[SGVLUG] Who is that knocking on my ports?

Sean O'Donnell sean at seanodonnell.com
Tue Jan 13 12:21:39 PST 2009


Claude Felizardo wrote:
> On Mon, Jan 12, 2009 at 5:50 PM, John E. Kreznar <jek at ininx.com> wrote:
>
>> Another thing you can do is launch an nmap scan against the offending
>> address.  This has often enough led to prompt cessation of the attack
>> that I think it's actually sometimes noticed on the other end in real
>> time.
>
> What if that host is at a government facility that doesn't know they have been
> compromised yet but that port scan from you would definitely get their
> attention.
I think in such a case, they may or may not notice. Chances are, if they
didn't notice the break-in, they won't notice the port scan, as it
probably took a few port scans to establish a break-in point, depending
on how they broke in. Regardless, though, if the nmap scan does draw
their attention, then it may also allow them to notice the break-in,
which should be of more concern to them.

I've noticed attacks on my home network and done the same thing, which
sometimes promptly ends the attacks. I assume those attacks were
manually run attacks, and noticeable on the other end, although that is
not always the case.

The good thing about nmap'ing back is it sometimes reveals whether or
not the machine is a proxy server being hijacked remotely by the
attacker, or if it's the attacker's machine directly. I've found often
it appears to be hijacked Russian and Chinese proxy systems.

There are quite a number of "bots" that run 24/7 trying to brute-force
crack SSH server accounts, and a lot of the time, they too run on these
hijacked machines, either through some IRC botnet, or some other
automated (XSS-injected) script.

When configuring an SSH Server, the 1st thing should always be disabling
'root' login access and running sshd on a non-standard port. Most of the
"bots" that run autonomously (usually) only attack port 22, therefore they are
easily defeated.
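
As an added example (not from the original thread), a small Python script that applies both halves of the advice above from the defender's side: it counts failed SSH logins per source address from auth.log lines, to spot the brute-forcing bots the post describes, and checks an sshd_config excerpt for the two settings the post names (root login and the listening port). The log lines, hostnames, addresses and the config excerpt are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format; the addresses are
# documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Jan 13 11:02:01 gw sshd[4012]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 13 11:02:03 gw sshd[4012]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 13 11:02:05 gw sshd[4013]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Jan 13 11:02:09 gw sshd[4015]: Failed password for invalid user oracle from 198.51.100.23 port 40001 ssh2
Jan 13 11:05:44 gw sshd[4020]: Accepted publickey for sean from 192.0.2.10 port 55000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def failed_logins_by_source(log_text):
    """Return {ip: {'total': n, 'root': n, 'users': set()}} for failed SSH logins."""
    stats = defaultdict(lambda: {"total": 0, "root": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                      # accepted logins and other noise are ignored
        entry = stats[m["ip"]]
        entry["total"] += 1
        entry["users"].add(m["user"])
        if m["user"] == "root":
            entry["root"] += 1
    return dict(stats)

def likely_bots(stats, threshold=3):
    """Source addresses with at least `threshold` failures (threshold is a constructed choice)."""
    return sorted(ip for ip, s in stats.items() if s["total"] >= threshold)

# Constructed sshd_config excerpt: root login allowed, port left at the default.
SAMPLE_SSHD_CONFIG = "# Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"

def audit_sshd_config(text):
    """Findings for the two settings the post recommends changing."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a commented-out line means the default applies
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    if settings.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not set to 'no'")
    if settings.get("port", "22") == "22":   # sshd listens on 22 unless Port says otherwise
        findings.append("sshd listens on default port 22")
    return findings
```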
