Are you being hacked: Results of one week of home HoneyPot data.
In early April, I installed a honeypot on my home network for a period of one week. My home network is connected to the Internet using the cable modem service provided by Videotron, a large ISP in Quebec. I was quite surprised to note that there were 12079 attempts to connect to or send attacks at my home computer network. A summary of my results is provided in the following table.
Summary of the results

| Date | Number of attempts |
| --- | --- |
| Sunday March 9th | 5221 |
| Monday March 10th | 989 |
| Tuesday March 11th | 1080 |
| Wednesday March 12th | 1144 |
| Thursday March 13th | 1580 |
| Friday March 14th | 963 |
| Saturday March 15th | 1102 |
| Total: | 12079 |

Table 1: summary of the results
What is a honeypot?
A honeypot, a name inspired by Winnie the Pooh, is a device that can be installed on a network to catch intruders. Purposely made to be enticing to an intruder or computer system cracker, it gives the impression that multiple TCP/IP ports are open on computers that can be reached through a network, in this case the Internet. Honeypots have basic intrusion detection capabilities built into them in order to collect information on the intrusion attempts. A honeypot can be viewed as a form of entrapment. The Open Source product I used to perform this test is HoneyBot, from Atomic Software Solutions (http://www.atomicsoftwaresolutions.com/). Please note that I have no connection to this company and found the product by doing a Google search.
So who is attacking me?
Interestingly, most of the traffic consisted of attempts to display Windows messages on my computer via ports 1026, 1027 and 1028. These messages were intended to get me to purchase registry cleaning software. A simple Google search indicates that this may be a form of Internet scam. There were also many attempts to connect to TCP/IP port 21, the port used by FTP servers. Other ports frequently accessed were 22, 1434, 2967, 5900, 8000 and 8555.
By doing a Whois lookup on the source IP addresses, I was able to find out that a large portion of the packets appeared to come from within Canada, through addresses allocated to Shaw Communications and COGECO. Based on my personal experience, I suspect that these originate from compromised computers acting as relays, also called zombies. However, I also identified a large number of attempts from China, South Korea and Iran. Attempts were made from France, the USA, China and Iran. Individuals in Iran and China made several attempts to connect to port 21 (FTP) on my honeypot.
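To turn raw honeypot records into the per-day and per-port counts that Table 1 and the port analysis above describe, here is an added Python example; it is not the article's or HoneyBot's own code, it assumes a simple "date time src_ip dst_port proto" line format, and it runs over constructed sample records.

```python
import re
from collections import Counter

# Constructed sample records (RFC 5737 documentation addresses); the
# "date time src_ip dst_port proto" layout is an assumption, not HoneyBot's.
SAMPLE_LOG = """\
2008-03-09 00:12:41 192.0.2.10 1026 udp
2008-03-09 00:12:42 192.0.2.10 1027 udp
2008-03-09 03:45:10 198.51.100.7 21 tcp
2008-03-10 09:01:05 203.0.113.5 21 tcp
2008-03-10 09:02:11 203.0.113.5 22 tcp
2008-03-10 14:30:00 198.51.100.7 5900 tcp
2008-03-11 02:15:33 192.0.2.77 1434 udp
garbage line that a parser must tolerate
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d{1,5}) (?P<proto>tcp|udp)$"
)
# Ports the article names (21 FTP, 1026-1028 pop-ups) plus well-known ones.
PORT_LABELS = {21: "FTP", 22: "SSH", 1434: "MS SQL browser", 5900: "VNC"}


def classify_port(port):
    """Label a destination port; 1026-1028 is the Windows Messenger pop-up range."""
    if 1026 <= port <= 1028:
        return "Windows Messenger pop-up spam"
    return PORT_LABELS.get(port, "unlabelled")


def parse_line(line):
    """Return (date, src_ip, port, proto), or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    return (m["date"], m["src"], int(m["port"]), m["proto"]) if m else None


def summarize(log_text):
    """Count attempts per day, per destination port and per source address."""
    per_day, per_port, per_src = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        date, src, port, _proto = rec
        per_day[date] += 1
        per_port[port] += 1
        per_src[src] += 1
    return per_day, per_port, per_src
```

Summing the per-day counter gives the weekly total that Table 1 reports, and `per_port.most_common()` with `classify_port` reproduces the ranking by port discussed above.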
Should you be concerned?
I think this should deeply concern all legitimate users of the Internet; I know it concerns me. This is potentially a big problem, which I reported to the Royal Canadian Mounted Police (RCMP) via their online fraud reporting service. They have not responded. I also complained to my ISP, Videotron, who has not responded to my email.
The following table provides a sample of some of the offending IP addresses.
Comments (10)
at 11:16 on April 7th, 2008
Thanks, quite interesting. What mischief can someone get up to once they've made it through a port?
at 11:19 on April 7th, 2008
maleger, frightening stuff - and kudos for taking the plunge! The BBC did a similar experiment a while back, I recall.
at 11:48 on April 7th, 2008
The mischiefs are varied. They can range from installing software or trojans, stealing personal information or data, and identity theft, to rendering my computers less efficient or forcing me to reinstall the operating system. As well, the intent of nations such as China or Iran can be detrimental to the national interests of Canada...
at 11:57 on April 7th, 2008
Update: 20 minutes after posting this article, Videotron (my ISP) has responded. They thank me for my letter of March 21st and for my recommendations. They assure me that they have a team to handle these types of situations. I guess I will have to follow up with them in a few weeks ;-)
Of course, the results have nothing to do with Videotron. I'm certain the same results would be seen in any such large network where many users are likely to be connected 24 hours a day, 7 days a week.
at 15:52 on April 7th, 2008
The important aspect of this is that a honeypot actually highlights your computer as vulnerable, so the results are meaningless for anyone not using a honeypot.
I use a firewall. I have tested this, and a hacker would not be interested in my computer because it does what any reasonable firewall program should do, that is, make your computer appear invisible. Hackers cannot see my computer, so no attempts are made.
I'm sure if I put on a honeypot and was waving about like a flower in the sun, then I would experience similar results.
The answer - use a good firewall (both hardware and software based) and don't install any programs that invite hackers!!
at 17:40 on April 7th, 2008
I am trialing this software; I also will report its findings to my ISP. Perhaps if we all did that we would help rid the Internet of these pests.
at 17:44 on April 7th, 2008
maleger, I like this story. It's good stuff.
at 18:46 on April 7th, 2008
I agree that implementing a firewall with proper policies, keeping it up to date and verifying the logs is an excellent way to mitigate your own risks. I also have a security architecture in place on my home network. In the case described in the article and as a teacher in IT security at a College and in a graduate University program, my interest was to see what is going on out there.
I feel that some of this stuff would, or should, interest my ISP. It certainly should help to convince my neighbours that they need to do like you and implement a firewall, or at least configure their router. If you look at another article I wrote on WiFi security, you may notice that some people do not seem to take any risk mitigation measures. These are the people I am trying to convince to reconsider their ways. Obviously you have already reached a higher level of IT security maturity.
By the way, I ran the honeypot in my DMZ.
at 18:44 on April 7th, 2008
Please note Matte's comments and my response before you go too far with this. It should be a part of a security architecture to implement a secure network, but other things are needed such as a properly configured router, a firewall, an anti-virus (up to date), and service patches loaded and up to date.
Other useful tools include an intrusion detection system, such as SNORT. Nessus and Microsoft Baseline Security Analyser (if you are on Windows) can also help by giving information on your vulnerabilities.
at 10:05 on January 19th, 2009
Plenty of good free firewalls are available for download; just make sure you have one, and don't trust the Windows firewall.