Attacks on my research server.

posted on Jun, 1 2005 @ 04:22 PM
My research server has been attacked very cleverly. I traced the IP to the United States, then it couldn't trace it the rest of the way; it skipped a few times to one node, backtracked to another node in the UK and then went straight to America. (I am from the UK, so that is my main reason for thinking it could be a UK attack.)

The only things on my research server are reports, info and some government workers' profiles, details etc., also my important telnet BBS details and my entire research database, including pictures from sources.

I personally don't think it was any old hacker, because the entry was aimed directly at specific ports, but I got lucky because my firewall is hardware based and beyond that I have a custom-made firewall to configure every port.

So I think I got lucky, but I am even more paranoid, and my machine doesn't have a root password now; it uses PGP keys instead. Everything is encrypted.

But what I want to know is: who do you think it is? I wouldn't normally ask, but my research is coming to an end, and I get attacked a day before I plan to finish and publish it.

[edit on 1/6/05 by ascended]



posted on Jun, 1 2005 @ 04:35 PM
Some logs would help as far as figuring out who was behind it. As for interpreting traffic aimed at specific ports as an advanced attempt to breach the system, I think that's a bit much. Many canned programs will sweep ranges of IPs looking for specific ports running very specific versions of applications that are susceptible to remote exploits. What ports/services were targeted, btw? It may even have been a virus making the rounds looking for a way to infect the machine.



posted on Jun, 1 2005 @ 05:50 PM
Well, logs I can't give, for my security reasons and the reasons of the people who do connect. 3 ports were attacked: SSH on 456, 1099 FTP, and 31003, my current remote connection port.

Also, I am running my own operating system.

What makes it a deliberate attempt in my book is that every port connection was to common ones I don't use; I changed them. They are ports that are open but tell people access is not allowed.

I configured every port specifically.

I will go through the logs and get the IP for you and post it here if that is allowed.



posted on Jun, 1 2005 @ 05:53 PM
PGP? The government has the master key for all PGP's encryptions, just thought I'd warn you about that. Use BestCrypt, they don't build backdoor keys.
www.jetico.com...



posted on Jun, 1 2005 @ 05:57 PM
I had a very good IP tracker in my Favorites list, but I must have deleted it. It could trace the address of any IP code. I'll keep looking for it, as I'm sure it will help you out.



posted on Jun, 1 2005 @ 06:19 PM
I use NeoTrace; it is what the FBI use, and I never knew the government had a master PGP key.

I will look into BestCrypt, but if worst comes to worst I will make my own.



posted on Jun, 1 2005 @ 06:35 PM
Almost every computer that is connected to the internet is attacked within, I believe, 1 minute. Hackers that are good will usually compromise several systems from which to attack other systems, thus hiding their tracks. Let's say I wanted to attack your system: I might hack into and control 2 other systems in different countries in order to keep law enforcement from working with each other, and then go after your system. You can use a tool called nmap to scan for open ports and then try to exploit the open ports with a tool called Nessus (or multiple other tools) to gain access to your system.



posted on Jun, 1 2005 @ 06:41 PM
Yes, I know of compromising other systems etc. to gain access to others; I have done it in the past for root wars etc., but what got me paranoid was the precision of the attack.

My security is custom and I believe I covered all exploits, or so I would like to think, but most original exploits don't count on my system because, as I stated, I made my own OS.



posted on Jun, 1 2005 @ 07:14 PM
Anytime you have an open port on the internet you are vulnerable. It is impossible to cover all exploits. What you have to use is defense in depth. Have a border router providing basic filtering, then have a hardware firewall adding another layer of security, and then you lock your system down as much as you can and maybe run a firewall on your system. Since you have your own OS that would eliminate most exploits, but you still have open ports.

Let's back up a second: how do you know that someone was able to breach your system? Do your log files show that? Was your data modified or deleted, or did someone manage to install some software on the system?

If you have your own OS, has anyone else helped you work on it that knows about the file structure?



posted on Jun, 1 2005 @ 08:11 PM
I am the only person who worked on it. I have a Nokia firewall, hardware based; I have a router; I also have a firewall on the system itself.

My firewall configures every port, and all ports are closed except the ones I use to connect to it remotely.

Well, right now I am trying to walk through my logs. I had an IP of an attacker attacking specific ports, but the IP leads to nowhere, and some of the log entries are filed wrong. I got scans etc. from last month in this month's folder.

Well, in the morning I will check out the hit counter for logins; if the hits aren't all accounted for when I compare them to the logs, it means that my system has been accessed.

I have completely scanned and checked my system, run a few scans etc.; no software has been installed.

My research hard drive is all passworded, but I don't keep logs on password logins; but I have my own encryption technique for that, so it would take time to break it.

Hmm, well, all I can do in the morning is go through the logs and find out if the discrepancies are my programming faults or if files have been edited. But in the meantime I have taken precautions and locked down my system.

I noticed some typos, sorry for them, but I haven't been getting much sleep. So apologies for bad spelling and grammar.



posted on Jun, 1 2005 @ 08:42 PM
No need to apologize to me. I am curious about your OS. Is it a derivative of Linux or some completely new OS? Please keep me updated; I work in the networking field and enjoy brainstorming problems.



posted on Jun, 2 2005 @ 12:54 AM
If you need any help I will be glad to offer my services. I am well versed in internet security, but I use windows and not your current OS. Anyways if you want some links to the progs I use or any help write back. Here are some links to the progs I use.

www.eeye.com... (Iris, Retina, SecureIIS, Eeye digital security this site has the most useful tools)

www.glocksoft.com...

www.gfi.com...

u2u me if you need more help!



posted on Jun, 2 2005 @ 11:21 AM
Thank you for the links. I have wanted to get more into internet security for a while.

Also, my OS is based on Linux, but I am working on my own programming language; as soon as it is done, my OS will be completely different from any other OS.

I have been checking my coding etc. to see what the error was for the logs, but I found they have been tampered with. An attempt has been made to access my research. But I am grateful my security held up; in the meantime my research is being taken off my server and kept safe somewhere, thank God for my second hard drive.

But my system logs mostly everything; I am checking to see if it got caught by my other logs. After this attack I am inserting some backup logging systems etc.; hopefully it will help.

Also, in a few months my OS will become available to people who request a copy.

The main reason I made my OS is the fact that I wanted something secure in which exploits are not common, and if people try to exploit a system with an exploit that came out, then it won't be in my system, although I do check just in case. It is more or less designed to be a fortress to protect your information, research and anything else that is on it, more or less even just to protect your system etc.



posted on Jun, 2 2005 @ 11:25 AM
Also, if I want to u2u I need 20 posts, so I guess I'd better start posting.



posted on Jun, 2 2005 @ 07:25 PM
I didn't realize you were new to ATS. Welcome, with warm regards. I also didn't know that you needed 20 posts before you could u2u. I should know this, as I am an "ATS veteran" (been here since August 2003).


Anyhoo.... you will make 20 posts in no time. The easiest way to make 20 posts is to post in BTS, because basically it is just for getting to know members and basic chit-chat.

I will try to u2u you and see what happens.



posted on Jun, 3 2005 @ 12:55 AM
How often do you check your firewall logs? It sounds like a script kiddie running a port scan to me. No big deal, it happens all the time. I have absolutely nothing of value on this PC and it gets scanned several times a day.

I run a little utility that uploads my firewall log files to DShield.org once an hour. DShield collects firewall logs from all over the world and compiles them into a huge database to show what ports are the most attacked, what IP address has launched the most attacks, etc. I highly recommend everyone running a firewall (even Zone Alarm) go to DShield, download their small app (it's only like 50k or so) and then run it and help compile data about internet attacks.

Dshield shows a stat called Survival Time. It is the length of time the average, unpatched Windows computer will last on the internet before it is infected by a worm. Yesterday's Survival Time was 84 minutes, and that's fairly high.

The DShield database is used by the Internet Storm Center from SANS to put out security alerts and monitor security trends. They have a 'handler' on duty each day and I highly recommend reading the handler's diary entry every day if you have an internet connected computer.
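The two things this thread keeps circling, a canned scanner sweeping specific ports (many probes from one source in a short window) and the DShield-style rollup of most-attacked ports and sources, can both be pulled out of a firewall log with a short script. The following is an added example, not code from any poster and not DShield's client: it parses iptables-style `DPT=` kernel log lines constructed here for the demo (RFC 5737 TEST-NET addresses), flags a source as a scanner when it hits at least five distinct destination ports within five minutes, and tallies dropped probes per port and per source. The log format, the thresholds and the sample addresses are all assumptions.

```python
"""Firewall log triage: flag port scans and roll up attacked ports/sources.

Added example for this thread, not code from any poster or from DShield.
Assumes iptables-style kernel log lines with SRC=/DST=/PROTO=/DPT= fields;
the sample log below is constructed (RFC 5737 TEST-NET addresses).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sweeps six ports in a few seconds (a scan),
# 198.51.100.9 sends two isolated probes over an hour apart (background noise),
# 198.51.100.20 is a legitimate, accepted remote-admin connection.
SAMPLE_LOG = """\
Jun  1 16:20:01 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=21
Jun  1 16:20:02 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=22
Jun  1 16:20:02 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=23
Jun  1 16:20:03 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=456
Jun  1 16:20:03 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44127 DPT=1099
Jun  1 16:20:04 host kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44128 DPT=31003
Jun  1 16:25:10 host kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5123 DPT=22
Jun  1 16:30:00 host kernel: ACCEPT IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=31003
Jun  1 17:40:00 host kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5124 DPT=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2005):
    """Turn matching log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "action": m["action"], "src": m["src"],
                       "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def detect_scans(events, min_ports=5, window=timedelta(minutes=5)):
    """Return {src: sorted ports} for sources that hit >= min_ports distinct
    destination ports within any window-long span of their dropped packets.

    One dropped packet is noise; many distinct ports from one source in a
    short span is the signature of a scanner (nmap-style sweep or a worm).
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] != "ACCEPT":          # only count blocked probes
            by_src[e["src"]].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        start = 0
        for end in range(len(evs)):          # sliding window over this source's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            scanners[src] = sorted(best)
    return scanners


def summarize(events):
    """DShield-style rollup of dropped packets: (most-hit ports, most active sources)."""
    dropped = [e for e in events if e["action"] != "ACCEPT"]
    top_ports = Counter(e["dpt"] for e in dropped).most_common()
    top_sources = Counter(e["src"] for e in dropped).most_common()
    return top_ports, top_sources


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanners:", detect_scans(evs))
    ports, sources = summarize(evs)
    print("top ports:", ports[:5])
    print("top sources:", sources[:5])
```

Only dropped packets are counted, so an accepted admin login on the remote port never inflates the source's tally; the per-source sliding window is what separates a scan from the odd stray probe that DShield's Survival Time numbers come from.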



posted on Jun, 3 2005 @ 09:41 AM
Open Secret


Originally posted by DiRtYDeViL
pgp? The government has the master key for all pgp's encryptions just thought I'd warn yea about that.

When did that happen? I didn't get the memo.

How, exactly, did they manage to pull that off, given the fact that PGP is an algorithm that has been openly published?

And what is a PGP “master key”?

Never heard of it.

Commercial Security


Originally posted by DiRtYDeViL
Use BestCrypt they don't build backdoor keys.
www.jetico.com...

I would advise explaining how an openly published algorithm reviewed and employed by tens of thousands of people worldwide has been compromised before making commercial product endorsements on ATS.

I'm not saying Rijndael isn't more secure than PGP -- it is.

But I think the charge that the “government has the master key for all pgp's encryptions” is one that you should provide some corroboration for if you plan to push some company's wares on ATSers.

Enquiring minds want to know.



posted on Jun, 3 2005 @ 09:48 AM
Well, till I get solid evidence that the government has PGP, I am tending to keep it in my system.

I can u2u staff but not members till I get 20 posts; I shall have to go to BTS and get to know everyone.


My server was accessed; I have been looking at some modified files.

The reason the edited files didn't work was that the OS runs differently from others, so right now I can't trace who did it, nor know who did it. All I know is an attempt was made to get into my research and they tried making a backdoor on my server. It was a clever modification, but when I ran my compare tool it showed me the edited lines and the added ones.
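The compare tool mentioned above is not on the page. What follows is an added example of the same idea, not the poster's code: a hashed baseline manifest of the tree, sealed with an HMAC under a key kept off the machine (an intruder who can edit the files can edit an unsealed manifest just as easily), then diffed against the live tree to report files added, removed or modified. The directory layout, file contents, names and key are constructed for the demo.

```python
"""File integrity check: hashed baseline manifest vs. the current tree.

Added example for this thread; not the poster's own compare tool. Hashes
every regular file under a root, records path -> size and SHA-256, seals the
manifest with an HMAC under a key kept off the box, and reports files added,
removed or modified since the baseline. The sample tree is constructed here.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file (relative POSIX path) to its size and digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return manifest


def seal(manifest, key):
    """Attach an HMAC so a manifest altered by an intruder fails verification.
    The key must live somewhere the attacker can't reach (offline media)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify(sealed, key):
    """Constant-time check of the manifest's HMAC."""
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(sealed["mac"], expected)


def compare(baseline, current):
    """Added / removed / modified paths between two manifests."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def demo(key=b"constructed-demo-key"):
    """Build a baseline, simulate an intrusion, and diff. Returns the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "firewall.conf").write_text("allow 31003\ndeny all\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF original login")
        sealed = seal(build_manifest(root), key)

        # Simulated intruder: opens an extra port and drops a backdoor binary.
        (root / "etc" / "firewall.conf").write_text("allow 31003\nallow 4444\ndeny all\n")
        (root / "bin" / "bd").write_bytes(b"\x7fELF backdoor")

        if not verify(sealed, key):
            raise RuntimeError("baseline manifest was tampered with")
        return compare(sealed["manifest"], build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline right after the system is built and keep the sealed manifest on the separate drive mentioned earlier in the thread. A hash only tells you which files changed; keeping a copy of the baseline files as well is what gives the line-level "edited and added lines" view the compare tool produced.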



posted on Jun, 3 2005 @ 03:46 PM
I've heard from several different sources that the newer versions of PGP can be cracked by the NSA but the older, patent-infringing ones are safe. I'll dig up some links and post them in a bit. I would recommend GPG over PGP.


