Re: Attack attempts from 195.86.128.45

From: Neil Dickey (neil_at_geol.niu.edu)
Date: 05/07/03

    Date: Wed, 7 May 2003 10:14:12 -0500 (CDT)
    To: csl@sublevel3.org
    
    

    Christian Stigen Larsen <csl@sublevel3.org> wrote asking:

    >we've gotten a lot of attempted attacks from 195.86.128.45, which
    >maps to kes.wirehub.nl. I've already notified abuse@nl.easynet.net,
    >but has anybody else seen attacks from this IP?

    I agree with Hamish Stanaway in that you are unlikely to hear
    anything substantive from the ISP. That doesn't mean they are
    ignoring you, and it may mean that they are simply swamped with
    similar complaints.

    >From our log:
    >
    >05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ
    > [ ... ]
    >Plus numerous portscans.

    You don't mention what tool is generating these log entries. How is
    it identifying the nature of the "attack," e.g. "Sub Seven," "Back
    Orifice," etc.? From what you sent, it appears to be doing this on
    the basis of the destination port and this is no longer reliable as
    a means of identifying the nature of an attack. It's so easy to
    tweak the malware, and by doing so one avoids ports that are very
    closely watched. If the packets being dropped are all just "SYN"
    packets, then the situation isn't nearly so alarming as it seems to
    be. The "numerous portscans" could simply involve activity to ports
    not commonly associated with malware by whatever you are using as
    an IDS.

    Do you have packet captures from any of these events? That would
    help you decide whether or not the line I quoted above is actually
    a SubSeven attack, or just a SYN packet sent to that port. If you
    don't have anything listening on port 6776, or at least not anything
    that's vulnerable, then all's well. Traffic like this is part of
    what has become normal noise on the internet.

    >What should I do next, besides wait for a reply?

    As Hamish indicated, the usual sorts of things are appropriate: Don't
    run any services you don't actually need. Keep your system patched up
    to date. Use a firewall, e.g. IPFilter, to control access to your
    machine by remote domain and local port. TCPwrappers perform a similar
    function, and can be useful for security on ports commonly used for
    remote access, such as SSH on port 22. Don't run telnet or ftp daemons,
    but use SSH instead.

    If you already have a firewall up, then block the offending IP address.
    If you are feeling particularly paranoid, then use the RIPE "whois"
    database to find out the IP address range of this clown's ISP, and
    block all of it. ( I will admit to having done that on occasion. ;-)

    Best regards,

    Neil Dickey, Ph.D.
    Research Associate/Sysop
    Geology Department
    Northern Illinois University
    DeKalb, Illinois 60115

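As an added illustration of the point made in this reply (example code, not from the thread or its author): a small Python triage pass over constructed log records in the shape of the firewall line quoted above. It checks whether an IDS label is merely the name the destination port predicts, counts distinct destination ports per source as a portscan indicator, and treats a named "attack" aimed at a port with no listener as background noise. The `PORT_SIGNATURES` table, the `listening_ports` set and every address in the sample are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of the firewall log quoted in the thread;
# addresses are RFC 5737 documentation ranges, not the hosts discussed on the list.
SAMPLE_LOG = """\
05/06/2003 12:29:53.048 Sub Seven Attack Dropped 192.0.2.45, 4341, WAN 198.51.100.181, 6776, DMZ
05/06/2003 12:29:53.210 Back Orifice Attack Dropped 192.0.2.45, 4342, WAN 198.51.100.181, 31337, DMZ
05/06/2003 12:30:01.004 Probe Dropped 192.0.2.45, 4343, WAN 198.51.100.181, 23, DMZ
05/06/2003 12:30:01.250 Probe Dropped 192.0.2.45, 4345, WAN 198.51.100.181, 80, DMZ
05/06/2003 13:02:11.900 Sub Seven Attack Dropped 203.0.113.7, 51022, WAN 198.51.100.181, 6776, DMZ
"""

# Assumed port-to-name table of the kind a port-based IDS uses to name an event.
PORT_SIGNATURES = {6776: "Sub Seven Attack", 31337: "Back Orifice Attack"}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<label>.+?) Dropped (?P<src>[\d.]+), "
                     r"(?P<sport>\d+), \w+ (?P<dst>[\d.]+), (?P<dport>\d+), \w+$")

def parse_line(line):
    """Return the fields of one drop record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def label_is_port_derived(rec):
    """True when the label is exactly what the destination port alone predicts."""
    return PORT_SIGNATURES.get(rec["dport"]) == rec["label"]

def triage(log_text, listening_ports, scan_threshold=3):
    """Group drops per source; a named 'attack' on a port with no listener is noise."""
    seen = defaultdict(lambda: {"dports": set(), "port_derived": 0, "exposed": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = seen[rec["src"]]
        e["dports"].add(rec["dport"])
        e["port_derived"] += int(label_is_port_derived(rec))
        if rec["dport"] in listening_ports:
            e["exposed"].add(rec["dport"])
    return {src: {"distinct_ports": len(e["dports"]),
                  "looks_like_scan": len(e["dports"]) >= scan_threshold,
                  "port_derived_labels": e["port_derived"],
                  "hit_listening_ports": sorted(e["exposed"]),
                  "verdict": "investigate" if e["exposed"] else "noise"}
            for src, e in seen.items()}
```

Calling `triage(SAMPLE_LOG, listening_ports={22, 80})` marks the first source as a likely scan that also reached a listening port, and the second as noise because nothing listens on 6776.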
