Avoiding and Reporting Port Attack Abuse
What is a port attack?
A port attack is when a 'hacker' or a malicious program attempts to
connect to a service port on your machine while you are online. The
problem is that whereas PC users have products such as Norton Anti
Virus to keep intruders out and to prevent viruses, the Amiga has no
such protection out of the box. What's more, for the whole time you
are online you are open to attack. Hackers normally use an ordinary
client such as 'Telnet' to connect to a port on your computer that
something is listening on. Worrying? Yes it is. If a backdoor is
listening, a hacker can gain access to your hard disks, steal
keyfiles (that are registered to you), mess with your
startup-sequence, format your hard disk and upload Trojans to your
Amiga.
What is a Trojan?
A trojan is a 'fake' program: a file that looks like something you
already trust, such as the Workbench 'Mount' command or
datatypes.library, but carries a hidden payload. The hacking group
'Digital Corruption' produced a 'fake' datatypes.library which
e-mailed your Miami configuration straight to the hackers. They could
then take your host IP and password, read your e-mail and use your
account as they pleased. Trojans run invisibly in the background and
open service ports on your computer so that the hacker can connect
back in. Use a task snooper such as SnoopDos or Scout to look at the
running tasks if you are suspicious.
If there is an executable file on your hard drive you do not
recognise, open it with a file zapper (NewZap, DPU, etc.). Most
Trojan writers take pleasure in signing their work, and the signature
is usually readable as plain text inside the file. If you are still
worried, run a good virus checker over your whole system partition.
What can I do to prevent attacks from Trojan viruses?
Download 'Safe' from Virus Support Denmark. It features a TCP/IP
Trojan detector: the moment a service port is opened by an infected
file, 'Safe' will warn you about it. It is not a virus killer; it
only informs you that a Trojan-infected file is active on your
machine.
What can I do to kill Trojan Viruses?
Download 'Virus Executor' from Virus Support Denmark along with
xvs.library (a freeware library which contains the 'brains' needed to
detect and kill them). You will also need xadmaster.library,
xfdmaster.library and xpkmaster.library together with their
sub-library packages installed. Once again, you can obtain all of
these from Virus Support Denmark.
So far I have discussed what service port attacks actually are and
what Trojan file viruses are, but the question remains: how do I
know if my machine is being attacked by hackers?
Logging Illegal Service Port Access:-
As far as MiamiDx goes, it is built like a brick sh*thouse, so there
is little need to deny access to particular service ports by hand.
If you are using Miami 3.2b, I strongly urge you to set the following
in the Database --> Services section of Miami:-
go to the 'Databases' menu
go to the 'Services' sub menu
in that section 'Add' an entry
in this entry type the following:
for Name put in: 'DCHack'
for ID put in: '1599'
for Protocol type: 'tcp'
then go to the sub menu called 'IP Filter'
click on 'Add'
in Protocol type '*'
in Service type 'DCHack'
in Host type '*.*.*.*'
leave Mask blank
in Access type 'n'
in Log type 'y'
save settings
This simple port blocker prevents Amiga hackers from issuing a DCHack
attempt on your computer. The IP Filter entry refers to the service
by name, so the port it actually blocks is whatever ID you gave the
'DCHack' service entry (1599 as entered above); make sure that number
is the port the DCHack backdoor really listens on, or the rule will
never match. A successful DCHack connection gives the hacker access
to your hard drives. As soon as a hacker attempts to open that port,
Miami (with logging set up as described later in this tutorial) will
pop up a shell window displaying the time and date of the attack,
the service port they tried to open and the hacker's IP address.
Now we will add some further protection against Amiga Nukes:-
To stop a nuke attempt on yourself:
Go to the Database section of Miami
Select the Services section
Double click on the two services with the name "Chargen" to disable
them.
Select the IP Filter
Enter the following lines if you do not have them:

No.  Protocol  Service  Host       Allow  Log
 1   *         DCHACK   *.*.*.*    N      Y
 2   *         19       *.*.*.*    N      Y
 3   *         137      *.*.*.*    N      Y
 4   *         138      *.*.*.*    N      Y
 5   *         139      *.*.*.*    N      Y
 6   *         *        127.0.0.1  Y      N
 7   *         12345    *.*.*.*    N      Y
 8   *         12346    *.*.*.*    N      Y
 9   *         20034    *.*.*.*    N      Y
10   *         27374    *.*.*.*    N      Y
11   TCP       AUTH     *.*.*.*    Y      N
12   *         *        *.*.*.*    Y      Y
13   *         $        *.*.*.*    Y      N

The lines are numbered from 1-13. Descriptions of what these entries
do are listed below:-
Line 1
Prevents the DCHack (see the beginning of this section).
Line 2
Prevents an Amiga nuke from working on your machine. Port 19 is
chargen, which is why the two Chargen services were disabled above.
Lines 3, 4 and 5
Prevent WinNuke and BREAK95 attempts on the NetBIOS ports 137-139.
These will not affect your machine, but it is nice to know when
someone is trying it.
Line 6
Your local (loopback) address is 127.0.0.1. This line lets your own
programs talk to your machine without filling the log. Keep it above
the catch-all lines 12 and 13 so that it is matched before they are.
Lines 7 and 8
Prevent and log NetBus attacks (NetBus listens on 12345 and 12346 by
default).
Lines 9 and 10
Prevent and log attempts on ports 20034 and 27374. Port 27374 is
registered as TCP 'asp' (Address Search Protocol), but in practice
these two are the default ports of the NetBus 2 Pro and SubSeven
backdoors, and I get lots of attempts on them.
Line 11
Allows TCP AUTH (ident) requests, which some servers make before they
will talk to you.
Line 12
Allows and logs ALL other requests.
Line 13
Allows all remaining ports to be accessed without generating a log
entry.
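To see how the table above behaves, here is a small model of it as an added example (this is not code from Miami or from the original tutorial). It assumes the filter is evaluated top to bottom with the first matching line deciding, that numeric Service entries are port numbers, that named entries ('DCHACK', 'AUTH') are resolved through the Services database (with 'DCHack' on 1599 as entered above), and that '*' and '$' in the Service column match anything. The connections fed to it are constructed for the example.

```python
"""Model of the Miami IP Filter table from the tutorial (added example)."""

# Services database: name -> (protocol, port). 'DCHACK' is the entry
# added in the Services step above; 'AUTH' is the standard ident port.
SERVICES = {
    "DCHACK": ("tcp", 1599),
    "AUTH":   ("tcp", 113),
}

# The 13 filter lines: (protocol, service, host, allow, log)
FILTER = [
    ("*",   "DCHACK", "*.*.*.*",   False, True),
    ("*",   "19",     "*.*.*.*",   False, True),
    ("*",   "137",    "*.*.*.*",   False, True),
    ("*",   "138",    "*.*.*.*",   False, True),
    ("*",   "139",    "*.*.*.*",   False, True),
    ("*",   "*",      "127.0.0.1", True,  False),
    ("*",   "12345",  "*.*.*.*",   False, True),
    ("*",   "12346",  "*.*.*.*",   False, True),
    ("*",   "20034",  "*.*.*.*",   False, True),
    ("*",   "27374",  "*.*.*.*",   False, True),
    ("TCP", "AUTH",   "*.*.*.*",   True,  False),
    ("*",   "*",      "*.*.*.*",   True,  True),
    ("*",   "$",      "*.*.*.*",   True,  False),
]


def service_matches(rule_service, proto, port):
    """Match the Service column against a connection's protocol and port."""
    if rule_service in ("*", "$"):          # wildcard / end-of-table marker
        return True
    if rule_service.isdigit():              # plain port number
        return int(rule_service) == port
    entry = SERVICES.get(rule_service.upper())   # named service
    if entry is None:
        return False
    svc_proto, svc_port = entry
    return svc_proto == proto.lower() and svc_port == port


def host_matches(rule_host, host):
    """'*' in an octet position matches any value in that octet."""
    for pat, octet in zip(rule_host.split("."), host.split(".")):
        if pat != "*" and pat != octet:
            return False
    return True


def evaluate(proto, port, host, table=FILTER):
    """Return (line_no, allow, log) for the first matching line.

    First-match semantics are an assumption of this model. A connection
    that matches no line is denied and logged (also an assumption).
    """
    for n, (r_proto, r_service, r_host, allow, log) in enumerate(table, 1):
        if r_proto != "*" and r_proto.lower() != proto.lower():
            continue
        if not service_matches(r_service, proto, port):
            continue
        if not host_matches(r_host, host):
            continue
        return n, allow, log
    return None, False, True


if __name__ == "__main__":
    # Constructed connections: a SubSeven probe, a loopback FTP check,
    # an ordinary inbound request and a UDP packet to the ident port.
    for conn in [("tcp", 27374, "213.122.26.141"), ("tcp", 21, "127.0.0.1"),
                 ("tcp", 21, "10.0.0.1"), ("udp", 113, "10.0.0.1")]:
        print(conn, "->", evaluate(*conn))
```

The last assertion in the test shows why line 6 sits where it does: if the loopback line is moved below the catch-all, your own local traffic is suddenly logged by line 12. Note also that line 11 only admits AUTH over TCP; the same port over UDP falls through to the logged catch-all.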
Summary:
Right, you should now have a pretty good service port blocker to
prevent Amiga Nukes, DCHack attempts and Breaks, and you are informed
of all service ports which are opened while you are online. Once you
have set all this up, all service port access (legitimate and illegal
alike) is logged. Don't take every entry as an attack: for instance,
if you are using FTP from DOpus or are downloading files from Aminet
then of course TCP/21 traffic will show up in the log. That is not a
hack attempt, it is you downloading/uploading a file.
What you SHOULD be looking for are ports which SHOULD NOT BE opening.
If you are not using FTP and suddenly a connection to TCP/21 appears
(Miami will inform you of this too), DISCONNECT IMMEDIATELY: something
on your machine is accepting FTP [File Transfer Protocol control
connection] logins that you did not start, and a hacker may be after
your hard drives through it. You can turn off FTP in the Services
section of Miami, but if you do, you will be unable to use FTP.
Collecting evidence to prosecute hackers:
Right, you have followed my tutorial for Miami 3.2b to set up a
simple port blocker. All port access is logged, both legitimate
service port access and illegal service port access. We now need a
way of collecting evidence so that any hacker who tries to get
access to your computer can be reported. What I am going to show you
next is how to set this up in Miami 3.2b.
1) Go to Aminet and download Syslog.lha (Syslog Library Distribution).
2) Unpack the archive.
3) Just copy the file syslog.library to LIBS:. YOU DO NOT NEED TO
INSTALL THE ENTIRE SYSLOG PACKAGE!
4) Start Miami 3.2b (but don't go online yet).
5) Go to the 'Logging' menu in Miami 3.2b. There is a box marked
'Console'. In the Console box, enter the following:-
CON:/0/0/640/50/Miami log/AUTO/CLOSE
6) Below it there is a box marked 'File'. In this box type:-
S:MyMiami.log
7) Below the box marked 'File' there is a tickbox marked 'Use
syslog.library'. Tick it.
8) Save the Miami 3.2b preferences.
Summary:
Now ALL PORTS (including those which you open while you are online)
are logged, as well as any service port attacks that hackers attempt
on your machine. But that is not all: the entries are also saved to a
text file in your S: directory called 'MyMiami.log', which you can
display with any text viewer. You now have evidence if you wish to
report hackers to their ISP. What I am going to show you now is how
to trace hackers attempting to issue service port attacks on your
machine, and how you can report them to their Internet Service
Provider.
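Once MyMiami.log starts filling up, you want the rejected entries grouped per source host before you write to anyone. The following is an added example (not part of Miami or of this tutorial) that parses log lines in the format shown in the example mail further down ("25.07.01 00:11:50 Access from host 213.122.26.141 to port tcp/27374 rejected.") and summarises them per host, flagging the backdoor ports from the IP Filter section. The sample lines are constructed for the example; the exact wording of non-rejected entries ('accepted') and the 1599 DCHack port are assumptions carried over from the steps above.

```python
"""Summarise a MyMiami.log file per source host (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Default ports of the backdoors blocked in the IP Filter table above.
BACKDOOR_PORTS = {
    1599:  "DCHack (port as entered in the Services step)",
    12345: "NetBus",
    12346: "NetBus",
    20034: "NetBus 2 Pro",
    27374: "SubSeven",
}

# Line format as shown in the example mail: DD.MM.YY HH:MM:SS Access from
# host A.B.C.D to port proto/NNN verdict.   (verdict wording assumed)
LINE_RE = re.compile(
    r"^(\d{2}\.\d{2}\.\d{2}) (\d{2}:\d{2}:\d{2}) Access from host "
    r"(\d{1,3}(?:\.\d{1,3}){3}) to port (tcp|udp)/(\d+) (\w+)\.$"
)

# Constructed sample log: one host probing three ports in quick
# succession, one harmless ident request, and a line that is not a
# filter entry at all.
SAMPLE_LOG = """\
25.07.01 00:11:50 Access from host 213.122.26.141 to port tcp/27374 rejected.
25.07.01 00:11:52 Access from host 213.122.26.141 to port tcp/12345 rejected.
25.07.01 00:12:03 Access from host 213.122.26.141 to port tcp/139 rejected.
25.07.01 00:30:17 Access from host 10.0.0.5 to port tcp/113 accepted.
Miami: link up
"""


def parse_line(line):
    """Return a dict for one filter log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, host, proto, port, verdict = m.groups()
    return {
        "when": datetime.strptime(f"{date} {time}", "%d.%m.%y %H:%M:%S"),
        "host": host,
        "proto": proto,
        "port": int(port),
        "rejected": verdict == "rejected",
    }


def summarise(text):
    """Group rejected connections per host.

    For each host: number of attempts, distinct ports tried, which of
    those are known backdoor ports, and the first/last timestamp (the
    time span matters because dial-up addresses are reassigned).
    """
    per_host = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["rejected"]:
            per_host[entry["host"]].append(entry)

    report = {}
    for host, entries in per_host.items():
        ports = sorted({e["port"] for e in entries})
        report[host] = {
            "attempts": len(entries),
            "ports": ports,
            "backdoors": [BACKDOOR_PORTS[p] for p in ports if p in BACKDOOR_PORTS],
            "first": min(e["when"] for e in entries),
            "last": max(e["when"] for e in entries),
        }
    return report


if __name__ == "__main__":
    for host, info in summarise(SAMPLE_LOG).items():
        print(host, info["attempts"], "attempts on", info["ports"],
              "between", info["first"], "and", info["last"],
              "known backdoors:", info["backdoors"])
```

Only rejected entries are counted: accepted connections are your own traffic or things you allowed in the filter, and they do not belong in an abuse report. Run it on the real S:MyMiami.log instead of SAMPLE_LOG once you have a few days of entries.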
Obtaining evidence to prosecute hackers:-
If you have followed the above section (Collecting evidence to
prosecute hackers), the next stage is to trace the hacker and report
them to their Internet Service Provider.
All Internet Service Providers operate an AUP (Acceptable Use
Policy) or, alternatively, a terms and conditions agreement. You
agree to this when opening your account with your Internet Service
Provider. If it is breached, most Internet Service Providers will
terminate the offending account.
Wait for a service port attack. If you have followed everything in
this tutorial so far, Miami 3.2b will open a window when a service
port attack occurs (listing the date and time of the attack, the IP
of the host that issued it and the service port they tried to open).
If you are 100% sure this is a service port attack by a malicious
hacker then do the following:-
1) Launch NetInfo 2.
2) In NetInfo's IP box, type the hacker's IP address (which Miami's
logging reported), then click the 'Trace' button opposite. NetInfo
will do a trace route to the hacker's IP address and tell you the
country they are located in (they should be the last hop listed).
3) Select them in NetInfo's window.
4) Do a 'Finger This Host' query from NetInfo's top menu. Provided
they have not disabled service port 79 in their TCP/IP stack or
dialling software, you should see their real name, IP address and
login name. Write this down. Do not be surprised if the connection is
refused; most machines do not answer finger at all.
5) Next, with their IP still selected in NetInfo's window, do a
'NetWork WHOIS Query' from NetInfo. Provided they can be traced and
there is no block on their IP address, you should see the Network
WHOIS information for their network (their ISP), together with an
e-mail address for reporting abuse/spam etc. Write this e-mail
address down. If no abuse address is listed, simply contact the
network's maintainer or hostmaster instead. Note that a WHOIS on the
host's domain name (as in the example mail below) tells you who
registered the domain, whereas a WHOIS on the IP address itself at
the regional registry (RIPE for European addresses such as
213.x.x.x) tells you who is responsible for that address range; the
latter is the contact you want if the two differ.
Ok, we now know:-
- Where the hacker is from (country)
- Their real name and login name (if they have not denied finger
queries to service port 79 in their TCP/IP stack).
- Where to report spam/abuse (should be listed via the Network WHOIS
lookup) as I described in step 5 above.
Bear in mind that on a dial-up service the address is reassigned
every time someone connects, so the ISP can only match it to a
customer if your date, time and timezone are accurate, and that the
machine scanning you may well be infected with the same Trojan
itself rather than being the hacker's own computer.
The next step is to report the hack attempt they issued on your
computer (if a service port was opened illegally). As I've already
mentioned, if you have followed this tutorial word-for-word, a shell
window will pop up and Miami will give you the date and time of the
attack, the IP of the hacker and the service port they attacked. This
is also saved in your S: drawer in the file 'MyMiami.log'.
Reporting Abuse To The Hacker's ISP:-
You remember the Network WHOIS lookup you did in NetInfo 2 earlier;
you should have written the abuse address down. Fire up your e-mail
client (YAM / MicroDot / Thor) and compose a mail along the lines of
the template below. This is an example of how to report a service
port attack to the hacker's ISP so that they can take action. The
paragraphs in the example mail are numbered (1), (2), (3), etc.:
1) State the network the attack came from. We know this anyway,
since we did a Network WHOIS lookup in NetInfo (paragraph 1).
2) State that you are providing a logfile of service port attacks,
confirming the time format (24-hour clock) and that it includes the
IP of the host and the ports it tried to open (paragraph 2).
3) State how accurate the timestamps are: they come from your
computer's battery-backed clock. Also be sure to state whether your
clock is set to BST (daylight saving time) or GMT (winter time), the
date your clock was adjusted to BST or GMT, and your timezone
(paragraph 3).
4) A brief introductory sentence for the log (paragraph 4).
5) Paragraphs 5 and 6: the logged attack pasted straight from
MyMiami.log (a plain text file) into the mail, so the hacker's
Internet Service Provider knows *exactly* the date and time the
attack occurred, along with the IP address and the port they
attempted to open.
6) Paragraph 7: which port was attacked and what it means. In the
example the hacker attacked service port 27374. This is registered as
TCP 'asp' (Address Search Protocol; I looked it up with GoPortScan!),
but it is better known as the default port of the SubSeven Trojan.
7) Paragraph 8: the results of the finger query carried out on the
host using NetInfo 2. If the hacker has denied access to service port
79 you will be unable to finger their IP, in which case write
'Connection refused', as I have.
8) The WHOIS lookup information. We did a Network WHOIS query on the
hacker's IP using NetInfo 2 earlier; I have included it in the mail,
showing that the host belongs to their network.
9) For the last paragraph of the mail, I have stated that the host
has breached their Internet Service Provider's Acceptable Use Policy
by attempting to open service ports on my machine illegally.
Their Internet Service Provider can now terminate the account for
issuing service port attacks / port scanning other members' accounts.
In the case of BT Internet, they are only interested in hackers who
are attacking other customers' accounts.
Example mail:-
To: abuse@btinternet.com
Subject: Port Attack Abuse From YOUR Network
Message:
Hello,
(1) I wish to report port attack abuse from a host located on your
network (BT-IMSNET) - BT Internet.
(2) I provide a logfile of attacks, specifying the date, time (in 24
hour format), host(s) and the ports this host attempted to open.
(3) The logfile timestamps depend on my computer system's battery
backed clock and should be accurate to within 2-3 minutes. I hereby
confirm my computer system's clock was set to Daylight Saving Time
(BST) as from 25 March 2001. My timezone is United Kingdom.
(4) The evidence log of attacks made by this host on your BT-IMSNET
network against my computer system is as follows:-
(5) Date:    Time:
(6) 25.07.01 00:11:50 Access from host 213.122.26.141 to port tcp/27374
rejected.
(7) 1 service port attack was made by this host on my computer. The
host attempted to open service port 27374 (TCP 'asp': Address Search
Protocol). Known Trojans using this service port: SubSeven.
(8) Results of finger query on this host: refused.
WHOIS Lookup: host is located on your BT-IMSNET network:-
Official name: host213-122-26-141.btinternet.com
Addresses: 213.122.26.141
Whois for host213-122-26-141.btinternet.com
.com is the global domain of USA & International Commercial
(Whois queries for .com domains can be performed at
http://rs.internic.net/cgi-bin/whois)
whois -h whois.crsnic.net btinternet.com
Redirecting to NETWORK SOLUTIONS, INC.
The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in
obtaining information about or related to a domain name registration
record. Network Solutions does not guarantee its accuracy. By
submitting a WHOIS query, you agree that you will use this Data only
for lawful purposes and that, under no circumstances will you use
this Data to: (1) allow, enable, or otherwise support the
transmission of mass unsolicited, commercial advertising or
solicitations via e-mail ( spam ); or (2) enable high volume,
automated, electronic processes that apply to Network Solutions ( or
its systems ). Network Solutions reserves the right to modify these
terms at any time. By submitting this query, you agree to abide by
this policy.
Registrant:
British Telecommunications Ltd ( BTINTERNET-DOM )
81 Newgate Street
London, Greater London EC1A 7AJ
GB
Domain Name: BTINTERNET.COM
Administrative Contact:
BT WebWorld DNS ( BS38-ORG ) dnsreg@BT.COM
British Telecommunications plc
PP TKS/G74/01 Trunk Exchange Nth
109-117 Long Rd
GB
+44 1223 551919  Fax +44 1223 358474
Technical Contact:
Artym, Rich ( RA2240 ) rich@BT.NET
British Telecommunications Plc
154 St.Albans Road
St. Albans Hertfordshire
AL49NH
UK
+44 1992-897045 ( FAX ) +44 1992-897382
Billing Contact:
DNS Operations Manager (DO947-ORG) dnsbilling@BT.COM
British Telecommunications PLC
Post Point TKS/G74/01
109-117 Long Road, Cambridge CB2 2HG
GB
+44 (0)1223 555167
Fax- +44 (0)1223 358474
Record last updated on 29-Sep-2000.
Record expires on 22-Oct-2001.
Record created on 21-Oct-1995.
Database last updated on 24-Jul-2001 06:37:00 EDT.
Domain servers in listed order:
DNS2.BTINTERNET.COM 194.73.73.94
DNS1.BTINTERNET.COM 194.73.73.95
NOTE:
(9) The above host is in breach of your Acceptable Use Policy/Terms &
Conditions for port scanning/attempting to open ports illegally AND
invading a customer's privacy.
Summary:-
There we have it then: an in-depth tutorial on protecting yourself
from malicious hackers while your Amiga is online, as well as
reporting abuse attacks. Happy surfing!