This is a summary of unauthorized computer access for the 3rd Quarter (July to September) of 2005.
The current tendencies, summarized from the reporting status for the 3rd Quarter of 2005, are:
- a number of indiscriminate attacks against all computers, including computers for home use;
- damage caused by intrusions into Web servers, which are then exploited as stepping stones for attacks on other servers, tends to increase.
1. Reported Number
The reported number for the Third Quarter of 2005 was 125: the gross reported number decreased by about 25%, and the ratio of actual damage also decreased by about 33%, compared with the numbers reported in the previous quarter.

2. Type of Incidents Reported
Of the 125 reports made to IPA during the quarter, reports of “Access Probe (Attempt)” numbered 85 (previous = 107), which constituted 68.0% of the whole. In addition, reports involving actual damage numbered 38 (previous = 57), which constituted 30.4% of the whole. The reports involving actual damage here are the total number of “Intrusion”, “Worm Probe”, “Mailing Address Spoofing”, “Unauthorized Mail Relay”, “DoS” and “Others (Damaged)”.

| Incident type | Third Qtr. 2004 | % | Fourth Qtr. 2004 | % | First Qtr. 2005 | % | Second Qtr. 2005 | % | Third Qtr. 2005 | % |
|---|---|---|---|---|---|---|---|---|---|---|
| Intrusion | 14 | 10.5% | 11 | 8.1% | 18 | 11.8% | 28 | 16.9% | 19 | 15.2% |
| Unauthorized Mail Relay | 0 | 0.0% | 0 | 0.0% | 3 | 2.0% | 2 | 1.2% | 1 | 0.8% |
| Infection w/Worm | 0 | 0.0% | 0 | 0.0% | 0 | 0.0% | 3 | 1.8% | 2 | 1.6% |
| DoS | 0 | 0.0% | 0 | 0.0% | 1 | 0.7% | 13 | 7.8% | 6 | 4.8% |
| Mailing Address Spoofing | 5 | 3.8% | 2 | 1.5% | 0 | 0.0% | 2 | 1.2% | 3 | 2.4% |
| Others (Damaged) | 2 | 1.5% | 2 | 1.5% | 10 | 6.5% | 9 | 5.4% | 7 | 5.6% |
| Access Probe (Attempt) | 110 | 82.7% | 121 | 89.0% | 116 | 75.8% | 107 | 64.5% | 85 | 68.0% |
| Worm Probe | 2 | 1.5% | 0 | 0.0% | 0 | 0.0% | 2 | 1.2% | 2 | 1.6% |
| Others (Not Damaged) | 0 | 0.0% | 0 | 0.0% | 5 | 3.3% | 0 | 0.0% | 0 | 0.0% |
| Total | 133 | | 136 | | 153 | | 166 | | 125 | |

Note: the shaded parts are the incident types that involved actual damage.
The percentages shown above are rounded at the second decimal place, so the total may not equal 100%.

3. Cause for Damage
Of the 38 reports involving actual damage, the breakdown of causes was “ID/Password Insufficient Management” with 13, “Use of Older Version/Patches Have not yet Applied” with 4 and “Insufficient Setups” with 1, etc.

Note: A report that has multiple damage causes was aggregated by the major cause of the damage and is counted as 1 case.
<Damage Instances:>
1) Servers were intruded and spam mails were sent from the systems inside. The causes were that the port used for SSH had been left open carelessly and that the password set for the administrator-privileged user account was easily guessable.
2) Servers installed on the border between the Internet and the LAN were intruded, and Web contents that would be exploited for phishing were set up on them without permission. The cause was the takeover of an administrator-privileged user account, which had been subjected to password cracking attacks for several days.
3) Multiple network devices such as routers were intruded through password cracking attacks against telnet connections from outside the networks; the passwords were altered without permission and/or the log recording function was disabled. Damage was enlarged because telnet connections to the routers from outside the networks were available and the connection password and the administrator-privileged password were exactly the same.
4) Port 80 on the Web servers became unavailable for browsing from outside for several hours because a number of accesses considered to be unauthorized were concentrated on it. The port was recovered by restricting accesses from certain IP addresses.
5) Several hundred to several thousand password cracking attacks were made from both inside and outside the networks within several minutes. Although the intrusion attempts were prevented, the servers were overloaded and their performance was temporarily but significantly lowered.
6) Mails that the reporter knew nothing about were returned to him/her as addressee-unknown errors. When the mail headers were checked, it was found that those mails had been sent from the mail server within his/her own domain. The cause was being checked but had not yet been identified.
7) The IDs and passwords necessary for online banking transactions were fraudulently taken over and the deposits were transferred to other accounts without permission. The cause was that a type of spyware called a keylogger had been embedded. In addition, the Web browser’s settings were altered without permission and files saved on the computer were destroyed.
8) The reporter had trouble receiving/sending mails and experienced anomalous behavior in anti-virus software. An investigation using packet monitoring software found that many packets were unusually being sent. Accordingly, anti-spyware software was installed and run, and several malicious codes were detected.
9) The logs were checked when the firewall software blocked not only attacks conducted by malicious codes but also all inbound and outbound communication: several malicious codes were embedded in his/her computer, and it is probable that those malicious codes were attempting attacks on outside computers. The cause was being checked but had not yet been identified.
10) The reporter clicked “yes” on the age-confirmation screen of an adult site; his/her mail address was then displayed on the screen along with the message “thank you for your sign up with us.” After that, a billing screen for the site usage appeared at intervals of several minutes and a collection mail for the bill arrived. Nothing was detected when the computer was scanned using anti-virus software.
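
The bursts of password cracking attempts described in instances 1), 2), 3) and 5) can be spotted in authentication logs by counting failed logins per source address inside a sliding time window. The following Python code is an added example, not part of the original report; the OpenSSH-style log lines are constructed, and the threshold, window and internal address ranges are assumed values to be tuned per site.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: address ranges treated as "inside" the network (adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in OpenSSH syslog format; host names and addresses are made up.
SAMPLE_LOG = (
    [f"Sep 12 03:14:{s:02d} gw sshd[4121]: Failed password for root from 203.0.113.7 port 40{s:02d} ssh2"
     for s in range(0, 60, 10)]      # 6 failures from one outside address in a minute
    + [f"Sep 12 03:15:{s:02d} gw sshd[4122]: Failed password for invalid user admin from 192.168.1.23 port 51{s:02d} ssh2"
       for s in range(0, 50, 10)]    # 5 failures from an inside address
    + ["Sep 12 03:20:01 gw sshd[4130]: Failed password for alice from 198.51.100.9 port 50222 ssh2",
       "Sep 12 03:40:05 gw sshd[4131]: Failed password for alice from 198.51.100.9 port 50223 ssh2",
       "Sep 12 03:40:09 gw sshd[4131]: Accepted password for alice from 198.51.100.9 port 50223 ssh2"]
)

FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def is_internal(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None                   # a host name was logged instead of an address
    return any(addr in net for net in INTERNAL_NETS)

def detect_bursts(lines, threshold=5, window=timedelta(minutes=3), year=2005):
    """Flag sources with >= threshold failed logins inside a sliding time window."""
    recent = defaultdict(deque)       # source -> (timestamp, user) of recent failures
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        user, src = m.group(2), m.group(3)
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            info = flagged.setdefault(src, {"peak": 0, "users": set(), "internal": is_internal(src)})
            info["peak"] = max(info["peak"], len(q))
            info["users"].update(u for _, u in q)
    return flagged
```

Calling `detect_bursts(SAMPLE_LOG)` flags both the outside and the inside source, while the two isolated failures for `alice` followed by a successful login are not flagged.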
4. Classification of Reporters
The breakdown classified by reporters shows “Individual Users” constituting about 77% of the whole, which remains a high ratio.

Note: The ratios are rounded at the first decimal place, so the total may not equal exactly 100%.