Re: Connection Attempts
From: Anders Thulin (Anders.Thulin@kiconsulting.se) Date: 01/15/02
- Previous message: Michael Hottinger: "Re: Matt Wright FormMail Attacks"
- In reply to: Jeremy Hoover: "Connection Attempts"
- Next in thread: Andrew Simmons: "Re: Connection Attempts"
Date: Tue, 15 Jan 2002 08:24:37 +0100
From: Anders Thulin <Anders.Thulin@kiconsulting.se>
To: Jeremy Hoover <hoover@gti-bti.com>, incidents@security-focus.com
Jeremy Hoover wrote:
>
> Today I was going through my server logs. And I came across this.
>
> Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
> Jan 14 11:46:53 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
> [...etc.]
> On Dec. 26th, I found a syn flood coming from the same ip. What actions
> should I take? What kind of legal matters are involved in
> this. As I dig deeper, I keep finding connection attempts. There is NO
> reason for them to be trying to access our servers.
Start detailed logging, for instance sniffing on these nets, so that you can
see what usernames and passwords are being used. At the same
time alert any other sysadmins or net admins to enable and check logging
for your other servers, routers, whatnot. Tread carefully, though.
And have a chat with your company's risk manager and/or legal adviser, as well
as other concerned people. You don't seem to have any policies for handling
security problems or incidents -- you (or someone else) may need to take the
time to begin thinking deeper about that later. (Recommended book: van Wyk &
Forno: Incident Response).
Overtly, treat it as a mistake, and inquire about it, including the relevant
logs. Make sure your logs show the correct time, and also what time zone they're
from. Also report this to CERT, and make sure you tell that to the person at the
sending end that you contact about it. As it is, they could have been hacked, and
what you're seeing is those hackers' activities. If they have been hacked, be
prepared for a certain amount of incredulity. That's why you should pass on logs
from the very beginning.
If it doesn't stop, you may bare your teeth.
--
Anders Thulin   anders.thulin@kiconsulting.se   040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
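Anders' advice turns on two things the logs have to give you before they are worth passing to CERT or to the other end: aggregation per remote host, and timestamps whose year and time zone are unambiguous (syslog lines carry neither). The following Python script is an added example, not part of the original thread or the list archive. It parses pam_unix authentication-failure lines of the kind Jeremy quoted, groups them by rhost with first/last seen in UTC, and handles the year rollover between the December and January entries he mentions. The sample log lines, the 192.0.2.17 address (a documentation range standing in for the masked 63.240.xxx.xxx), the collection time and the logging host's time zone are all constructed assumptions.

```python
"""Summarise pam_unix authentication failures from syslog-style lines.

Syslog timestamps have no year and no time zone, so both are attached
explicitly from caller-supplied assumptions before anything is reported.
"""
import re
from datetime import datetime, timedelta, timezone

# Matches the pam_unix failure lines shown in the thread; the leading
# "Mon DD HH:MM:SS host" is the standard syslog prefix.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<svc>\w+)\(pam_unix\)\[\d+\]: authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)"
)


def parse_syslog_ts(ts, collected_on, log_tz):
    """Turn a year-less syslog timestamp into an aware UTC datetime.

    collected_on: aware datetime of when the log was pulled; a parsed time
                  later than this is taken to belong to the previous year.
    log_tz:       zone the logging host's clock ran in (not in the log itself).
    """
    stamp = " ".join(ts.split())  # collapse "Jan  4" padding
    naive = datetime.strptime(f"{collected_on.year} {stamp}", "%Y %b %d %H:%M:%S")
    aware = naive.replace(tzinfo=log_tz)
    if aware > collected_on:
        aware = aware.replace(year=aware.year - 1)
    return aware.astimezone(timezone.utc)


def summarize_auth_failures(lines, collected_on, log_tz):
    """Group pam_unix failures by remote host: count, services, first/last seen (UTC).

    Lines without an rhost (console logins) are filed under "<local>".
    """
    per_host = {}
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue  # not an auth failure (e.g. the ftpd "connected: IDLE" line)
        rhost = m.group("rhost") or "<local>"
        when = parse_syslog_ts(m.group("ts"), collected_on, log_tz)
        entry = per_host.setdefault(
            rhost, {"count": 0, "services": set(), "first": when, "last": when}
        )
        entry["count"] += 1
        entry["services"].add(m.group("svc"))
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return per_host


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Dec 26 03:12:08 penguin ftp(pam_unix)[6120]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.17
Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.17
Jan 14 11:46:53 penguin ftpd: 192.0.2.17: connected: IDLE
Jan 14 11:47:02 penguin sshd(pam_unix)[7260]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.17 user=root
Jan 14 11:50:00 penguin login(pam_unix)[7301]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser= rhost= user=jeremy
""".splitlines()

# Assumptions for the sample: when the log was collected, and the host's clock zone.
COLLECTED_ON = datetime(2002, 1, 15, 8, 0, tzinfo=timezone.utc)
LOG_TZ = timezone(timedelta(hours=-5))  # assumed US Eastern, no DST in January

if __name__ == "__main__":
    for rhost, e in summarize_auth_failures(SAMPLE_LOG, COLLECTED_ON, LOG_TZ).items():
        print(f"{rhost}: {e['count']} failures via {sorted(e['services'])}, "
              f"first {e['first'].isoformat()}, last {e['last'].isoformat()}")
```

The UTC normalisation is what makes the report usable by the remote site's admins and by CERT: a bare "Jan 14 11:46:51" is ambiguous to anyone outside your time zone, and the December entry would be silently placed in the wrong year if the collection date were not taken into account.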