Saturday
HOW HACKERS HACK YOUR NETWORK-4
Port 6588 can mean a few different things. The scanner may be looking for a remote-access Trojan that listens on that port: if the probe gets the Trojan's characteristic response, the attacker knows they've found an already infected system. Port 6588 is also used by a proxy server (which we won't describe here) with a recently published bug. That bug is easy to exploit and gives the attacker remote access to the system running the proxy software.
The hacker's scanning tool reports which service is actually answering on port 6588, so they know which tool to use against it.
The second line in our log above comes from Africa. Port 5900 is VNC, which many, many system administrators use to connect to a system remotely and perform maintenance on it. VNC has had several exploits, and one just last year let the attacker take remote control of a system running VNC without having to crack any passwords!
Line 3 is our friend from China back again, on the same port. They must be trying several exploits against it. Maybe they know something the general security community isn't aware of yet.
Line 4 shows a new source IP address. This one is from Korea, and notice it's scanning port 2967. That is the port Symantec's antivirus client listens on for management and update traffic. There is a known exploit that lets remote attackers execute arbitrary code through it; the attack vector was never publicly detailed. When hackers find this port open, they know exactly which exploit to try. In other words, the security software that is supposed to protect the system becomes the way in, because of a software bug.
It could also be that there is a new "hole" in Symantec's software that hackers know about and Symantec doesn't. The previous hole was patched, so either the hackers are hunting for installations that still haven't been patched, or they know of a new hole and are looking for systems to infect.
Without reviewing your logs, you have no idea what is trying to get into your network.
Without a properly configured firewall, this type of attack would get straight through. This happens to be a firewall we configured, so we knew about ports like this one and blocked outside access to it, because this client does not use Symantec products.
When talking security with a business owner, I always ask, "When was the last time your network was scanned for openings?" They usually respond, "Never." To which I reply, "Oh, you're wrong there. You've been scanned; you just don't know by whom!"
Regular scans of your network show you what the hackers see when they look at it. It's a simple process and should be performed at least once a month, with the results presented to you in a readable, understandable report.
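Here is what such a scan boils down to, as an added example written for this post rather than code from it: a plain TCP connect scan of a set of ports, followed by the comparison that matters month to month, namely which ports are newly open or newly closed since the last scan. Because it has to run on its own, it stands up a throwaway listener on 127.0.0.1 as the target; in real use you point it at your public address from a host outside your network, and only at systems you are authorised to scan. The "last month" baseline and the choice of port 1 as a port assumed closed are constructed for the demonstration.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports on host that accept a TCP connection.

    A connect() scan needs no privileges and shows exactly what an outsider
    can reach. It is noisy, which does not matter when you scan yourself.
    """
    def probe(port):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port
        except OSError:
            return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def compare_to_baseline(baseline_open, current_open):
    """The question a monthly scan should answer: what changed since last time?

    Returns (newly_open, newly_closed). Anything newly open is either a change
    you made on purpose or an opening you did not know about.
    """
    baseline_open, current_open = set(baseline_open), set(current_open)
    return sorted(current_open - baseline_open), sorted(baseline_open - current_open)


def demo():
    """Scan a throwaway localhost listener so the example has a real target.

    Port 1 is included as a port assumed to be closed (constructed input).
    The 'last_month' baseline is likewise constructed for the example.
    """
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        listener.listen(5)
        open_port = listener.getsockname()[1]
        found = tcp_connect_scan("127.0.0.1", [1, open_port])
    last_month = [open_port, 2967]        # pretend 2967 was open last time
    return open_port, found, compare_to_baseline(last_month, found)


if __name__ == "__main__":
    port, found, (opened, closed) = demo()
    print(f"listener on {port}; open ports found: {found}")
    print(f"newly open since baseline: {opened}; newly closed: {closed}")
```

The baseline comparison is the part worth keeping: a one-off scan tells you what is open today, but the diff against last month's result is what turns "scan at least monthly" into something a business owner can act on.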
What to Do Next
The first thing to do is check your firewall and make sure it is logging all activity, not just what it blocks.
Then your job is to start reviewing those logs every day, or at a bare minimum once a week.
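What that review looks like in practice, as an added example that is not code from this post: the log lines are parsed, each blocked probe is tagged with what the post says scanners want from that port, repeat sources are pulled out, and anything the firewall actually accepted is listed separately. This serves both the line-by-line reading of the log above and the weekly review recommended here. The sample log is constructed, in netfilter-style key=value format (an assumption; the post does not say which firewall produced its log), with addresses from the RFC 5737 documentation ranges rather than the post's real sources, and with no country lookup since that needs an external database. The `services_in_use` parameter is the example's own way of saying which of those ports your network really runs, like the Symantec port the post's client did not use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the post). FW-DROP / FW-ACCEPT are
# assumed log prefixes for blocked and allowed inbound connections.
SAMPLE_LOG = """\
Mar 12 03:14:07 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=4312 DPT=6588 SYN
Mar 12 03:16:22 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=60011 DPT=5900 SYN
Mar 12 03:21:40 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=4388 DPT=6588 SYN
Mar 12 03:30:05 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.10 PROTO=TCP SPT=52873 DPT=2967 SYN
Mar 12 03:30:06 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.10 PROTO=TCP SPT=52874 DPT=2967 SYN
Mar 12 03:45:19 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=41002 DPT=443 SYN
"""

# What a probe to each port is usually after, as described in the post.
# Extend this with the services your own network exposes.
PORT_NOTES = {
    6588: "remote-access Trojan listener, or the proxy server bug",
    5900: "VNC remote control; past exploit gave control without a password",
    2967: "Symantec antivirus client port; known remote code execution exploit",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>FW-\w+) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"(?:SPT=(?P<spt>\d+) )?(?:DPT=(?P<dpt>\d+))?"
)


def parse(log_text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["dpt"] = int(d["dpt"]) if d["dpt"] else None
        events.append(d)
    return events


def triage(events, services_in_use=frozenset()):
    """Summarise a week of inbound traffic the way a log review should.

    Dropped probes are grouped by destination port and annotated; probes at a
    port you actually run are marked 'patch-check' because the attacker is
    hunting software you have, even though the firewall stopped this one.
    Accepted inbound connections are returned separately: those reached
    something and always deserve a look.
    """
    by_port = Counter()
    sources_per_port = defaultdict(set)
    hits_per_source = Counter()
    accepted = []
    for e in events:
        if e["dpt"] is None:            # e.g. ICMP, no port to triage
            continue
        if e["action"] == "FW-ACCEPT":
            accepted.append((e["src"], e["dpt"]))
            continue
        by_port[e["dpt"]] += 1
        sources_per_port[e["dpt"]].add(e["src"])
        hits_per_source[e["src"]] += 1

    findings = []
    for port, hits in by_port.most_common():
        findings.append({
            "port": port,
            "hits": hits,
            "sources": sorted(sources_per_port[port]),
            "note": PORT_NOTES.get(port, "no local note; look the port up before ignoring it"),
            "severity": "patch-check" if port in services_in_use else "blocked-noise",
        })
    repeat_offenders = sorted(src for src, n in hits_per_source.items() if n > 1)
    return {"findings": findings, "repeat_offenders": repeat_offenders, "accepted": accepted}


if __name__ == "__main__":
    report = triage(parse(SAMPLE_LOG), services_in_use={5900})
    for f in report["findings"]:
        print(f"port {f['port']}: {f['hits']} probe(s) from {f['sources']} "
              f"[{f['severity']}] {f['note']}")
    print("came back more than once:", report["repeat_offenders"])
    print("accepted inbound:", report["accepted"])
```

The point of the `services_in_use` split is the one the post makes about Symantec: a blocked probe at a port for software you don't run is noise, a blocked probe at a port for software you do run is a reminder to check it is patched, and an accepted connection is never noise.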
Some routers have the firewall "built in". I've often found these very limited in what they can protect against, and even more limited in their logging: typically they show only what was blocked, so you never see what they let through.
These router/firewalls often have an option to email the logs to someone when the log buffer fills up. That's a useful feature, as you can direct them to someone who will (should) review them in detail and tell you about any entries to be concerned about.
If your firewall doesn't provide the level of detail described in this article, you should seriously consider upgrading. You can keep your existing router; just turn off its firewall feature and buy a dedicated firewall.
Then you'll know what the hackers know about your network.