Common incoming TCP/UDP hacker scans against your firewall

Common TCP and UDP port scans that people see against their firewalls.

Since March of 2020 the number of port scans and probes has gone up by googols. (Googol, Googolplex, Google: a googol equals 1 followed by 100 zeros, and is the mathematical term for a huge quantity.)

To help people who see these scans, which often lead to full-on hacking attacks, here is a list of common incoming TCP/UDP hacker scans against your firewall. We hope this helps.


Port 0: Commonly used to help determine the operating system. This works because on some systems port 0 is “invalid” and will generate a different response when you connect to it than a normal closed port does. One typical scan uses a destination IP address of 0.0.0.0 and sets the ACK bit, with broadcast at the Ethernet layer.

Port 1 (tcpmux): Indicates someone searching for SGI Irix machines. Irix is the only major vendor that has implemented tcpmux, and it is enabled by default on Irix machines. Irix machines ship with several default passwordless accounts, such as lp, guest, uucp, nuucp, demos, tutor, diag, EZsetup, OutOfBox, and 4Dgifts. Many administrators forget to close these accounts after installation. Therefore, hackers scan the Internet looking first for tcpmux, then for these accounts. [CA-1995-15, RFC 1078]

Port 7 (echo): You will see lots of these from people looking for fraggle amplifiers, sent to addresses of x.x.x.0 and x.x.x.255.

A common DoS attack is an echo-loop, where the attacker forges a UDP packet from one machine and sends it to the other; both machines then bounce packets off each other as fast as they can (see also chargen). [CA-96.01]

Another common thing seen is TCP connections to this port by DoubleClick. They use a product called “Resonate Global Dispatch” that connects to this port on DNS servers in order to locate the closest one.

Harvest/squid caches will send these UDP echoes from port 3130. To quote their documentation: “If the cache is configured with source_ping on, it also bounces a HIT reply off the original host’s UDP echo port.” It can generate a lot of these packets.

Port 11 (sysstat): This is a UNIX service that will list all the running processes on a machine and who started them. This gives an intruder a huge amount of information that might be used to compromise the machine, such as indicating programs with known vulnerabilities or user accounts. It is similar to the contents that can be displayed with the UNIX “ps” command. This service is usually disabled, so scans for it don’t actually succeed most of the time.

Some people come here looking for ICMP port 11. To repeat: firewall logs are confusing, and ICMP doesn’t have ports. If you see something that says “ICMP port 11”, you probably want ICMP type=11.

Port 19 (chargen): This is a service that simply spits out characters for testing purposes. The UDP version will respond with a packet containing garbage characters whenever a UDP packet is received. On a TCP connection, it spits out a stream of garbage characters until the connection is closed. Hackers can take advantage of IP spoofing for denial of service attacks. Forging UDP packets between two chargen servers, or between a chargen and an echo server, can overload links as the two servers attempt to infinitely bounce the traffic back and forth. Likewise, the fraggle DoS attack broadcasts a packet destined to this port with a forged victim address, and the victim gets overloaded with all the responses. [CA-96.01]

Port 21 (FTP): The most common attack you will see is hackers/crackers looking for “open anonymous” FTP servers. These are servers with directories that can be written to and read from. Hackers/crackers use these machines as way-points for transferring warez (pirated programs) and pr0n (intentionally misspelled word to avoid search engines classifying this document).

In early 2003, I occasionally see people trying to exploit the FTP server using a wide spectrum of vulnerabilities. For example, I see them try several kinds of buffer-overflows.

* 2020: We have seen numerous port scans, including Decoy Scans.

Port 22 (ssh, pcAnywhere): SSH is a popular way to remotely run a command-prompt on systems, primarily UNIX systems. It provides secure authentication and encryption, so it is especially popular among security professionals. There is a commercial version by the company that originally created it, a popular open-source OpenSSH alternative, and many other compatible versions.

In 2002, numerous vulnerabilities in almost all versions were discovered, exploited, and routinely scanned for. Many security professionals had their boxes compromised through SSH; in many cases, SSH was the only service they had remotely reachable.

Also note that the ssh package comes with a program called make-ssh-known-hosts that will scan a domain for ssh hosts. You will sometimes be scanned by innocent people running this utility.

UDP (rather than TCP) packets directed at this port along with port 5632 indicate a scan for pcAnywhere. The number 5632 is (hex) 0x1600, which byte-swapped is 0x0016, which is 22 decimal.

[CA-2002-36] [CA-2002-18] [CA-2001-35] [CA-1999-15]

Port 23 (Telnet): Telnet is the most popular protocol for getting a remote command line.

The most common use by scanners is to get the banner that prompts the user for a login name. The banner tells a lot about the system; often the attacker isn’t interested in actually exploiting Telnet so much as in figuring out more about the system when attacking other ports.

As of 2002, most attackers are interested in finding network equipment such as switches and routers, especially Cisco equipment. When my honeypot gives them a command prompt, they spend more time trying out Cisco commands than they do things like “uname” to figure out what system they are running on.

Historically (and still common as of 2002), hackers look for Unix systems with default accounts. They will try a series of logon names and empty passwords. Since Unix systems have largely fixed this problem of default accounts, this has become a less popular attack.

Port 25 (SMTP): SMTP (Simple Mail Transfer Protocol) is the protocol that transfers virtually all the world’s e-mail.

Scans against this port are almost certainly coming from spammers (and occasionally anti-spammers) looking for “open relays”. An open relay is a mail server that will accept e-mail from anyone and forward it on. This allows the spammer to hide behind the relay, as well as take advantage of the fact that they can submit one e-mail with 20 recipients and the relay will do the job of sending copies to each recipient. This lowers the spammer’s bandwidth costs.

Note that there continue to be vulnerabilities in mail servers themselves.

Port 53 (DNS): DNS (Domain Name Service) is a core Internet protocol; it translates names into Internet addresses (like a phonebook translates names into phone numbers). It is so important that when DNS servers go down, users usually think the Internet itself has gone down.

Ways of breaking into DNS servers are frequently discovered, such as the BIND exploit in 2002. BIND (Berkeley Internet Name Daemon) is the most popular DNS server. Many UDP packets you see rejected by the firewall are looking for the name “version.bind”, which will tell the hacker what version of BIND you are (hopefully) running, and therefore which exploits they can run to break into your service. If you put a vulnerable version of BIND on the Internet, it will likely be compromised in a few days.
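As an added example (not part of the original list), the following Python decodes the question section of a UDP/53 payload captured by the firewall and flags the “version.bind” probe described above, which is a TXT query in the CHAOS class. The two sample packets are constructed inline for the demonstration.

```python
"""Flag DNS queries for version.bind in captured UDP/53 payloads.

Added example, not from the original page. The sample packets below are
constructed by hand for the demonstration.
"""
import struct

QTYPE_TXT = 16
QCLASS_CH = 3  # CHAOS class, where BIND answers the version.bind name


def parse_qname(data: bytes, offset: int):
    """Decode a DNS name starting at offset; return (name, offset_after_name).

    Compression pointers are followed, with a hop limit so that a malformed
    packet cannot send the parser into an endless loop."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels).lower(), end


def parse_query(payload: bytes):
    """Return [(qname, qtype, qclass), ...] from the question section of a query."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:  # QR bit set: a response, not a query
        return []
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = parse_qname(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return questions


def is_version_probe(payload: bytes) -> bool:
    """True when any question asks for version.bind TXT in class CHAOS."""
    try:
        questions = parse_query(payload)
    except ValueError:  # garbage or truncated payload: not a parseable probe
        return False
    return any(n == "version.bind" and t == QTYPE_TXT and c == QCLASS_CH
               for n, t, c in questions)


def build_query(name: str, qtype: int, qclass: int, txid: int = 0x1234) -> bytes:
    """Encode a minimal one-question query (only used to build the samples)."""
    body = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + body + b"\x00" + struct.pack("!HH", qtype, qclass)


# Constructed sample payloads: one version.bind probe, one ordinary A lookup
VERSION_PROBE = build_query("version.bind", QTYPE_TXT, QCLASS_CH)
NORMAL_LOOKUP = build_query("www.example.com", 1, 1)

if __name__ == "__main__":
    for label, pkt in (("probe", VERSION_PROBE), ("normal", NORMAL_LOOKUP)):
        print(label, parse_query(pkt), is_version_probe(pkt))
```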

DNS information tells the hacker a lot about the intended victim. Rejected TCP attempts probably reflect a desire by the hacker to do a “zone transfer”, which will list all the computers in your domain. Victims often name systems in ways that help hackers figure out what is going on, such as “cisco-rtr.example.com” or “payroll.example.com”.

Since DNS is such an important protocol to the Internet, firewall administrators often allow port 53 when they shouldn’t. They sacrifice security in order to get ease-of-use and reliability. This allows hackers to use port 53 for protocols other than DNS. An important thing to note is that you will frequently see port 53 used as the source UDP port. Stateless firewalls frequently allow such traffic on the assumption that it is a response to a DNS query. Hackers are increasingly exploiting this to pierce firewalls.
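An added illustration (not from the original page) of the source-port-53 hole just described, written as two alternative nftables rulesets for a host that only makes outbound DNS queries: the weak one accepts any UDP packet that merely claims to come from port 53, the corrected one accepts only replies belonging to a query this host actually sent. Table and chain names are assumed.

```nft
# Weak (stateless) ruleset: the source port is treated as proof that the
# packet is a DNS reply, so a scanner that sets sport=53 is waved through.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        udp sport 53 accept   # "must be a DNS reply": never verified
    }
}

# Corrected (stateful) ruleset, loaded instead of the one above: connection
# tracking matches each incoming packet against a query this host sent, so
# the source port is no longer a credential.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
    }
}
```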

Ports 67 and 68 (bootp, DHCP): DHCP (and the older version, BOOTP) are the protocols that assign your desktop computer an IP address.

Firewalls will see (and reject) a lot of DHCP requests from your local network. This is an interesting problem with cable and DSL modems, because they create “virtual” local networks including people in your nearby physical neighborhood. You can identify these local requests because they are not sent to you, but are instead sent to what’s called the “local broadcast” address: 255.255.255.255. These machines are asking for an address assignment from a DHCP server. You could probably hack into them by giving them such an assignment and specifying yourself as the local router, then execute a wide range of man-in-the-middle attacks. The client requests configuration on a broadcast to port 68 (bootps). The server broadcasts back the response to port 67 (bootpc). The response uses some type of broadcast because the client doesn’t yet have an IP address that can be sent to.

You rarely see attackers from remote parts of the Internet trying to exploit DHCP vulnerabilities.

As of 2003, an important exploit has been found in a DHCP service, so remote hackers may start scanning for this. [CA-2003-01]

Port 69 (TFTP, over UDP): Many servers support this protocol in conjunction with BOOTP in order to download boot code to the system. However, they are frequently misconfigured to provide any file from the system, such as password files. They can also be used to write files to the system.

Port 79 (finger): Hackers are trying to:

  • discover user information
  • fingerprint the operating system
  • exploit known buffer-overflow bugs
  • bounce finger scans through your machine to other machines.

Port 80 (HTTP): Prior to 2003, I did not include an entry for this port. Presumably, you would know what port 80 meant without this guide having to tell you. However, an enormous number of worms infecting Windows and Unix systems are now using this port, so I am including it for worm discussion.

* 2020: We have seen numerous port scans, including Decoy Scans.

Port 98 (linuxconf): The utility linuxconf provides easy administration of Linux boxen. It includes a web-enabled interface at port 98 through an integrated HTTP server. It has had a number of security issues. Some versions are setuid root, trust the local network, create world-accessible files in /tmp, and have a buffer overflow in the LANG environment variable. Also, because it contains an integrated web server, it may be vulnerable to many of the typical HTTP exploits (buffer overruns, directory traversal using ../.., etc.).

Port 109 (POP2): POP2 is not nearly as popular as POP3 (see below), but many servers support both (for backwards compatibility). Many of the holes that can be exploited on POP3 can also be exploited via the POP2 port on the same server.

Port 110 (POP3): POP3 is used by clients accessing e-mail on their servers. POP3 services have many well-known vulnerabilities. At least 20 implementations are vulnerable to a buffer overflow in the username or password exchange (meaning that hackers can break in at this stage before really logging in). There are other buffer overflows that can be executed after successfully logging in.

* 2020: We have seen numerous port scans, including Decoy Scans.

Port 111 (sunrpc, portmap, rpcbind): Sun RPC PortMapper/RPCBIND. Access to portmapper is the first step in scanning a system looking for all the RPC services enabled, such as rpc.mountd, NFS, rpc.statd, rpc.csmd, rpc.ttybd, amd, etc. If the intruder finds the appropriate service enabled, s/he will then run an exploit against the port where the service is running.

Note that by putting a logging daemon, IDS, or sniffer on the wire, you can find out what programs the intruder is attempting to access in order to figure out exactly what is going on.

Port 113 (identd, auth): This is a protocol that runs on many machines and identifies the user of a TCP connection. In standard usage this reveals a LOT of information about a machine that hackers can exploit. However, it is used for logging by a lot of services, especially FTP, POP, IMAP, SMTP, and IRC servers. In general, if you have any clients accessing these services through a firewall, you will see incoming connection attempts on this port. Note that if you block this port, clients will perceive slow connections to e-mail servers on the other side of the firewall. Many firewalls support sending back a RST on the TCP connection as part of the blocking procedure, which will stop these slow connections.

Port 119 (NNTP, news): Network News Transfer Protocol, carries USENET traffic. Attempts on this port are usually by people hunting for open USENET servers. Most ISPs restrict access to their news servers to only their customers. Open news servers allow posting and reading from anybody, and are used to access newsgroups blocked by someone’s ISP, to post anonymously, or to post spam.

Port 135 (loc-serv, MS RPC end-point mapper): As of 2003, the most common reason you see port 135/udp is because of WinPopup/Messenger spam. This is a feature in Windows that allows system administrators to notify employees of unusual events, such as the network or file servers about to be rebooted. However, spammers have found a way to subvert this and use this mechanism to send popup messages on the victim’s desktop.

Microsoft runs its DCE RPC end-point mapper for its DCOM services at this port. This has much the same functionality as port 111 for UNIX systems. Services that use DCOM and/or RPC register their location with the end-point mapper on the machine. When clients remotely connect to the machine, they query the end-point mapper to find out where the service is. Likewise, hackers can scan the machine on this port in order to find out such things as “is Exchange Server running on this machine, and which version?”.

This port is often hit in order to scan for services (for example, using the “epdump” utility), but this port may also be attacked directly. Currently, there are a few denial-of-service attacks that can be directed at this port.

No RPC service except the endpoint mapper runs on this port, except that “broadcast” messages intended for other RPC services can be forwarded through this port.

Port 137 (NetBIOS name service, nbtstat, UDP): This is the most common item seen by firewall administrators and is perfectly normal.

Port 139 (NetBIOS File and Print Sharing): Incoming connections to this port are trying to reach NetBIOS/SMB, the protocols used for Windows “File and Print Sharing” as well as SAMBA. People sharing their hard disks on this port are probably the most common vulnerability on the Internet.

2000: Attempts on this port were common at the beginning of 1999, but tapered off near the end. Now at the start of year 2000, attempts on this port have picked up again. Several VBS (IE5 VisualBasic Scripting) worms have appeared that attempt to copy themselves on this port. Therefore, it may be worms attempting to propagate on this port.

2001: In late 2001 and early 2002, the Nimda worm would share the C$ drive when it infected a machine. Many attempts against this port are from people scanning for drives left open by Nimda.

2002: In late 2002, the ALEVIR worm is propagating heavily throughout the Internet infecting Win95/Win98/WinMe machines. These have a bug that allows a hacker to connect to a password-protected share by using only the first character of a password, which is easy to guess. Most connection attempts to port 139 are from this worm.

* 2020: Windows 10 still uses this port.

Port 143 (IMAP4): Same security idea as POP3 above; numerous IMAP servers have buffer overflows that allow compromise during the login. Note that for a while there was a Linux worm (admw0rm) that would spread by compromising port 143, so a lot of scans on this port are actually from innocent people who have already been compromised. IMAP exploits became popular when RedHat enabled the service by default on its distributions. In fact, this may have been the first widely scanned-for exploit since the Morris Worm.

This port is also used for IMAP2, but that version wasn’t very popular.

Several people have noted attacks from port 0 to port 143, which appears to be from some attack script.

Port 161 (SNMP, UDP): A very common port that intruders probe for. SNMP allows for remote management of devices. All the configuration and performance information is stored in a database that can be retrieved or set via SNMP. Many managers mistakenly leave this available on the Internet. Crackers will first attempt to use the default passwords “public” and “private” to access the system; they may then attempt to “crack” the password by trying all combinations.

SNMP packets may be mistakenly directed at your network. Windows machines running HP JetDirect remote management software use SNMP, and misconfigured machines are frequent. HP OBJECT IDENTIFIERs will be seen in the packets. Newer versions of Win98 will use SNMP for name resolution; you will see packets broadcast on local subnets (cable modem, DSL) looking up sysName and other info.

In early 2002, a university in Finland released its “PROTOS” tool that demonstrated many flaws in popular SNMP implementations. These flaws had been known for more than a decade, but this was the first time security implications were shown for these flaws.

Port 162 (SNMP trap): Probably a misconfiguration.

Port 177 (xdmcp): Numerous hacks may allow access to an X-Window console; it needs port 6000 open as well in order to really succeed.

Port 443 (HTTPS/SSL): See port 80 for more information.

This port is used for secure web browser communication. Data transferred across such connections are highly resistant to eavesdropping and interception. Moreover, the identity of the remotely connected server can be verified with significant confidence. Web servers offering to accept and establish secure connections listen on this port for connections from web browsers desiring strong communication security.

Once established, web browsers inform their users of these secured connections by displaying an icon (a padlock, an unbroken key, etc.) in the status region of their window.

* 2020: We have seen numerous port scans, including Decoy Scans.

Port 445 (NetBIOS File and Print Sharing): See port 139 for more information.

In Windows 2000, Windows XP, Windows 7, Windows 8, and Windows 10, port 445 is essentially a duplicate of port 139. These ports are used for Microsoft’s file and printer sharing, remote registry access, named pipes services, and many MS-RPC services. The difference is that port 139 supports these services on top of NetBIOS, whereas port 445 gets rid of this middleman, supporting these services directly over TCP/IP.

Whereas many ISPs now filter port 139, many do not filter port 445. As of mid-2002, we are seeing more scans for port 445 as hackers learn to get around port 139 filters. In late 2002, we are seeing worms propagate via this port.

Port 513 (rwho): Probably from UNIX machines on your DSL/cable-modem segment broadcasting who is logged into their servers. These people are kindly giving you really interesting information that you can use to hack into their systems.

Port 515 (lp, printer): This is the standard protocol for remote printing on UNIX systems. Virtually every UNIX system from Sun Solaris to Linux will listen on this port. In addition, most laser printers support this protocol as well. There are widespread vulnerabilities on this port, due either to vulnerabilities in the protocol itself, or vulnerabilities in printer-specific drivers behind this port. The RedHat 7 LPRng bug was exploited by the Ramen worm in early 2001.

As of late 2002, this is one of the more common ports probed, both because of Linux worms propagating, but also from hackers looking for well-known vulnerabilities.

Port 535 (CORBA IIOP, UDP): If you are on a cable-modem or DSL VLAN, then you may see broadcasts to this port. CORBA is an object-oriented remote procedure call (RPC) system. It is highly likely that when you see these broadcasts, you can use the information to hack back into the systems generating these broadcasts. There are many exploits possible against this port.

Port 600 (pcserver, backdoor): See port 1524 for more info.

Some script kiddies feel they’re contributing substantially to the exploit programs by making a minor change from ingreslock to pcserver in constant text.

Port 635 (mountd): Linux mountd bug. This is a popular bug that people are scanning for. Most scans on this port are UDP-based, but they are increasingly TCP-based (mountd runs on both ports simultaneously). Note that mountd can run at any port (for which you must first do a portmap lookup at port 111); it’s just that Linux defaulted to port 635 in much the same way that NFS universally runs at port 2049.

Port 1024: Many people ask what this port is used for. The answer is that this is the first port number in the dynamic range of ports. Many applications don’t care what port they use for a network connection, so they ask the operating system to assign the “next freely available port”. In point of fact, they ask for port 0, but are assigned one starting with port 1024. This means the first application on your system that requests a dynamic port will be assigned port 1024. You can test this fact by booting your computer, then in one window open a Telnet session, and in another window run “netstat -a”. You will see that the Telnet application has been assigned port 1024 for its end of the connection. As more applications request more and more dynamic ports, the operating system will assign increasingly higher port numbers. Again, you can watch this effect with ‘netstat’ as you browse the Internet with your web browser, as each web-page requires a new connection.

Ports 1025, 1026 and 1027: See port 1024.

Port 1080 (SOCKS): This protocol tunnels traffic through firewalls, allowing many people behind the firewall access to the Internet through a single IP address. In theory, it should only tunnel inside traffic out towards the Internet. However, it is frequently misconfigured and allows hackers/crackers to tunnel their attacks inwards, or simply bounce through the system to other Internet machines, masking their attacks as if they were coming from you. WinGate, a popular Windows personal firewall, is frequently misconfigured this way.

In the year 2000, much activity on this port was for the purpose of connecting to IRC chatrooms. Usually the goal was to DoS the chatroom. For this reason, most IRC servers will now scan your machine for SOCKS out of self-defense: they want to make sure that you are a legitimate user and not somebody who left the SOCKS service running that a hacker is tunneling through.

In the year 2003, most of this activity is now by spammers. They are looking for SOCKS servers in order to funnel spam through. This hides the original source of the spam.

There are several websites that maintain lists of open SOCKS servers. In 2002, most of the scans I see were from people who maintain these lists.

Port 1114 (SQL): This is rarely probed by itself, but is almost always seen as part of the sscan script.

* We have seen numerous port scans, including Decoy Scans.

Port 1243: Sub-7 Trojan Horse (TCP).

Port 1433 (MS SQL): Microsoft runs its SQL database server on this port.

In the year 2002, several worms started exploiting this port.

* 2020: We have seen numerous port scans, including Decoy Scans, and SQL injection attempts.

Port 1434 (MS SQL Service Discovery Protocol, worm): Microsoft’s SQL server uses this port for discovery of SQL services on the local LAN.

On January 26, 2003, the SQLslammer worm took down parts of the Internet in the early hours of the morning. It took advantage of a buffer overflow on this service. Administrators quickly responded by widely configuring packet filters throughout the Internet, so by the time many people woke up in the morning in the U.S., much of the problem had gone away.

Port 1524 (ingreslock, backdoor): Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). If you’ve just installed your firewall and are seeing connection attempts on this port, then this may be the cause. Try telnetting to the attempted machine in order to see if it indeed comes up with a shell. Connections to port 600/pcserver also have this problem. [IN-99-04]

Port 2049 (NFS): The NFS program usually runs at this port. Normally, access to portmapper is needed to find which port this service runs on, but since most installations run NFS on this port, hackers/crackers can bypass portmapper and try this port directly.

Port 2766 (listen, npls): Used by Sun Solaris boxes as a printer service, alternative to the standard printer on port 515. Exploit scripts against Solaris machines will frequently bind a shell to this port, similar to the ingreslock port. In particular, a well-known exploit against the snmpXdmid vulnerability left behind a shell on this port.

Port 3128 (squid): This is the default port for the “squid” HTTP proxy. An attacker scanning for this port is likely searching for a proxy server they can use to surf the Internet anonymously. You may see scans for other proxies at the same time, such as at port 8000/8001/8080/8888. Another cause of scans at this port, for a similar reason, is when users enter chatrooms. Other users (or the servers themselves) will attempt to check this port to see if the user’s machine supports proxying.

Port 5632 (pcAnywhere): You may see lots of these, depending on the sort of segment you are on. When a user opens pcAnywhere, it scans the local Class C range looking for potential agents. Hackers/crackers also scan looking for open machines, so look at the source address to see which it is. Some scans for pcAnywhere frequently also include a UDP packet to port 22.

Port 6776 (Sub7 artifact): This port is used separately from the SubSeven main port to transfer data. One example where you might see this is when a master is controlling a slave on a dialup line, then the slave machine hangs up. Therefore, when someone else dials in at that IP address, they will see a continuous stream of connection attempts at this port.

Port 6970 (RealAudio): Clients receive incoming audio streams from servers on UDP ports in the range 6970-7170. This is set up by the outgoing control connection on TCP port 7070.

Port 13223 (PowWow): The “PowWow” chat program from Tribal Voice. It allows users to open up private chat connections with each other on this port. The program is very aggressive at trying to establish the connection and will “camp” on the TCP port waiting for a response. This causes a connection attempt at regular intervals like a heartbeat. This can be seen by dial-up users who inherit IP addresses from somebody who was chatting with other people: it will appear as if many different people are probing that port. The protocol uses the letters “OPNG” as the first four bytes of its connection attempt.

Port 17027 (Conducent, outbound): This is seen on outbound connections. It is caused by users inside the corporation who have installed shareware programs using the Conducent “adbot” wrapper. This wrapper shows advertisements to users of the shareware. A popular shareware program that uses this is PKware. Bill Royds mentions that in his experience, you can block this outbound connection with no problem, but if you block the IP addresses themselves, then the adbots can overload the link trying to reach the servers by continually connecting many times per second.

Port 27374: Sub-7 Trojan Horse (TCP).

Also used as a backdoor port left behind by exploit scripts, such as those in the Ramen worm. While some scans for this port may be due to SubSeven, others may be looking for a remote shell.

Port 30100: NetSphere Trojan Horse (TCP). This is a commonly seen scan looking for systems compromised by this trojan.

Port 31337 (Back Orifice, “elite”): This number means “elite” in hacker/cracker spelling (3=E, 1=L, 7=T). Lots of hacker/cracker backdoors run at this port, but the most important is Back Orifice. At one time, this was by far the most popular scan on the Internet. These days, its popularity is waning and other remote access trojans are becoming popular.

Port 31789 (Hack-a-tack): UDP traffic on this port is currently being seen due to the “Hack-a-tack” RAT (Remote Access Trojan). This trojan includes a built-in scanner that scans from port 31790, so any packets FROM 31789 TO 31790 indicate a possible intrusion. (Port 31789 is the control connection; port 31790 is the file transfer connection.)

Ports 32770 to 32900 (RPC services): Sun Solaris puts most of its RPC services in this range. In particular, older versions of Solaris (pre-2.5.1) put a portmapper in this range, allowing hackers access to this even when low ports are blocked by a firewall. Probes in this range might either be for this portmapper, or for known RPC services that can be exploited.

Ports 33434 to 33600 (traceroute): If you see a series of UDP packets within this port range (and only within this range), then it is probably indicative of traceroute.

Port 41508 (Inoculan): Inoculan on UDP. Older versions of Inoculan apparently generate huge quantities of UDP traffic directed at subnets in order to discover each other.
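As an added example (not part of the original list), the following Python runs three of the patterns from the list over rejected-packet log lines: the UDP echo/chargen probes aimed at x.x.x.0 and x.x.x.255 that hunt for fraggle amplifiers (ports 7 and 19), the pcAnywhere pair of UDP packets to 22 and 5632, and a run of UDP packets confined to 33434-33600 that indicates traceroute. The log line format and the addresses are constructed for the demonstration.

```python
"""Classify rejected-packet firewall log lines with patterns from the list above.

Added example, not from the original page. The line format and the sample log
(documentation address ranges) are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Constructed line format: "<proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

TRACEROUTE_RANGE = range(33434, 33601)   # UDP traceroute probe ports
PCANYWHERE_PAIR = {22, 5632}             # 5632 is 22 with the bytes swapped
AMPLIFIER_PORTS = {7, 19}                # echo and chargen (fraggle)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def classify(lines):
    """Return {source_ip: sorted labels} for every source that matches a pattern."""
    by_src = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            by_src[pkt["src"]].append(pkt)

    findings = {}
    for src, pkts in by_src.items():
        labels = set()
        udp_dports = [p["dport"] for p in pkts if p["proto"] == "UDP"]

        # traceroute: three or more UDP probes, all of them inside 33434-33600
        # and with strictly increasing destination ports (one per probe)
        tr = [d for d in udp_dports if d in TRACEROUTE_RANGE]
        if (len(tr) >= 3 and len(tr) == len(udp_dports)
                and all(b > a for a, b in zip(tr, tr[1:]))):
            labels.add("traceroute")

        # pcAnywhere discovery: UDP to both 22 and 5632 from the same source
        if PCANYWHERE_PAIR <= set(udp_dports):
            labels.add("pcanywhere-scan")

        # fraggle amplifier hunting: UDP echo/chargen aimed at .0 or .255 addresses
        for p in pkts:
            last_octet = int(p["dst"].rsplit(".", 1)[1])
            if (p["proto"] == "UDP" and p["dport"] in AMPLIFIER_PORTS
                    and last_octet in (0, 255)):
                labels.add("fraggle-amplifier-probe")

        if labels:
            findings[src] = sorted(labels)
    return findings


# Constructed sample log (not real traffic); the last line matches no pattern
SAMPLE_LOG = """
UDP 192.0.2.10:40001 -> 198.51.100.5:33434
UDP 192.0.2.10:40002 -> 198.51.100.5:33435
UDP 192.0.2.10:40003 -> 198.51.100.5:33436
UDP 192.0.2.20:5632 -> 198.51.100.5:5632
UDP 192.0.2.20:5632 -> 198.51.100.5:22
UDP 192.0.2.30:1234 -> 198.51.100.255:7
UDP 192.0.2.30:1234 -> 198.51.100.0:19
TCP 192.0.2.40:50000 -> 198.51.100.5:139
""".strip().splitlines()

if __name__ == "__main__":
    for src, labels in classify(SAMPLE_LOG).items():
        print(src, ", ".join(labels))
```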

Contact us today toll free 1-888-392-9623 to find out more on how Adept Technologies can save you money by utilizing our services and technology.

The Hidden China’s Maxim – Leave No Access Point Unexploited: The Hidden Story of China Telecom’s BGP Hijacking

Hijacking Internet Traffic not covered by the anti-theft 2015 Xi-Obama Agreement

Surprisingly, the voluntary 2015 Xi-Obama agreement stopping military forces from hacking commercial enterprises for economic gain did appear to dramatically reduce Chinese theft efforts against western targets. China’s technological development process, however, was still dependent on massive expropriation of foreign R&D.


This necessitated new ways to get information while still technically adhering to the agreement. Since the agreement only covered military activities, Chinese corporate state champions could be tasked with taking up the slack. But even Chinese multinationals, such as Huawei or ZTE, were already being viewed with suspicion. Instead data suggests the government opted to leverage a seemingly innocuous player – one that is normally viewed as a passive service provider – to target the foundational infrastructure of the internet to bypass the agreement, avoid detection, and provide the necessary access to information.

Enter China Telecom – a large state champion telecommunications company – as an option. While the 2015 agreement prohibited direct attacks on computer networks, it did nothing to prevent the hijacking of the vital internet backbone of western countries.

Conveniently, China Telecom has ten strategically placed, Chinese controlled internet ‘points of presence’ (PoPs) across the internet backbone of North America. Vast rewards can be reaped from the hijacking, diverting, and then copying of information-rich traffic going into or crossing the United States and Canada – often unnoticed and then delivered with only small delays.

This essay will show how this hijacking works, and how China Telecom seems to employ its distributed points of presence (PoPs) in western democracies’ telecommunications systems to selectively redirect internet traffic through China. It will show the observed routing paths, give a summary of how one hijacks parts of the internet by inserting these nodes, and outline the major security implications.

These Chinese PoPs are found all over the world including Europe and Asia. The prevalence of – and demonstrated ease with which – one can simply redirect and copy data by controlling key transit nodes buried in a nation’s infrastructure requires an urgent policy response. To that end, we recommend an ‘Access Reciprocity’ strategy for vulnerable democracies – one that is

We at Adept Technologies recommend that all Cyber Professionals read this paper.

Contact us today toll free 1-888-392-9623 to find out more on how Adept Technologies can save you money by utilizing our services and technology.

It’s just a matter of time

We are watching you. From us to you. It’s just a matter of time.

ADEPT SECURE ® Reduced Cyberattacks by 96%. After implementing ADEPT SECURE ® on high-target power company and government systems, those organizations have reported to us a staggering 96% reduction in cyberattacks.

As we get more results, and more attack data, the overwhelming tasks of dealing with numerous cyberattacks have become more manageable with ADEPT SECURE ®.


ADEPT SECURE ® Reduced Cyberattacks by 96%

Cyber Security – ADEPT SECURE ® sets a standard for protecting the data and integrity of computing assets belonging to and connecting to an organization’s network. Its purpose is to defend those assets against all threat actors throughout the entire life cycle of a cyberattack.


Adept’s Secure Security Solution – Data breaches and attacks are an increasing threat to every computerized system, and the organizations behind those systems also face the prospect of severe damage to their branding and reputation from the negative sentiment that media coverage of successful cyberattacks drives.

A majority of cyber security experts agree that mitigating reputational risk is crucial to any business and that managing IT security plays a major role in these efforts, alongside preventing the more obvious losses of intellectual property, money, insurance coverage, and other value.


We believe that once the attacking systems realize they are being tracked, blocked, recorded and watched, they move on to easier targets. It is like parking your car and locking it in a very bad neighborhood at night.

You have billions of bad guys attempting to open the door; they see it is locked and move on to the next parked car. Then you get the millions that have dealer-set keys and try every one of them on the door lock; none of their keys work because the door lock disappears. Then you get the thousands that attempt to break the car windows; they move on because the whole car disappears.

All the attackers are on security cameras, and the photos of them that have been recorded are shared with other car owners and law enforcement.

As for the bad guys who think they have Harry Potter’s Cloak of Invisibility on: that is make-believe. You may think your IP address is spoofed, but nothing is truly invisible on the internet.

“As we get more results, and more attack data, the overwhelming tasks of dealing with numerous cyberattacks have become more manageable with ADEPT SECURE ®, and you sleep a lot better” says Nicholas Cordua, Chief Technology Officer of Adept Technologies Inc.


Run for your life! There are stupid hackers everywhere!

Over the last three months the amount of hacking has been insane. However, the amount of hacking data we have received on the bad guys has been amazing. Our cyber security teams have been having a lot of fun and we have learned a lot.

Here is some of what we learned.

Spoofing IP addresses: we have seen a lot of this lately. Most ISPs (Internet Service Providers) are supposed to NOT allow this type of traffic to pass through their systems.


Unfortunately, these ISP corporations are allowing this traffic through their systems, since we have caught a lot of it.

Denial of Service attacks are way up. We see hackers get pissed off when they don’t get what they want, so they have temper tantrums and fire off Denial of Service attacks. Which is totally stupid.

Spoof your IP addresses when doing this; you don’t want a SWAT team showing up at the data center where you have a VM (virtualized server) account with a VPN (Virtual Private Network) from your private LAN, running stolen CIA hacking tools, attacking us.

It will be wonderful seeing the USA data center people getting pissed off and coming after you, since we filed civil and criminal complaints against them for your illegal actions.

Let’s throw in the law firms. We then file huge amounts of civil legal action against these firms, for huge amounts of damages; any law firm eats this up, especially ours. The insurance companies get involved, their law firms get involved, and we basically put you or your supporters out of business.

No insurance company will ever insure you again, based on the huge settlements, or on what happens when we go to trial, because we love to go all the way. It is just over for you or the company allowing you to hack.

Since the Coronavirus has been very bad, especially here in the USA, I don’t ever see a jury feeling sorry for a hacker that took down a SaaS system, or stole data that caused problems, when everyone is using these systems to work from home.

If you are outside the USA, that is OK too. We just block your whole country. That is, until you purchase a service here in the USA and attack us that way, which is great, because we then have a party here in the USA that allowed you to do this. Lawsuit! We then go after them.

We watch everything, because that is what we do. We are super nerds. One nice thing about all these attacks is the data. We look forward towards more data.

There are patterns in the attacks too; some just go on forever, especially brute force attacks against FTP and VPN systems, even if you shut off the ports and log the attempts. The logs just capture so much honey. Some of these attacks come from university systems (University of Utah 128.110.154.3 and Wisconsin 128.105.145.159). Is everyone out there a hacker these days? I guess they are, but stupid in more ways than one.
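One way to mine firewall logs for the repeated-attempt patterns described above, as an added example that is not part of the original post: the log line format (an iptables-style DROP LOG entry), the source addresses (taken from the 203.0.113.0/24 documentation range), the threshold and the sliding time window are all constructed assumptions, not values from Adept Technologies or from any real system.

```python
"""Flag sources that repeatedly hit the same closed port within a time window.

Added illustration, not the page's own code. The sample log below is
constructed in an iptables-style "DROP" LOG format; addresses come from the
203.0.113.0/24 documentation range. Threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: connection attempts dropped and logged by a firewall
# LOG rule. Source .10 hammers FTP (21/tcp), .77 touches the VPN port twice
# hours apart, and one unrelated sshd line is present to show it is ignored.
SAMPLE_LOG = """\
Jun 01 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=21
Jun 01 02:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=21
Jun 01 02:14:05 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=21
Jun 01 02:14:08 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=21
Jun 01 02:14:12 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=21
Jun 01 02:14:15 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=21
Jun 01 02:20:00 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.5 PROTO=UDP DPT=1194
Jun 01 03:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=22
Jun 01 03:01:00 fw sshd[4242]: Accepted publickey for admin from 198.51.100.9 port 51000 ssh2
Jun 01 05:40:00 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.5 PROTO=UDP DPT=1194
"""

# Only DROP lines carry the fields we need; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)


def parse_line(line, year=2020):
    """Return (timestamp, src, proto, dport) for a DROP line, else None.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dport"])


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(src, proto, dport): total_attempts} for every source that hit
    the same service at least `threshold` times inside any `window`-long
    span. A sliding window keeps slow-and-steady probing from being
    mistaken for a burst, and a burst from being diluted by long gaps."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, proto, dport = parsed
            events[(src, proto, dport)].append(ts)

    flagged = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for (src, proto, dport), count in find_brute_force(SAMPLE_LOG).items():
        print(f"{src} -> {proto}/{dport}: {count} attempts (brute-force pattern)")
```

Run as-is, the script reports only 203.0.113.10 against 21/tcp; the two VPN-port touches hours apart and the single 22/tcp probe fall below the threshold and are not reported. The same grouping works on any log that exposes a source, protocol and destination port; only `LINE_RE` would change.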

Be safe out there. It is sad seeing all of this. We as humans are supposed to be better than this; we must all be held to a higher standard. If not, well, when you get caught, and you will if you are a hacker, it will not be good for you. Can’t we all just get along? If you’re a hacker, stop it!
