When we wrote the first version of BotFence we assumed we’d fight off some lone hacker running a script on his desktop computer that tries to brute-force hack our servers. But we found out that the threat is much worse than that in several dimensions:
- These bots are much more common than we thought. As an experiment we set up a brand new virtual server in a different geographic location and a previously unused website with no links from our other websites, and after a little over a day the first FTP probing attempts came in. After about a week we had daily full-scale attacks on FTP, RDP and SMTP with thousands of individual passwords and accounts. Our original starting point was when we found more than 16,000 hack attempts in one day on our own website hosting Windows 2008 server.
- The attacks come from dozens of different countries. The #1 position varies. We’ve had frequent attacks from China, Pakistan, India, Ukraine (you would think they had different problems right now) and Russia. But of course that doesn’t mean the hackers actually are from those countries. It’s very likely hackers use other previously hacked systems to run their bots.
- The hackbots are a lot more sophisticated than just scripts that try out a list of different passwords:
  - We found that they automatically lower the number of hack attempts per hour to prevent detection.
  - They incorporate other information in their choice of usernames and passwords. For example they use the domain names hosted on a server to form usernames. In our case they automatically used “servolutions”, “servolutions-admin” and “firstname.lastname@example.org” as usernames for our server that hosts the domain “servolutions.com”. They did the same with other domains that we had registered on our server but had never even used actively.
  - And we found at the same time that if a bot from one IP address was caught by BotFence, the hack attempts from several other IP addresses suddenly changed. For example, when we changed the number of failed FTP logins that caused an address to be banned from 10 to 5, catching several attackers immediately, several other IP addresses suddenly changed tack and only tried 4 attempts before waiting a couple of hours and trying again. Of course the heuristics in BotFence still caught them, but this shows that the attack programs are actually communicating between these systems – they comprise a botnet.
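The two behaviours described above (attackers staying just under a per-burst ban threshold and returning hours later, and usernames formed from the domains a server hosts) can both be caught from a failed-login log. The following is an added example written for this post, not BotFence's own code: it parses constructed sample log lines in an assumed format (timestamp, service, source IP, username), applies a classic burst threshold, a longer-window "low and slow" threshold, and flags domain-derived usernames. The thresholds, log format and the hosted-domain list are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: a classic ban after 5 failures in 10 minutes, plus a
# long-window rule so that "4 attempts, wait a few hours, try again" is caught.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)
SLOW_THRESHOLD = 8
SLOW_WINDOW = timedelta(hours=24)

# Domains this server hosts (assumption for the example, taken from the post).
HOSTED_DOMAINS = ["servolutions.com"]

# Constructed sample failures (hypothetical log format, documentation IP ranges):
# 198.51.100.7 does two bursts of 4 hours apart, 203.0.113.9 hammers RDP,
# 192.0.2.5 is a user who mistyped a password twice. One line is malformed.
SAMPLE_LOG = """\
2024-03-01T02:00:01 FTP 198.51.100.7 user=administrator
2024-03-01T02:00:03 FTP 198.51.100.7 user=servolutions
2024-03-01T02:00:05 FTP 198.51.100.7 user=servolutions-admin
2024-03-01T02:00:07 FTP 198.51.100.7 user=ftp
2024-03-01T03:30:00 RDP 203.0.113.9 user=administrator
2024-03-01T03:30:02 RDP 203.0.113.9 user=administrator
2024-03-01T03:30:04 RDP 203.0.113.9 user=administrator
2024-03-01T03:30:06 RDP 203.0.113.9 user=admin
2024-03-01T03:30:08 RDP 203.0.113.9 user=admin
2024-03-01T03:30:10 RDP 203.0.113.9 user=admin
2024-03-01T05:10:02 FTP 198.51.100.7 user=admin
2024-03-01T05:10:04 FTP 198.51.100.7 user=test
2024-03-01T05:10:06 FTP 198.51.100.7 user=webmaster
2024-03-01T05:10:08 FTP 198.51.100.7 user=backup
2024-03-01T09:00:00 SMTP 192.0.2.5 user=alice
2024-03-01T09:00:30 SMTP 192.0.2.5 user=alice
2024-03-01T09:01:00 this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\w+) (\d+\.\d+\.\d+\.\d+) user=(\S+)$")


def parse_log(text):
    """Return (timestamp, service, ip, user) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, service, ip, user = m.groups()
        events.append((datetime.fromisoformat(ts), service, ip, user))
    return events


def domain_derived(user, hosted_domains):
    """True if the username is built from a hosted domain, e.g. 'servolutions',
    'servolutions-admin' or 'someone@servolutions.com' for servolutions.com."""
    u = user.lower()
    for domain in hosted_domains:
        d = domain.lower()
        label = d.split(".")[0]
        if u == label or u.startswith(label + "-") or u.startswith(label + ".") or u.endswith("@" + d):
            return True
    return False


def max_in_window(times, window):
    """Largest number of events inside any sliding window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, hosted_domains):
    """Per source IP: failure count, worst burst, ban decision and the reasons."""
    by_ip = defaultdict(list)
    for ev in parse_log(log_text):
        by_ip[ev[2]].append(ev)
    verdicts = {}
    for ip, evs in by_ip.items():
        times = [e[0] for e in evs]
        burst = max_in_window(times, BURST_WINDOW)
        daily = max_in_window(times, SLOW_WINDOW)
        derived = sorted({e[3] for e in evs if domain_derived(e[3], hosted_domains)})
        reasons = []
        if burst >= BURST_THRESHOLD:
            reasons.append(f"burst: {burst} failures within {BURST_WINDOW}")
        elif daily >= SLOW_THRESHOLD:
            reasons.append(f"low-and-slow: {daily} failures within {SLOW_WINDOW}, max burst {burst}")
        if derived:
            reasons.append("domain-derived usernames: " + ", ".join(derived))
        verdicts[ip] = {
            "failures": len(evs),
            "max_burst": burst,
            "ban": burst >= BURST_THRESHOLD or daily >= SLOW_THRESHOLD,
            "reasons": reasons,
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in analyze(SAMPLE_LOG, HOSTED_DOMAINS).items():
        print(ip, "BAN" if v["ban"] else "ok", v["reasons"])
```

With these settings the RDP source is banned by the burst rule, the FTP source that never exceeds 4 attempts per burst is still banned by the 24-hour rule, and the mistyped SMTP login is left alone. Domain-derived usernames are recorded as a reason but do not ban on their own, since a legitimate mailbox at a hosted domain may also fail a login occasionally; raising their weight is a policy choice for the operator.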
If you want to check your own server for traces of previous bot and botnet attacks you can use our free AttackTracer tool.