Christian Stigen Larsen <cslat_private> wrote asking:

>we've gotten a lot of attempted attacks from 195.86.128.45, which
>maps to kes.wirehub.nl. I've already notified abuseat_private,
>but has anybody else seen attacks from this IP?

I agree with Hamish Stanaway in that you are unlikely to hear anything substantive from the ISP. That doesn't mean they are ignoring you, and it may mean that they are simply swamped with similar complaints.

>From our log:
>
>05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ
> [ ... ]
>Plus numerous portscans.

You don't mention what tool is generating these log entries. How is it identifying the nature of the "attack," e.g. "Sub Seven," "Back Orifice," etc.? From what you sent, it appears to be doing this on the basis of the destination port, and this is no longer reliable as a means of identifying the nature of an attack. It's so easy to tweak the malware, and by doing so one avoids ports that are very closely watched.

If the packets being dropped are all just "SYN" packets, then the situation isn't nearly so alarming as it seems to be. The "numerous portscans" could simply involve activity to ports not commonly associated with malware by whatever you are using as an IDS.

Do you have packet captures from any of these events? That would help you decide whether or not the line I quoted above is actually a SubSeven attack, or just a SYN packet sent to that port. If you don't have anything listening on port 6776, or at least not anything that's vulnerable, then all's well. Traffic like this is part of what has become normal noise on the internet.

>What should I do next, besides wait for a reply?

As Hamish indicated, the usual sorts of things are appropriate: Don't run any services you don't actually need. Keep your system patched up to date. Use a firewall, e.g. IPFilter, to control access to your machine by remote domain and local port.
TCPwrappers perform a similar function, and can be useful for security on ports commonly used for remote access, such as SSH on port 22. Don't run telnet or ftp daemons, but use SSH instead. If you already have a firewall up, then block the offending IP address. If you are feeling particularly paranoid, then use the RIPE "whois" database to find out the IP address range of this clown's ISP, and block all of it. (I will admit to having done that on occasion. ;-)

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
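The two checks Neil asks for, as an added example that is not part of the original message: first, parsing the firewall log format quoted above and flagging entries whose "attack" name is nothing more than a destination-port lookup (the only mapping visible in the post is port 6776 to "Sub Seven Attack"; the "Back Orifice" entry in the table and the extra log lines are constructed for illustration), and second, inspecting raw IPv4/TCP packet bytes from a capture to decide whether a dropped packet was a bare SYN with no payload rather than a SubSeven command stream. The log regex is inferred from the single line in the post; the scan threshold and the packet builder are assumptions made here.

```python
"""Added example, not from the original post or the poster's firewall.

parse_log_line / summarize_by_source : work on the log format quoted in the message.
build_packet / is_bare_syn            : stand in for looking at a packet capture.
"""
import re
import socket
import struct
from collections import defaultdict

# Assumed port-based "signature" table of the kind a simple firewall/IDS uses.
# Only the 6776 -> "Sub Seven Attack" mapping is visible in the quoted log line.
PORT_SIGNATURES = {
    6776: "Sub Seven Attack",
    31337: "Back Orifice Attack",  # constructed entry for illustration
}

# Format inferred from the one line quoted in the message.
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) (?P<label>.+?) Dropped "
    r"(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+) "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+)$"
)

# Constructed sample log: the real line from the post plus four made-up ones.
SAMPLE_LOG = [
    "05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ",
    "05/06/2003 12:29:54.110 Back Orifice Attack Dropped 195.86.128.45, 4342, WAN 195.119.0.181, 31337, DMZ",
    "05/06/2003 12:29:55.207 TCP Connection Dropped 195.86.128.45, 4343, WAN 195.119.0.181, 22, DMZ",
    "05/06/2003 12:29:56.301 TCP Connection Dropped 195.86.128.45, 4344, WAN 195.119.0.181, 23, DMZ",
    "05/06/2003 12:29:57.415 TCP Connection Dropped 195.86.128.45, 4345, WAN 195.119.0.181, 135, DMZ",
]


def parse_log_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # True when the attack name is exactly what a port lookup would produce,
    # i.e. the label carries no information beyond the destination port.
    rec["label_is_port_based"] = PORT_SIGNATURES.get(rec["dport"]) == rec["label"]
    return rec


def summarize_by_source(lines, scan_threshold=5):
    """Group entries by source IP and count distinct destination ports.

    scan_threshold is an assumed cut-off: at or above it, the activity from
    one source reads as a port sweep rather than a targeted connection."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            ports[rec["src"]].add(rec["dport"])
    return {
        src: {"distinct_dports": len(p), "looks_like_scan": len(p) >= scan_threshold}
        for src, p in ports.items()
    }


TCP_SYN = 0x02


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4+TCP bytes (checksums left zero) standing in for a capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def is_bare_syn(pkt):
    """True if pkt is an IPv4/TCP segment with only SYN set and no payload:
    a connection attempt, not data on the port."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return False
    doff = (pkt[ihl + 12] >> 4) * 4
    flags = pkt[ihl + 13]
    payload_len = total_len - ihl - doff
    return flags == TCP_SYN and payload_len == 0


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_log_line(line)
        print(rec["label"], rec["dport"], "port-based label:", rec["label_is_port_based"])
    print(summarize_by_source(SAMPLE_LOG))
    syn = build_packet("195.86.128.45", "195.119.0.181", 4341, 6776, TCP_SYN)
    print("bare SYN:", is_bare_syn(syn))
```

Run against a real capture you would feed each packet's bytes to is_bare_syn; if every dropped packet to 6776 comes back True, the "Sub Seven Attack" label was only ever the port number, which is the point of the reply.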
This archive was generated by hypermail 2b30 : Wed May 07 2003 - 22:10:36 PDT