Hacking Intlwaters.com?

TomMoorehouse

Guest
I was asked recently: do people actually try to hack into the intlwaters.com server? You bet they do! You should see some of our log files. Almost every day someone tries to access/hack our FTP server. ZoneAlarm does a great job of displaying hack attempts. I have recently started using a program called VisualZone. It is a free ZoneAlarm log file analyser. It is a very nice program. If you run ZoneAlarm you might want to check it out: http://www.visualizesoftware.com

I don't know how, but a hacker today was able to make the server hang because of an access attempt to the mysql daemon that was stopped by ZoneAlarm. Nothing bad came of it as ZoneAlarm stopped it. However, it did kill the main page and forum until I was able to clear and deny the access attempt with the ZoneAlarm alert dialog.

Here is a little bit from today's logfile with this attacker's IP:

I did send an abuse report email to the domain's technical contact.

Code:
IP address:  206.77.144.56


Unauthorized access attempts:

 NETBIOS Name Service
 Date & Time: 2002/10/31 22:10:00 (-8:00 GMT)
 Time Zone: Pacific Standard Time
 UDP from port 1783 to port 137
 Victim IP: 216.227.12.237

 NETBIOS Session Service
 Date & Time: 2002/10/31 22:10:02 (-8:00 GMT)
 Time Zone: Pacific Standard Time
 TCP (flags:S) from port 1806 to port 139
 Victim IP: 216.227.12.237

 MSFT DS, SMB Server Message Block
 Date & Time: 2002/10/31 22:10:02 (-8:00 GMT)
 Time Zone: Pacific Standard Time
 TCP (flags:S) from port 1816 to port 445
 Victim IP: 216.227.12.237

 RPC Remote Procedure Call
 Date & Time: 2002/10/31 22:10:02 (-8:00 GMT)
 Time Zone: Pacific Standard Time
 UDP from port 1801 to port 135
 Victim IP: 216.227.12.237

 NETBIOS Name Service
 Date & Time: 2002/10/31 22:10:04 (-8:00 GMT)
 Time Zone: Pacific Standard Time
 UDP from port 1801 to port 137
 Victim IP: 216.227.12.237

 NETBIOS Datagram Service
 Date & Time: 2002/10/31 22:10:04 (-8:00 GMT)
 Time Zone: Pacific Standard Time
 UDP from port 1801 to port 138
 Victim IP: 216.227.12.237

 MSFT DS, SMB Server Message Block
 Date & Time: 2002/10/31 22:10:04 (-8:00 GMT)
 Time Zone: Pacific Standard Time
 UDP from port 1801 to port 445
 Victim IP: 216.227.12.237


This individual attempted to access my computer 7 times.


ZoneAlarm personal firewall log entries:

type,date,time,source,destination,transport,count
FWIN,2002/10/31,22:10:00,-8:00,206.77.144.56,1783,216.227.12.237,137,UDP,1
FWIN,2002/10/31,22:10:02,-8:00,206.77.144.56,1806,216.227.12.237,139,TCP (flags:S),1
FWIN,2002/10/31,22:10:02,-8:00,206.77.144.56,1816,216.227.12.237,445,TCP (flags:S),1
FWIN,2002/10/31,22:10:02,-8:00,206.77.144.56,1801,216.227.12.237,135,UDP,1
FWIN,2002/10/31,22:10:04,-8:00,206.77.144.56,1801,216.227.12.237,137,UDP,1
FWIN,2002/10/31,22:10:04,-8:00,206.77.144.56,1801,216.227.12.237,138,UDP,1
FWIN,2002/10/31,22:10:04,-8:00,206.77.144.56,1801,216.227.12.237,445,UDP,1
 
The messages in the log you have posted are quite innocent. It is just where someone has not disabled their LAN settings for Windows shares etc. It is more a threat to them because they are advertising services on their P.C. that can be hacked into.

Mike Broad
 
Well that was just a small part of it... they were able to invoke remotely the mysql admin center???
 
Tom,

I may be way off the mark here but it looks to me like your Netbios is enabled to the "net". If this is the case, that is a very bad thing, as you know. If my observation is correct, I would look at your firewall rules and disable ports 137-139 to the internet.

If you want some ideas for security, I have EXCELLENT firewall rules that will make your server show up as stealth on all but the necessary ports.

Bryan Good
 
According to grc.com my netbios is stealth on the server. Anyways, over Thanksgiving I will be installing a SmoothWall Linux firewall for additional security.
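
Added example (not part of the original thread, and not output from ZoneAlarm or VisualZone): a small Python parser for rows in the layout of the log posted above, grouping blocked inbound packets by source and marking whether a source touched only the Windows networking ports discussed in the replies (135, 137-139, 445). The column names, the `kind` labels and the sample rows (documentation IP ranges) are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Ports labelled in the posted log: RPC 135, NetBIOS 137-139, SMB 445.
WINDOWS_NET_PORTS = {135, 137, 138, 139, 445}
# Column names are assumed from the row contents (the posted header names only 7).
FIELDS = ["type", "date", "time", "tz", "src", "sport", "dst", "dport", "transport", "count"]

# Constructed sample in the posted row layout, using documentation IP ranges.
SAMPLE = """\
FWIN,2002/10/31,22:10:00,-8:00,192.0.2.56,1783,198.51.100.7,137,UDP,1
FWIN,2002/10/31,22:10:02,-8:00,192.0.2.56,1806,198.51.100.7,139,TCP (flags:S),1
FWIN,2002/10/31,22:10:02,-8:00,192.0.2.56,1816,198.51.100.7,445,TCP (flags:S),1
FWIN,2002/10/31,22:10:02,-8:00,192.0.2.56,1801,198.51.100.7,135,UDP,1
FWIN,2002/10/31,22:10:04,-8:00,192.0.2.56,1801,198.51.100.7,138,UDP,1
FWIN,2002/10/31,22:41:17,-8:00,203.0.113.9,4021,198.51.100.7,3306,TCP (flags:S),3
not a log row
"""

def parse(text):
    """Yield one dict per well-formed blocked-inbound (FWIN) row; skip anything else."""
    for row in csv.reader(text.splitlines()):
        if len(row) != len(FIELDS) or row[0] != "FWIN":
            continue
        rec = dict(zip(FIELDS, row))
        try:
            rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y/%m/%d %H:%M:%S")
            rec["dport"], rec["count"] = int(rec["dport"]), int(rec["count"])
        except ValueError:
            continue  # malformed timestamp or number: not a usable row
        yield rec

def summarize(text):
    """Group blocked packets by source IP and label which services were touched."""
    by_src = defaultdict(list)
    for rec in parse(text):
        by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        ports = sorted({r["dport"] for r in recs})
        times = [r["when"] for r in recs]
        report[src] = {
            "packets": sum(r["count"] for r in recs),
            "ports": ports,
            "span_seconds": int((max(times) - min(times)).total_seconds()),
            "kind": "windows-networking" if set(ports) <= WINDOWS_NET_PORTS else "other-service",
        }
    return report
```

Calling `summarize()` on the text of a log in this layout returns one entry per source address; sources labelled `other-service` (for example a blocked connection to a database port) are the ones to review first.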
 