefenhofer (IT Security)
ECOFIS GmbH
Tel.: +49-2 31 75 45-1 17
FAX : +49-2 31 75 45-2 22
e-mail: m.stiefenhofer@ecofis.de

Also visit our new online service: http://www.alleco.de

*** END PGP VERIFIED MESSAGE ***
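The port listing Marek pasted and his "deny all except the needed services" firewall advice can be turned into a repeatable check that an admin on the receiving end of such a complaint could run over their own scan output. The script below is an added example for this thread, not code from any of its participants or from the tools they mention. It parses nmap-style lines (constructed here from the listing above), treats http, https, ftp and smtp as the only services a public web host should expose, and flags the remote-control and trojan ports named in the thread (12345 NetBus, 5631/65301 pcAnywhere) as high-priority findings; which ports count as "suspicious" and "allowed" is an assumption of the example, chosen to match the mail.

```python
"""Audit a port-scan listing against a default-deny exposure policy.

Added example, not part of the original mailing-list thread. Parses
nmap-style lines and reports every open port that is not on the short
list of services the firewall should leave reachable, plus any port
that matches a remote-control/trojan service named in the thread.
"""
import re

# Sample scan output, constructed here from the listing in the thread.
SAMPLE_SCAN = """\
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
135/tcp filtered loc-srv
139/tcp filtered netbios-ssn
443/tcp open https
5631/tcp open pcanywheredata
8080/tcp open http-proxy
12345/tcp open NetBus
65301/tcp open pcanywhere
"""

# Services a public web host is expected to offer; everything else
# should be blocked at the firewall (the "deny all except" rule).
ALLOWED_SERVICES = {"http", "https", "ftp", "smtp"}

# Ports named in the thread as remote-control or trojan services.
# Assumption for this example: treat them as high-priority findings
# regardless of the service name the scanner guessed.
SUSPICIOUS_PORTS = {12345: "NetBus", 5631: "pcAnywhere", 65301: "pcAnywhere"}

# "<port>/<proto> <state> <service>", whitespace-separated.
LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_scan(text):
    """Return a list of (port, proto, state, service) tuples, skipping
    lines that do not look like scanner output."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def audit(text, allowed=ALLOWED_SERVICES, suspicious=SUSPICIOUS_PORTS):
    """Classify each open port as 'allowed', 'suspicious' or 'unexpected'.

    Filtered or closed ports are skipped: the firewall (or host) already
    blocks them, which is exactly the state every non-listed port should be in.
    """
    findings = []
    for port, proto, state, service in parse_scan(text):
        if state != "open":
            continue
        if port in suspicious:
            findings.append((port, "suspicious", suspicious[port]))
        elif service in allowed:
            findings.append((port, "allowed", service))
        else:
            findings.append((port, "unexpected", service))
    return findings


def summarize(findings):
    """Count findings per class so the result can be read at a glance."""
    counts = {"allowed": 0, "suspicious": 0, "unexpected": 0}
    for _, kind, _ in findings:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_SCAN)
    for port, kind, label in results:
        print(f"{port:>6}  {kind:<10}  {label}")
    print(summarize(results))
```

Anything reported as "unexpected" is a candidate for the firewall's deny list; anything "suspicious" should be treated the way the thread suggests, as a sign the host may already be compromised, and investigated before the port is simply blocked.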
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com