Event Summary
In the past two weeks, a large number of United States Internet sites have reported an onslaught of network probes or scans from the Republic of Korea. Security engineers and systems administrators have been spending a lot of time in the last few weeks asking each other, "Why are we seeing so many scans from Korea?" and, "Who is scanning for what?" There has been a great deal of speculation about the ubiquitous Korean network probes.
Many security professionals believe that it is simply due to a general lack of system security on Korean networks, which makes those networks more vulnerable to being exploited by hackers. According to the vast number of incident reports on the SecurityFocus incidents mailing list, most of the scans seem to be aimed at port 111, which is the sunrpc (portmapper) port and the automount port for Linux. The source port for most of the scans seems to be UDP port 53. A spokesperson for the U.S. Department of the Interior suggested that it was probably some intelligence gathering; more likely, however, it is hackers from other parts of the world coming in through Korea because systems on .kr networks are easy to compromise.
Some network administrators are retaliating by scanning back the IP addresses where these probes are coming from. One administrator found TCP/IP port 2222 open, which dropped them into what is known as a rootshell. A rootshell is a computer account with special privileges that empower the user to completely take over and own the system.
On January 8th, a hacker using the handles "Hi There" and "Timothy", writing from the account whymeh@kornet.net, made an offer on various Internet hacking newsgroups to pay $20,000 for hacking assistance. Kornet is one of the Republic of Korea's leading Internet Service Providers. The hacker wrote, "I am writing this email in the hope that I could find anyone who has the ability to access certain institution's computer network and control some data in it. Of course it is not involved with any malicious thing at all. It can be considered ethical hacking. I am sorry that I can not go into details now in this mail." The hacker known as "Timothy" started posting these messages on hacker newsgroups on December 7th. On January 8th, "Timothy" started using the alias "Hi There", writing from the same account. It is not clear if these events are related, though it is somewhat coincidental.
Market Impact
Many "stateless" firewalls allow Internet traffic to come in on UDP port 53
thinking it is a DNS response. Often attackers come from source port 53 in order
to penetrate firewalls that are known as stateless. If you have what is known
as a stateless firewall, check your logfiles for incident traces from the .kr
country domain.
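The check the two paragraphs above describe (scans arriving on UDP port 111 from source port 53, slipping through stateless firewalls that admit anything from source port 53 as a "DNS reply") can be automated over firewall logs. The script below is an added example, not part of the original article: it assumes a simplified, constructed log format (timestamp, action, protocol, src:sport -> dst:dport) rather than any real vendor's format, and the sample lines it embeds are constructed using the RFC 5737 documentation address ranges. It flags inbound UDP packets whose source port is 53 but whose destination is a privileged service port other than 53, since a genuine DNS reply goes back to the ephemeral port a local resolver opened, and it summarizes per source address how many hosts were touched, which is what distinguishes a sweep from a single stray packet.

```python
"""Flag UDP packets that use source port 53 to reach non-DNS service ports.

Added example (not from the original article). The log format is a
constructed, simplified one; real firewall logs differ, so adapt LINE_RE.
"""
import re

# Constructed line format: "<ts> <ACCEPT|DROP> <UDP|TCP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log. 10.0.0.0/24 stands in for the protected network;
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges used
# here as external addresses.
SAMPLE_LOG = """\
2001-01-10T02:14:07 ACCEPT UDP 203.0.113.7:53 -> 10.0.0.5:111
2001-01-10T02:14:07 ACCEPT UDP 203.0.113.7:53 -> 10.0.0.6:111
2001-01-10T02:14:08 ACCEPT UDP 203.0.113.7:53 -> 10.0.0.7:111
2001-01-10T02:15:01 ACCEPT UDP 198.51.100.2:53 -> 10.0.0.5:35711
2001-01-10T02:15:02 ACCEPT UDP 198.51.100.2:53 -> 10.0.0.5:53
2001-01-10T02:15:30 ACCEPT UDP 203.0.113.9:53 -> 10.0.0.5:22
2001-01-10T02:16:00 ACCEPT TCP 203.0.113.9:4321 -> 10.0.0.5:22
2001-01-10T02:17:00 DROP UDP 203.0.113.7:53 -> 10.0.0.8:111
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_spoofed_dns_source(rec):
    """True when a packet looks like a 'DNS reply' aimed at a service port.

    A real reply from port 53 targets the ephemeral (>= 1024) port a resolver
    used, or port 53 itself for server-to-server traffic. Source port 53
    towards any other privileged port (111/sunrpc, 22, ...) is the evasion
    pattern that stateless source-port-53 allow rules let through.
    """
    return (
        rec["proto"] == "UDP"
        and rec["sport"] == 53
        and rec["dport"] < 1024
        and rec["dport"] != 53
    )


def analyze(log_text, sweep_threshold=3):
    """Summarize suspicious packets per source address.

    A source touching at least `sweep_threshold` distinct hosts is marked as
    a sweep; DROP lines still count, since they show what was attempted.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    hits = [r for r in records if is_spoofed_dns_source(r)]
    per_src = {}
    for r in hits:
        s = per_src.setdefault(r["src"], {"packets": 0, "accepted": 0,
                                          "targets": set(), "ports": set()})
        s["packets"] += 1
        if r["action"] == "ACCEPT":
            s["accepted"] += 1
        s["targets"].add(r["dst"])
        s["ports"].add(r["dport"])
    return {
        src: {
            "packets": s["packets"],
            "accepted": s["accepted"],
            "distinct_targets": len(s["targets"]),
            "ports": sorted(s["ports"]),
            "sweep": len(s["targets"]) >= sweep_threshold,
        }
        for src, s in per_src.items()
    }


if __name__ == "__main__":
    for src, info in sorted(analyze(SAMPLE_LOG).items()):
        tag = "SWEEP" if info["sweep"] else "single"
        print(f"{src:16} {tag:7} packets={info['packets']} accepted={info['accepted']} "
              f"hosts={info['distinct_targets']} ports={info['ports']}")
```

On the constructed sample this reports 203.0.113.7 as a sweep (four hosts probed on port 111, three of the packets accepted) and 203.0.113.9 as a single hit on port 22, while the two legitimate DNS replies from 198.51.100.2 are ignored. The `accepted` count is the figure worth acting on: every accepted line is a packet a stateless rule let through that a stateful firewall, which only admits a port-53 reply matching an outbound query, would have dropped.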
Security incidents can be reported to either SANS or CERT, which track, and in some cases identify, the sources of attacks.
User Recommendations
What can your organization do to protect itself from Cyberpeepers from Korea
or anywhere else?
1. Put in a stateful packet inspection (SPI) firewall and an appropriate security policy, and monitor and review the firewall logs daily.
2. Hire an outside auditing company to see if your organization is vulnerable to security compromises.
3. If it is not feasible to put in an SPI firewall, install an Intrusion Detection System to assist your stateless firewall in data gathering.
4. Hire a security engineer to monitor your organization's network traffic on a daily basis.
5. Don't go overboard trying to figure out where mysterious scans are coming from. It's better to spend the time fortifying your network.
6. Make sure that appropriate host security has been implemented on all mission critical servers -- this means that you need to know which servers are mission critical to your organization.