Kisco Systems

IBM i Security Tips


Hacking Report For Our IBM i - A Current Update

By Rich Loeber

In 2013, we issued quarterly reports about attempts at hacking our IBM i system. At the outset of that series, we explained that Kisco keeps a lone IBM i server connected directly to the Internet in order to test its SafeNet/i exit point security software in a real-world environment. This article updates the information from that study and reviews the current state of observed intrusion attempts based on more recent activity. The way hacks are being attempted has changed quite a bit since our last report.

The biggest shift that we have observed is a significant falloff in hacks attempting to gain access using brute force FTP attacks. However, the overall access attempts have increased from an average of 14 times a day in 2013 to nearly 50 times a day now. Even after a recent change in IP address for our server, the hackers found the new location almost right away.

Thanks to our SafeNet/i exit point network control software, we successfully thwarted all unauthorized accesses. Of these, 351 were attempts to gain access via FTP and another 6,009 attempts were to get a Telnet signon session during the analysis period that went from October 2016 through early February 2017. The big change here is that hackers seem to have given up on FTP Script attacks in favor of just pounding away at the Telnet port.

For the FTP attacks, the profiles named ADMINSTRA and ADMIN were the most popular ones used. This was true for the 2013 study as well. Other profile names used included ANONYMOUS, FTP, and WWW-DATA. Once again, these users were consistent with profiles tried in the 2013 study.

Our SafeNet/i Telnet exit point stops access before a signon screen is presented, so all we have to look at for the 6,009 Telnet attempts that were thwarted is the source IP address that was used. We continue to see certain IP addresses with repeated access attempts. The leading violator for this study period traced back to the Asia Pacific Network Information Center in Australia. This hacker attempted to open a Telnet session more than 1500 times over a 2-hour period.
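When the source IP address is the only evidence available, repeat offenders can be surfaced by counting rejections per address inside a sliding time window. The following is an added example, not Kisco's code or SafeNet/i's log format: the record layout, the documentation-range IP addresses, and the threshold of 20 are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse(line):
    """Split one constructed record: 'timestamp function source_ip disposition'."""
    ts, function, ip, disposition = line.split()
    return datetime.fromisoformat(ts), function, ip, disposition


def find_bursts(lines, function="TELNET", window=timedelta(hours=2), threshold=20):
    """Return {ip: peak rejected attempts inside any one window} for every IP
    whose peak reaches the threshold. Records must be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, func, ip, disposition = parse(line)
        if func != function or disposition != "REJECTED":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that have aged out
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def build_sample():
    """Constructed data: one noisy source, one occasional source, one accepted session."""
    start = datetime(2017, 1, 10, 3, 0, 0)
    rows = []
    for i in range(30):  # 30 rejects, one every 3 minutes (all inside 2 hours)
        rows.append((start + timedelta(minutes=3 * i), "TELNET", "203.0.113.7", "REJECTED"))
    for i in range(25):  # 25 rejects, one every 6 hours: many in total, never a burst
        rows.append((start + timedelta(hours=6 * i), "TELNET", "198.51.100.22", "REJECTED"))
    rows.append((start + timedelta(minutes=10), "TELNET", "192.0.2.15", "ACCEPTED"))
    rows.append((start + timedelta(minutes=20), "FTP", "203.0.113.7", "REJECTED"))
    rows.sort()
    return [f"{ts.isoformat()} {fn} {ip} {d}" for ts, fn, ip, d in rows]


if __name__ == "__main__":
    for ip, n in find_bursts(build_sample()).items():
        print(f"{ip}: {n} rejected Telnet attempts within 2 hours")
```

The second source in the sample has nearly as many total rejections as the first, but spread over days, so only a windowed count separates sustained pounding from background noise.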

Some good news from the study, which we also observed in 2013, is that most hackers have no idea that our server is running IBM i OS. No attempts were observed to connect to the system using connection points other than FTP and Telnet. It may be that this is because hackers have so much success using FTP or Telnet, but it indicates that a lot of other avenues of access are not being employed, at least in our experience.

For the full study period, our server posted close to 300 thousand network transactions. This is nothing in today's computing environment; some of our customers' servers can record that level of activity in just a few minutes. But 2.1% of those network access attempts were not authorized by us. This is up from 0.5% for our 2013 study. That is a fourfold increase! You have to take hackers seriously. Failure to do so will get you in the headlines as the next Yahoo.

If you have questions about details of the report, feel free to contact me directly by email (rich at kisco.com).