
SANS ISC InfoSec Forums: Attributing Attacks


Attributing Attacks
Our reader Dean sent us a Wireshark screen shot showing a scan for VNC servers from 213.176.81.229 (mail.tehran.agri-jahad.ir). Indeed, this system appears to be a mail server in Iran:

220 mail.tehran.agri-jahad.ir Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 1 Jun 2007 20:54:41 +0330

With all the news about "Russia attacking Estonia", this nicely illustrates the problem of attributing attacks like this. Is the mail server in Iran compromised (my guess)? Who is launching the scan? Is it a random script kiddie, some bot herder, some government? If it is a government, which one?

The packets look the same and there is no way to tell the motivation. Only once your system is compromised may you be able to figure out why they did it (and I would rather skip that step). Honeypots can help, but a more sophisticated attacker would likely realize what's going on. On the other hand, a sophisticated attacker may actually use simple "script kiddie" tools first, in order to hide in the noise of bot probes.

One way to figure out what's going on is to check how many others are being "hit" by this same IP address. DShield is your tool to do just that. See http://www.dshield.org/ipinfo.html?ip=213.176.81.229 and you will find that a few thousand other targets were hit by the same IP address. And port 5900 (VNC) appears to be the main attack method used!
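The DShield lookup above answers two questions about a source: how many distinct targets has it touched, and is one destination port dominating. The script below is an added example (not ISC or DShield code) that applies the same correlation to your own firewall logs: it aggregates per-source hit counts, distinct targets and the dominant port, then labels a source as a broad automated sweep versus a single-target event using the reasoning from the post. The log format (`src= dst= dport= proto=` fields) and the sample lines are constructed for the example; only the scanning address is taken from the post.

```python
"""Profile scan sources across many targets, DShield-style (added example)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample firewall log lines. The field layout is an assumption;
# adapt LINE_RE to whatever your firewall actually emits.
SAMPLE_LOG = """\
2007-06-01T20:50:01Z src=213.176.81.229 dst=192.0.2.10 dport=5900 proto=tcp
2007-06-01T20:50:02Z src=213.176.81.229 dst=192.0.2.11 dport=5900 proto=tcp
2007-06-01T20:50:02Z src=213.176.81.229 dst=192.0.2.12 dport=5900 proto=tcp
2007-06-01T20:50:03Z src=213.176.81.229 dst=198.51.100.7 dport=5900 proto=tcp
2007-06-01T20:50:03Z src=213.176.81.229 dst=198.51.100.7 dport=5901 proto=tcp
2007-06-01T20:51:10Z src=198.51.100.250 dst=192.0.2.10 dport=25 proto=tcp
2007-06-01T20:51:11Z src=198.51.100.250 dst=192.0.2.10 dport=25 proto=tcp
2007-06-01T20:52:00Z src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
this line is malformed and must be skipped, not crash the report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class SourceProfile:
    src: str
    hits: int            # total records from this source
    targets: int         # distinct destination addresses
    top_port: int        # most frequently probed destination port
    top_port_share: float  # fraction of hits that went to top_port


def parse_log(text):
    """Yield (src, dst, dport) tuples; silently skip lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def profile_sources(records):
    """Aggregate records into a SourceProfile per source address."""
    hits = Counter()
    targets = defaultdict(set)
    ports = defaultdict(Counter)
    for src, dst, dport in records:
        hits[src] += 1
        targets[src].add(dst)
        ports[src][dport] += 1
    profiles = {}
    for src, n in hits.items():
        port, count = ports[src].most_common(1)[0]
        profiles[src] = SourceProfile(src, n, len(targets[src]), port, count / n)
    return profiles


def classify(profile, min_targets=3, min_share=0.6):
    """Many distinct targets plus one dominant port is the signature of an
    automated sweep; repeated hits on a single host are either targeted or
    ordinary background noise and need a closer look. Thresholds are
    illustrative, not DShield's."""
    if profile.targets >= min_targets and profile.top_port_share >= min_share:
        return "broad sweep"
    if profile.targets == 1:
        return "single target"
    return "mixed"


if __name__ == "__main__":
    for p in profile_sources(parse_log(SAMPLE_LOG)).values():
        print(f"{p.src:16} hits={p.hits:3} targets={p.targets:3} "
              f"top_port={p.top_port} ({p.top_port_share:.0%}) -> {classify(p)}")
```

Run against a real log, the "broad sweep" bucket is the one to compare against DShield's view of the same address: if thousands of other sensors see the same port from the same source, you are looking at noise or a bot rather than something aimed at you. The thresholds are starting points; tune them to your sensor count.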

(NB: rather than Wireshark screen shots, we prefer raw packet captures.)

Johannes

ISC Handler
