RE: Re: Attack attempts from 195.86.128.45

From: Levinson, Karl (LevinsonK@STARS-SMI.com)
Date: Wed May 07 2003 - 08:58:04 PDT


    In addition to the other suggestions here, have you considered
    www.mynetwatchman.com and/or www.dshield.org?  These are two free services
    which would let you see if anyone else has seen attacks such as this, as
    well as automatically notify the relevant ISP [though I agree that this
    often does not bring satisfying results].
    
    If you're like most people, you will receive so many of these types of
    initial scans that you may find yourself unable to respond to each scan
    personally.  Make sure your firewall policy and systems are secure, and be
    sure to look for connections that were permitted in addition to ones that
    were dropped.
    
    
    >From: Christian Stigen Larsen 
    >To: incidentsat_private
    >Subject: Attack attempts from 195.86.128.45 
    >Date: Tue, 6 May 2003 19:36:34 +0200 
    
    >Hi all,
    >
    >we've gotten a lot of attempted attacks from 195.86.128.45, which maps to 
    >kes.wirehub.nl. I've already notified abuseat_private, but has 
    >anybody else seen attacks from this IP?
    >
    >From our log:
    >
    >05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ
    >05/06/2003 12:35:54.624 Ripper Attack Dropped 195.86.128.45, 3230, WAN 195.119.0.181, 2023, DMZ
    >05/06/2003 12:36:18.736 Sub Seven Attack Dropped 195.86.128.45, 1780, WAN 195.119.0.181, 1243, DMZ
    >05/06/2003 12:43:28.928 Sub Seven Attack Dropped 195.86.128.45, 1627, WAN 195.119.0.181, 6711, DMZ
    >05/06/2003 12:52:30.176 Ini Killer Attack Dropped 195.86.128.45, 4690, WAN 195.119.0.181, 9989, DMZ
    >05/06/2003 12:54:06.592 Striker Attack Dropped 195.86.128.45, 1327, WAN 195.119.0.181, 2565, DMZ
    >05/06/2003 12:59:22.640 Net Spy Attack Dropped 195.86.128.45, 2570, WAN 195.119.0.181, 1024, DMZ
    >05/06/2003 13:25:08.352 Net Spy Attack Dropped 195.86.128.45, 3754, WAN 195.119.0.181, 1024, DMZ
    >05/06/2003 13:32:18.144 Striker Attack Dropped 195.86.128.45, 2661, WAN 195.119.0.181, 2565, DMZ
    >05/06/2003 13:34:10.352 Ini Killer Attack Dropped 195.86.128.45, 2307, WAN 195.119.0.181, 9989, DMZ
    >05/06/2003 13:42:59.320 Sub Seven Attack Dropped 195.86.128.45, 2832, WAN 195.119.0.181, 6711, DMZ
    >05/06/2003 13:48:29.528 Sub Seven Attack Dropped 195.86.128.45, 1863, WAN 195.119.0.181, 1243, DMZ
    >05/06/2003 13:48:41.544 Ripper Attack Dropped 195.86.128.45, 4230, WAN 195.119.0.181, 2023, DMZ
    >05/06/2003 13:52:18.416 Sub Seven Attack Dropped 195.86.128.45, 3498, WAN 195.119.0.181, 6776, DMZ
    >05/06/2003 14:12:09.240 NetBus Attack Dropped 195.86.128.45, 3677, WAN 195.119.0.181, 12345, DMZ
    >05/06/2003 14:36:07.608 Priority Attack Dropped 195.86.128.45, 2045, WAN 195.119.0.181, 16969, DMZ
    >05/06/2003 15:08:06.576 Priority Attack Dropped 195.86.128.45, 3927, WAN 195.119.0.181, 16969, DMZ
    >05/06/2003 15:11:52.048 NetBus Attack Dropped 195.86.128.45, 1756, WAN 195.119.0.181, 12345, DMZ
    >05/06/2003 15:14:22.032 NetBus Attack Dropped 195.86.128.45, 3133, WAN 195.119.0.181, 12345, DMZ
    >05/06/2003 15:17:39.560 Priority Attack Dropped 195.86.128.45, 2129, WAN 195.119.0.181, 16969, DMZ
    >05/06/2003 15:47:12.224 NetBus Attack Dropped 195.86.128.45, 3450, WAN 195.119.0.181, 20034, DMZ
    >05/06/2003 15:51:43.192 NetBus Attack Dropped 195.86.128.45, 4064, WAN 195.119.0.181, 20034, DMZ
    >05/06/2003 16:38:27.816 Back Orifice Attack Dropped 195.86.128.45, 2249, WAN 195.119.0.181, 31337, DMZ
    >[...]
    >
    >Plus numerous portscans.
    >
    >What should I do next, besides wait for a reply?
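
The advice above to look for permitted connections as well as dropped ones, as an added example that is not part of the original thread: it parses log entries in the format quoted in the post (including entries that mail wrapping has run together) and lists, per source, what was dropped and what was let through. The "Connection Opened" entries and the 192.0.2.10 address are constructed; the wording of a permitted entry is an assumption, since the post shows only drops.

```python
import re
from collections import defaultdict

# One entry: timestamp, message, then "src_ip, src_port, iface dst_ip, dst_port, iface".
ENTRY = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([^,]+?) "
    r"(\d+\.\d+\.\d+\.\d+), (\d+), (\w+) "
    r"(\d+\.\d+\.\d+\.\d+), (\d+), (\w+)"
)

def parse(text):
    """Yield entries even when wrapping has split or merged them across lines."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    for m in ENTRY.finditer(flat):
        ts, msg, src, _sport, _, dst, dport, _ = m.groups()
        yield {"ts": ts, "msg": msg, "src": src, "dst": dst,
               "dport": int(dport), "dropped": msg.endswith("Dropped")}

def review(text):
    """Per source with drops: signatures/ports dropped, plus anything allowed."""
    dropped = defaultdict(set)
    allowed = defaultdict(list)
    for e in parse(text):
        if e["dropped"]:
            dropped[e["src"]].add((e["msg"], e["dport"]))
        else:
            allowed[e["src"]].append(e)
    # Permitted traffic from a source that also triggered drops is reviewed first.
    return {src: {"dropped": sorted(dropped[src]),
                  "allowed": allowed.get(src, [])} for src in dropped}

# First three lines are wrapped as in the post; the last two are constructed
# permitted entries (assumed message text) used to exercise the cross-check.
SAMPLE = """\
>05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN
>195.119.0.181, 6776, DMZ 05/06/2003 12:35:54.624 Ripper Attack Dropped
>195.86.128.45, 3230, WAN 195.119.0.181, 2023, DMZ
05/06/2003 16:40:02.112 Connection Opened 195.86.128.45, 2251, WAN 195.119.0.181, 80, DMZ
05/06/2003 16:41:10.000 Connection Opened 192.0.2.10, 40000, WAN 195.119.0.181, 80, DMZ
"""

if __name__ == "__main__":
    for src, info in review(SAMPLE).items():
        print(src, "dropped:", info["dropped"])
        for e in info["allowed"]:
            print("  ALLOWED", e["ts"], e["msg"], "->", e["dst"], e["dport"])
```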
    
    
    
    


