RE: DoS "Probing" on one of our hosts

From: Harlan Carvey (
Date: 06/30/03

  • Next message: Stone, Alexander: "RE: DoS "Probing" on one of our hosts"
    Date: Mon, 30 Jun 2003 10:14:27 -0700 (PDT)

    > To me, that pattern sounds a lot more like someone's
    > hacked a server and set up a warez site.

    This could very well be, particularly if there is an
    FTP server floating around on the connection.

    > See if you can put a sniffer on the outbound
    > connection (Sniffer is my commercial favorite) to
    > find the endpoints.

    Sniffer isn't needed to find the endpoints...only
    netstat on the local box.

    > There are lots of reasons your
    > IDS isn't raising alarms: the system that was hacked
    > was already an FTP server, or if your IDS isn't
    > monitoring common protocols from servers, or the IDS
    > system doesn't see the traffic going to the hacked
    > system, et al.

    Well, not so much that the IDS didn't see it, but the
    IDS didn't have a signature for the traffic that it
    did see...


    Do you Yahoo!?
    SBC Yahoo! DSL - Now only $29.95 per month!

    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out.

  • Next message: Stone, Alexander: "RE: DoS "Probing" on one of our hosts"