Internet Security, Be Serious!
An Internet intruder attacked the firewall of our office today. I had read about such attacks, but this was the first one I had seen for real. Not to mention that I was quite thrilled while handling it.
After a thorough investigation I managed to find that initially some automated robot on the Internet attempted to connect with random combinations of usernames and passwords. While doing so, it managed to crack the weak password of a non-root user. Then, after some time, someone from another location on the Internet connected with the same user and managed to perform critical tasks. The attacker replaced many system commands with his own binaries, deleted logs, installed packet sniffers, stopped syslog, installed his own version of the ssh server and did many things of that kind. Even when I connected to the machine over ssh, it managed to sniff my root password. While looking around I found my sniffed root password in a text file. I tried deleting it immediately, but the intruder was too smart: he had replaced the rm command as well. As an immediate rescue I managed to cat /dev/null into the sniffed log file.
My traceroute results showed that the automated robot which initially cracked the password was in Chile (South America), and that later somebody connected from either Taiwan or Australia. To my surprise, I later found that one of the binaries installed by the intruder had established a continuous connection to a server in Switzerland. All these results reveal that the attacker was a mastermind. My conclusion is that he already had many machines on the Internet under his control and connected to our machine through a few of those. If I had not detected it, he might have started using our machine to intrude elsewhere on the Internet.
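The two-stage pattern described above (a password-guessing bot that finally gets in as a non-root user, then a second address logging in with the same account hours later) is something you can pick out of the sshd log before the attacker has stopped syslog. The script below is an added example, not code from the original post: it parses OpenSSH-style syslog lines, flags any address whose failures reach a threshold and which then gets an "Accepted" login, and then looks for later successful logins to that account from a different address. The log lines are constructed for the example and use documentation IP ranges; the threshold of three failures and the log format are assumptions.

```python
"""Added example (not from the original post): spot the two-stage pattern the
post describes in sshd log lines: an IP that fails many logins and then gets
an "Accepted password" for a non-root user, followed later by a successful
login for the same user from a different IP.  The log lines below are
constructed for the example; the IPs are documentation ranges, not the real
attackers."""
import re
from collections import defaultdict

# Constructed sample of syslog-style sshd lines (not a real log).
SAMPLE_LOG = """\
Mar  3 02:11:04 fw sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 40211 ssh2
Mar  3 02:11:06 fw sshd[2202]: Failed password for root from 203.0.113.45 port 40212 ssh2
Mar  3 02:11:09 fw sshd[2203]: Failed password for bob from 203.0.113.45 port 40213 ssh2
Mar  3 02:11:11 fw sshd[2204]: Failed password for bob from 203.0.113.45 port 40214 ssh2
Mar  3 02:11:13 fw sshd[2205]: Failed password for bob from 203.0.113.45 port 40215 ssh2
Mar  3 02:11:15 fw sshd[2206]: Accepted password for bob from 203.0.113.45 port 40216 ssh2
Mar  3 09:40:02 fw sshd[3410]: Accepted password for bob from 198.51.100.7 port 51022 ssh2
Mar  3 10:02:17 fw sshd[3502]: Accepted publickey for alice from 192.0.2.10 port 52000 ssh2
"""

# Matches the OpenSSH auth messages; "invalid user" is optional because sshd
# adds it only for accounts that do not exist.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Yield (result, user, ip) tuples from lines that look like sshd auth events."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def find_password_guessing(events, threshold=3):
    """Return {ip: set(users)} for IPs whose failure count reached `threshold`
    (assumed value) and which afterwards got an Accepted login: a likely
    cracked password rather than a user mistyping once or twice."""
    failures = defaultdict(int)
    cracked = defaultdict(set)
    for result, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            cracked[ip].add(user)
    return dict(cracked)


def find_followup_logins(events, cracked):
    """Return (user, ip) for successful logins to a cracked account from an IP
    other than the one that cracked it: the 'someone else came back later'
    stage of the incident."""
    cracked_users = {u for users in cracked.values() for u in users}
    hits = []
    for result, user, ip in events:
        if result == "Accepted" and user in cracked_users and ip not in cracked:
            hits.append((user, ip))
    return hits


def analyse(log_text, threshold=3):
    """Run both checks over one log text; returns (cracked, followups)."""
    events = list(parse(log_text))
    cracked = find_password_guessing(events, threshold)
    followups = find_followup_logins(events, cracked)
    return cracked, followups


if __name__ == "__main__":
    cracked, followups = analyse(SAMPLE_LOG)
    for ip, users in cracked.items():
        print(f"password guessing from {ip} succeeded for: {', '.join(sorted(users))}")
    for user, ip in followups:
        print(f"follow-up login as {user} from a different address: {ip}")
```

Run it against a copy of the log taken from the box, not the log on the box itself; as the post shows, once the intruder has stopped syslog and swapped binaries, nothing the compromised machine reports can be trusted, so a remote syslog target set up before the incident is the only copy worth analysing.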
You can imagine the level of this attack. It was fortunate that there was no real data on the firewall. It was just a dumb machine protecting the LAN, and it did its job. The lesson from this event is to be more cautious about security from now on. If you use your home PC to surf the net, then it is highly recommended to use a firewall. Being on the Internet without a firewall is like leaving your house open and going out to watch a film. You would probably never do that, so why do it with your Internet connection?
Don't forget: prevention is better than cure. It's better to act before it becomes too late to act.

