This is a discussion on Hacking Attempts within the Linux Networking forums, part of the Linux Forums category.
I faithfully check my linux logs every day for hacking attempts. However, until today, I never checked my router logs. I was surprised to find that someone rattles a doorknob here about 3 or 4 times an hour. My router doesn't list times, stupidly enough, but it is very frequent. They appear to be interested in ports 4899 and 1026 which seem to be MSFT remote access ports.

I am curious if the frequency of attempts is normal? How do they get IP addresses? I know they can pull it from the headers of this email, but do they go mining for this info? Do they pass around hit lists? Most of the attempts seem to come from the Pacific Rim. Should I force an IP address change, and use a web-based newsgroup front-end, and protect my IP address? Sorry for all the questions. I am just a little unnerved at all the doorknob rattles.

In article <dz4yd.57790$Jk5.43155@lakeread01>,
Buck Turgidson <jc_va@hotmail.com> wrote:
>I faithfully check my linux logs every day for hacking attempts. However,
>until today, I never checked my router logs. I was surprised to find that
>someone rattles a doorknob here about 3 or 4 times an hour. My router
>doesn't list times, stupidly enough, but it is very frequent. They appear to
>be interested in ports 4899 and 1026 which seem to be MSFT remote access
>ports.
>
>I am curious if the frequency of attempts is normal?

It's probably pretty normal. It might even be a little on the light side.

>How do they get IP addresses?

They scan all IP addresses (more or less). Don't feel too special... ;^)

>I know they can pull it from the headers of this email, but do
>they go mining for this info?

No, that's too much work.

>Do they pass around hit lists?

Probably, but only of systems that they've actually cracked I suspect.

>Most of the attempts seem to come from the Pacific Rim.

Gee, there's a surprise (rolls eyes)!

>Should I force an IP address change, and use a web-based newsgroup
>front-end, and protect my IP address?

Nope. It won't make any difference. If you change your IP address, your doorknob will be rattling again in no time.

>Sorry for all the questions. I am just a little unnerved at all the
>doorknob rattles.

Get used to it and be glad you have a router at all. They act as excellent firewalls. Windows machines are filled with holes waiting for hackers when there's nothing between them and the Internet.

=========   For LAN/WAN Protocol Analysis, check out PacketView Pro!   =========
Patrick Klos                           Email: patrick@klos.com
Klos Technologies, Inc.                Web:   http://www.klos.com/
==================== What goes around, comes around... =====================

On Tue, 21 Dec 2004 21:00:29 -0500, Buck Turgidson wrote:
> I faithfully check my linux logs every day for hacking attempts. However,
> until today, I never checked my router logs. I was surprised to find that
> someone rattles a doorknob here about 3 or 4 times an hour.

Pretty slow rattling.

> I am curious if the frequency of attempts is normal?

Going to depend on malware of the day. You want plots and graphs, http://www.dshield.org/

> How do they get IP addresses?

Do you mean 68.100.188.19

> I know they can pull it from the headers of this email,

This is not an email, it is a usenet post.

> but do they go mining for this info

Hey, kick up something like leafnode, and the posts can be run through a filter to snarf your ip address.

> Do they pass around hit lists?

If they did, I would bet they would be caught a lot quicker.

> Most of the
> attempts seem to come from the Pacific Rim. Should I force an IP address
> change, and use a web-based newsgroup front-end, and protect my IP address?

Nope, some of the malware will infect a pc, the malware will then hunt on that node's network then start hunting farther in the same network.

> Sorry for all the questions. I am just a little unnerved at all the
> doorknob rattles.

Here is an 11 day tally of the ones I do not even bother to see in my logs, they are thrown into the bit bucket.

Chain blacklst (2 references)
 pkts bytes type port
   17   860 tcp dpt:21
   12   576 tcp dpt:25
  182  8831 tcp dpt:80
    6   288 tcp dpt:901
   45  2164 tcp dpt:1023
  290 13996 tcp dpt:1025
  908  759K udp dpts:1026:1029   <=== port range
   95 38380 udp dpt:1434
  259 12472 tcp dpt:1433
    2    88 tcp dpt:1521
   60  2928 tcp dpt:2082
  262 12636 tcp dpt:2745
  138  6676 tcp dpt:3127
   45  2144 tcp dpt:3128
   11   532 tcp dpt:3389
   87  4180 tcp dpt:3410
   14   668 tcp dpt:4000
  502 24396 tcp dpt:4899
   70  3376 tcp dpt:5000
  123  5924 tcp dpt:5554
  149  7168 tcp dpt:6129
  129  6200 tcp dpt:9898
   53  2552 tcp dpt:12345
    4   192 tcp dpt:17300
   18   864 tcp dpt:27374
    3   144 tcp dpt:65506
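Bit Twister's tally above comes straight from iptables chain counters. As an added example (not code from anyone in this thread), here is a small Python script that builds the same kind of per-port tally from netfilter LOG-target lines in syslog and works out the hits-per-hour figure the original question asks about. The sample log lines are constructed, and the syslog layout and the helper names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of netfilter LOG-target lines (syslog style); not real traffic.
SAMPLE_LOG = """\
Dec 21 20:05:11 router kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=3421 DPT=4899 SYN
Dec 21 20:19:40 router kernel: IN=ppp0 OUT= SRC=198.51.100.77 DST=192.0.2.5 PROTO=UDP SPT=1026 DPT=1026 LEN=480
Dec 21 20:33:02 router kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=3422 DPT=1025 SYN
Dec 21 21:02:58 router kernel: IN=ppp0 OUT= SRC=203.0.113.44 DST=192.0.2.5 PROTO=TCP SPT=1111 DPT=4899 SYN
Dec 21 21:40:13 router kernel: IN=ppp0 OUT= SRC=198.51.100.77 DST=192.0.2.5 PROTO=UDP SPT=1027 DPT=1027 LEN=480
Dec 21 22:15:27 router kernel: IN=ppp0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=3423 DPT=4899 SYN
"""

# Pull out the syslog timestamp plus the SRC=, PROTO= and DPT= fields of a LOG line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse_log(text, year=2004):
    """Return a list of (timestamp, src, proto, dport); lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # syslog omits the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["proto"].lower(), int(m["dpt"])))
    return events

def tally_by_port(events):
    """Hits per (proto, dport), the same shape as the 'Chain blacklst' listing above."""
    return Counter((proto, dpt) for _, _, proto, dpt in events)

def hits_per_hour(events):
    """Average hit rate over the observed window, to judge whether the rattling is 'normal'."""
    if len(events) < 2:
        return float(len(events))
    first = min(e[0] for e in events)
    last = max(e[0] for e in events)
    span_h = (last - first).total_seconds() / 3600
    return len(events) / span_h if span_h else float(len(events))

def top_sources(events, n=3):
    """Most frequent source addresses, to spot one host that keeps coming back."""
    return Counter(src for _, src, _, _ in events).most_common(n)
```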

On Tue, 21 Dec 2004 21:58:27 -0500, Buck Turgidson wrote:
> Can't these hackers think of better hobbies, like stamp collecting or
> something.....

They are trying to get as many cracked boxes into their botnets. They then sell advertising email bots to spammers. :(

The rest are script kiddies munging current malware.

I would think it will peak for christmas. Looking for all those new computers that do not come with SP2 installed on that M$ OS.

In article <Cp5yd.57794$Jk5.34414@lakeread01>, "Buck Turgidson" <jc_va@hotmail.com> wrote:
>Can't these hackers think of better hobbies, like stamp collecting or
>something.....

Maybe they are collecting IP addresses? ;-)

--
Jørn Dahl-Stamnes
Homepage: http://www.dahl-stamnes.net/dahls/

On 2004-12-22, Jørn Dahl-Stamnes <DELETEnewsman@REMOVEdahl-stamnes.net> wrote:
>
> Maybe they are collecting IP addresses? ;-)
>

I cannot remember where I saw it (probably steakandcheese.com) but someone had made a screen shot that included:

1. a visual basic project development of a number of simple 'for' loops that generated every IP address ( 0.0.0.0 -> 255.255.255.255 ) you could get and dump the results to a file
2. the text file copied to his P2P share directory
3. his favourite P2P software running
4. _six_ people actually downloading the list of the ip addresses, the file was called something like 'all the ip addresses on the internet.txt'

Cheers
Alex

On 2004-12-22, Bit Twister <BitTwister@mouse-potato.com> wrote:
> On Tue, 21 Dec 2004 21:00:29 -0500, Buck Turgidson wrote:
>> I faithfully check my linux logs every day for hacking attempts. However,
>> until today, I never checked my router logs. I was surprised to find that
>> someone rattles a doorknob here about 3 or 4 times an hour.
>
> Pretty slow rattling.
>

We normally see 3 or 4 per IP address per minute (I work for an ISP). That result surprised me too.

>> How do they get IP addresses?
>
> Do you mean 68.100.188.19
>

Pah, useless. What about 54.12.64.23 or 123.123.123.123?

Cheers
Alex

On 2004-12-22, Buck Turgidson <jc_va@hotmail.com> wrote:
> Can't these hackers think of better hobbies, like stamp collecting or
> something.....

They're not hobbyists anymore -- it's now a quite lucrative business finding exploitable machines and selling access to them to spammers and such.

--
John (john@os2.dhs.org)

On Wed, 22 Dec 2004 03:09:13 GMT, Bit Twister wrote:
> On Tue, 21 Dec 2004 21:58:27 -0500, Buck Turgidson wrote:
>> Can't these hackers think of better hobbies, like stamp collecting or
>> something.....
>
> They are trying to get as many cracked boxes into their botnets.
> They then sell advertising email bots to spammers. :(
>
> The rest are script kiddies munging current malware.
>
> I would think it will peak for christmas. Looking for all those
> new computers that do not come with SP2 installed on that M$ OS.

Even _if_ SP2 is installed:

http://www.eweek.com/article2/0,1759,1745642,00.asp
http://news.com.com/Chinese+firm+fin...3-5502534.html
http://www.usatoday.com/tech/news/co...winholes_x.htm

The exploits du jour.

Jonesy
--
| Marvin L Jones     | jonz       | W3DHJ  | linux
| Gunnison, Colorado | @          | Jonesy | OS/2    __
| 7,703' -- 2,345m   | config.com | DM68mn          SK