RE: help - can someone explain this to me?

From: scott [gts] (scott@graphictype.com)
Date: 10/26/01


From: "scott [gts]" <scott@graphictype.com>
To: "security-basics" <security-basics@security-focus.com>
Subject: RE: help - can someone explain this to me?
Date: Fri, 26 Oct 2001 15:26:21 -0400
Message-ID: <KFEKLFMNHDILCMFAEKJCCEFODHAA.scott@graphictype.com>


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

i'm pretty sure that 10.*, 127.* and 198.* are not routable
on the internet (which is why so many LANs use them), so it
looks like whatever happened to your machine is coming
from inside the LAN where your machine is hosted.

perhaps a machine that the ISP hosts is infected with something
and throwing out packets to everything on the LAN...?
(maybe it's another damn IIS worm, since it appears
 that your ISP hosts mostly NT/IIS machines)

but don't take my word, that's just a speculation, i'm
not a networking specialist or anything.

> -----Original Message-----
> From: Steven M Bloomfield [mailto:steven@root101.com]
> Subject: help - can someone explain this to me?
>
> Hi,
> I'm webmaster of a large-ish website and yesterday the server went down.
> It is a Redhat 6.1 Linux server. All my ISP would do was press the 'reset'
> button - very kind of them (they are NT specialists).
> Inspecting my log files I found thousands of denied packets, all seem to be
> within a period of 6 hours.
> My question is, could such an attack disable my machine and crash it? Can
> anyone identify what sort of attack it was?
>
> Here's a summary below:
>
> Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
> Port https (tcp,eth0,input): 5 packet(s).
> Total of 5 packet(s).
>
> Denied packets from 10.10.71.237.
> Port netbios-dgm (udp,eth1,input): 69 packet(s).
> Port netbios-ns (udp,eth1,input): 333 packet(s).
> Total of 402 packet(s).
>
> Denied packets from 10.10.0.4.
> Port netbios-dgm (udp,eth1,input): 496 packet(s).
> Port netbios-ns (udp,eth1,input): 2925 packet(s).
> Total of 3421 packet(s).
>
> Denied packets from userSg017.videon.wave.ca (204.112.48.37).
> Port 500 (udp,eth0,input): 6 packet(s).
> Total of 6 packet(s).
>
> Denied packets from 207.190.199.102.
> Port https (tcp,eth0,input): 11 packet(s).
> Total of 11 packet(s).
>
> Denied packets from 10.10.32.21.
> Port netbios-dgm (udp,eth1,input): 338 packet(s).
> Port netbios-ns (udp,eth1,input): 1742 packet(s).
> Total of 2080 packet(s).
>
> Denied packets from 172.17.0.18.
> Port 1434 (udp,eth1,input): 2 packet(s).
> Total of 2 packet(s).
>
> Denied packets from 10.10.1.37.
> Port netbios-dgm (udp,eth1,input): 496 packet(s).
> Port netbios-ns (udp,eth1,input): 2925 packet(s).
> Total of 3421 packet(s).
>
> Denied packets from 10.10.32.27.
> Port netbios-dgm (udp,eth1,input): 59 packet(s).
> Port netbios-ns (udp,eth1,input): 324 packet(s).
> Total of 383 packet(s).
>
> Denied packets from 10.10.32.28.
> Port netbios-dgm (udp,eth1,input): 107 packet(s).
> Port netbios-ns (udp,eth1,input): 513 packet(s).
> Total of 620 packet(s).
>
> Denied packets from 10.10.0.1.
> Port 0 (tcp,eth1,input): 3 packet(s).
> Total of 3 packet(s).
>
> Denied packets from 10.10.0.3.
> Port bootpc (udp,eth1,input): 19 packet(s).
> Port netbios-dgm (udp,eth1,input): 475 packet(s).
> Port netbios-ns (udp,eth1,input): 2259 packet(s).
> Total of 2753 packet(s).
>
> Thanks,
> Steve

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBO9m43caXTGgZdrSUEQIcvgCfZ+8J4IIJNGsEITW9jBHaEhU0bFUAoME/
jsdkTYNv3uylkRyyhvvyuQzi
=mXgL
-----END PGP SIGNATURE-----
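
An added example, not part of either message: a Python sketch that parses the denied-packet summary format quoted above and totals packets by interface, source address scope (private or public, as reported by Python's ipaddress module) and port, which is the grouping the reply reasons about. The sample input is constructed from a subset of the quoted entries, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the quoted summary entries.
SAMPLE = """\
Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136).
Port https (tcp,eth0,input): 5 packet(s).
Total of 5 packet(s).

Denied packets from 10.10.0.4.
Port netbios-dgm (udp,eth1,input): 496 packet(s).
Port netbios-ns (udp,eth1,input): 2925 packet(s).
Total of 3421 packet(s).

Denied packets from 172.17.0.18.
Port 1434 (udp,eth1,input): 2 packet(s).
Total of 2 packet(s).
"""

SRC_RE = re.compile(r"Denied packets from (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\.$")
PORT_RE = re.compile(r"Port (\S+) \((\w+),(\w+),(\w+)\): (\d+) packet\(s\)\.$")

def parse(text):
    """Return a list of (src_ip, port, proto, iface, count) records."""
    records, src = [], None
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quoting
        m = SRC_RE.match(line)
        if m:
            src = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and src:
            port, proto, iface, _chain, count = m.groups()
            records.append((src, port, proto, iface, int(count)))
    return records

def summarize(records):
    """Total denied packets keyed by (interface, address scope, port/proto)."""
    totals = defaultdict(int)
    for src, port, proto, iface, count in records:
        scope = "private" if ipaddress.ip_address(src).is_private else "public"
        totals[(iface, scope, f"{port}/{proto}")] += count
    return dict(totals)

if __name__ == "__main__":
    for key, n in sorted(summarize(parse(SAMPLE)).items(), key=lambda kv: -kv[1]):
        print(*key, n)
```

Sorting the totals in descending order puts the dominant traffic class first, so it is immediately visible which interface and address scope account for most of the denied packets.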


