Re: DoS "Probing" on one of our hosts

From: Christopher Kunz (chrislist_at_de-punkt.de)
Date: 06/30/03

    Date: Mon, 30 Jun 2003 18:34:28 +0200
    To: incidents@securityfocus.com
    
    

    Donald Voss wrote:

    > Not to be a jerk .. but could it have been a file sharing app or two or
    > three ..

    I can safely rule that out - the data that went _into_ the box must have
    been stored somewhere and there is definitely not enough space to store
    the equivalent of those bandwidth spikes.
    And since the outgoing traffic did not change at all, I don't suspect
    the box has been rooted or used as a file server by its legitimate owners.

    > a rooted box .. = warez ftp ? You never know until you look close. We have
    > had students here do the file sharing thing .. then of course everyone sorts
    > the hits by speed .. then queues up a few hundred .. so our pipe has been
    > filled from outside connections .. can anyone say packeteer ..

    I just ran chkrootkit on the box and although this tool is of course not
    too sophisticated, it generally gave me a good hint on all boxes on my
    network that have been rooted in the past. No results.

    --ck

    -- 
    php development | hosting |  housing | professional game server hosting
    http://www.de-punkt.de   [ chris@de-punkt.de ]    http://www.stormix.de
    +49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
    Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php
    
