Our reader Dean sent us a screen shot from wireshark, showing a scan for VNC servers from 220.127.116.11 (mail.tehran.agri-jahad.ir). Indeed, this system appears to be a mail server in Iran
220 mail.tehran.agri-jahad.ir Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Fri, 1 Jun 2007 20:54:41 +0330
With all the news about "Russia attacking Estonia", this nicely illustrates the problem in attributing attacks like this. Is the mail server in Iran compromised (my guess)? Who is launching the scan? Is it a random script kiddie, some bot herder, some government? If it is a government, which one?
The packets look the same and there is no way to tell the motivation. Only once your system is compromised, you may be able to figure out why they did it (and I rather skip that step). Honeypots can help, but a more sophisticated attacker would likely realized whats going on. On the other hand, a sophisticated attacker may actually use some simple "script kiddie" tools first, in order to hide out in the noise of bot probes.
One way to figure out what's going on is to check how many others are being "hit" by this same IP address. DShield is your tool to do just that. See http://www.dshield.org/ipinfo.html?ip=18.104.22.168 and you will find a few thousand other targets got hit by the same IP address. And port 5900 (VNC) appears to be the main attack method used!
(NB: rather then wireshark screen shots, we prefer raw packet captures)I will be teaching next: Defending Web Applications Security Essentials - SANS Silicon Valley - Cupertino 2020
Jun 1st 2007
1 decade ago