What’s Travelling on the Wire (part 2)


Quite a while has passed since we started logging data about incoming attacks on an Internet-connected system and now we have gathered enough information to show the risks of exposing an unsecured computer on the Web.


Let’s start with some data about the attacks, first where they originate from and later, what they are trying to exploit:

[Chart: countries of origin of the attacks]

As you can see, there are some prevalent countries, but basically most of the attacks originate from either Europe or Asia. What are the attacks attempting to exploit? Here is a list of the attacked ports in order of prevalence.



For those less initiated in the mysteries of networking and services, here is a brief explanation of each port and the name of the associated service:

Port    Share of attacks   Service name
135     42.93%             Microsoft RPC Service
445     19.70%             Microsoft DS Service
139     11.11%             Netbios Session Service
23       5.68%             Telnet
1433     3.61%             Microsoft SQL Server
5900     3.50%             VNC Server
22       3.21%             SSH
25       3.07%             SMTP
4899     2.52%             Radmin
2967     1.37%             SSC Agent
8080     1.35%             http-proxy
10000    0.89%             this port is used by various software apps (Webmin, Sage, Veritas Backup, etc.)
21       0.51%             FTP
3128     0.31%             http-proxy
2968     0.23%             Symantec updates
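A table like the one above is produced by counting blocked inbound connections per destination port. The script below is an added example, not code from the original post or its authors: it parses firewall-style log lines, computes the per-port share and maps each port to the service names listed above. The log format, the sample lines, the 1434/UDP line and the helper names (parse_log, port_distribution, attacks_by_source, format_table) are constructed for this illustration.

```python
"""Added example (not from the original post): build a port-prevalence table
from inbound firewall log lines.  The log format, the sample lines and the
helper names are constructed for this illustration."""
import re
from collections import Counter

# Service names for the ports listed in the post's table.
SERVICE_NAMES = {
    135: "Microsoft RPC Service", 445: "Microsoft DS Service",
    139: "Netbios Session Service", 23: "Telnet", 1433: "Microsoft SQL Server",
    5900: "VNC Server", 22: "SSH", 25: "SMTP", 4899: "Radmin",
    2967: "SSC Agent", 8080: "http-proxy",
    10000: "various (Webmin, Sage, Veritas Backup, ...)", 21: "FTP",
    3128: "http-proxy", 2968: "Symantec updates",
}

# Constructed sample: "<date> <time> <action> <proto> <src> <dst> <dport>".
# Addresses are documentation ranges; the last line is deliberately malformed.
SAMPLE_LOG = """\
2008-11-02 10:00:01 DROP TCP 203.0.113.7 198.51.100.5 135
2008-11-02 10:00:03 DROP TCP 203.0.113.7 198.51.100.5 445
2008-11-02 10:00:05 DROP TCP 198.51.100.77 198.51.100.5 135
2008-11-02 10:00:09 DROP TCP 192.0.2.44 198.51.100.5 139
2008-11-02 10:00:12 DROP TCP 192.0.2.44 198.51.100.5 135
2008-11-02 10:00:15 DROP TCP 192.0.2.9 198.51.100.5 23
2008-11-02 10:00:18 DROP TCP 203.0.113.200 198.51.100.5 1433
2008-11-02 10:00:20 DROP TCP 203.0.113.200 198.51.100.5 135
2008-11-02 10:00:25 ALLOW TCP 192.0.2.1 198.51.100.5 22
2008-11-02 10:00:30 DROP UDP 192.0.2.9 198.51.100.5 1434
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>DROP|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (action, proto, src, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["action"], m["proto"], m["src"], int(m["dport"])


def port_distribution(text, blocked_only=True):
    """Rows of (port, count, percent, service) ordered by prevalence.
    With blocked_only=True only DROPped (unsolicited) connections count,
    which is what an 'attack' means in the table above."""
    counts = Counter()
    for action, _proto, _src, dport in parse_log(text):
        if blocked_only and action != "DROP":
            continue
        counts[dport] += 1
    total = sum(counts.values())
    if total == 0:
        return []
    return [
        (port, n, round(100.0 * n / total, 2), SERVICE_NAMES.get(port, "unknown"))
        for port, n in counts.most_common()
    ]


def attacks_by_source(text, blocked_only=True):
    """Counter of blocked connections per source address: the 'where do they
    come from' half of the post, before any GeoIP lookup."""
    return Counter(
        src for action, _proto, src, _dport in parse_log(text)
        if not blocked_only or action == "DROP"
    )


def format_table(rows):
    """Render rows in the same three-column layout as the post's table."""
    out = [f"{'Port':<7}{'Share':<9}Service name"]
    for port, _n, pct, service in rows:
        out.append(f"{port:<7}{pct:>6.2f}%  {service}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_table(port_distribution(SAMPLE_LOG)))
    print(attacks_by_source(SAMPLE_LOG).most_common(3))
```

Ports that are not in the post's list (the 1434/UDP line in the sample) show up as "unknown", which is exactly the row worth a second look; in the sample it happens to be the port SQL Slammer targets.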


Besides the “normal” attacks we’ve seen, the longest ones appear to be FTP dictionary-based attacks. These can take several minutes or more, as in some cases we’ve seen attacks with 10,000+ passwords.


Aside from the usual passwords (mostly common names/words) we’ve seen birthdates, comic book/movie characters (anyone fancy Batman, Spiderman or Shrek? 😀) and even Internet browser names as passwords. Of concern for some admins, commonly used passwords like “q1w2e3r4” were also in the lists.
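Dictionary runs like the ones described above stand out in an FTP server's log as a long, steady stream of failed logins from one source. The script below is an added example, not code from the original post or its authors: it flags sources with many failures inside a sliding time window and reports how long each run lasted. The log format, the constructed sample lines and the function names (build_sample_log, detect_dictionary_attacks) are assumptions of this illustration.

```python
"""Added example (not from the original post): flag FTP dictionary attacks in
FTP server log lines and report how long each run lasted.  The log format,
the sample lines and the function names are constructed for this illustration."""
import re
from collections import deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) "
    r"(?P<result>FAIL|OK) LOGIN user=(?P<user>\S+)$"
)


def build_sample_log():
    """Constructed sample: one source fails a login every 6 seconds for about
    five minutes (a dictionary run); another mistypes twice and then succeeds."""
    start = datetime(2008, 11, 3, 2, 15, 0)
    lines = [
        f"{start + timedelta(seconds=6 * i):%Y-%m-%d %H:%M:%S} "
        f"203.0.113.9 FAIL LOGIN user=admin"
        for i in range(50)
    ]
    lines += [
        "2008-11-03 02:16:40 192.0.2.20 FAIL LOGIN user=bob",
        "2008-11-03 02:16:55 192.0.2.20 FAIL LOGIN user=bob",
        "2008-11-03 02:17:10 192.0.2.20 OK LOGIN user=bob",
    ]
    return "\n".join(sorted(lines))  # fixed-width timestamps sort chronologically


def detect_dictionary_attacks(text, threshold=10, window=timedelta(seconds=60)):
    """Return {src: stats} for each source with at least `threshold` failed
    logins inside any `window`.  Lines must be in time order.  stats holds the
    total failures, first/last failure time, duration in seconds, the peak
    failures seen inside one window and the user names tried."""
    state = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        s = state.setdefault(m["src"], {"failures": 0, "first": ts, "last": ts,
                                        "peak_in_window": 0, "users": set(),
                                        "_recent": deque()})
        s["failures"] += 1
        s["last"] = ts
        s["users"].add(m["user"])
        recent = s["_recent"]
        recent.append(ts)
        while ts - recent[0] > window:  # drop failures older than the window
            recent.popleft()
        s["peak_in_window"] = max(s["peak_in_window"], len(recent))
    alerts = {}
    for src, s in state.items():
        if s["peak_in_window"] >= threshold:
            alerts[src] = {
                "failures": s["failures"],
                "first": s["first"],
                "last": s["last"],
                "duration_s": (s["last"] - s["first"]).total_seconds(),
                "peak_in_window": s["peak_in_window"],
                "users": sorted(s["users"]),
            }
    return alerts


if __name__ == "__main__":
    for src, stats in detect_dictionary_attacks(build_sample_log()).items():
        print(src, stats["failures"], "failures over", stats["duration_s"], "s")
```

The threshold is deliberately per window rather than per day, so a user who mistypes a password a few times over an hour is not flagged, while a run of 10,000 guesses is caught within its first minute regardless of how long it goes on.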


As we mentioned in an earlier post, “spam messages” sent to the Windows Messenger Service are still used. Basically the domain changes but the idea is the same: trick the user into downloading unwanted software, as you can see below:

[Screenshot: Windows Messenger Service spam message]
As a surprise for us, we received attacks from the well-known SQL Slammer worm. After more than five years this SQL thingy is still lurking out there.


A more exotic attack was the one targeting VoIP and PBX services. Even though the number of attacks is low, it still raises concern. Most of them were just scans for services based on the SIP protocol using the SIPVicious tool suite.
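SIP scans of the kind just described are easy to spot in captured traffic: a sweep of OPTIONS probes against many extensions from one host, usually announcing a scanner User-Agent. The script below is an added example, not code from the original post or its authors. The "friendly-scanner" string is the User-Agent the SIPVicious tools send by default; the sample requests, the benign softphone/PBX traffic and the function names (make_request, parse_sip_request, classify_sip_scans) are constructed for this illustration.

```python
"""Added example (not from the original post): pick out SIP service scans of
the kind SIPVicious performs from (source address, raw request) pairs.  The
sample requests and function names are constructed; "friendly-scanner" is the
default User-Agent of the SIPVicious tools."""
import re
from collections import Counter, defaultdict

SCANNER_AGENTS = ("friendly-scanner", "sipvicious")


def make_request(src, method, user, host, user_agent):
    """Construct a minimal SIP request for the sample traffic below."""
    return (
        f"{method} sip:{user}@{host} SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-example\r\n"
        f"From: <sip:{user}@{host}>\r\nTo: <sip:{user}@{host}>\r\n"
        f"User-Agent: {user_agent}\r\nContent-Length: 0\r\n\r\n"
    )


PBX = "198.51.100.5"
# Constructed sample: an OPTIONS sweep over extensions 100..105, a softphone's
# periodic OPTIONS keepalive, a trunk REGISTER and one non-SIP datagram.
SAMPLE_REQUESTS = (
    [("203.0.113.50", make_request("203.0.113.50", "OPTIONS", str(100 + i),
                                   PBX, "friendly-scanner")) for i in range(6)]
    + [("192.0.2.30", make_request("192.0.2.30", "OPTIONS", "alice", PBX, "X-Lite")),
       ("192.0.2.30", make_request("192.0.2.30", "OPTIONS", "alice", PBX, "X-Lite")),
       ("192.0.2.80", make_request("192.0.2.80", "REGISTER", "trunk", PBX, "Asterisk PBX")),
       ("192.0.2.99", "not a sip message\r\n\r\n")]
)


def parse_sip_request(raw):
    """Return (method, request_uri, headers) with lower-cased header names,
    or None when the text is not a SIP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        return None
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            name, value = h.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def classify_sip_scans(requests, options_threshold=5):
    """Return {src: sorted reasons} for sources that look like scanners:
    a known scanner User-Agent, or OPTIONS probes to at least
    `options_threshold` distinct request URIs (an extension sweep)."""
    options_count = Counter()
    targets = defaultdict(set)
    reasons = defaultdict(set)
    for src, raw in requests:
        parsed = parse_sip_request(raw)
        if parsed is None:
            continue
        method, uri, headers = parsed
        agent = headers.get("user-agent", "").lower()
        if any(s in agent for s in SCANNER_AGENTS):
            reasons[src].add("scanner user-agent")
        if method == "OPTIONS":
            options_count[src] += 1
            targets[src].add(uri)
    for src, n in options_count.items():
        # many probes to many different URIs from one host = enumeration sweep;
        # a phone's keepalive repeats the same URI and is not flagged
        if n >= options_threshold and len(targets[src]) >= options_threshold:
            reasons[src].add("options sweep")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    print(classify_sip_scans(SAMPLE_REQUESTS))
```

The distinct-URI condition matters: legitimate endpoints also send OPTIONS, but to one URI over and over as a keepalive, so counting OPTIONS alone would flag every softphone on the network.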


None of the RPC traffic we observed tried taking advantage of the recent issue described in Security Bulletin MS08-067. In case you haven’t already done so, you can read more about this issue here.


To conclude, it is important for users connected to the Internet to have really strong passwords in key places, keep all software up to date, and have a good security application installed (Windows Live OneCare and Forefront seem like a good idea, right? :D).


Andrei Saygo && Patrik Vicol
