After last month's article on zero-tolerance for attacks, our site was attacked because we take this position. This month's article is the story of the attacks and the story behind the story.
To begin at the beginning, we normally encounter about one unauthorized attempted telnet into our site per day. We block it before it gets to the login prompt and send email to the administrator (postmaster) at the site from which the attempted telnet took place. Here's the mail we send:
If more telnets come from your site, this may indicate a more serious attempted entry originating from your site, and should be followed up in more depth and more quickly.
This message is generated automatically at the time of the attempted entry and is sent to our administrators and the postmaster at the machine making the attempt. We have included any information provided by your ident daemon (if in use) on the subject line of this message. We also do a reverse finger and traceroute to help track down individuals involved.
Fred Cohen - email@example.com - tel:US+216-686-0090
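The automated notice described above, as an added example that is not code from the original article: it parses a tcp_wrappers-style refusal line and an ident reply, derives the postmaster address from the source host, and puts the ident user on the subject line. The log line, ident reply and local administrator address are constructed placeholders; the reverse finger and traceroute the article mentions are not reproduced here.

```python
import re

# Constructed sample input: one wrapper-style refusal and one RFC 1413 ident reply.
SAMPLE_LOG = "Mar 14 03:12:55 gw telnetd[2213]: refused connect from pc42.example.net"
SAMPLE_IDENT = "2213 , 23 : USERID : UNIX : jdoe"

LOG_RE = re.compile(r"(?P<service>\w+)\[\d+\]: refused connect from (?P<host>\S+)")
IDENT_RE = re.compile(r":\s*USERID\s*:\s*[^:]+?\s*:\s*(?P<user>\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_refusal(line):
    """Return (service, host) from a refusal line, or None if the line is not one."""
    m = LOG_RE.search(line)
    return (m.group("service"), m.group("host")) if m else None

def ident_user(reply):
    """User name from an ident reply; None when the daemon answered ERROR or nothing."""
    m = IDENT_RE.search(reply or "")
    return m.group("user") if m else None

def postmaster_for(host):
    """postmaster@<host>; a bare IP literal has no domain to mail without a reverse lookup."""
    return None if IPV4_RE.match(host) else "postmaster@" + host

def build_notice(line, ident_reply=None, local_admin="security@ourdomain.example"):
    """Compose the notice sent to our administrators and the remote postmaster."""
    parsed = parse_refusal(line)
    if parsed is None:
        return None
    service, host = parsed
    user = ident_user(ident_reply)
    subject = f"Attempted {service} from {host}" + (f" (ident: {user})" if user else "")
    recipients = [a for a in (postmaster_for(host), local_admin) if a]
    body = (
        f"An unauthorized {service} attempt from {host} was blocked before the login "
        "prompt. If more attempts come from your site, this may indicate a more serious "
        "attempted entry originating from your site and should be followed up.\n"
        "This message was generated automatically at the time of the attempt."
    )
    return {"to": recipients, "subject": subject, "body": body}

if __name__ == "__main__":
    print(build_notice(SAMPLE_LOG, SAMPLE_IDENT))
```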
Some people have commented that this message is accusatory and that it indicates that an attack has taken place when one has not. When I talked to other security administrators from big companies, they told me that people see what they want to see. Some people will call any message abusive. Of the people who called this abusive, at least one of them was also performing port scans of our site (commonly used as a prelude to break-ins) and another was using forged email to convey the message.
After we tracked down one person who attempted some telnets, we got the following response in email:
Subject: Who the Hell are You?

I don't care if you coined "computer virus". I can telnet into whatever I want. Don't be writing me back here again. I WILL get into your system. Feel free to write me back for any other complaints you have to give to me. Bee-ach!!!!!
The systems administrator at that site took this seriously and the individual apologized, but within a day of that incident, we started to see an increase in telnets into our site - ten the next day, twenty the next, then between midnight and 6AM on the next day, we got over 800 attempted telnets from sites from all over the world.