Tuesday, April 26, 2005

Current Events: Server Compromise

This past weekend I noticed a huge amount of traffic from one IP trying to break into my SSH server at home. After some investigation, I discovered that this IP had made over 1100 intrusion attempts. The attacker was a script-kiddie using a dictionary attack. I performed an aggressive nmap on the IP to discover the type of machine attacking me with the following command:
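The "over 1100 intrusion attempts" above are what a quick pass over the SSH daemon's auth log turns up. The following is an added example, not code from the original post: it counts failed password attempts per source IP in OpenSSH auth-log lines and flags sources above a threshold, which is how a dictionary attack like the one described stands out from an ordinary mistyped password. The log lines are constructed samples using documentation IP ranges, and the threshold of 5 is an assumed value for the demo.

```python
# Added example (not from the original post): flag SSH dictionary attacks by
# counting "Failed password" lines per source IP in OpenSSH auth-log output.
import re
from collections import Counter

# Constructed sample log lines in OpenSSH auth.log format. The addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Apr 23 02:14:11 home sshd[4121]: Failed password for invalid user oracle from 192.0.2.10 port 40122 ssh2
Apr 23 02:14:13 home sshd[4123]: Failed password for invalid user test from 192.0.2.10 port 40131 ssh2
Apr 23 02:14:15 home sshd[4125]: Failed password for root from 192.0.2.10 port 40140 ssh2
Apr 23 02:14:17 home sshd[4127]: Failed password for invalid user admin from 192.0.2.10 port 40151 ssh2
Apr 23 02:14:19 home sshd[4129]: Failed password for invalid user guest from 192.0.2.10 port 40162 ssh2
Apr 23 02:20:02 home sshd[4201]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Apr 23 02:31:44 home sshd[4233]: Failed password for alice from 198.51.100.7 port 51040 ssh2
"""

# Matches "Failed password for [invalid user] NAME from IP port N"; the optional
# "invalid user " prefix is what sshd logs for usernames that do not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def failed_logins_by_ip(log_text):
    """Return (attempts_per_ip, usernames_per_ip) for failed password attempts."""
    attempts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ip = m.group("ip")
        attempts[ip] += 1
        users.setdefault(ip, set()).add(m.group("user"))
    return attempts, users


def flag_dictionary_attacks(log_text, threshold=5):
    """Return [(ip, failed_count, sorted_usernames)] for IPs with at least
    `threshold` failures, highest count first. Many distinct usernames from one
    IP is the signature of a dictionary attack rather than a forgotten password."""
    attempts, users = failed_logins_by_ip(log_text)
    return [(ip, n, sorted(users[ip]))
            for ip, n in attempts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n, names in flag_dictionary_attacks(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins, {len(names)} distinct usernames tried: "
              f"{', '.join(names)}")
```

Run against a real `/var/log/auth.log` by reading the file into `flag_dictionary_attacks`; a single IP cycling through `oracle`, `test`, `admin`, `guest` and `root` in seconds is the pattern the post describes, while the one failure from `198.51.100.7` stays below the threshold.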

nmap -sS -sV -O -v -T5 'ip address'

After discovering that the IP had a tempting number of services available, in addition to several IRC servers running, I opened the web site that the server was hosting in Firefox. I was surprised to discover that the web site was an e-commerce site that belonged to a religious organization. Armed with this new information, I was convinced that the site had been compromised and that they needed to be informed. By looking up the whois data, I discovered that the server was hosted in the US and that there was a technical contact listed. I emailed the technical contact, as well as the root, abuse and info addresses at the domain in question, and informed them of the problem. I received a response a couple of hours later and the site was taken down for maintenance.

A couple of things I take away from this are that I can make a difference by being aware of what is happening to me and doing some minor investigating when an intrusion attempt occurs. Also, the whois data being public is essential for people like me, who care about the safety of others, to be able to inform server admins that they may have a problem with the integrity of their systems. Sorry about the lack of detail on the site, but I don't want to make them a target or give them any undue publicity.