RE: DoS "Probing" on one of our hosts

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/30/03

  • Next message: Stone, Alexander: "RE: DoS "Probing" on one of our hosts"

Date: Mon, 30 Jun 2003 10:14:27 -0700 (PDT)
To: incidents@securityfocus.com

    > To me, that pattern sounds a lot more like someone's
    > hacked a server and set up a warez site.

    This could very well be, particularly if there is an
    FTP server floating around on the connection.

    > See if you can put a sniffer on the outbound
    > connection (Sniffer is my commercial favorite) to
    > find the endpoints.

    Sniffer isn't needed to find the endpoints...only
    netstat on the local box.

    > There are lots of reasons your
    > IDS isn't raising alarms: the system that was hacked
    > was already an FTP server, or if your IDS isn't
    > monitoring common protocols from servers, or the IDS
    > system doesn't see the traffic going to the hacked
    > system, et al.

    Well, not so much that the IDS didn't see it, but the
    IDS didn't have a signature for the traffic that it
    did see...

    Harlan


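Harlan's point above is that the endpoints of the suspicious traffic are already visible on the suspected host itself. The script below is an added example, not part of the original post or of any tool it mentions: it parses a constructed `netstat -an` listing (Windows column layout: Proto, Local Address, Foreign Address, State; the 203.0.113.x and 198.51.100.x addresses are RFC 5737 documentation ranges, not real peers) and reports remote hosts that hold an FTP control connection to local port 21 plus at least one more connection to another local port, which is the shape a passive-mode transfer from a planted warez site leaves in netstat. The 192.168.1.10 host address, the FTP port and the RFC 1918 test for "internal" are assumptions of the example.

```python
"""Triage a netstat listing from a host suspected of hosting a warez FTP site.

Constructed sample in netstat -an (Windows) layout. The peer addresses are
RFC 5737 documentation ranges, chosen so the sample points at nobody real.
"""
import ipaddress
from collections import defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        203.0.113.5:51234      ESTABLISHED
  TCP    192.168.1.10:1027      203.0.113.5:51240      ESTABLISHED
  TCP    192.168.1.10:1029      203.0.113.5:51241      ESTABLISHED
  TCP    192.168.1.10:21        198.51.100.77:40000    ESTABLISHED
  TCP    192.168.1.10:1028      198.51.100.77:40001    ESTABLISHED
  TCP    192.168.1.10:139       192.168.1.22:3456      ESTABLISHED
  TCP    192.168.1.10:445       192.168.1.22:3457      TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

# Assumption: "internal" means RFC 1918 space; anything else is an Internet peer.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(host):
    """True if the address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in RFC1918)


def split_endpoint(addr):
    """Split 'host:port' into (host, port); port is None for '*' entries."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return established TCP connections as dicts.

    Only four-column TCP rows in state ESTABLISHED are kept: LISTENING,
    TIME_WAIT and UDP rows carry no live remote endpoint worth chasing.
    """
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue
        _proto, local, foreign, state = fields
        if state.upper() != "ESTABLISHED":
            continue
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        conns.append({"local_host": lhost, "local_port": lport,
                      "foreign_host": fhost, "foreign_port": fport})
    return conns


def summarize_peers(conns):
    """Group connections by remote host: how many, which local ports it
    touches, and whether it sits outside RFC 1918 space."""
    peers = defaultdict(lambda: {"local_ports": set(), "count": 0,
                                 "external": False})
    for c in conns:
        p = peers[c["foreign_host"]]
        p["count"] += 1
        p["local_ports"].add(c["local_port"])
        p["external"] = not is_internal(c["foreign_host"])
    return dict(peers)


def suspect_ftp_peers(peers, ftp_port=21):
    """Remote hosts with an FTP control connection plus at least one more
    connection to a different local port: a control channel and one or more
    passive data channels, the footprint of a client pulling files."""
    return sorted(h for h, p in peers.items()
                  if ftp_port in p["local_ports"] and len(p["local_ports"]) > 1)


if __name__ == "__main__":
    peers = summarize_peers(parse_netstat(SAMPLE_NETSTAT))
    for host in suspect_ftp_peers(peers):
        p = peers[host]
        where = "external" if p["external"] else "internal"
        print(f"{host:16} {where:8} {p['count']} conns, "
              f"local ports {sorted(p['local_ports'])}")
```

Run it against saved output from the box in question rather than the constructed sample; on the Windows versions current at the time of this thread, `netstat -ano` adds the owning process ID, which is the next thing to pull before the connections go away. The parser expects the four-column Windows layout; Linux netstat prints Recv-Q and Send-Q columns as well and would need the field positions adjusted.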

