I run several of these SonicWall firewall appliances. It appears the same tool was used to scan you in both attacks. Though, I would assume these attacks are separate (unique attacker), since one comes from the States and another from Japan. From the attacker's perspective, what would make him/her think it would work from a different block of IP addresses on the next day, if the first attack didn't work?

The IP spoof appears to be an ICMP ping from 194.153.255.99. You say it's not on your LAN. Is this server at a colo? Either way, I would definitely not be worried about this.

Hoyt Plunkett
Senior Linux Administrator
Matmon Internet, Inc.
(501) 375-4999

-----Original Message-----
From: Paul Speck [mailto:paul.speckat_private]
Sent: Wednesday, October 24, 2001 5:58 PM
To: 'incidentsat_private'
Subject: Security Question

I am attaching log files which show two days of attack and then an IP Spoof. Is this an indication of a successful access of our Red Hat 7.1 Linux machine? The firewall manufacturer (SonicWall) says no, but I am not sure of that. The MAC address is our Linux box. On the IP Spoof, neither Source nor Destination are on our LAN.
10/20/2001 08:12:46.160 - Possible Port Scan - Source:209.195.200.206, 53744, WAN - Destination:208.26.184.xxx, 5579, LAN - -
10/20/2001 08:12:58.304 - Striker Attack Dropped - Source:209.195.200.206, 55387, WAN - Destination:208.26.184.xxx, 2565, WAN - -
10/20/2001 08:13:00.368 - Sub Seven Attack Dropped - Source:209.195.200.206, 55653, WAN - Destination:208.26.184.xxx, 1243, WAN - -
10/20/2001 08:13:06.592 - Ini Killer Attack Dropped - Source:209.195.200.206, 56491, WAN - Destination:208.26.184.xxx, 9989, WAN - -
10/20/2001 08:13:32.208 - Ripper Attack Dropped - Source:209.195.200.206, 59280, WAN - Destination:208.26.184.xxx, 2023, WAN - -
10/20/2001 08:14:38.816 - Net Spy Attack Dropped - Source:209.195.200.206, 65247, WAN - Destination:208.26.184.xxx, 1024, WAN - -
10/21/2001 06:44:32.640 - Probable Port Scan - Source:202.219.52.137, 3162, WAN - Destination:208.26.184.xxx, 908, LAN - -
10/21/2001 06:45:29.288 - Sub Seven Attack Dropped - Source:202.219.52.137, 3619, WAN - Destination:208.26.184.xxx, 6711, WAN - -
10/21/2001 06:45:30.000 - Ripper Attack Dropped - Source:202.219.52.137, 3764, WAN - Destination:208.26.184.xxx, 2023, WAN - -
10/21/2001 06:45:40.400 - Striker Attack Dropped - Source:202.219.52.137, 1841, WAN - Destination:208.26.184.xxx, 2565, WAN - -
10/21/2001 06:45:41.176 - Net Spy Attack Dropped - Source:202.219.52.137, 2002, WAN - Destination:208.26.184.xxx, 1024, WAN - -
10/21/2001 06:45:43.176 - Ini Killer Attack Dropped - Source:202.219.52.137, 2438, WAN - Destination:208.26.184.xxx, 9989, WAN - -
10/21/2001 06:48:15.352 - Back Orifice Attack Dropped - Source:202.219.52.137, 2220, WAN - Destination:208.26.184.xxx, 31337, WAN - -
10/21/2001 06:48:44.032 - NetBus Attack Dropped - Source:202.219.52.137, 4238, WAN - Destination:208.26.184.xxx, 12345, WAN - -
10/21/2001 06:49:14.368 - Priority Attack Dropped - Source:202.219.52.137, 2770, WAN - Destination:208.26.184.xxx, 16969, WAN - -
10/21/2001 07:38:20.544 - IP spoof detected - Source:194.153.255.99, 8, LAN - Destination:192.117.189.191, 8, WAN - MAC address: 00.06.5B.1A.1E.EB -

Paul

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 08:43:24 PDT