RE: Security Question

From: Hoyt Plunkett (hoytat_private)
Date: Thu Oct 25 2001 - 07:43:22 PDT


    I run several of these SonicWall firewall appliances.  It appears the
    same tool was used to scan you in both attacks.  Though, I would assume
    these attacks are separate (unique attacker), since one comes from the
    States and another from Japan.  From the attacker's perspective, what
    would make him/her think it would work from a different block of IP
    addresses on the next day, if the first attack didn't work?  The IP
    spoof appears to be an ICMP ping from 194.153.255.99.  You say it's not
    on your LAN.  Is this server at a colo?
    
    Either way, I would definitely not be worried about this.
    
    Hoyt Plunkett
    Senior Linux Administrator
    Matmon Internet, Inc.
    (501) 375-4999
    
    -----Original Message-----
    From: Paul Speck [mailto:paul.speckat_private] 
    Sent: Wednesday, October 24, 2001 5:58 PM
    To: 'incidentsat_private'
    Subject: Security Question
    
    
    I am attaching log files which show two days of attack and then an IP
    Spoof. Is this an indication of a successful access of our Red Hat 7.1
    Linux machine?  The Firewall manufacturer (SonicWall) says no, but I am
    not sure of that.  The MAC address is our Linux box.  On the IP Spoof,
    neither Source nor Destination are on our LAN.
      
    
    10/20/2001 08:12:46.160 - Possible Port Scan - Source:209.195.200.206, 53744, WAN - Destination:208.26.184.xxx, 5579, LAN - -
    10/20/2001 08:12:58.304 - Striker Attack Dropped - Source:209.195.200.206, 55387, WAN - Destination:208.26.184.xxx, 2565, WAN - -
    10/20/2001 08:13:00.368 - Sub Seven Attack Dropped - Source:209.195.200.206, 55653, WAN - Destination:208.26.184.xxx, 1243, WAN - -
    10/20/2001 08:13:06.592 - Ini Killer Attack Dropped - Source:209.195.200.206, 56491, WAN - Destination:208.26.184.xxx, 9989, WAN - -
    10/20/2001 08:13:32.208 - Ripper Attack Dropped - Source:209.195.200.206, 59280, WAN - Destination:208.26.184.xxx, 2023, WAN - -
    10/20/2001 08:14:38.816 - Net Spy Attack Dropped - Source:209.195.200.206, 65247, WAN - Destination:208.26.184.xxx, 1024, WAN - -

    10/21/2001 06:44:32.640 - Probable Port Scan - Source:202.219.52.137, 3162, WAN - Destination:208.26.184.xxx, 908, LAN - -
    10/21/2001 06:45:29.288 - Sub Seven Attack Dropped - Source:202.219.52.137, 3619, WAN - Destination:208.26.184.xxx, 6711, WAN - -
    10/21/2001 06:45:30.000 - Ripper Attack Dropped - Source:202.219.52.137, 3764, WAN - Destination:208.26.184.xxx, 2023, WAN - -
    10/21/2001 06:45:40.400 - Striker Attack Dropped - Source:202.219.52.137, 1841, WAN - Destination:208.26.184.xxx, 2565, WAN - -
    10/21/2001 06:45:41.176 - Net Spy Attack Dropped - Source:202.219.52.137, 2002, WAN - Destination:208.26.184.xxx, 1024, WAN - -
    10/21/2001 06:45:43.176 - Ini Killer Attack Dropped - Source:202.219.52.137, 2438, WAN - Destination:208.26.184.xxx, 9989, WAN - -
    10/21/2001 06:48:15.352 - Back Orifice Attack Dropped - Source:202.219.52.137, 2220, WAN - Destination:208.26.184.xxx, 31337, WAN - -
    10/21/2001 06:48:44.032 - NetBus Attack Dropped - Source:202.219.52.137, 4238, WAN - Destination:208.26.184.xxx, 12345, WAN - -
    10/21/2001 06:49:14.368 - Priority Attack Dropped - Source:202.219.52.137, 2770, WAN - Destination:208.26.184.xxx, 16969, WAN - -

    10/21/2001 07:38:20.544 - IP spoof detected - Source:194.153.255.99, 8, LAN - Destination:192.117.189.191, 8, WAN - MAC address: 00.06.5B.1A.1E.EB -
    
    
    Paul
     
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
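The triage Hoyt does by eye above (same signature set on both days, a spoof entry whose source is not a local address) can be done mechanically. The script below is an added example, not code from the thread or from SonicWall: it parses the log format quoted in Paul's message, summarises each source by the trojan signatures it tripped, measures how much two sources' signature sets overlap, and reports the "IP spoof detected" entries with the checks a defender would want (is either address local, does the 8/8 pair look like an ICMP echo as Hoyt reads it, which MAC sent it). The sample log is the thread's own entries re-joined onto single lines with the masked "xxx" octet kept; the local prefix 208.26.184. is an assumption taken from those masked destinations, and the column layout is inferred from the quoted lines rather than from SonicWall documentation.

```python
import re
from datetime import datetime

# Constructed sample: the SonicWall entries quoted in the thread, one per line,
# with the masked destination octet ("xxx") left exactly as it was posted.
SAMPLE_LOG = """\
10/20/2001 08:12:46.160 - Possible Port Scan - Source:209.195.200.206, 53744, WAN - Destination:208.26.184.xxx, 5579, LAN - -
10/20/2001 08:12:58.304 - Striker Attack Dropped - Source:209.195.200.206, 55387, WAN - Destination:208.26.184.xxx, 2565, WAN - -
10/20/2001 08:13:00.368 - Sub Seven Attack Dropped - Source:209.195.200.206, 55653, WAN - Destination:208.26.184.xxx, 1243, WAN - -
10/20/2001 08:13:06.592 - Ini Killer Attack Dropped - Source:209.195.200.206, 56491, WAN - Destination:208.26.184.xxx, 9989, WAN - -
10/20/2001 08:13:32.208 - Ripper Attack Dropped - Source:209.195.200.206, 59280, WAN - Destination:208.26.184.xxx, 2023, WAN - -
10/20/2001 08:14:38.816 - Net Spy Attack Dropped - Source:209.195.200.206, 65247, WAN - Destination:208.26.184.xxx, 1024, WAN - -
10/21/2001 06:44:32.640 - Probable Port Scan - Source:202.219.52.137, 3162, WAN - Destination:208.26.184.xxx, 908, LAN - -
10/21/2001 06:45:29.288 - Sub Seven Attack Dropped - Source:202.219.52.137, 3619, WAN - Destination:208.26.184.xxx, 6711, WAN - -
10/21/2001 06:45:30.000 - Ripper Attack Dropped - Source:202.219.52.137, 3764, WAN - Destination:208.26.184.xxx, 2023, WAN - -
10/21/2001 06:45:40.400 - Striker Attack Dropped - Source:202.219.52.137, 1841, WAN - Destination:208.26.184.xxx, 2565, WAN - -
10/21/2001 06:45:41.176 - Net Spy Attack Dropped - Source:202.219.52.137, 2002, WAN - Destination:208.26.184.xxx, 1024, WAN - -
10/21/2001 06:45:43.176 - Ini Killer Attack Dropped - Source:202.219.52.137, 2438, WAN - Destination:208.26.184.xxx, 9989, WAN - -
10/21/2001 06:48:15.352 - Back Orifice Attack Dropped - Source:202.219.52.137, 2220, WAN - Destination:208.26.184.xxx, 31337, WAN - -
10/21/2001 06:48:44.032 - NetBus Attack Dropped - Source:202.219.52.137, 4238, WAN - Destination:208.26.184.xxx, 12345, WAN - -
10/21/2001 06:49:14.368 - Priority Attack Dropped - Source:202.219.52.137, 2770, WAN - Destination:208.26.184.xxx, 16969, WAN - -
10/21/2001 07:38:20.544 - IP spoof detected - Source:194.153.255.99, 8, LAN - Destination:192.117.189.191, 8, WAN - MAC address: 00.06.5B.1A.1E.EB -
"""

# Assumption: the LAN is the masked 208.26.184.xxx block seen as destination above.
LAN_PREFIX = "208.26.184."

# Layout inferred from the quoted lines: timestamp - event - Source:ip, port, zone -
# Destination:ip, port, zone [- MAC address: xx.xx...]. For ICMP the "port"
# fields carry type/code (Hoyt's reading of the 8, 8 pair as an echo request).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - (?P<event>[^-]+?) - "
    r"Source:(?P<src>[^,]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[^,]+), (?P<dport>\d+), (?P<dzone>\w+)"
    r"(?: - MAC address: (?P<mac>[0-9A-Fa-f.]+))?"
)


def parse_log(text):
    """Return one dict per recognised log line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %H:%M:%S.%f")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def summarize_by_source(events):
    """Per source IP: first/last seen, signatures tripped (in order), ports hit, scan flag."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["src"], {"first": e["ts"], "last": e["ts"],
                                          "signatures": [], "ports": set(), "scan": False})
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
        if e["event"].endswith(" Attack Dropped"):
            sig = e["event"][: -len(" Attack Dropped")]
            if sig not in s["signatures"]:
                s["signatures"].append(sig)
            s["ports"].add(e["dport"])
        elif "Port Scan" in e["event"]:
            s["scan"] = True
    return summary


def signature_overlap(summary, src_a, src_b):
    """Shared signatures and their Jaccard ratio: a rough 'same scanner?' indicator."""
    a, b = set(summary[src_a]["signatures"]), set(summary[src_b]["signatures"])
    return a & b, len(a & b) / len(a | b)


def spoof_findings(events, lan_prefix=LAN_PREFIX):
    """Facts a defender checks on each 'IP spoof detected' entry."""
    out = []
    for e in events:
        if e["event"] != "IP spoof detected":
            continue
        out.append({
            "src": e["src"], "dst": e["dst"], "mac": e["mac"], "seen_on": e["szone"],
            "src_is_local": e["src"].startswith(lan_prefix),
            "dst_is_local": e["dst"].startswith(lan_prefix),
            # Hoyt's interpretation: type 8 / code 8 fields suggest an ICMP echo request.
            "icmp_echo_like": e["sport"] == 8 and e["dport"] == 8,
        })
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    summ = summarize_by_source(evs)
    for src, s in summ.items():
        print(src, s["first"], "->", s["last"], "scan" if s["scan"] else "", s["signatures"])
    print("shared signatures:", signature_overlap(summ, "209.195.200.206", "202.219.52.137"))
    print("spoof entries:", spoof_findings(evs))
```

On the thread's log this reports that every one of the five signatures tripped on 10/20 recurs on 10/21 (the day-two source adds three more), which is the observation behind Hoyt's "same tool" remark, and that the spoof entry has neither a local source nor a local destination but did arrive on the LAN side from the MAC Paul identifies as the Linux box, which is the one fact worth checking on the host itself rather than on the firewall.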
    



    This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 08:43:24 PDT