Anatomy of an IBM i Hack Attempt

By Rich Loeber

Kisco Information Systems keeps a lone IBM i server connected directly to the Internet in order to test it's SafeNet/i exit point security software in a real world environment. In the past, we have reported on our experience with quarterly reports in 2013 and even an update earlier this year in March 2017.

Last month we experienced an unusual and persistent hack attempt that surprised us by its depth and the amount of time that was used. This blog post is to report on what happened and, perhaps, remind everyone about how important it is to take hacking seriously in this day and age.

Starting at 20:30 on October 20, 2017 someone from IP address 79.137.65.236 began a persistent FTP script attack on our server. This happened on a Saturday evening when nobody was in the office to notice any unusual network traffic. The attack consisted of signon attempts via the FTP server using a very long series of profile names. The signon attempts were repeated every few seconds.

The script being used called for each of the hack attempts to be repeated 85 times with the same user profile. We don't capture the passwords being used, but it is obvious that each attempt was trying to use a different password. In our case, since our SafeNet/i did not recognize the IP address that was being used as a valid client address, the IBM i OS never got to the point of password validation and subsequent deactivation of the profile by the OS.

The user profiles used during this hack attempt were mostly comprised of common English first names such as ANDREA, BARBARA, KIM, ROBERT and so on. There were also a few coomon Hispanic names used such as JUAN and FERNANDO. Other profiles were also used and some of them got special attention with additional signon attempts. The profile name ADMINISTRA was used 255 times (85 three times?). Other common profiles that deserved extra attention included ADMIN, INFO, SPAM, "NULL" and, for some reason, BARBARA, all of which were attempted 170 times (85 twice?).

In addition to these common profile names, quite a few other "common" technical terms were used, each for its own series of 85 tries. These included profile names like ABACUS, ACCESS, ACCOUNT, ADMIN, APPLE, BACKUP, DEMO, GARAGE, MAIL, MAILSCANNE, ORANGE, NETGEAR1, PASSWORD, PAYMENTS, POSTMASTER, QWERTY, QWERASDF, SALES, SCANNER, TEMP, TEST, USER, WEB, WEBMASTER, WELCOME,123 and SYSADMIN.

The hack came to an end on Sunday morning when I received an email from SafeNet/i advising me that thousands of break in attempts had been made. When I checked the system I found that it was still going on and simply turned the FTP server off. Nobody needed FTP on a Sunday morning. I restarted the FTP server about an hour later, but the hack did not resume.

After the hack was done, I did a lookup using the IP address that was used and it traced back to the RIPE Network Coordination Center in The Netherlands. A few days later we reported the abuse attempt to them. Shortly after reporting it, we received a standard reply email that was un-formatted and very difficult to read. We went to the RIPE website and there was a place to trace the IP address within their organization and it traced back to an organization in France. An abuse report submitted to them has not been answered as of yet. Based on past experience, trying to trace back an abuser is a rabbit hole that you can rarely get out of. In the past, we have tried reporting hack attempts to the local police, state police and the FBI, always to no avail.

There are some take away things to think about from just this one hack attempt. You should consider the following:

• Review your user profiles and look for common English first names. Consider changing them to something more complex.
• Stay away from common technical terms, and even some uncommon ones, for user profile use.
• Don't run the FTP server when it isn't needed. The FTP script hack is the one used most frequently. If the server isn't active, it can't be hacked.
• Make sure that you have exit point software installed and active to control which IP addresses are allowed to connect to your system. Our SafeNet/i does this and successfully fended of this entire hacking scenario on our box.

The whole point of the FTP hack is to discover working user profiles and, hopefully, also uncover one that is using a very common password. Once a hacker has this, they are ready to come back via Telnet or some other server connection and really get into your system. You need to be prepared to stop them before that can happen.

If you have questions about details of the report, feel free to contact me directly by email (rich at kisco.com).