Web Log - March 5, 2009

Trying to load a story for the Old Pals section (Geoff, thanks for the Moped story!), I kept getting frustrated by the decrepit old PC on which my website resides hanging up on me. Checking the log files showed the reason - some of them were incredibly large at over 70Mb and some were 160Mb-plus. The logs showed repetitive, time-consuming break-in attempts, as the extraction from the logs of 'Failed password' messages shows here.
Obviously I'm vying for time on my own computer with several hackers on the other side of the world who should have no business meddling with my stuff.
There seem to be two types of access attempts, one of which tries various user names from a list in the hopes that a chance coincidence occurs. I would guess from looking at the attempted user names that the list(s) are culled from successful break-ins of other websites.
A variation of this is to persistently try to log in as the site administrator ('ROOT') which I don't think will get far because most website servers are initially set to disallow logging in as the administrator from a remote terminal.
The other type of break-in attempt tries a systematic advance through the alphabet, aa, ab, ac etc. This might seem futile, but it could pay off. The time markers in the logs show that chancing on a four-character user name like 'Fred' only takes about 64 hours, and one individual has used at least 7 hours in the last week doing this on my website machine.
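The sorting-out described in the paragraphs above (pulling the 'Failed password' lines out of the sshd log, grouping them by source address, and telling the list-of-names style apart from the 'root' style and the aa, ab, ac style) can be done with a short script. The one below is an added example, not anything from the original log or website; the log lines in it are constructed to look like sshd's syslog output, the year is assumed to be 2009 because syslog lines carry none, and the 198.51.100.7 and 192.0.2.10 addresses are documentation addresses, not real visitors.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines in syslog format (not the page's own logs).
SAMPLE_LOG = """\
Mar  3 14:02:11 web sshd[2101]: Failed password for invalid user aa from 60.220.218.88 port 41022 ssh2
Mar  3 14:02:13 web sshd[2101]: Failed password for invalid user ab from 60.220.218.88 port 41023 ssh2
Mar  3 14:02:15 web sshd[2101]: Failed password for invalid user ac from 60.220.218.88 port 41024 ssh2
Mar  3 14:02:17 web sshd[2101]: Failed password for invalid user ad from 60.220.218.88 port 41025 ssh2
Mar  3 14:05:40 web sshd[2110]: Failed password for root from 124.160.33.162 port 52001 ssh2
Mar  3 14:05:42 web sshd[2110]: Failed password for root from 124.160.33.162 port 52002 ssh2
Mar  3 14:05:44 web sshd[2110]: Failed password for root from 124.160.33.162 port 52003 ssh2
Mar  3 15:10:01 web sshd[2150]: Failed password for invalid user oracle from 198.51.100.7 port 33010 ssh2
Mar  3 15:10:03 web sshd[2150]: Failed password for invalid user postgres from 198.51.100.7 port 33011 ssh2
Mar  3 15:10:05 web sshd[2150]: Failed password for invalid user webmaster from 198.51.100.7 port 33012 ssh2
Mar  3 15:11:00 web sshd[2160]: Accepted publickey for geoff from 192.0.2.10 port 50000 ssh2
"""

# Matches sshd's 'Failed password' line, with or without 'invalid user'.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2009  # assumed: syslog timestamps have no year


def parse_failed(line):
    """Return (timestamp, user, ip) for a 'Failed password' line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def _alpha_index(name):
    """Position of a lowercase alphabetic name in aa, ab, ac ... order."""
    idx = 0
    for ch in name:
        idx = idx * 26 + (ord(ch) - ord("a"))
    return idx


def classify(users):
    """Guess which guessing style produced this set of user names."""
    names = sorted(set(users))
    if names == ["root"]:
        return "root"
    same_length = len({len(n) for n in names}) == 1
    if len(names) > 1 and same_length and all(n.isalpha() and n.islower() for n in names):
        idx = [_alpha_index(n) for n in names]
        if all(b - a == 1 for a, b in zip(idx, idx[1:])):
            return "sequential"  # aa, ab, ac ... stepping through the alphabet
    return "dictionary"  # a list of likely names, tried in no alphabetic order


def summarize(log_text):
    """Per source IP: number of failures, guessing style, and time span in seconds."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_failed(line)
        if rec:
            per_ip[rec[2]].append(rec)
    summary = {}
    for ip, recs in per_ip.items():
        times = [r[0] for r in recs]
        summary[ip] = {
            "attempts": len(recs),
            "pattern": classify([r[1] for r in recs]),
            "duration_s": int((max(times) - min(times)).total_seconds()),
        }
    return summary


def hours_to_exhaust(name_len, seconds_per_attempt):
    """Hours needed to try every lowercase name of name_len letters at a steady rate."""
    return 26 ** name_len * seconds_per_attempt / 3600


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip:16} {info['attempts']:4} failures  {info['pattern']:10}  span {info['duration_s']}s")
    print(f"All 4-letter names at 0.5 s each: {hours_to_exhaust(4, 0.5):.1f} hours")
```

The time-span figure per address is what shows how long one machine has been hammering away, and hours_to_exhaust lets you put your own observed rate against the size of the name space (26 to the fourth for four lowercase letters) rather than guessing.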
OK, so now I know where the break-ins are coming from. Now what? Obviously the IP addresses of the computer(s) being used vary, so I can't just block them in case an address gets assigned to a legitimate visitor. One suggestion frequently mentioned on anti-spam websites is to write a complaining letter to the Internet Service Provider from which the abuse is originating, so I tracked down a few of them and show a typical example from the PC at 60-220-218-88:
This is just one PC attempting illegal access for seven hours each day for the past two weeks! The logs show several more.
inetnum:      60.220.0.0 - 60.223.255.255
netname:      CNCGROUP-SX
descr:        CNCGROUP Shanxi Province Network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       XH63-AP
remarks:      service provider
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-SX
mnt-routes:   MAINT-CNCGROUP-RR
status:       ALLOCATED PORTABLE
role:         CNCGroup Hostmaster
e-mail:       abuse@cnc-noc.net
address:      No.156,Fu-Xing-Men-Nei Street,
address:      Beijing,100031,P.R.China
nic-hdl:      CH455-AP
phone:        +86-10-82993155
fax-no:       +86-10-82993102
country:      CN
I checked a couple more IPs, for example this one at 124.160.33.162, and guess what? Same company every time!

It turns out that the owner of cnc-noc.net is responsible for unbelievably huge amounts of spam e-mail throughout the world and in fact several bodies in the western hemisphere have tried vainly to shut them down, which the Chinese government refuses to do. E-mails and written letters of complaint are obviously ignored, probably because the ISP is actually in the business of originating spam. Tracking some of the other IP Addresses produces similar companies, most of them in the same province of China, but some in Korea.

The worrying thing is that although cnc-noc.net is widely reported as a spam generator I couldn't find any web references to their hacking activities, and I wonder if many administrators are aware that this company is expending so much effort into trying to gain illegal access into their servers. At the very least, their behaviour ties up an awful lot of my valuable server time.

The problem facing people like me is that we can't just deny access to entire blocks of addresses such as 60.*.*.* because APNIC refers to the entire Asia-Pacific network including not only China and Korea but also Malaya, Indonesia, Australia, New Zealand etc., and I, for one, can't just shut out all the Ozzie family members who emigrated and want to look at my genealogy pages. And if I start blocking the 60.220.*.* group I'll be there all night, every night, trying to sort the bad ones from the good.

So, I went to a lot of trouble shutting down all the external services on the server except the one that serves up webpages to PCs whose IP Address can be verified through the NIC services. You might not realise it, but every time you click on a link on one of my website pages your PC is verified before the page is sent. This is the case with most websites, because attacks like the ones I've been experiencing can come from PCs with IP addresses that cannot be traced to an ISP. There are tens of thousands of entries in my logs for 'Could not reverse map address 124.160.33.162' and others. In fact on the afternoon of March 3rd there were 16,102 attempts in just over four hours.
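For anyone who wants to see what the 'Could not reverse map address' check amounts to, and to count how thick and fast those entries arrive, here is an added example (not code from this website or from sshd): it tallies the reverse-map failures per hour from constructed log lines of that shape, and shows the forward-confirmed form of the check, where the name returned for the address must itself resolve back to that address. The DNS answers are supplied from constructed tables so it runs offline; the two functions that use the real resolver are only reached if you call them.

```python
import re
import socket
from collections import Counter
from datetime import datetime

LOG_YEAR = 2009  # assumed: syslog timestamps have no year

# Constructed log lines shaped like sshd's reverse-mapping complaint (not the page's logs).
SAMPLE_LOG = """\
Mar  3 13:00:02 web sshd[3001]: Could not reverse map address 124.160.33.162.
Mar  3 13:00:04 web sshd[3001]: Could not reverse map address 124.160.33.162.
Mar  3 13:59:58 web sshd[3020]: Could not reverse map address 60.220.218.88.
Mar  3 14:30:10 web sshd[3050]: Could not reverse map address 60.220.218.88.
Mar  3 14:31:11 web sshd[3051]: Accepted publickey for geoff from 192.0.2.10 port 50000 ssh2
"""

NOMAP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Could not reverse map address (?P<ip>[\d.]+)"
)


def reverse_map_failures_per_hour(log_text):
    """Count 'Could not reverse map address' lines in each clock hour."""
    hours = Counter()
    for line in log_text.splitlines():
        m = NOMAP_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        hours[ts.strftime("%b %d %H:00")] += 1
    return hours


# Constructed DNS tables standing in for real PTR and A lookups (documentation addresses).
PTR_TABLE = {
    "192.0.2.10": "visitor.example.net",     # maps back to itself: passes
    "198.51.100.7": "spoofed.example.org",   # name points elsewhere: fails
}
A_TABLE = {
    "visitor.example.net": ["192.0.2.10"],
    "spoofed.example.org": ["203.0.113.9"],
}


def fcrdns_ok(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: ip -> name -> addresses must include ip.

    ptr_lookup(ip) returns a host name; a_lookup(name) returns a list of
    addresses. Either may raise LookupError or OSError when there is no answer,
    which counts as a failed check (the 'could not reverse map' case).
    """
    try:
        name = ptr_lookup(ip)
        addresses = a_lookup(name)
    except (LookupError, OSError):
        return False
    return ip in addresses


def live_ptr_lookup(ip):
    """Real PTR lookup via the system resolver (not used in the offline demo)."""
    return socket.gethostbyaddr(ip)[0]


def live_a_lookup(name):
    """Real forward lookup via the system resolver (not used in the offline demo)."""
    return socket.gethostbyname_ex(name)[2]


if __name__ == "__main__":
    for hour, n in sorted(reverse_map_failures_per_hour(SAMPLE_LOG).items()):
        print(f"{hour}: {n} reverse-map failures")
    for ip in ("192.0.2.10", "198.51.100.7", "124.160.33.162"):
        verdict = "ok" if fcrdns_ok(ip, PTR_TABLE.__getitem__, A_TABLE.__getitem__) else "rejected"
        print(f"{ip:16} {verdict}")
```

Note the third case: an address with no PTR record at all is rejected just like one whose name points somewhere else. Plenty of ordinary home connections have no reverse record, so a check like this trades some legitimate visitors for the quiet it buys; the hourly count is the figure to watch to see whether it is worth it.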

Last night's logs looked a bit threadbare - just somebody looking at the REME group photo and another visitor investigating the family portraits. Hopefully, I've won and welcome visitors will no longer suffer the 'Site Not Available' message due to the server being too busy dealing with these idiots.

Now, back to Geoff's story . . . .