Cybercrooks' Business Methods

Wed Nov 26 15:43:00 -0800 2008
Last editor: Alan

The blackhats are getting craftier at how they go about making money off their illegal access and acquisition efforts on the web. One of the new trends is to compromise important servers, then use the data there to verify credit card numbers before using them.

It's a service the crooks sell to other fraudsters who don't trust that the stolen card numbers they're buying from someone else will actually work, and it's good business. And the link to the report: Symantec Report on the Underground Economy ed.z.: maybe they should patent their techniques...

Slightly OT: Hackers

Wed Nov 26 16:33:04 -0800 2008

I run three servers with various versions of NetBSD on them. The two more recent machines are getting the distributed dictionary attack. It loops through a list of Italian user names in alphabetical order. One node tries one name. Another node tries the next name in sequence, which is kind of creepy. A bit like having real zombies outside the house on a dark and stormy night. I have a list of 400 IP addresses which are involved in the attack. 400 is the maximum number of rules I am currently willing to put into pf, but that may change. I can post the list if anybody thinks it would help them.

The oldest machine seems to have an actual human attacking it. The attack comes from one IP address and only tries root. That approach will never work, but it has me worried. The big bad wolf is huffing and puffing and the roof is starting to sound dodgy.

I didn't like the off-the-shelf solutions for blocking hosts, so I wrote a script which gets the output from /var/log/authlog. It blocks hosts on the second try. I am spending a lot of time tweaking it, but the final issue will be how many hosts I want to block in total. I may have to bump that limit up to 1000 or so.
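As an added example (not the poster's script), here is one way to do what this post describes on a NetBSD box running pf: read authlog-style sshd lines, count failed logins per source address, and push every address with a second failure into a pf table. The table name sshbrute, the threshold, the allowlisted admin address and the sample log lines are all assumptions made for this example. A table rather than per-host rules also sidesteps the rule-count worry raised later in the thread: a single block rule references the table, and pfctl changes its membership at runtime without reloading the ruleset.

```shell
#!/bin/sh
# Added example (not the poster's script): count failed sshd logins per source
# address in authlog-style lines on stdin and feed repeat offenders into a pf
# table. Table name "sshbrute", the threshold, the allowlist and the sample
# log lines are assumptions made for this example.

THRESHOLD=${THRESHOLD:-2}          # block on the second failure, as in the post
ALLOW=${ALLOW:-"203.0.113.5"}      # never block these (your own admin hosts)

# offenders THRESHOLD ALLOWLIST  < authlog
# Prints, sorted, every source address with at least THRESHOLD failures that
# is not in the space-separated ALLOWLIST.
offenders() {
    awk -v limit="$1" -v allow="$2" '
        BEGIN { k = split(allow, a, " "); for (i = 1; i <= k; i++) skip[a[i]] = 1 }
        # sshd logs "Failed password for [invalid user] NAME from ADDR port N ssh2";
        # the source address is the token after "from"
        /sshd\[[0-9]+\]: Failed [^ ]+ for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit && !(ip in skip)) print ip }
    ' | sort
}

# Push the offender list into a pf table. One rule matches the whole table,
# so this scales far beyond a few hundred entries. Assumes /etc/pf.conf has:
#   table <sshbrute> persist
#   block in quick on $ext_if proto tcp from <sshbrute> to any port ssh
block_offenders() {
    offenders "$THRESHOLD" "$ALLOW" | while read -r ip; do
        pfctl -t sshbrute -T add "$ip"
    done
}

# Constructed sample in NetBSD authlog style (not real log data).
sample_authlog() {
    cat <<'EOF'
Nov 26 15:43:00 colo1 sshd[1201]: Invalid user mario from 192.0.2.10
Nov 26 15:43:00 colo1 sshd[1201]: Failed password for invalid user mario from 192.0.2.10 port 4321 ssh2
Nov 26 15:43:07 colo1 sshd[1203]: Failed password for root from 198.51.100.7 port 4402 ssh2
Nov 26 15:43:12 colo1 sshd[1205]: Failed password for alan from 203.0.113.5 port 50000 ssh2
Nov 26 15:43:20 colo1 sshd[1207]: Failed password for root from 198.51.100.7 port 4410 ssh2
Nov 26 15:43:24 colo1 sshd[1209]: Failed password for alan from 203.0.113.5 port 50001 ssh2
Nov 26 15:43:30 colo1 sshd[1211]: Accepted publickey for alan from 203.0.113.5 port 50002 ssh2
EOF
}

# Stand-alone run: show who would be blocked from the sample. Against a live
# box: offenders "$THRESHOLD" "$ALLOW" < /var/log/authlog, then block_offenders as root.
sample_authlog | offenders "$THRESHOLD" "$ALLOW"
```

Only "Failed ... for" lines are counted; the separate "Invalid user" line sshd writes for the same attempt is ignored so one attempt is not counted twice. The allowlist matters more than it looks: with a threshold of two, a mistyped password from your own workstation would otherwise land your address in the table, and on a colocated box that is a trip to the data centre.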

Slightly OT: Hackers
Wed Nov 26 17:13:25 -0800 2008

Why limit it at 1000?  Seems to me, depending on how you write it, that you might as well block all the zombies.  Given the number of computers now on the net, the chance of one of your legit users also being a zombie machine is small.

Or is it the processing power you're worried about?

Slightly OT: Hackers
Wed Nov 26 18:28:03 -0800 2008

Why limit it at 1000?

These systems are colocated in a data centre. I am trying to proceed cautiously. I don't actually know the impact on the kernel of having thousands of pf rules defined, particularly under load. I may have to go to thousands if this keeps up. Currently every zombie I am sure of is in the table but it increases by 100 every day.

Slightly OT: Hackers
Thu Nov 27 10:35:58 -0800 2008

I find Fail2ban works well. Most of the dictionary crackers give up once the server stops responding, so most of the attackers get blocked only once for 15 minutes and then I don't hear from them again.

I do have a few more persistent attackers in a permanent ban list upstream of the servers, though.