Quite a while has passed since we started logging data about incoming attacks on an Internet-connected system and now we have gathered enough information to show the risks of exposing an unsecured computer on the Web.

Let’s start with some data about the attacks, first where they originate from and later, what they are trying to exploit:


As you can see there are some prevalent countries, but basically most of the attacks originate from either Europe or Asia. What are the attacks attempting to exploit? Here is a list of the attacked ports in order of prevalence.

For those less initiated in the mysteries of networking and services, here is a brief explanation of each port and the name of the associated service:

Port    No. of attacks   Service name
135     42.93%           Microsoft RPC Service
445     19.70%           Microsoft DS Service
139     11.11%           NetBIOS Session Service
23      5.68%            Telnet
1433    3.61%            Microsoft SQL Server
5900    3.50%            VNC Server
22      3.21%            SSH
25      3.07%            SMTP
4899    2.52%            Radmin
2967    1.37%            SSC Agent
8080    1.35%            http-proxy
10000   0.89%            Used by various software apps (Webmin, Sage, Veritas Backup, etc.)
21      0.51%            FTP
3128    0.31%            http-proxy
2968    0.23%            Symantec updates

Besides the “normal” attacks we’ve seen, the longest-running ones are FTP dictionary-based attacks. These can take several minutes or more; in some cases we’ve seen attacks that tried 10,000+ passwords.

Aside from the usual passwords (mostly common names/words) we’ve seen birthdates, comic books/movie characters (anyone fancy Batman, Spiderman or Shrek ? :D ), and even Internet browser names as passwords. As a concern for some admins, some of the commonly used passwords like “q1w2e3r4” were in the lists.
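To make the FTP dictionary attacks described above concrete from the defender's side, here is an added example (not code from the original post or its authors) that flags a source address with many failed logins in a short window and tallies the passwords it tried. The log format is an assumption: a constructed, simplified honeypot record of the form `<ISO timestamp> <source ip> <username> <password> <ok|fail>`; the sample records and the IP addresses are constructed, not real honeypot data.

```python
"""Detect FTP dictionary attacks in honeypot-style login records.

Assumed (constructed) record format, one per line:
    <ISO timestamp> <source ip> <username> <password> <ok|fail>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data); the passwords mirror the kinds
# the post mentions: movie characters, birthdates, browser names, q1w2e3r4.
SAMPLE_LOG = """\
2008-11-03T10:00:00 203.0.113.7 admin batman fail
2008-11-03T10:00:01 203.0.113.7 admin spiderman fail
2008-11-03T10:00:02 203.0.113.7 admin shrek fail
2008-11-03T10:00:03 203.0.113.7 admin q1w2e3r4 fail
2008-11-03T10:00:04 203.0.113.7 admin firefox fail
2008-11-03T10:00:05 203.0.113.7 admin 19841224 fail
2008-11-03T10:07:00 198.51.100.9 alice correcthorse ok
2008-11-03T11:30:00 192.0.2.44 root batman fail
"""

FAIL_THRESHOLD = 5            # failures inside one window that count as an attack
WINDOW = timedelta(minutes=1)  # sliding window length

TOP_ROW = "qwertyuiop"
DIGITS = "1234567890"


def parse(text):
    """Turn the raw log text into (timestamp, src, user, password, success) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, user, password, result = line.split(" ", 4)
        records.append((datetime.fromisoformat(ts), src, user, password, result == "ok"))
    return records


def brute_force_sources(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {src: peak_failures} for sources with >= threshold failures in any window."""
    failures = defaultdict(list)
    for ts, src, _user, _pw, ok in records:
        if not ok:
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def top_passwords(records, n=3):
    """Most common passwords among failed attempts, as (password, count) pairs."""
    return Counter(pw for _t, _s, _u, pw, ok in records if not ok).most_common(n)


def is_keyboard_walk(pw):
    """True for letter/digit zig-zags along the qwerty top row, e.g. q1w2e3r4."""
    if len(pw) < 4 or len(pw) % 2:
        return False
    letters, digits = pw[0::2], pw[1::2]
    i = TOP_ROW.find(letters)
    return i >= 0 and DIGITS[i:i + len(digits)] == digits


def analyze(text=SAMPLE_LOG):
    """Summarize attacking sources and the passwords they tried."""
    records = parse(text)
    return {
        "attackers": brute_force_sources(records),
        "top_passwords": top_passwords(records),
        "keyboard_walks": sorted({pw for _t, _s, _u, pw, ok in records
                                  if not ok and is_keyboard_walk(pw)}),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

The sliding window is what separates a dictionary run from a user mistyping a password a couple of times; tune `FAIL_THRESHOLD` and `WINDOW` to the server's real traffic, and feed the flagged sources to whatever the server uses for temporary blocking.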

As we mentioned in an earlier post, “spam messages” sent to the Windows Messenger Service are still in use. The domain changes, but the idea is the same: trick the user into downloading unwanted software, as you can see below:

As a surprise for us, we received attacks from the well known SQL Slammer worm. After more than five years this SQL thingy is still lurking out there.

A more exotic attack was the one targeting VoIP and PBX services. Even though the number of attacks is low, it still raises concern. Most of them were just scans for services based on SIP protocol using the SIPVicious tool suite.

None of the RPC traffic we observed tried to take advantage of the recently disclosed issue described by Security Bulletin MS08-067. In case you haven’t already done so, you can read more about this issue here.

To conclude, it is important for users connected to the Internet to have really strong passwords in key places, keep all software up to date, and have a good security application installed (Windows Live OneCare and Forefront seem like a good idea, right? :D).

Andrei Saygo && Patrik Vicol