Friday, January 13, 2006

Decidedly unfriendly behavior


Our friends over at uscourts.gov have suddenly decided to be bad neighbors. After days of using nagios-plugins 1.4.2 to troll the blog every three minutes (which I don't mind, btw), they attempted a port scan on my web server (which I do mind). See the picture for the log of the event. I've blacklisted them from that server. Can any of you security guys out there venture a guess at what they were attempting?

--Doug

Comments:
Truly, an honest man has nothing to fear...... Now move along, nothing here to see...

Actually, the CIA has discovered that the LANL blog is a secret communications back channel to the terrorists and all our communications are now monitored.
 
Wrong org, Snake Lips. It ain't CIA; it's NSA.

...tap...tap...tap.tap...
 
You are assuming this particular machine has not been taken over by a bot/virus as a means of obfuscation. For all one would know, they could be clueless.
 
I am not assuming anything, merely reporting that a port scan was launched from that machine against one of mine.

-Doug
 
Doug,

The fact that this system is doing port scans strongly leans towards the "US Courts" system having some sort of viral infection. Port scans by outside systems are considered very unfriendly activity. In fact, if you do this from your PC at LANL to other LANL systems, you will quickly have your IP account de-activated by the network administrators. Seems as if some system administrators over at DOJ aren't doing their jobs. Let's hope that no dangerous leaks of info are also happening with this same DOJ-owned computer.
 
Update:

I was put in touch with one of the IT folks at the US DOJ, who promised to look into this.

-Doug
 
Doug,
For those of us unblessed with an advanced degree in computer science, could you explain what a "port scan on a web server" is? What significance does it have?

Signed,
stupid ignorant chemist
 
Bernie:

Let's turn to our old friend, wikipedia.com:

http://en.wikipedia.org/wiki/Port_scan

Bottom line, port scanners are what hackers use to figure out how to break into a target computer.

-Doug

"A port scanner is a piece of software designed to search a network host for open ports. This is often used by administrators to check the security of their networks and by hackers to compromise it.

The protocol stack that is most common on the Internet today is TCP/IP. In this system, hosts are referenced using two components: an address and a port number. There are 65535 distinct and usable port numbers. Most services use a limited range of numbers; these numbers eventually become assigned by the IANA when the service becomes important enough.

Some port scanners only scan the most common, or most commonly vulnerable, port numbers on a given host. See: List of well-known ports (computing).

The result of a scan on a port is usually generalized into one of three categories:

* Accepted or Open: The host sent a reply indicating that a service is listening on the port.
* Denied or Closed: The host sent a reply indicating that connections will be denied to the port.
* Dropped or Blocked: There was no reply from the host.

Open ports present two vulnerabilities of which administrators must be wary:

1. Security and stability concerns associated with the program responsible for delivering the service.
2. Security and stability concerns associated with the operating system that is running on the host.

Closed ports only present the latter of the two vulnerabilities that open ports do. Blocked ports do not present any reasonable vulnerabilities. Of course, there is the possibility that there are no (yet) known vulnerabilities in either the software or operating system.

The information gathered by a port scan has many legitimate uses, including the ability to verify the security of a network. Port scanning can however also be used by those who intend to compromise security. Many exploits rely upon port scans to find open ports and send large quantities of data in an attempt to trigger a condition known as a buffer overflow. Such behavior can compromise the security of a network and the computers therein, resulting in the loss or exposure of sensitive information and the ability to do work.

Many Internet service providers deny their customers the ability to perform port scans outside of their home networks. This is usually covered in the Terms of Service or Acceptable Use Policy to which the customer must have already agreed. Most public and private networks also place such limitations upon their users.

Port Scanners

* nmap is a popular port scanning tool for many platforms.
* Scanmetender Standard is a portscanner with Microsoft® Windows® XP style and many functions for beginners and professionals!
* Superscan is a popular port scanning tool for Microsoft Windows.
* Angry IP Scanner
* Unicornscan is an advanced port scanning tool for Unix-like systems.



Online Portscanner

* Sygate Online Scan extended security check (Stealth Scan, Trojan Scan)
* Planet Security Firewall-Check Fast, extended check, checks currently high-endangered ports
* Crucialtests concise, incl. advisor
* ShieldsUP (Gibson Research Corporation) Quick Scanner, clearly laid out
* DerKeiler's Port Scanner You can only scan your IP, useful when you are in an internet cafe with many restrictions.


See also

* Computer insecurity
* Secure computing
* Cracking
* TCP/IP
* Internet
"

 
Doug,

Port 65 is TACACS support. They must have turned on some other nagios or nessus module to see what it had open. Hopefully the DOJ SIRT team will be able to figure that out.
 
Thanks, GG. The big question, of course, is who was running the tool that did the scan: A DOJ employee, or somebody who was just "borrowing" their equipment.

Supposedly I will be getting an answer to that on Tuesday.

-Doug
 