Re: help - can someone explain this to me?
From: Brad Westman (bwestman@foxvalley.net)
Date: 10/29/01
- Previous message: Moo: "Re: help - can someone explain this to me?"
- In reply to: Lutz Badenheuer: "Re: help - can someone explain this to me?"
- Next in thread: Jeff Miller: "RE: help - can someone explain this to me?"
- Next in thread: Brian Smith: "Re: help - can someone explain this to me?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <000d01c160ba$2097d710$541601bf@0003470AA162>
From: "Brad Westman" <bwestman@foxvalley.net>
To: <security-basics@securityfocus.com>
Subject: Re: help - can someone explain this to me?
Date: Mon, 29 Oct 2001 14:41:06 -0600
RFC 1819 or 1918, sorry, not sure which one.
ietf.org
----- Original Message -----
From: "Lutz Badenheuer" <Lutz.Badenheuer@t-online.de>
To: "security-basics" <security-basics@security-focus.com>
Sent: Friday, October 26, 2001 5:41 PM
Subject: Re: help - can someone explain this to me?
> Please have another look at your documentation. The so-called
> "unregistered" IP-addresses are 10.0.0.0/8, 172.0.0.0/16 (I think, I
> don't use these ones) and 192.168.0.0/16.
>
> In fact, to me it doesn't seem that one of the denied connects listed
> below could have done any harm to your system. In fact, you shouldn't
> be too serious about the connects on ports "netbios-.*" (137, 139),
> because that is normal windows file sharing and can be seen within
> every network that has Wintendo boxes in it.
>
> Possibly, your log files filled up your harddisk so that the machine
> crashed.
>
> If those connects were all within a short period of time and you've
> not seen connects like these in this massive amount before, something
> changed in that network, and your ISP should immediately scan his
> boxes for the Nimda worm. He could be vulnerable because of using
> the inherently insecure Windows operating system. Nimda replicates
> (among other mechanisms) using these ports which are used by the SMB
> protocol. This worm cannot do any harm to your Linux box.
>
> RedHat 6.1 is a very, very old release and can be easily attacked by
> using information or ready-to-use exploits that can be found at
> rootshell.com or similar sites. You should upgrade IMMEDIATELY - that
> means, NOW!
>
> Sorry for any inconveniences because of my bad English, but I'm a
> German and suffer from a lack of training in that language.
>
> HTH,
> Lutz
>
> On Friday, 26 October 2001 21:26, scott [gts] wrote:
> > I'm pretty sure that 10.*, 127.* and 198.* are not routable
> > on the internet (which is why so many LANs use them), so it
> > looks like whatever happened to your machine is coming
> > from inside the LAN where your machine is hosted.
> >
> > perhaps a machine that the ISP hosts is infected with something
> > and throwing out packets to everything on the LAN...?
> > (maybe it's another damn IIS worm, since it appears
> > that your ISP hosts mostly NT/IIS machines)
> >
> > but don't take my word, that's just a speculation, I'm
> > not a networking specialist or anything.
> >
> > > -----Original Message-----
> > > From: Steven M Bloomfield [mailto:steven@root101.com]
> > > Subject: help - can someone explain this to me?
> > >
> > > Hi,
> > > I'm webmaster of a large-ish website and yesterday the server
> > > went down. It is a Redhat 6.1 Linux server. All my ISP would do
> > > was press the 'reset' button - very kind of them (they are NT
> > > specialists).
> > > Inspecting my log files I found thousands of denied packets, all
> > > seem to be within a period of 6 hours.
> > > My question is, could such an attack disable my machine and crash
> > > it? Can anyone identify what sort of attack it was?
> > >
> > > Here's a summary below:
> > >
> > > Denied packets from modem-392.awesome.dialup.pol.co.uk
> > > (62.25.129.136). Port https (tcp,eth0,input): 5 packet(s).
> > > Total of 5 packet(s).
> > >
> > > Denied packets from 10.10.71.237.
> > > Port netbios-dgm (udp,eth1,input): 69 packet(s).
> > > Port netbios-ns (udp,eth1,input): 333 packet(s).
> > > Total of 402 packet(s).
> > >
> > > Denied packets from 10.10.0.4.
> > > Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > > Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > > Total of 3421 packet(s).
> > >
> > > Denied packets from userSg017.videon.wave.ca (204.112.48.37).
> > > Port 500 (udp,eth0,input): 6 packet(s).
> > > Total of 6 packet(s).
> > >
> > > Denied packets from 207.190.199.102.
> > > Port https (tcp,eth0,input): 11 packet(s).
> > > Total of 11 packet(s).
> > >
> > > Denied packets from 10.10.32.21.
> > > Port netbios-dgm (udp,eth1,input): 338 packet(s).
> > > Port netbios-ns (udp,eth1,input): 1742 packet(s).
> > > Total of 2080 packet(s).
> > >
> > > Denied packets from 172.17.0.18.
> > > Port 1434 (udp,eth1,input): 2 packet(s).
> > > Total of 2 packet(s).
> > >
> > > Denied packets from 10.10.1.37.
> > > Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > > Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > > Total of 3421 packet(s).
> > >
> > > Denied packets from 10.10.32.27.
> > > Port netbios-dgm (udp,eth1,input): 59 packet(s).
> > > Port netbios-ns (udp,eth1,input): 324 packet(s).
> > > Total of 383 packet(s).
> > >
> > > Denied packets from 10.10.32.28.
> > > Port netbios-dgm (udp,eth1,input): 107 packet(s).
> > > Port netbios-ns (udp,eth1,input): 513 packet(s).
> > > Total of 620 packet(s).
> > >
> > > Denied packets from 10.10.0.1.
> > > Port 0 (tcp,eth1,input): 3 packet(s).
> > > Total of 3 packet(s).
> > >
> > > Denied packets from 10.10.0.3.
> > > Port bootpc (udp,eth1,input): 19 packet(s).
> > > Port netbios-dgm (udp,eth1,input): 475 packet(s).
> > > Port netbios-ns (udp,eth1,input): 2259 packet(s).
> > > Total of 2753 packet(s).
> > >
> > > Thanks,
> >
> > Steve
>
> --
> Microsoft's software is 99% copied from UNIX. The remaining 1% serves
> to make MS incompatible with the rest of the world.
> Lutz Badenheuer | IT-Consulting, Development, Networksolutions
> luke@the-web-ac.com | C/C++, Perl, bash | Linux, SCO UNIX, Solaris
>
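As an added example (not code from this thread), a small Python script that parses the "Denied packets from ..." summary Steve posted, strips the mail quoting, classifies each source against the RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and separates the NetBIOS file-sharing chatter Lutz describes from everything else, so the "is it coming from inside the LAN, is it just Windows noise" questions above can be answered from the counts. The sample blocks are copied from the summary; the function names and the Total cross-check are the example's own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
# RFC 1918 ranges are not routed on the Internet, so packets from them come from an attached LAN.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Service names the log uses for Windows file-sharing chatter (UDP 137/138, TCP 139).
NETBIOS = {"netbios-ns", "netbios-dgm", "netbios-ssn"}
QUOTE_RE = re.compile(r"^(?:>[ \t]?)+", re.M)  # strip "> > > " mail-quoting prefixes
BLOCK_RE = re.compile(r"Denied packets from (?P<src>.*?)\.\s+(?P<body>.*?)"
                      r"Total of (?P<total>\d+) packet\(s\)\.", re.S)
PORT_RE = re.compile(r"Port (?P<port>\S+) \((?P<proto>\w+),(?P<iface>\w+),\w+\): (?P<n>\d+) packet")
IP_RE = re.compile(r"\d+(?:\.\d+){3}")

def is_rfc1918(ip: str) -> bool:
    return any(ip_address(ip) in net for net in RFC1918)

def parse_summary(text: str) -> list:
    """One dict per 'Denied packets from ...' block; the Total line is cross-checked."""
    entries = []
    for m in BLOCK_RE.finditer(QUOTE_RE.sub("", text)):
        ip = IP_RE.search(m.group("src")).group()       # a hostname may precede the IP
        ports = [(p["port"], p["proto"], p["iface"], int(p["n"]))
                 for p in PORT_RE.finditer(m.group("body"))]
        total = int(m.group("total"))
        if sum(n for *_, n in ports) != total:
            raise ValueError(f"per-port counts do not add up to the Total line for {ip}")
        entries.append({"ip": ip, "private": is_rfc1918(ip), "ports": ports, "total": total})
    return entries

def summarize(entries: list) -> dict:
    """Split denied traffic by private/public source, NetBIOS/other port and interface."""
    s = {"private": 0, "public": 0, "netbios": 0, "other": 0, "by_iface": defaultdict(int)}
    for e in entries:
        s["private" if e["private"] else "public"] += e["total"]
        for port, _proto, iface, n in e["ports"]:
            s["netbios" if port in NETBIOS else "other"] += n
            s["by_iface"][iface] += n
    s["by_iface"] = dict(s["by_iface"])
    return s

# Constructed sample: three blocks copied from the summary above, quote prefixes included.
SAMPLE = """\
> > > Denied packets from modem-392.awesome.dialup.pol.co.uk
> > > (62.25.129.136). Port https (tcp,eth0,input): 5 packet(s).
> > > Total of 5 packet(s).
> > > Denied packets from 10.10.71.237.
> > > Port netbios-dgm (udp,eth1,input): 69 packet(s).
> > > Port netbios-ns (udp,eth1,input): 333 packet(s).
> > > Total of 402 packet(s).
> > > Denied packets from 172.17.0.18.
> > > Port 1434 (udp,eth1,input): 2 packet(s).
> > > Total of 2 packet(s).
"""
```

Running `summarize(parse_summary(SAMPLE))` on the sample attributes 404 of the 409 denied packets to RFC 1918 sources on eth1, 402 of them NetBIOS name/datagram traffic; only the 5 HTTPS packets arrive on the public side.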