Web Hosting Talk

Attempted Chinese hack?


toggle
05-10-2001, 08:12 PM
I started working on setting up my first Website, virtually hosted, about a week ago. I've been playing with CPanel daily and noticed yesterday that I had a visitor from 61.133.102.XXX. I checked their IP on ARIN and got this info...

inetnum 61.133.102.128 - 61.133.102.255
netname SD160
descr Shandong Telecom 160 Info. Station
country CN
admin-c DS95-AP, inverse
tech-c DS95-AP, inverse
mnt-by MAINT-ZXF, inverse
changed zxf@sdinfo.net 20010319
source APNIC


person Data Communication Bureau Shandong, inverse
address No.77 Jingsan Road,Jinan,Shandong,P.R.China
country CN
phone +86-531-6052163
fax-no +86-531-6052245
e-mail http://www.apnic.net/apnic-bin/whois2.pl?results=all&key=ip%40sdinfo.net, inverse
nic-hdl DS95-AP, inverse
mnt-by MAINT-ZXF, inverse
changed zxf@sdinfo.net 20010206
source APNIC

The weird thing is that I haven't given the domain out to anybody except the person setting it up with me. I know it's public record and all, but yesterday's visitor is the only one who's been to the site beside me and the other person.

I thought the Chinese hacker attacks we'd been hearing about were just overblown hype from the press and China itself. But now I'm wondering if this is what this was. I know nothing about the service provider above and am not intending to impute their name. It's just kinda weird. Whoever it was, they got an Error 400. I wonder what's the most likely reason why...
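The whois lookup above is the right first step when an unknown IP shows up in the logs. As an added example (not code from the poster), here is a small Python script that parses a pasted APNIC-style record, strips the "inverse" link labels that the web whois form appends, and checks whether a visitor address actually falls inside the inetnum range. The record is a copy of the one quoted above; since the poster masked the last octet, the address tested (61.133.102.200) is a constructed value.

```python
"""Parse a pasted APNIC-style whois record and check whether a visitor IP
falls inside the inetnum range it describes.

Added example for this thread, not the poster's code. The record below is
the one quoted in the post; the visitor's last octet was masked, so a
constructed value (200) is used for the check."""
import ipaddress
import re

# Copy of the whois text quoted above. The trailing ", inverse" labels are
# link text from the web whois form and are stripped during parsing.
WHOIS_TEXT = """\
inetnum 61.133.102.128 - 61.133.102.255
netname SD160
descr Shandong Telecom 160 Info. Station
country CN
admin-c DS95-AP, inverse
tech-c DS95-AP, inverse
mnt-by MAINT-ZXF, inverse
changed zxf@sdinfo.net 20010319
source APNIC
"""


def parse_whois(text: str) -> dict:
    """Split 'key value' lines into a dict, dropping ', inverse' link labels."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = re.sub(r",\s*inverse$", "", value).strip()
        record[key] = value
    return record


def inetnum_range(record: dict):
    """Turn an 'a.b.c.d - w.x.y.z' inetnum into (start, end) IPv4Address objects."""
    start, end = (p.strip() for p in record["inetnum"].split("-"))
    return ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)


def ip_in_record(ip: str, record: dict) -> bool:
    """True if ip lies inside the record's inetnum range (inclusive)."""
    start, end = inetnum_range(record)
    return start <= ipaddress.IPv4Address(ip) <= end


def summarize(ip: str, text: str = WHOIS_TEXT) -> str:
    """One-line verdict: is the IP inside the block, and who is the block assigned to."""
    rec = parse_whois(text)
    start, end = inetnum_range(rec)
    # summarize_address_range yields the CIDR block(s) covering the range
    cidrs = ", ".join(str(n) for n in ipaddress.summarize_address_range(start, end))
    verdict = "inside" if ip_in_record(ip, rec) else "outside"
    return (f"{ip} is {verdict} {rec['inetnum']} ({cidrs}); "
            f"{rec['netname']}, {rec['descr']}, country {rec['country']}")


if __name__ == "__main__":
    print(summarize("61.133.102.200"))  # constructed last octet
```

The range check matters because a /25 like this one is small: an address such as 61.133.102.5 is outside it and would belong to a different record, so a lookup on the masked prefix alone would misattribute it.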

Phoenix
05-10-2001, 10:29 PM
One of our customers got hax0red as part of this hacking war between a group of US hackers and their counterparts in China.

A web host co-located in our NOC was running IIS on his mail server for the convenience of one of his clients.

It was a pretty standard hacking attack. He got port scanned three times and then they got in and put up a page with a red background, a little animated Chinese flag, and a message to the effect of "Down with American hegemony".

It's cost him a lot of time because we had to take the server off the network until he did a root compromise recovery, and he's spent a lot of time in the NOC fixing it.

These hacker attacks are real, doing real damage to people's servers, and they got in wherever they could.

It's unlikely that this visitor was related to it, as they were portscanning and using a known security hole in IIS. Only sites hosted on NT servers running IIS were at risk.
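The "port scanned three times and then they got in" sequence described above is the part a host can actually see coming. As an added example (not code from any poster here), the Python script below runs a simple scan detector over packet-filter log lines: a single source that touches many distinct destination ports within a short window is flagged. The log format is a constructed, simplified one ('epoch src dst port flag'), and both sample addresses are documentation ranges, not real hosts.

```python
"""Flag port-scan activity in packet-filter log lines: one source hitting
many distinct destination ports within a short window.

Added example for this thread, not code from any poster. The log format is
a constructed, simplified one: '<epoch> <src_ip> <dst_ip> <dst_port> <flag>'."""
from collections import defaultdict

# Constructed sample: one source sweeps ten ports in four seconds, a second
# source makes two ordinary web requests a minute apart.
SAMPLE_LOG = """\
988000000 203.0.113.9 192.0.2.10 21 SYN
988000000 203.0.113.9 192.0.2.10 22 SYN
988000001 203.0.113.9 192.0.2.10 23 SYN
988000001 203.0.113.9 192.0.2.10 25 SYN
988000002 203.0.113.9 192.0.2.10 53 SYN
988000002 203.0.113.9 192.0.2.10 79 SYN
988000003 203.0.113.9 192.0.2.10 80 SYN
988000003 203.0.113.9 192.0.2.10 110 SYN
988000004 203.0.113.9 192.0.2.10 111 SYN
988000004 203.0.113.9 192.0.2.10 143 SYN
988000050 198.51.100.7 192.0.2.10 80 SYN
988000090 198.51.100.7 192.0.2.10 80 SYN
"""


def parse_log(text):
    """Parse log lines into (ts, src, dst, port, flag) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, flag = parts
        events.append((int(ts), src, dst, int(port), flag))
    return events


def detect_scans(events, window=60, min_ports=8):
    """Return {src_ip: (distinct_ports, first_ts, last_ts)} for every source
    that touches at least min_ports distinct ports within any span of
    'window' seconds. A sliding window is kept per source over time-sorted
    events, so a slow sweep spread over hours is not merged into one hit."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _flag in sorted(events):
        by_src[src].append((ts, port))

    hits = {}
    for src, recs in by_src.items():
        left = 0
        counts = defaultdict(int)  # port -> occurrences currently inside the window
        for ts, port in recs:
            counts[port] += 1
            # slide the left edge forward until everything is within 'window'
            while recs[left][0] < ts - window:
                old_port = recs[left][1]
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
                left += 1
            distinct = len(counts)
            if distinct >= min_ports:
                prev = hits.get(src)
                if prev is None or distinct > prev[0]:
                    hits[src] = (distinct, recs[left][0], ts)
    return hits


if __name__ == "__main__":
    for src, (n, first, last) in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {n} distinct ports in {last - first}s")
```

The thresholds (60 seconds, 8 ports) are starting points; a host that legitimately serves many ports to one client will need them tuned, and a flagged source is a reason to check what followed the scan in the logs, which is exactly the "scanned, then got in" pattern above.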

BC
05-11-2001, 08:42 AM
I've removed the majority of the posts in this thread as it suddenly turned into a personal flame war bordering on the ridiculous.

This thread is now re-opened, but I would ask that everyone stay on-topic and provide some constructive viewpoints.

If you have some steam to let off, this certainly isn't the place for it because the posts will be immediately removed.

Thank you for your co-operation.

P.S. This has also been moved to a slightly more appropriate forum..........

huck
05-11-2001, 11:57 AM
Hacked in 15 Minutes
I have heard people claim that they have seen Linux boxes hacked in less than 15 minutes after being on the net. Though I have never been hacked that quickly, I did have a box on the net for only 24 hours before someone tried to drop a rootkit in via anonymous ftp.

I have a Linux box that is simply used for internal dev work -- although we do need outside access to it so we do not have it behind our firewall. The box doesn't have a domain name, has never been advertised, etc, but we get people trying to exploit telnet, ftp, and other problems on a daily basis. Rarely do we see brute force portscans, but the machine still gets hit by the script kiddies frequently.

Portscanning Made Easy
There are a number of easy-to-use security scanners out there that script kiddies and serious hackers alike use. Recently, I saw a portscanner that uses a list of machines to act as innocent relays, thus masking the real attacker's IP.

People Scanning vs. People Securing
Aside from the recent real rise in Chinese-based hacking attempts, there are some other simple trends leading to an increased number of hacks. The first is the increased availability of high bandwidth connections in the home. The second is an increasing number of sophisticated but easy-to-use security/exploit scanners. The third is that serious processing power is inexpensive.

Scan Yourself
I would recommend using the Nessus scanner on your server. This is a good first pass at securing your machine and will help you target many of the exploits that hackers use. Many hackers are looking for quick easy exploits -- if you plug these up, they will move onto easier prey.

You can find nessus at:
http://www.nessus.org/
Intro to Nessus
http://www.linuxsecurity.com/feature_stories/feature_story-86.html


A look at web page defacement statistics:
http://www.attrition.org/mirror/attrition/os-graphs.html


Good first starts at armoring your server:
http://www.enteract.com/~lspitz/papers.html

Honeypot Project: Good archive of what different types of scans look like.
http://project.honeynet.org/scans/