RE: Attack attempts from 195.86.128.45

From: C.W.L. Hoogenboezem (root_at_digitalcraze.nl)
Date: 05/07/03

    To: <incidents@securityfocus.com>
    Date: Wed, 7 May 2003 12:17:43 +0200
    
    

    Christian,

    As Hamish Stanaway already told you - you're most likely not going to
    receive a reply to your e-mail soon, so you might just want to ditch off
    the attacks by dropping all packets from this IP, or if you want to take
    somewhat more radical precautions, and scans appeared from other than
    the host you mentioned in this network, drop the C-class.

    You might as well want to ask yourself the following: what is there on
    your machine that they want? Of course you might just be a random target,
    but you could look a bit further than that - did you encounter attempts
    to compromise your system from this same IP or ISP before?

    Summary of actions I would take:

    - Block the address(es) involved;
    - Notify abuse@ (you did this already);
    - Perform an audit on my system (like Hamish also said);
    - Look for potential causes of these attempts to compromise your system.

    Best regards,
         Chris Hoogenboezem
         http://w.digitalcraze.nl

    -----Original Message-----
    From: Christian Stigen Larsen [mailto:csl@sublevel3.org]
    Sent: Tuesday, 6 May 2003 19:37
    To: incidents@securityfocus.com
    Subject: Attack attempts from 195.86.128.45

    Hi all,

    we've gotten a lot of attempted attacks from 195.86.128.45, which maps
    to kes.wirehub.nl. I've already notified abuse@nl.easynet.net, but has
    anybody else seen attacks from this IP?

    From our log:

    05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ
    05/06/2003 12:35:54.624 Ripper Attack Dropped 195.86.128.45, 3230, WAN 195.119.0.181, 2023, DMZ
    05/06/2003 12:36:18.736 Sub Seven Attack Dropped 195.86.128.45, 1780, WAN 195.119.0.181, 1243, DMZ
    05/06/2003 12:43:28.928 Sub Seven Attack Dropped 195.86.128.45, 1627, WAN 195.119.0.181, 6711, DMZ
    05/06/2003 12:52:30.176 Ini Killer Attack Dropped 195.86.128.45, 4690, WAN 195.119.0.181, 9989, DMZ
    05/06/2003 12:54:06.592 Striker Attack Dropped 195.86.128.45, 1327, WAN 195.119.0.181, 2565, DMZ
    05/06/2003 12:59:22.640 Net Spy Attack Dropped 195.86.128.45, 2570, WAN 195.119.0.181, 1024, DMZ
    05/06/2003 13:25:08.352 Net Spy Attack Dropped 195.86.128.45, 3754, WAN 195.119.0.181, 1024, DMZ
    05/06/2003 13:32:18.144 Striker Attack Dropped 195.86.128.45, 2661, WAN 195.119.0.181, 2565, DMZ
    05/06/2003 13:34:10.352 Ini Killer Attack Dropped 195.86.128.45, 2307, WAN 195.119.0.181, 9989, DMZ
    05/06/2003 13:42:59.320 Sub Seven Attack Dropped 195.86.128.45, 2832, WAN 195.119.0.181, 6711, DMZ
    05/06/2003 13:48:29.528 Sub Seven Attack Dropped 195.86.128.45, 1863, WAN 195.119.0.181, 1243, DMZ
    05/06/2003 13:48:41.544 Ripper Attack Dropped 195.86.128.45, 4230, WAN 195.119.0.181, 2023, DMZ
    05/06/2003 13:52:18.416 Sub Seven Attack Dropped 195.86.128.45, 3498, WAN 195.119.0.181, 6776, DMZ
    05/06/2003 14:12:09.240 NetBus Attack Dropped 195.86.128.45, 3677, WAN 195.119.0.181, 12345, DMZ
    05/06/2003 14:36:07.608 Priority Attack Dropped 195.86.128.45, 2045, WAN 195.119.0.181, 16969, DMZ
    05/06/2003 15:08:06.576 Priority Attack Dropped 195.86.128.45, 3927, WAN 195.119.0.181, 16969, DMZ
    05/06/2003 15:11:52.048 NetBus Attack Dropped 195.86.128.45, 1756, WAN 195.119.0.181, 12345, DMZ
    05/06/2003 15:14:22.032 NetBus Attack Dropped 195.86.128.45, 3133, WAN 195.119.0.181, 12345, DMZ
    05/06/2003 15:17:39.560 Priority Attack Dropped 195.86.128.45, 2129, WAN 195.119.0.181, 16969, DMZ
    05/06/2003 15:47:12.224 NetBus Attack Dropped 195.86.128.45, 3450, WAN 195.119.0.181, 20034, DMZ
    05/06/2003 15:51:43.192 NetBus Attack Dropped 195.86.128.45, 4064, WAN 195.119.0.181, 20034, DMZ
    05/06/2003 16:38:27.816 Back Orifice Attack Dropped 195.86.128.45, 2249, WAN 195.119.0.181, 31337, DMZ
    [...]

    Plus numerous portscans.

    What should I do next, besides wait for a reply?

    -- 
    Christian Stigen Larsen -- http://sublevel3.org/~csl/ -- mob: +47 98 22 02 15
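As an added example (not code from either message on this list), here is a small Python script that does what the original poster could do next with log lines like the ones above: parse the SonicWall-style "Attack Dropped" format, count events, signatures and target ports per source address, and derive a drop rule for the offending host or, when more than one host in the same /24 shows up, for the whole /24 as Chris suggests. The sample lines are constructed (the first five copy the shape of the post's log, the last two are invented to show a second host in the same /24 and an unrelated one), the threshold of three events is an arbitrary assumption, and the iptables command string is just one way to express the block.

```python
"""Parse SonicWall-style 'Attack Dropped' log lines, summarise them per source
address and derive block scopes (single host or /24).

Added example; not code from the mailing-list post.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample. The first five lines mirror the format shown in the post;
# 195.86.128.77 and 10.0.0.7 are invented to exercise the /24 aggregation.
SAMPLE_LOG = """\
05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ
05/06/2003 12:35:54.624 Ripper Attack Dropped 195.86.128.45, 3230, WAN 195.119.0.181, 2023, DMZ
05/06/2003 12:36:18.736 Sub Seven Attack Dropped 195.86.128.45, 1780, WAN 195.119.0.181, 1243, DMZ
05/06/2003 14:12:09.240 NetBus Attack Dropped 195.86.128.45, 3677, WAN 195.119.0.181, 12345, DMZ
05/06/2003 16:38:27.816 Back Orifice Attack Dropped 195.86.128.45, 2249, WAN 195.119.0.181, 31337, DMZ
05/06/2003 16:41:10.100 NetBus Attack Dropped 195.86.128.77, 2250, WAN 195.119.0.181, 12345, DMZ
05/06/2003 16:45:33.200 NetBus Attack Dropped 10.0.0.7, 3001, WAN 195.119.0.181, 12345, DMZ
"""

# date time <signature words> <action> src, sport, srczone dst, dport, dstzone
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d{3}) "
    r"(?P<sig>.+?) (?P<action>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+), (?P<sport>\d+), (?P<szone>\w+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<dport>\d+), (?P<dzone>\w+)$"
)


def parse_log(text):
    """Return one dict per line that matches the format; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # '[...]', portscan summaries and anything else we don't model
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def summarize_by_source(events):
    """Per source IP: event count, signature histogram and set of targeted ports."""
    summary = defaultdict(lambda: {"count": 0, "signatures": Counter(), "dst_ports": set()})
    for e in events:
        s = summary[e["src"]]
        s["count"] += 1
        s["signatures"][e["sig"]] += 1
        s["dst_ports"].add(e["dport"])
    return dict(summary)


def block_candidates(summary, min_events=3, aggregate_prefix=24):
    """Return scopes to drop: a host that alone reached min_events, or the whole
    prefix when two or more distinct sources in it were seen and together reach
    min_events (the 'drop the whole C-class' option). aggregate_prefix=None
    disables prefix aggregation. The threshold is an assumption for this example."""
    by_net = defaultdict(dict)
    for src, s in summary.items():
        net = ip_network(f"{src}/{aggregate_prefix}", strict=False) if aggregate_prefix else None
        by_net[net][src] = s["count"]
    scopes = []
    for net, hosts in by_net.items():
        if net is not None and len(hosts) >= 2 and sum(hosts.values()) >= min_events:
            scopes.append(str(net))
            continue
        scopes.extend(host for host, n in hosts.items() if n >= min_events)
    return sorted(scopes)


def iptables_rules(scopes, chain="INPUT"):
    """Render scopes as iptables drop rules (one of several ways to block)."""
    return [f"iptables -I {chain} -s {scope} -j DROP" for scope in scopes]


if __name__ == "__main__":
    summary = summarize_by_source(parse_log(SAMPLE_LOG))
    for src, s in sorted(summary.items()):
        print(src, s["count"], dict(s["signatures"]), sorted(s["dst_ports"]))
    for rule in iptables_rules(block_candidates(summary)):
        print(rule)
```

The destination ports the summary reports (1243, 6711, 6776 for Sub Seven, 12345 and 20034 for NetBus, 31337 for Back Orifice) are what a trojan sweep looks like in this log: the firewall names the signature by port, so a clean summary is also a quick way to confirm the alerts are probes for backdoors that would have to be present already, which is why an audit of the host is the other half of the advice.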
    

