what to do if connected to the attacker's port???

Discussion in 'other security issues & news' started by adiel, Mar 3, 2003.

Thread Status:
Not open for further replies.
  1. adiel

    adiel Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    37
    Last night I was attacked on port 1080....usually I ignore such attacks...and let ZoneAlarm take care of these things...but that guy was probably mad. He tried every possible way to connect on port 1080..so after an hour of this continuous threat...I started TDS-3 and tried to TCP connect to that attacker (with nothing in my mind, I was just angry at these attempts)
    and to my surprise after trying some ports randomly I was connected at port 1025 of the attacker.
    But as I don't know much about this TCP connection..I just kept sending him messages...I don't know if it did anything good or not.

    so I was just curious...what could I have done to give him a lesson o_O
    is there any way that if I am connected to an attacker's port..then I can do something so he would never come back??
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    You really don't want to try to "teach anyone a lesson" on the Internet and here's some of the reasons why...

    First, if that person was actually a skilled hacker, which is doubtful, but let's go with it for a moment, then they would probably know a whole lot more than any of the rest of us do regarding attacks. Any counter "attack" against them simply gets their attention. Trust me, you don't want to draw a real hacker's attention to yourself, "for they are subtle and quick to anger." :D

    Second, you are probably using an ISP that has its own TOS that states that you may not use their network interface to hack others. It's probably an offense that could get your service terminated.

    Third, if that IP address was simply hitting your port 1080 over and over, in spite of not getting connected on the first attempt, then that was probably not an "attack" but rather some application that was trying to connect to a service it expected at that port, on that (your) IP address. Most likely, it's just a poorly written application that should have timed out after a few failed attempts.

    Fourth, (and final for now, though there are many more reasons), what if they are running firewalling and logging software, and what if they report inbound attempts to various abuse lists? What if they report your attempts to connect to them? :eek:

    As tempting as it is to go after probes that come against your system, the best thing to do is either ignore it, you have a firewall, you are protected, or subscribe to a reporting system like myNetWatchman. They take reports from all over the Internet and consolidate the information and their reports of abuse are often listened to and acted upon. (It's like "Community Policing".)

    Hope that helps,
    LowWaterMark
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Adiel,
    is 1080 not one of the common proxy ports, so trying to route via you as a proxy maybe?
    As they were blocked, you were protected, nothing happened.

    Anyway, if there had been a portscanner, and you are doing a Resolve, Traceroute or interrogate scan to them, they know you are aware of them already.
    Depending how i feel i prefer the UDP broadcast, which is easier, on the open ports found and sending something nice. If it's persistent, ok, you have their ISP to send a complaint to their abuse and even in that i stay nice and ask them to help out their user who might be abused by a third party himself or lost the way.
    Spares energy, irritation, frustration, angry wrinkles in your face and a possible bad response from a mad hacker or scriptkid.
    You have TDS at hand, you know it teaches us security can be really fun!
     
  4. controler

    controler Guest

    Here are a couple of pages that list all the ports and what common trojans use them for.

    http://www.simovits.com/trojans/trojans.html

    http://www.sans.org/resources/idfaq/oddports.php

    Then I hope someone ***wink *** will post the common ports windows uses and their purpose.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  6. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    The TDS manual lists what actions could be taken, but as mentioned before by others it is wise not to anger anyone.
    100% failsafe protection is a dream no matter how secure you think you are.
    So the last thing anyone would want is to aggravate anyone enough to make him/her see a challenge in proving you wrong.
    These guys are looking for easy prey and will quickly go elsewhere to wreak havoc, but don't you dare challenge them, as you surely will pay the price if the attacker is the right one and challenged on top of that.
     
  7. adiel

    adiel Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    37
    I was continuously attacked for about 2 hours..no application would do this.
    I could see that person was trying from so many different ports to connect on 1080.
    Ok forget about teaching a lesson...but at least if someone tries this at me...I should know something to do in that case so that the possible hacker should realize that I know about him...something more than just pinging or traceroute...I believe most hackers have this in mind that their attempts can be logged...so can't they spoof their IP o_O am I right about this??

    Thanks Mr Jooske for your tips.

    and thanks for the links...i will check all these links.
     
  8. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I have had a similar event happen to me.
    Persistent scans from a particular address.

    I scanned back.

    But to go further than that you have you to weigh all the variables.
    What if that person reports you?
    Mickey brings up a very important point.
    What if an experienced hacker is on the other end of the connection? That could be real TROUBLE waiting to happen!
    I have been in some web "places" where hackers have "booted" surfers and worse!
    These type of people are more easily found than you might expect.
    And all too often they know exactly what they are doing!
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Are you saying that because the remote port (source port on their system) changed in the various connection attempts they made to you, that you think an application would not be doing that? That is exactly how applications work. Very often the source port changes (often it just increments, but can also vary in other ways) as the application tries to connect.

    The reason that I believe that this was not a real intruder is that from the very first attempt, it would be obvious to an active intruder that your port 1080 was not going to respond. Hitting it over and over does not get them in. They know this.

    If this was an attack, it was a pretty pointless one. A port won't "break" because of repeated connection attempts. It's either open (available to be connected to) or closed (not available). It can not be broken into from the outside if closed.
    It's more complicated than this. Yes, a form of attack does use a fake source IP address, but, then the "attacker" never sees any result of their attack and you'd never know who they were. Mostly only denial of service attacks would use a fake IP address.

    Even leaving aside the teaching a lesson point, there is still no active thing you can do that will communicate to an attacker - "hey you - I see you - you'd better stop this." It just doesn't work that way. The "best" way to deal with these is either a service like myNetWatchman or ignoring them, unless you plan to become a hacker yourself. And even then, there is always someone more skilled and more dangerous out there... Getting noticed by real attackers is not good!
     
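As an added illustration of LowWaterMark's point above about source ports stepping up on each retry (this is example code written for this page, not from the thread or from TDS, ZoneAlarm or Port Explorer): a small Python triage script that groups blocked inbound attempts in a personal-firewall log by source address, tells one client retrying a single port with a climbing source port apart from a multi-port scan, and produces the kind of summary you would attach to an abuse report. The log layout and the addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (invented for this example, not a real log) in a ZoneAlarm-like
# layout: action,date,time,source ip:port,destination ip:port,protocol
SAMPLE_LOG = """\
FWIN,2003/03/02,23:10:01,203.0.113.45:1025,198.51.100.7:1080,TCP (flags:S)
FWIN,2003/03/02,23:10:04,203.0.113.45:1026,198.51.100.7:1080,TCP (flags:S)
FWIN,2003/03/02,23:10:07,203.0.113.45:1027,198.51.100.7:1080,TCP (flags:S)
FWIN,2003/03/02,23:12:30,192.0.2.9:4444,198.51.100.7:135,TCP (flags:S)
FWIN,2003/03/02,23:12:31,192.0.2.9:4444,198.51.100.7:139,TCP (flags:S)
"""

LINE_RE = re.compile(r"^FWIN,(\d{4}/\d{2}/\d{2}),(\d{2}:\d{2}:\d{2}),([\d.]+):(\d+),([\d.]+):(\d+),")

def parse_log(text):
    """Turn blocked-inbound lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, clock, src, sport, dst, dport = m.groups()
        events.append({"ts": datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S"),
                       "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)})
    return events

def summarize(events):
    """Group by source IP and label the pattern: 'retry' (one target port, source port climbing
    on each attempt, as a client retry loop does), 'scan' (several target ports) or 'other'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        dports = sorted({e["dport"] for e in evs})
        sports = [e["sport"] for e in evs]
        climbing = len(sports) > 1 and all(b > a for a, b in zip(sports, sports[1:]))
        if len(dports) == 1 and len(evs) >= 3 and climbing:
            kind = "retry"
        elif len(dports) > 1:
            kind = "scan"
        else:
            kind = "other"
        # First/last timestamps and attempt count are what an abuse desk asks for.
        report[src] = {"kind": kind, "attempts": len(evs), "dports": dports,
                       "first": evs[0]["ts"].isoformat(), "last": evs[-1]["ts"].isoformat(),
                       "seconds": int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds())}
    return report
```

Running `summarize(parse_log(SAMPLE_LOG))` labels 203.0.113.45 as a retry loop against 1080 and 192.0.2.9 as a scan; real logs need the regex adjusted to the firewall's own line format.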
  10. adiel

    adiel Registered Member

    Joined:
    Jan 29, 2003
    Posts:
    37
    hmmmm..thanks for the advice.. i will keep this in mind :)
     
  11. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    I follow the safest road and pull the plug out of the wall for 20 mins :)
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    >Thanks Mr Jooske for your tips.

    Mrs please :)

    TDS and PE give me for 1080 SOCKS - Proxy, RAT: WinHole, Broser

    If you open in TDS > Network > TCP Port Listen, on that 1080 see what it's trying to send. Your firewall protects you so nothing happens. Or if you have Port Explorer you can sniff the packets too.
    In case you would report to their abuse you can copy such as proof. Could help them to locate the malfunctioning application somewhere.

    Closing the internet connection several minutes helps in many cases too, even if you get back with the same IP.
     
  13. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Float like a butterfly, sting like a bee.

    Paste the IP address into TDS and then hit 'em hard and often:
    1) Interrogate
    2) TCP Inspector
    3) Trojan Port Scan
    4) Targeted Port Scan
    5) Remote Port Scan
    6) Backdoor knock

    For starters.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Zappa,
    you have Screx installed and running?
    There are some more nice emulators like Jazzie's (shipped both with TDS scripts)

    I like to change passwords as well, even though it's just for netbus but just in case.
    But stay nice as long as possible.

    You could detect availability of msagents on their system (tests included in the software of msagent) and have one jump up with a warning message. Needs to be scripted still.
     
  15. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Hello Jooske,

    Presently, I have InnerPeace loaded. :D

    Sometimes there is a need to say someone is home and the lights are still on.

    Just an attempt to give some information that answers the question more to the point.

    Here to help at all times. :D
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Somewhere in the private forum must be a link to my CokeMachine script, which you can configure further at wish. The "helpfile.exe" part of it for instance is a desktop helper, voice commanded, which you can edit yourself for the proper links inside. (using MASH or wordpad, MASH might solve a possible language problem too for the voice commands)
    Can you imagine the effect if you would be able to have that thing play InnerPeace on an attacker's system?

    In the days the whole world was upside down since 9/11 it was only that TDS voice saying the things we're used to, that was at least something!
    I like creating fun scripts, have bunches of them, not to mention the over 300 agent characters I collected to play them with.
    It's good TDS has the speech included to alert for connection requests etc. You can do so much with that combination, till switching on the lights and picking up the phone, etc etc.
     