Hacking Report For Our IBM i - 3rd Qtr 2013

By Rich Loeber

In January of this year, Kisco Information Systems issued our first Hacking Report for our IBM i system. At that time, I promised to publish additional reports of what we are seeing on this test server. This is our report for the third quarter of 2013 and represents activity observed from July 1st through the end of September.

During this three month period, we observed a slight decrease in the volume of network transactions on our system, less than 1% in total. At the same time, we saw a drop in the number of illegal access attempts that were rejected by our SafeNet/i software. From 1,417 rejections last quarter, we saw an 8.4% decrease down to 1,209. This represents an average of 14 unauthorized access attempts every day, down from 16 last quarter.

Life on the Internet continues to be unsafe. Having someone knock on the door of my primary server 14 times a day trying to get in is not my idea of fun. But this is what passes for "normal" in today's internetworked world.

Some interesting things to note ....

On our server, the unauthorized access attempts continue to fall into two categories. The miscreants attempt to access the system by FTP and Telnet.

SafeNet/i on our FTP Server on the IBM i OS rejected 792 access attempts which represents a decrease from last quarter. During this time, the number of legitimate FTP access attempts was 746, so the unauthorized attempts exceeded the legitimate attempts. We serve client requirements and software development needs using FTP, so we have to keep the FTP server active. This is a clear warning message, however, that if you are keeping the FTP server active on your system, you really need to have access controls in place like those provided by SafeNet/i.

During this quarter, however, we saw that brute force FTP attacks using a large number of different common user profiles disappeared. In its place, we are seeing repeated attempts to gain access using very common user profiles but cycling through multiple passwords on each attempt. Using this method, the most popular user profiles used were ADMINISTRA, MYSQL, APACHE, TEST, TEST1, TEST12, TEST123 and WWW-DATA. All of these profiles are common in the Unix world, so it appears that the IBM i platform is still not well recognized.

For unauthorized Telnet access attempts, we saw an increase in activity, nearly doubling, back to the level we observed during our first quarter report. The access attempts via Telnet tend to come in single attempts or at the most, two or three successive attempts. SafeNet/i captures these before an actual signon screen is presented, so they never get to the feature in IBM's i OS that forces a profile to go inactive. (The same is true for the way we are intercepting unauthorized FTP attempts.)

We also continue to see certain IP addresses with repeated access attempts. The leading violator for this quarter traced back to Bright House Networks in Florida. The next three highest all traced back to the Asia Pacific Network Information Center in Australia.

Another trend that we note that is disturbing is that for the 92 days covered by our study, there were only 5 days with no malicious activity. That means that almost every day our server sits out there, someone is trying their hand at gaining access illegally.

We will continue to review our server's status on a quarterly basis and report the results on our blog space. If you have questions about details of the report, feel free to contact me directly by email (rich at kisco.com).