Information Security News mailing list archives

Have you been hacked? Then strike back


From: InfoSec News <isn () C4I ORG>
Date: Wed, 20 Sep 2000 03:54:45 -0500

http://www8.zdnet.com/eweek/stories/general/0,11011,2627050,00.html

By Brett Arquette, eWEEK
September 17, 2000 9:00 PM PT

Knock, knock. Who's there? Script kiddie. Script kiddie... who?
Unfortunately, script kiddies are no joke. The term "script kiddie" is
what network people call hackers who run scripts to challenge your
network security. They believe that most of these hackers are young
people (kids) who have either written a script or downloaded one off
the Net.

Using the script, they type in a range of IP addresses and let it go.
If your network's IP addresses fall within the range they've entered,
the script will knock on the door of each of your ports and test to
see if you've left any of them unprotected. If so, you can count on
the kiddies coming on in to have a look around, and then it's
playtime.

In the past few months, my system administrator has noticed a marked
increase in port scans made against our network. By analyzing firewall
logs, we were able to tell that seven separate kiddies scanned us over
a single weekend. Almost without fail, every night we're being scanned
at least once. The most popular ports they scan are Sun RPC, FTP, POP3
and IMAP4. If we're being scanned, you can almost bet that your site
is being scanned as well. The scans are originating from organizations
such as the University of Maryland, Verio and BellSouth and from
within countries such as South Korea and Sweden.

Is there reason to worry? If you were sitting at home and noticed
someone outside, testing all your doors to see if they were unlocked,
you'd be on the phone to the police in a nanosecond.

So, when we're scanned, we look up the IP addresses of the scanners
and find out whom the addresses belong to. Then we send an e-mail to
the originators telling them we were scanned, provide them with the
information about the scanner, and encourage them to track down the
user responsible and take action against him or her. This reporting
process may benefit these sites themselves, since they may have been
hacked and the port scans are going out without them ever knowing it.

Still, poring over your network logs, finding the script kiddies,
looking up where the attack came from and sending out e-mail takes a
lot of time. It would be great if someone wrote software that
automated the process. One way or another, I hope you agree, it's time
to attack the hack and put some of these kiddies to bed.

Brett Arquette is chief technology officer for the 9th Judicial
Circuit Court, Orange and Osceola counties, Florida. You can e-mail
him at barq () iag net.

ISN is hosted by SecurityFocus.com
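
The triage the article describes (find the scanners in the firewall log, then write to the network that owns the address), as an added example that is not part of the original article. The log format, function names and sample addresses are constructed, and the abuse contact is assumed to come from a WHOIS lookup done separately.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed): <ISO time> DENY TCP <src> -> <dst>:<port>
LINE = re.compile(r"^(\S+) DENY TCP ([\d.]+) -> ([\d.]+):(\d+)$")
SERVICES = {21: "FTP", 110: "POP3", 111: "Sun RPC", 143: "IMAP4"}

def parse(lines):
    """Yield (time, src, dst, port) per denied connection; skip other lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def find_scanners(lines, min_targets=4, window=timedelta(minutes=10)):
    """Sources that hit >= min_targets distinct (host, port) pairs in one window."""
    by_src = defaultdict(list)
    for when, src, dst, port in parse(lines):
        by_src[src].append((when, dst, port))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past stale hits
            if len({(d, p) for _, d, p in hits[start:end + 1]}) >= min_targets:
                scanners[src] = hits
                break
    return scanners

def draft_report(src, hits, abuse_contact):
    """Notification text; abuse_contact comes from a separate WHOIS lookup."""
    ports = sorted({p for _, _, p in hits})
    names = ", ".join(f"{p} ({SERVICES.get(p, 'other')})" for p in ports)
    return (f"To: {abuse_contact}\nSubject: Port scan from {src}\n\n"
            f"Our firewall denied {len(hits)} connection attempts from {src} "
            f"between {hits[0][0]} and {hits[-1][0]}.\n"
            f"Ports probed: {names}.\nThe host may be compromised; please investigate.\n")

# Constructed sample: a fast scanner, a single-port retry, a slow prober, a stray line.
SAMPLE_LOG = [f"2000-09-16T{t} DENY TCP {s} -> 192.0.2.10:{p}" for t, s, p in [
    ("02:14:07", "198.51.100.23", 21), ("02:14:08", "198.51.100.23", 110),
    ("02:14:08", "198.51.100.23", 111), ("02:14:09", "198.51.100.23", 143),
    ("08:00:00", "203.0.113.5", 110), ("08:05:00", "203.0.113.5", 110),
    ("01:00:00", "203.0.113.77", 21), ("03:00:00", "203.0.113.77", 110),
    ("05:00:00", "203.0.113.77", 111), ("06:30:00", "203.0.113.77", 143),
]] + ["-- log rotated --"]
```

With the default ten-minute window only 198.51.100.23 is reported; the source that spreads the same four ports over several hours appears only when the window is widened.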

