WWW.Smythies.com Security Notes: 2002:10:08
This site is intended to be safe for all, particularly
children. Please notify me, and whomever else you might deem appropriate, immediately
of any objectionable material so that the site can be shut down and checked for
a security breach.
I do NOT claim any professional level of expertise in networks and the Internet. I do not
have the education and training to make some reassuring statement as to site security.
However, I am fascinated with the internet and watch all of my security-related logs closely.
I have been logging unsolicited internet probes, searches, scans, and hacking attempts
since my emergency amateur radio interconnect router at hera.rfnet.sfu.ca was hacked into
at 7:00 A.M. January 9th 1999 (local time). Internet activity that I place in the
“suspicious” category has been increasing exponentially since then (I don’t know if at a
greater or lesser rate than internet use overall). Even experts in the field of internet
security have expressed their concern as to the complexity of the issues. The experts do
suggest that one keep the details of a site (i.e. which operating system, web server, host
computer, …) secret, because that knowledge just helps the hackers. However, I prefer to
make my network configuration as public as possible. Maybe, and hopefully, someone can
learn something.
Only port 80 (www) and the SSH (secure shell) port are open. Telnet, ftp, and all those
are closed.
Currently, the IP address is not shared, i.e. there is no LAN on the other side of
64.180.103.81. However, the firewall is enabled and is filtering IP addresses. Most of the
traffic (like 90%) listed on the usage pages is internet virus-related probing.
Every packet to/from this site is temporarily logged. Log files obtained during what later
turns out to have been a security-related event might be saved indefinitely.
On September 13th 2002, this site was penetrated by the Apache/mod_ssl worm. A vicious
denial of service attack resulted. It was a matter of hours before I discovered it and
disconnected the machine. I am still getting packets on port 2002, a month later. I had to
keep the server offline for several days due to saturation of my ADSL internet link with
UDP packets on port 2002. Even with my firewall set to disable all port 2002 traffic both
to and from smythies.com, my site was saturated with IP packets for port 2002. In the 5
hours that the bugtraq.c program was running on my server, smythies.com had probed 283,648
other sites for the Apache/mod_ssl worm (also known as the “Linux Slapper worm”)
(see CERT advisory: http://www.cert.org/advisories/CA-2002-27.html)
(see Red Hat: http://www.redhat.com/support/alerts/linux_slapper_worm.html).
If you are one of the sites my server probed, then sorry. Every hour, much less probing
was done as traffic increased for the Distributed Denial of Service attack on port 2002.
By the end of the 5 hours, when I accidentally discovered that the system had been
compromised, there was almost no outgoing probing traffic. On September 13th, and a full
day before the first notice of this worm was posted on CERT, I notified my ISP (Internet
Service Provider) that I had an ongoing active DoS (Denial of Service) attack against
smythies.com. After about a week the rate of UDP port 22 packets to smythies.com was down
to about 5 packets per minute (??).
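As an added illustration (not part of the original notes, and not the author's own scripts),
here is a small Python script that picks the Slapper-style traffic out of firewall log lines
of the kind the notes describe being kept for every packet: inbound and outbound UDP packets
for port 2002 (the worm's peer-to-peer DDoS network), and outgoing TCP connection attempts to
ports 80 and 443 from this host (the worm looking for other Apache/mod_ssl servers). It
assumes the Linux iptables LOG-target line format, a hypothetical external interface name
ppp0, and the address 64.180.103.81 given above; the log lines embedded in it are constructed
for the example, not real captures.

```python
"""Pick Slapper-worm-style traffic out of firewall log lines.

Added example, not the page author's code.  Assumes the Linux iptables LOG
target format ("IN=... OUT=... SRC=... DST=... PROTO=... SPT=... DPT=..."),
a hypothetical external interface ppp0, and the local address 64.180.103.81
from the notes.  The sample lines below are constructed, not real logs.
"""
import re
from collections import Counter, defaultdict

OUR_IP = "64.180.103.81"
P2P_PORT = 2002          # UDP port used by the worm's peer-to-peer DDoS network
SCAN_PORTS = (80, 443)   # worm looks for Apache on 80 and attacks mod_ssl on 443

# Timestamp to the minute, then the iptables LOG fields we care about.
LOG_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d .*?"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample log; remote hosts use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Oct  8 07:00:01 smythies kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=64.180.103.81 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=UDP SPT=2002 DPT=2002 LEN=40
Oct  8 07:00:03 smythies kernel: IN=ppp0 OUT= SRC=192.0.2.11 DST=64.180.103.81 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=UDP SPT=2002 DPT=2002 LEN=40
Oct  8 07:00:05 smythies kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=64.180.103.81 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=UDP SPT=2002 DPT=2002 LEN=40
Oct  8 07:00:07 smythies kernel: IN= OUT=ppp0 SRC=64.180.103.81 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=2002 DPT=2002 LEN=40
Oct  8 07:00:09 smythies kernel: IN= OUT=ppp0 SRC=64.180.103.81 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=33001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  8 07:00:10 smythies kernel: IN= OUT=ppp0 SRC=64.180.103.81 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=33002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  8 07:01:02 smythies kernel: IN=ppp0 OUT= SRC=203.0.113.9 DST=64.180.103.81 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=7 DF PROTO=TCP SPT=40123 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Oct  8 07:01:04 smythies kernel: IN=ppp0 OUT= SRC=192.0.2.12 DST=64.180.103.81 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=8 PROTO=UDP SPT=2002 DPT=2002 LEN=40
Oct  8 07:01:06 smythies kernel: IN=ppp0 OUT= SRC=203.0.113.20 DST=64.180.103.81 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""


def parse_line(line):
    """Return the fields of one LOG line as a dict, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "minute": m["minute"],
        "inbound": bool(m["in"]),   # IN= is empty for packets this host generated
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,   # None for ICMP etc.
    }


def classify(rec, our_ip=OUR_IP):
    """Label a parsed packet as worm P2P traffic, worm scanning, or other."""
    if rec["proto"] == "UDP" and rec["dpt"] == P2P_PORT:
        return "p2p_in" if rec["inbound"] else "p2p_out"
    if (rec["proto"] == "TCP" and not rec["inbound"]
            and rec["src"] == our_ip and rec["dpt"] in SCAN_PORTS):
        return "scan_out"
    return "other"


def summarise(log_text, our_ip=OUR_IP):
    """Count packets per minute by class; also collect the P2P peers per minute."""
    per_minute = defaultdict(Counter)
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, our_ip)
        per_minute[rec["minute"]][kind] += 1
        if kind == "p2p_in":
            peers[rec["minute"]].add(rec["src"])
    return dict(per_minute), dict(peers)


def rate_alerts(per_minute, threshold):
    """Minutes in which inbound port-2002 UDP reached the threshold (packets/min)."""
    return sorted(m for m, c in per_minute.items() if c["p2p_in"] >= threshold)


def peer_addresses(peers):
    """Every remote address seen sending port-2002 UDP, e.g. for an upstream filter."""
    return set().union(*peers.values()) if peers else set()


if __name__ == "__main__":
    minutes, p2p_peers = summarise(SAMPLE_LOG)
    for minute in sorted(minutes):
        print(minute, dict(minutes[minute]), sorted(p2p_peers.get(minute, ())))
    print("alert minutes:", rate_alerts(minutes, threshold=3))
    print("peers to filter upstream:", sorted(peer_addresses(p2p_peers)))
```

Grouping by minute gives the kind of rate the notes quote (packets per minute), and the set
of peer addresses is what one would hand to an upstream filter. As the notes make clear,
dropping port 2002 on the host's own firewall does not stop the packets from crossing the
ADSL link, so the place the filter actually helps is at the ISP.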