11/9/2009
Pretty quiet weekend. I spent some time going over the reports created by the Cisco ASA. Nothing much, the usual Chinese scans. I was looking at the allowed traffic and noticed that my allowed traffic had an interesting pattern in it. You know me, I like patterns :) Look below. The patterns are circled 1, 2 and 3. It keeps repeating.

When I looked at the details I noticed it was on port 8200 and the organization was Citrix, LLC. That was the giveaway. A quick check confirmed that GoToMyPC was installed on a PC that was sending on this port. Apparently it's like a heartbeat for GoToMyPC. Very interesting all the same. The point here is that if you start to see repeating patterns, they are always worth investigating.
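Spotting a heartbeat by eye works on a chart; the same check can be scripted against the ASA "Built connection" messages. The block below is an added example, not code from the post: it parses constructed lines modelled on Cisco ASA syslog (message 302013), groups connections by client, server and server port, and flags flows whose inter-connection gaps are nearly constant. The 300-second interval for the port 8200 flow, the IP addresses and the log lines themselves are all invented for the example; the post does not state GoToMyPC's actual heartbeat period.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Matches the "Built inbound/outbound TCP connection" line (ASA message 302013).
BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*Built (?P<dir>inbound|outbound) "
    r"TCP connection \d+ for \w+:(?P<ip_a>[\d.]+)/(?P<port_a>\d+) \([^)]*\) "
    r"to \w+:(?P<ip_b>[\d.]+)/(?P<port_b>\d+)"
)

# Constructed sample log, modelled on Cisco ASA syslog; it is not from the post.
# 10.1.1.25 reaches 203.0.113.10:8200 every 300 s (an assumed heartbeat interval),
# its port 80 traffic is irregular, and one Deny line is present to be skipped.
SAMPLE_LOG = """\
Nov 09 2009 08:00:00 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/8200 (203.0.113.10/8200) to inside:10.1.1.25/49152 (10.1.1.25/49152)
Nov 09 2009 08:01:13 %ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.25/49153 (10.1.1.25/49153)
Nov 09 2009 08:02:00 %ASA-4-106023: Deny tcp src outside:192.0.2.99/51234 dst inside:10.1.1.25/22 by access-group "outside_access_in"
Nov 09 2009 08:05:00 %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.10/8200 (203.0.113.10/8200) to inside:10.1.1.25/49154 (10.1.1.25/49154)
Nov 09 2009 08:09:47 %ASA-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.25/49155 (10.1.1.25/49155)
Nov 09 2009 08:10:00 %ASA-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.10/8200 (203.0.113.10/8200) to inside:10.1.1.25/49156 (10.1.1.25/49156)
Nov 09 2009 08:15:00 %ASA-6-302013: Built outbound TCP connection 1006 for outside:203.0.113.10/8200 (203.0.113.10/8200) to inside:10.1.1.25/49157 (10.1.1.25/49157)
Nov 09 2009 08:20:00 %ASA-6-302013: Built outbound TCP connection 1007 for outside:203.0.113.10/8200 (203.0.113.10/8200) to inside:10.1.1.25/49158 (10.1.1.25/49158)
Nov 09 2009 08:31:02 %ASA-6-302013: Built outbound TCP connection 1008 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.25/49159 (10.1.1.25/49159)
Nov 09 2009 08:45:30 %ASA-6-302013: Built outbound TCP connection 1009 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.25/49160 (10.1.1.25/49160)
"""


def parse_builds(lines):
    """Return [(timestamp, (client, server, server_port))] for each Built line.

    For an outbound connection the 'for' endpoint is the outside server and the
    'to' endpoint is the inside client; for inbound it is the reverse.
    """
    events = []
    for line in lines:
        m = BUILT_RE.match(line)
        if not m:
            continue  # denies, teardowns and other messages are ignored here
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if m["dir"] == "outbound":
            key = (m["ip_b"], m["ip_a"], int(m["port_a"]))
        else:
            key = (m["ip_a"], m["ip_b"], int(m["port_b"]))
        events.append((ts, key))
    return events


def find_periodic(lines, min_events=4, max_cv=0.1):
    """Return {(client, server, port): period_seconds} for flows whose gaps between
    connections are regular (coefficient of variation <= max_cv)."""
    by_flow = defaultdict(list)
    for ts, key in parse_builds(lines):
        by_flow[key].append(ts)
    periodic = {}
    for key, stamps in by_flow.items():
        if len(stamps) < min_events:
            continue  # too few samples to call anything a pattern
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            periodic[key] = round(mean)
    return periodic


if __name__ == "__main__":
    for (client, server, port), period in find_periodic(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {server}:{port} every ~{period}s (possible heartbeat)")
```

Only the port 8200 flow is reported: its gaps are identical, while the port 80 gaps vary by hundreds of seconds. Raising `max_cv` loosens the definition of "regular", which is the knob to turn for agents that jitter their check-in interval.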
11/10/2009
Someone pointed out to me that you could also use SOI (sphere of influence) as a passive, hacker-minded tool. For instance, you could start searching for organizations like government, army, navy, police, etc. This information is pretty much available via whois or other tables. What is interesting is that you could hunt for systems that run applications with known vulnerabilities connecting up to you. An example would be looking for particular ports that run Kazaa or LimeWire, etc. But then isn't that the point, to look for applications that violate company policy :)
Of note, I do a timeline scan every now and then, looking for organizations like schools, colleges, etc. trying to connect to me. After all, the hacking community does like to sharpen its teeth on .edu's and home users (low-hanging fruit). So if they use home users (keyword: ADSL) or universities (keywords: college, university, school), we may be able to use this against them. If we pay attention to schools that connect to us, we find that hackers are using them as a jump point. That is the whole point of SOI: looking for something not just geographically outside our sphere of influence, but outside our B2B (business to business) group. I mean, if we are an online blog, we would expect home users, schools, etc., but what if we are a supplier of medical equipment to the US? Would we expect home users to be connecting to us from China? Maybe we need to look at that traffic more closely. That is not to say they can't mask their intentions or spoof IP addresses, but more often than not they are coming from their own IP address.
In the example below, my SOI is the US. I looked for universities connecting up to me. They were all connecting to the same machine on my network...you guessed it, Kazaa was running on it...apart from one source IP address. I'll keep the source IP address and university a secret, but they were happily conducting an SSH scan against me...all denied of course... :)
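The SOI idea from the two entries above (keyword-match the whois organization and country of every source, then look at what the out-of-sphere sources are hitting) is short enough to script. The block below is an added example, not code from the post: the whois table, the connection records, the IP addresses and the keyword lists are all constructed for the example. Port 1214 is used as the Kazaa/FastTrack default to stand in for the Kazaa box; the post does not name the port. The "scanners" check flags a source that was denied on the same port against several internal hosts, which is what the SSH scan in the entry above would look like in the deny log.

```python
from collections import defaultdict

# Keyword groups the post uses to spot organisations outside the B2B sphere.
ORG_CATEGORIES = {
    "education": ("university", "college", "school", ".edu"),
    "home user": ("adsl", "dsl", "cable", "broadband"),
    "government/military": ("government", "army", "navy", "police"),
}

# Constructed whois-style table: IP -> (organisation, country). Not real data.
WHOIS = {
    "192.0.2.10": ("State University", "US"),
    "192.0.2.20": ("Tech College", "US"),
    "203.0.113.7": ("Northern University", "US"),
    "192.0.2.30": ("Big Cable ADSL Pool", "CN"),
    "198.51.100.5": ("Acme Medical Supply", "US"),
}

# Constructed connection summary (src, dst, dst_port, action). Port 1214 is the
# Kazaa/FastTrack default and stands in for the Kazaa machine in the post.
CONNS = [
    ("192.0.2.10", "10.1.1.50", 1214, "allow"),
    ("192.0.2.20", "10.1.1.50", 1214, "allow"),
    ("203.0.113.7", "10.1.1.50", 1214, "allow"),
    ("203.0.113.7", "10.1.1.5", 22, "deny"),
    ("203.0.113.7", "10.1.1.6", 22, "deny"),
    ("203.0.113.7", "10.1.1.7", 22, "deny"),
    ("192.0.2.30", "10.1.1.80", 443, "allow"),
    ("198.51.100.5", "10.1.1.80", 443, "allow"),
]


def classify(org):
    """Return the first keyword category the organisation name matches, else None."""
    name = org.lower()
    for category, words in ORG_CATEGORIES.items():
        if any(w in name for w in words):
            return category
    return None


def soi_report(conns, whois, home_country="US", scan_threshold=3):
    """Summarise sources that fall outside the sphere of influence (SOI).

    outside_soi:     sources whose country is not the home country
    by_category:     flagged sources grouped by organisation keyword
    flagged_targets: (dst, port, action) -> flagged sources that hit it, which
                     shows whether they all land on one internal machine
    scanners:        sources denied on one port against >= scan_threshold hosts
    """
    outside, by_cat, targets = set(), defaultdict(set), defaultdict(set)
    denied = defaultdict(set)  # (src, port) -> distinct denied destinations
    for src, dst, port, action in conns:
        org, country = whois.get(src, ("unknown", "??"))
        if country != home_country:
            outside.add(src)
        cat = classify(org)
        if cat:
            by_cat[cat].add(src)
        if cat or country != home_country:
            targets[(dst, port, action)].add(src)
        if action == "deny":
            denied[(src, port)].add(dst)
    scanners = {s for (s, _), d in denied.items() if len(d) >= scan_threshold}
    return {
        "outside_soi": sorted(outside),
        "by_category": {c: sorted(s) for c, s in by_cat.items()},
        "flagged_targets": {k: sorted(s) for k, s in targets.items()},
        "scanners": sorted(scanners),
    }


if __name__ == "__main__":
    report = soi_report(CONNS, WHOIS)
    for (dst, port, action), srcs in report["flagged_targets"].items():
        print(f"{dst}:{port} {action} <- {', '.join(srcs)}")
    print("outside SOI:", report["outside_soi"])
    print("possible scanners:", report["scanners"])
```

The output groups the three university sources on the one internal host at port 1214, shows the lone university address that was denied on port 22 across three hosts, and lists the Chinese ADSL source as outside the SOI. The keyword lists are deliberately crude; whois text is free-form, so expect to tune them against your own allowed traffic.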
11/11/2009
Today was again reasonably quiet. Looking for patterns within patterns can be fun, if you're that way inclined. Today I noticed an increase in port 22 scans. Is there a new vulnerability out? Not that I know of. We'll keep an eye on it. Normally I'm used to seeing Chinese port 22 scans (maybe the origin is Chinese, maybe they're just using China as a jumping-off point via infected machines...hmmm), but recently I've started seeing port 22 scans from other countries. Let's keep an eye on this one.
I did contact the SANS organization when I saw an increase in port 5900 scans....it seems these scans follow a pattern: there is an increase every 20-23 days. I think if you know what is normal on your network, the abnormal stands out like a sore thumb :)