In my previous articles, "Script Kiddies - Vermin of the Internet" and "Script Kiddies II - A warning to parents", I described the Script Kiddie problem.
This article contains information for web site owners and surfers regarding what to do when your system is continiously "probed" from the same source, or if your site is compromised. Who you gonna call? KiddieBusters? (could be a good name for a web site?)
If you are running personal firewall software while surfing, you can actually do something with the logs. You can send them to your ISP along with an incident description. They may be able to chase it up on your behalf. Better still, if you can identify the IP address using a tracing program, send the firewall log with the trace results to the owner of that address along with time, location etc.
I run traces on some of my logs, but this can also be a bit dangerous as there is a possibility that the owner of the address detects that you are "pinging" them and therefore revealing your own IP address. Properly configured firewall software can minimise the danger of this.
Also, the IP address shown does not necessarily mean that it is the Script Kiddie themselves. There are various cloaking devices that the Kiddies use to hide their true origin, or may only refer to the service they are using to launch the attack. But it doesn't hurt to send the IP owner a polite email to serve as an alert, especially if you have been able to establish a repetitive address.
How to write the email? The following is a message I recently sent to an ISP. (the IP and port numbers have been replaced with x's).
Greetings,
I have been receiving a number of warning messages over the last couple of days from my firewall software regarding an xxxx scan which seems to be originating from your service. Even as I am typing this I am receiving numerous warnings. It is currently 6.20pm Adelaide time, Monday 12 February. Could you please look into this for me as it is becoming highly annoying. Last night I had around 80 such warnings in 1 hour. Thanks. Below is my log of some of these scans and the copy of the trace results.
GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:15:18 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:00 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:08 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:38 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:38 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:54 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:56 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:21:00 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:21:04 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
Please contact me if you require any further details.
-
I also attached my "traceroute" results, but have not included them here as they identify the customer number. The ISP responded to my message and said that they had "contacted" the customer. I received no further scans.
It isn't just the casual surfer who is affected by Script Kiddies. Web Site owners are often the target of "vandals", also known as "Web Crackers". Web cracking is a popular Kiddie past-time. These individuals derive great pleasure from making changes to your web site without your knowledge. They access authoring rights to your site by "stealing" your password in a variety of ways. It isn't financially,politically or religiously motivated, it's just vandalism.
A real hacker would not carry out this type of foolishness, this is the realm of the gutless, immature Script Kiddie. It's a bit like that mindless graffitti you see sprayed all over our towns and cities.
In the case of the web site owner, it is imperative that you immediately contact your hosting service as the security of your site has been breached (and therefore probably the whole server). The server's logs record all the activity on your site, and Script Kiddies are notorious for leaving "footprints" behind.
Don't just shrug your shoulders and re-publish your site. What has just occurred to you is cyber-terrorism. There are a number of laws currently being introduced world-wide that will punish cyber-terrorists severely. It is unfortunate the offences are termed cyber-terrorism. In the case of the Script Kiddies it should be called cyber-idiocy. It should carry the death penalty, castration or at least they should be sentenced to a life of using a 386DX40 running Windows 95 rev. A! ;0)
Some other points of contact if your site is attacked are:
National Infrastructure Protection Center. The NIPC are a part of the FBI. On its site, there are forms that you can submit to report any incidents. It also contains up to date information on security threats and advice for ecommerce merchants.
http://www.nipc.gov/
For a more detailed listing of U.S points of contact, The Cybercrime site will have what you need:
http://www.cybercrime.gov/reporting.htm
In Australia, intrusions should be reported to the Australian Federal Police via your local Police Station. Hmmm.....we're a little behind the times methinks!
In the UK, well, I give up....couldn't find a thing except for a lot of talk. Once again, your friendly local bobby could probably help you out. If anyone does have any law enforcement reporting links for the UK or Australia, I'd be grateful for the information and would republish this article with it included.
In most countries, probably the best second point of call after your contacting your hosting service would be the Police.
The Internet community, either surfers, website owners or ecommerce merchants will only stamp out this problem if we actually do something about it. Don't let those valuable firewall logs go to waste. But if you are going to send them, ensure that what you send shows an established pattern of scans originating from the same source - at least 5 entries in a session. Random scans are very hard to track. A topic for another article.
Make it a national sport.....Grill a Kiddie!
ping - Ping is a basic Internet program that lets you verify that a particular IP address (a set of unique identifier numbers, e.g 192.168.0.1) exists and can accept requests
traceroute - Traceroute is a utility that records the path stops through the Internet between your computer and a specified destination computer
Michael Bloch
michael@tamingthebeast.net
http://www.tamingthebeast.net
Tutorials, web content and tools, software and community.
Web Marketing, eCommerce & Development solutions.
Copyright information....If you wish to reproduce this article, please acknowledge "Taming the Beast" by including a hyperlink or reference to the website (www.tamingthebeast.net) & send me an email letting me know. The article must be reproduced in it's entirety & this copyright statement must be included. Thanks. Visit www.tamingthebeast.net to view other great articles FREE for reproduction!
About the Author
Michael is an Australian Information Technologies trainer and web developer. Many other free web design, ecommerce development and Internet articles, tutorials, tools and resources are available from his award winning site; Taming the Beast.net (http://www.tamingthebeast.net)