
Posted

I set up a server at home and often get requests from IIS servers that have been compromised by hackers. Is it worth contacting the ISP that owns the IP address?

Examples:

[pre]Interesting ports on h24-70-71-236.ed.shawcable.net (24.70.71.236):
(The 1610 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1080/tcp filtered socks
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite

Interesting ports on static24-72-39-161.reverse.accesscomm.ca (24.72.39.161):
(The 1613 ports scanned but not shown below are in state: closed)
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
12345/tcp filtered NetBus
12346/tcp filtered NetBus
27374/tcp filtered subseven
31337/tcp filtered Elite
54320/tcp filtered bo2k

Interesting ports on cdm-66-49-154-mnol.cox-internet.com (66.76.49.154):
(The 1608 ports scanned but not shown below are in state: closed)
Port State Service
111/tcp filtered sunrpc
119/tcp filtered nntp
135/tcp open loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
5000/tcp open UPnP
12345/tcp filtered NetBus
12346/tcp filtered NetBus
27374/tcp filtered subseven
31337/tcp filtered Elite

Interesting ports on ool-182e1229.dyn.optonline.net (24.46.18.41):
(The 1605 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp filtered http
113/tcp open auth
135/tcp filtered loc-srv
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
641/tcp open unknown
1025/tcp open NFS-or-IIS
1080/tcp filtered socks
3128/tcp filtered squid-http
5000/tcp open UPnP
6588/tcp filtered analogx
8080/tcp filtered http-proxy
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite

Interesting ports on ThePalace.cpe.mvllo.al.charter.com (24.196.2.94):
(The 1612 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp filtered smtp
113/tcp open auth
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
5000/tcp open UPnP
6667/tcp open irc
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite[/pre]

Note: I realize gryphon might be the only one who knows what I'm talking about. :D

Posted

Contacting an ISP in most cases of an attack or hacked computer has little or no effect as far as I know, unless you know the admin of that ISP or you are the admin of a considerable server. And even then small attacks are almost certain to be ignored if they didn't cause too much damage. Not to mention if the ISP is located in another country that doesn't have the best relations with yours.

If you know a computer has been compromised and is maintained by a home user, a direct email to the user usually has more effect if you'd like to let him know he has been hacked. Although you could appear stupid if it was him that attacked you and he wasn't hacked. If it's a corporate server, they will probably not listen [ most admins are jerks and take the credit for finding it out for themselves :- ] or send a standard reply email that they will look into it.

[ that's my experience with it anyway ]

Besides DDoS attacks [ about 4 a day, more in the weekends ] the biggest one I ever logged is a so called SMURF attack. And although they are pretty serious, there is not much you can do about them besides putting up your own firewalls and such.

[ Officially you could take them to court. .. ]

The examples are traces from your side to the IPs showing up in your logs? Besides a few badly configured servers with open NetBIOS ports, a possible open Back Orifice port on 31337 and some filtered 12345 ports which could lead to a remote access vulnerability or a certain type of anti-virus software [ not to mention the guy running a Squid proxy server on a Microsoft product together with an AnalogX proxy server, which is weird to say the least ], there should be other indications that those servers are hacked. An open port doesn't mean it is in use for that function.

Below is an example of what you can expect to get on a webserver on a daily basis. IPs are taken out so the only thing visible is the request they made and the response from the IIS server. Usually just an indication of a 14-year-old with too much time on his hands ;)

[pre]~/scripts/root.exe 404 123 320 72 10 HTTP/1.0 www - - -
~/MSADC/root.exe 404 123 320 70 0 HTTP/1.0 www - - -
~/c/winnt/system32/cmd.exe 404 123 320 80 0 HTTP/1.0 www - - -
~/d/winnt/system32/cmd.exe 404 123 320 80 0 HTTP/1.0 www - - -
~/scripts/..%255c../winnt/system32/cmd.exe 404 123 320 96 0
~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 320 117 0 HTTP/1.0 www - - -
~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 404 123 320 117 0 HTTP/1.0 www - - -
~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe 404 123 320 145 0 HTTP/1.0 www - - -
~/scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 320 97 10 HTTP/1.0 www - - -
~/scripts/..%c0%2f../winnt/system32/cmd.exe 404 123 320 97 10 HTTP/1.0 www - - -
~/scripts/..%c0%af../winnt/system32/cmd.exe 404 123 320 97 0 HTTP/1.0 www - - -
~/scripts/..%c1%9c../winnt/system32/cmd.exe 404 123 320 97 0 HTTP/1.0 www - - -
~/scripts/..%%35%63../winnt/system32/cmd.exe 404 123 320 98 10 HTTP/1.0 www - - -
~/scripts/..%%35c../winnt/system32/cmd.exe 404 123 320 96 0 HTTP/1.0 www - - -
~/scripts/..%25%35%63../winnt/system32/cmd.exe 404 123 320 100 0 HTTP/1.0 www - - -
~/scripts/..%252f../winnt/system32/cmd.exe 404 123 320 96 0 HTTP/1.0 www - - -[/pre]

So in short: contacting an ISP if one of their customers is misbehaving, I wouldn't. And I'm not sure at this point how you have separated the IIS servers that have been hacked from the ones just making requests. [ given that a "request" can be the owner himself trying to hack you, and the examples you gave are port scans from you to the IPs showing up in your logs ]

And although an open port 31337 is an almost dead giveaway that the system has been hacked, unless you know it is in use for that function it can be a practical joker who has assigned that port for a webserver to listen on.

Contacting the ISP to report an infected customer will most likely result in the ISP claiming their customers are responsible for their own security.

Hope it clarifies a bit :)
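Added here as an example (not code from any poster): a small Python script that decodes request paths like the ones in the log above, including the double-encoded %255c and overlong UTF-8 %c0%af / %c1%1c forms, and tallies traversal attempts per client IP so scanning hosts stand out from normal visitors. The log layout and all IP addresses are constructed for the demo.

```python
import re
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample, same field layout as the IIS excerpt above but with a
# client IP prepended so hits can be counted per source. Values are invented.
SAMPLE_LOG = """\
10.0.0.5 /scripts/root.exe 404 123 320 72 10 HTTP/1.0 www - - -
10.0.0.5 /scripts/..%255c../winnt/system32/cmd.exe 404 123 320 96 0 HTTP/1.0 www - - -
10.0.0.5 /scripts/..%c1%1c../winnt/system32/cmd.exe 404 123 320 97 10 HTTP/1.0 www - - -
10.0.0.9 /index.html 200 123 320 50 0 HTTP/1.0 www - - -
10.0.0.9 /images/logo.gif 200 123 320 60 0 HTTP/1.0 www - - -
10.0.0.7 /scripts/..%%35%63../winnt/system32/cmd.exe 404 123 320 98 10 HTTP/1.0 www - - -
"""

# Overlong / malformed UTF-8 byte pairs that old IIS builds decoded as a slash.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x2f": b"/", b"\xc1\x1c": b"\\", b"\xc1\x9c": b"\\"}
TRAVERSAL = re.compile(r"(^|/)\.\./")
TARGETS = ("cmd.exe", "root.exe")

def normalize_path(raw: str) -> str:
    """Decode a path the way a permissive server would: percent-decode until
    stable (so %255c -> %5c -> \\ and %%35%63 -> %5c -> \\), map the overlong
    byte pairs to slashes, then fold backslashes to forward slashes."""
    data = raw.encode("latin-1")
    for _ in range(3):                      # bounded, in case of pathological input
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for seq, rep in OVERLONG.items():
        data = data.replace(seq, rep)
    return data.replace(b"\\", b"/").decode("latin-1")

def classify(path: str) -> Optional[str]:
    """Label a request: traversal aimed at a shell binary, a bare probe for
    one, or None for ordinary traffic."""
    norm = normalize_path(path).lower()
    if norm.endswith(TARGETS):
        return "traversal-to-shell" if TRAVERSAL.search(norm) else "shell-probe"
    return None

def scan_log(text: str) -> dict:
    """Return {client_ip: {label: count}} for flagged requests only."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        label = classify(fields[1])
        if label:
            hits[fields[0]][label] += 1
    return {ip: dict(c) for ip, c in hits.items()}

if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, counts)
```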

Posted

Just a note: if the same IPs are constantly showing up you could just make an IPChains rule for it sending all incoming traffic from that IP to DEVNULL.

Posted

Ya, it's just my Apache logs I'm looking through. I set up a FreeBSD server on an old P100 to test out, and since there isn't much real traffic the odd stuff stands out. It's pretty much random so I suspect it's probably just an exploited computer looking for more, not anything on the level of an attack though.

Too much work for me to contact all the ISPs though, so I won't bother. Don't the ISPs check their customers though? Seems like an easy thing to do but I guess most probably don't care.

Posted

Taking your server off port 80 and locating it somewhere else can also help it go unnoticed by those random scans. The only extra thing you need to do is change any domain name linked to it or a possible shortcut you give away to friends.

Mine has been on port 1480 for a very long time.

If FreeBSD also works with a host.deny file, make sure you have edited them [ hosts / host.allow / host.deny ] properly. It's not much of a security plan but it's simple and works; it would be a shame not to use it.
