CyberPeepers from Korean Sites Peek at U.S. Networks

Event Summary

In the past two weeks, a large number of United States Internet sites have reported an onslaught of network probes and scans from the Republic of Korea. Security engineers and systems administrators have spent much of the last few weeks asking each other, "Why are we seeing so many scans from Korea?" and, "Who is scanning for what?" There has been a great deal of speculation about the now-ubiquitous Korean network probes.

Many security professionals believe the cause is simply poor system security on Korean networks in general, which makes those networks easy for attackers to compromise and use as launch points. According to the large number of incident reports on the SecurityFocus incidents mailing list, most of the scans are aimed at port 111, the sunrpc portmapper port through which RPC services such as automount are located on Linux systems. The source port for most of the scans appears to be UDP port 53. A spokesperson for the U.S. Department of the Interior suggested that it was probably intelligence gathering; more likely, however, it is attackers elsewhere in the world routing through Korea because systems on .kr networks are so easy to compromise.

Some network administrators are retaliating by scanning the IP addresses the probes come from. One administrator found TCP port 2222 open on a probing host; connecting to it dropped them straight into what is known as a root shell. A root shell is a command shell running with root (superuser) privileges, which lets whoever connects take complete control of the system. An unauthenticated root shell listening on an odd port is a strong sign that the scanning host had itself already been compromised and backdoored. Note that connecting to such a shell on someone else's machine is unauthorized access, whatever the provocation.

On January 8th, a hacker using the handles "Hi There" and "Timothy", writing from a Kornet account, offered $20,000 on various Internet hacking newsgroups for hacking assistance. Kornet is one of the Republic of Korea's leading Internet Service Providers. The hacker wrote, "I am writing this email in the hope that I could find anyone who has the ability to access certain institution's computer network and control some data in it. Of course it is not involved with any malicious thing at all. It can be considered ethical hacking. I am sorry that I cannot go into details now in this mail." The hacker known as "Timothy" began posting these messages on hacker newsgroups on December 7th; on January 8th, "Timothy" began using the alias "Hi There" from the same account. It is not clear whether these events are related to the scans, though the timing is coincidental.

Market Impact

Many "stateless" (packet-filtering) firewalls let inbound UDP traffic with source port 53 through on the assumption that it is a DNS reply to a query sent from inside. Because such a firewall keeps no record of which queries actually went out, it cannot tell a genuine reply from a probe, so attackers deliberately send from source port 53 to get past it. If you run a stateless firewall, check its logs for inbound traffic from source port 53 that does not correspond to any outbound DNS query, and for entries from the .kr country domain.
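The following is an added example, not code from the original article, showing why the source-port-53 trick works against a stateless filter and not against a stateful one. It replays a small, constructed packet log (the log format, the internal host 10.0.0.5, the resolver 192.0.2.53 and the scanner 203.0.113.7 are all assumptions for illustration) through two rule sets: a stateless rule that admits any inbound UDP packet from source port 53, and a stateful rule that admits inbound traffic only if it answers an outbound flow already seen. The same matching logic doubles as the log audit suggested above: it lists the inbound "DNS replies" that no outbound query ever asked for.

```python
"""Stateless vs. stateful handling of inbound traffic from source port 53.

Added example, not part of the original article. The log format and all
addresses below are constructed for illustration.
"""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport")

# Constructed firewall log: one DNS query and its genuine reply, followed by
# three probes of the sunrpc port (111) from an external scanner.
SAMPLE_LOG = """\
OUT udp 10.0.0.5:40321 -> 192.0.2.53:53
IN  udp 192.0.2.53:53 -> 10.0.0.5:40321
IN  udp 203.0.113.7:53 -> 10.0.0.5:111
IN  tcp 203.0.113.7:53 -> 10.0.0.5:111
IN  udp 203.0.113.7:4444 -> 10.0.0.5:111
"""

LINE_RE = re.compile(
    r"^(IN|OUT)\s+(udp|tcp)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$"
)


def parse_log(text):
    """Parse the simplified log format into Packet records, skipping junk."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        direction, proto, src, sport, dst, dport = m.groups()
        packets.append(Packet(direction, proto, src, int(sport), dst, int(dport)))
    return packets


def stateless_allows(pkt):
    """Classic stateless rule set: everything outbound is permitted, and any
    inbound UDP packet from source port 53 is permitted because it looks
    like a DNS reply.  Nothing else inbound gets through."""
    if pkt.direction == "OUT":
        return True
    return pkt.proto == "udp" and pkt.sport == 53


def stateful_allows(pkt, state):
    """Stateful rule set: outbound packets record a flow; an inbound packet is
    permitted only if it is the reverse of a recorded flow."""
    if pkt.direction == "OUT":
        state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return True
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in state


def evaluate(packets):
    """Return (packet, stateless_verdict, stateful_verdict) for each inbound
    packet, replaying outbound packets so the state table is populated."""
    state = set()
    results = []
    for pkt in packets:
        if pkt.direction == "OUT":
            stateful_allows(pkt, state)  # record the outbound flow
        else:
            results.append((pkt, stateless_allows(pkt), stateful_allows(pkt, state)))
    return results


def leaked_by_stateless(packets):
    """Audit for a stateless firewall's log: inbound packets the stateless
    rules admitted but that answer no outbound query.  These are probes
    disguised as DNS replies, not replies."""
    return [
        f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        for p, stateless_ok, stateful_ok in evaluate(packets)
        if stateless_ok and not stateful_ok
    ]


if __name__ == "__main__":
    for pkt, sl, sf in evaluate(parse_log(SAMPLE_LOG)):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={'allow' if sl else 'deny'}"
              f"  stateful={'allow' if sf else 'deny'}")
    print("probes that got past the stateless filter:",
          leaked_by_stateless(parse_log(SAMPLE_LOG)))
```

Only the UDP probe from source port 53 to port 111 passes the stateless filter; the stateful filter rejects it because no query from 10.0.0.5:111 to 203.0.113.7:53 was ever sent. A real stateful firewall also ages entries out of its table after a timeout, which this toy version omits.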

Security incidents can be reported to either SANS or CERT, which track, and in some cases identify, the sources of attacks.

User Recommendations

What can your organization do to protect itself from cyberpeepers, from Korea or anywhere else?

1. Deploy a stateful packet inspection (SPI) firewall with an appropriate security policy, and monitor and review the firewall logs daily.

2. Hire an outside auditing company to see if your organization is vulnerable to security compromises.

3. If it is not feasible to deploy an SPI firewall, install an Intrusion Detection System to supplement your stateless firewall's logging and data gathering.

4. Hire a security engineer to monitor your organization's network traffic on a daily basis.

5. Don't go overboard trying to trace where mysterious scans are coming from; the time is better spent fortifying your own network.

6. Make sure appropriate host security has been implemented on all mission-critical servers. This presupposes that you know which servers are mission-critical to your organization.
