November 22, 2002

Packets from the edge

Some days I am fascinated by the output from the Snort box I run for the purposes of the IDS-Europe mailing list.

It is sitting off in the middle of nowhere on an ADSL line, doesn't really have any content (besides the mailing list and the web site associated with it) and yet it is bombarded with attacks. Best of all, the network it sits on is 100% non-Windows, so why on Earth do you get all these Windows attacks?

The answer is that there is a major sales job for a good database. It all started off as a bit of a joke in 1999 on the GIAC pages at SANS, where a small group of analysts used to post their "catches" pretty much on a daily basis. For some reason at some point I wrote a rant where I was complaining that surely, after two months or so of my 64kbit/s leased line being connected, the script kiddies must have worked out that there were no Windows boxes there. Did they not keep a record? Were years and years of database development wasted?

Well, at some point we started conjecturing that somewhere on the underground there must be a database of scanned sites, and that it would make a great deal of sense for someone to create a public one in the interest of the script-kiddie community and make targeted attacks that much simpler. Think about it: why have your mum complain that instead of doing your homework you are hogging the phone line? You could pick the attack, select the hosts and selectively try "0wn1ng" them. So much better!

Somehow I doubt it has happened. From today's log:


  #    from          to              with
  57   64.4.30.250   195.82.120.110  MS/SQL connection attempt

Now, never mind that there is no MS/SQL on the box and the port is closed, but 57 attacks from the same source to the same target? Are you stupid or what? I mean, if you get an RST the first time, is there not the vague chance that there is nothing listening there?
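The table above is just Snort alerts collapsed by source, destination and signature. As an added example (not code from the original post or from Snort itself), here is a small parser for Snort's fast-alert format that builds that summary and picks out sources that keep hammering one target with the same signature; the sample alert lines are constructed, and the rule id and message text are placeholders rather than real Snort rules.

```python
import re
from collections import Counter

# Snort "fast" alert line (-A fast), roughly:
#   TIMESTAMP  [**] [GID:SID:REV] MSG [**] [Classification: X] [Priority: N] {PROTO} SRC:SPT -> DST:DPT
# Classification, Priority and the ports are optional (ICMP alerts carry no ports).
FAST_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.+?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?'
    r'\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?'
    r'\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None

def summarise(lines):
    """Collapse alerts into (count, src, dst, msg) rows, busiest pair first."""
    counts = Counter()
    for line in lines:
        rec = parse_fast_alert(line)
        if rec:
            counts[(rec['src'], rec['dst'], rec['msg'])] += 1
    return sorted(((n, s, d, m) for (s, d, m), n in counts.items()), reverse=True)

def persistent_sources(rows, min_count):
    """Rows where one source hit one target with the same signature at least min_count times."""
    return [r for r in rows if r[0] >= min_count]

def render(rows):
    """Print the summary in the '# from to with' layout used in the post."""
    out = ['#    from             to               with']
    out += [f'{n:<4} {s:<16} {d:<16} {m}' for n, s, d, m in rows]
    return '\n'.join(out)

# Constructed sample alerts (not real log lines); the addresses are the ones in the table above.
SAMPLE = [
    '11/22-09:14:02.123456  [**] [1:9000001:1] MS/SQL connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 64.4.30.250:3301 -> 195.82.120.110:1433',
    '11/22-09:14:05.654321  [**] [1:9000001:1] MS/SQL connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 64.4.30.250:3302 -> 195.82.120.110:1433',
    '11/22-09:14:09.000001  [**] [1:9000001:1] MS/SQL connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 64.4.30.250:3303 -> 195.82.120.110:1433',
    '11/22-09:20:41.111111  [**] [1:9000002:1] ICMP PING [**] [Priority: 3] {ICMP} 10.0.0.9 -> 195.82.120.110',
    'this line is not an alert and is ignored',
]

if __name__ == '__main__':
    print(render(summarise(SAMPLE)))
```

Feed it the real alert file and raise the threshold to taste; a source that retries a closed port dozens of times is exactly the pattern the post is laughing at.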

Then people wonder when you tell them that most "hackers" (in the most erroneous interpretation of the word) are clueless.

Posted by arrigo at November 22, 2002 10:10 AM