In my previous articles, "Script Kiddies - Vermin of Internet" and "Script Kiddies II - A warning to parents", I described the Script Kiddie problem. This article contains information for web site owners and surfers about what to do when your system is continuously "probed" from the same source, or if your site is compromised. Who you gonna call? KiddieBusters? (Could be a good name for a web site?)
If you are running personal firewall software while surfing, you can actually do something with the logs. You can send them to your ISP along with an incident description. They may be able to chase it up on your behalf. Better still, if you can identify the IP address using a tracing program, send the firewall log with the trace results to the owner of that address, along with the time, location etc.
I run traces on some of my logs, but this can also be a bit dangerous, as there is a possibility that the owner of the address detects that you are "pinging"* them, therefore revealing your own IP address. Properly configured firewall software can minimise the danger of this.
Also, the IP address shown does not necessarily mean that it is the Script Kiddie themselves. There are various cloaking devices that Kiddies use to hide their true origin, or the address may only refer to the service they are using to launch the attack. But it doesn't hurt to send the IP owner a polite email to serve as an alert, especially if you have been able to establish a repeating address.
How to write the email? The following is a message I recently sent to an ISP (the IP and port numbers have been replaced with x's).
------------------
Greetings,
I have been receiving a number of warning messages over the last couple of days from my firewall software regarding an xxxx scan which seems to be originating from your service. Even as I am typing this I am receiving numerous warnings. It is currently 6.20pm Adelaide time, Monday 12 February. Could you please look into this for me, as it is becoming highly annoying. Last night I had around 80 such warnings in 1 hour. Thanks. Below is my log of some of these scans and a copy of the trace results.
GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:15:18 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:00 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:08 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:38 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:38 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:54 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:19:56 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:21:00 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
FWIN,2001/02/12,18:21:04 +10:30 GMT,xxx.xxx.xxx.xxx:xxx,xxx.xxx.xxx.xxx:xxx,TCP
Please contact me if you require any further details.
----------------------
I also attached my "traceroute"** results, but have not included them here as they identify the customer number. The ISP responded to my message and said that they had "contacted" the customer. I received no further scans.
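The kind of per-source summary an abuse desk can act on, built from records in the layout quoted in the message above. This is an added example, not code from the original article: the field layout (type, date, time with offset, source addr:port, destination addr:port, protocol) is assumed from the quoted log, and the sample lines are constructed using RFC 5737 documentation addresses.

```python
# Added example, not from the original article: turn firewall records in the
# layout quoted above (type,date,time+offset,src addr:port,dst addr:port,proto)
# into a per-source summary. SAMPLE_LOG is constructed; RFC 5737 addresses.
from collections import Counter, defaultdict
from datetime import datetime, timezone

SAMPLE_LOG = """\
FWIN,2001/02/12,18:15:18 +10:30 GMT,192.0.2.10:1234,198.51.100.7:21,TCP
FWIN,2001/02/12,18:19:00 +10:30 GMT,192.0.2.10:1235,198.51.100.7:21,TCP
FWIN,2001/02/12,18:19:08 +10:30 GMT,192.0.2.10:1236,198.51.100.7:21,TCP
FWIN,2001/02/12,18:19:38 +10:30 GMT,203.0.113.5:4000,198.51.100.7:80,TCP
FWIN,2001/02/12,19:21:04 +10:30 GMT,192.0.2.10:1240,198.51.100.7:21,TCP
this line is not a record and must be skipped
"""

def parse_record(line):
    """Return (utc_time, src_ip, dst_port, proto), or None if the line does not fit."""
    parts = line.strip().split(",")
    if len(parts) != 6 or parts[0] != "FWIN":
        return None
    try:
        clock, offset, _label = parts[2].split()      # "18:15:18", "+10:30", "GMT"
        local = datetime.strptime(f"{parts[1]} {clock} {offset.replace(':', '')}",
                                  "%Y/%m/%d %H:%M:%S %z")
        src_ip = parts[3].rpartition(":")[0]
        dst_port = int(parts[4].rpartition(":")[2])
    except ValueError:
        return None
    # Abuse desks work in UTC; the offset in the record makes the conversion exact.
    return local.astimezone(timezone.utc), src_ip, dst_port, parts[5]

def summarise(log_text):
    """Per source address: event count, first/last seen (UTC) and ports touched."""
    out = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": Counter()})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue                                   # skip malformed lines
        when, src, port, _proto = rec
        s = out[src]
        s["count"] += 1
        s["first"] = when if s["first"] is None else min(s["first"], when)
        s["last"] = when if s["last"] is None else max(s["last"], when)
        s["ports"][port] += 1
    return dict(out)

def repeat_offenders(log_text, threshold=3):
    """Only sources seen at least `threshold` times: the ones worth reporting."""
    return {src: s for src, s in summarise(log_text).items() if s["count"] >= threshold}
```

Calling `repeat_offenders(SAMPLE_LOG)` returns only 192.0.2.10 (four events, first seen 07:45:18 UTC), which is the address, count and UTC window you would quote to the ISP.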
It isn't just the casual surfer who is affected by Script Kiddies. Web site owners are often the target of "vandals", also known as "Web Crackers". Web cracking is a popular Kiddie pastime. These individuals derive great pleasure from making changes to your web site without your knowledge. They gain authoring rights to your site by "stealing" your password in a variety of ways. It isn't financially, politically or religiously motivated; it's just vandalism.