RE: Any ideas?

From: Reichert Holger (Holger.Reichert@nondbvwin.de)
Date: 01/15/02


From: Reichert Holger <Holger.Reichert@nondbvwin.de>
To: "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
Date: Tue, 15 Jan 2002 11:58:36 +0100

Hello Trevor

first of all, as you may guess (nobody else replied), I think that this list
is not the right one to post such events.
I propose to cross-post it to incidents@securityfocus.com.

There you're more likely to find the specialists in logfile reading.
I myself am only a beginner in intrusion analysis, but from what I've read by
this time, the first two packets from Snort show the third part of the TCP
3-way handshake.
So to know if there has ever been a complete TCP connection, you should
search your logfiles for the SYN/ACK which your machine sent to 12.224.241.144
and the SYN which 12.224.241.144 sent to your site.
Only if you see all these packets has there been an active TCP connection to
your server.
If you only see these ACKs, there are two possibilities:
1) You've been scanned with ACK to see if your server is listening on
port 80.
        If you only see these ACKs to this server you should take this
seriously, because the attacker already knows your server.
2) Somebody has spoofed your IP address and scanned another host with
SYN/ACK packets.

The last packet in your mail says definitely that there has been a connect.
But for the analysis I'm not yet smart enough.
For more assistance in discovering if your server got compromised there is
another list:
forensics@securityfocus.com
For help with interpreting Snort messages, search on snort.org or ask
questions in their mailing list.
Probably you can get advice from your local CERT. Try to phone them and ask
for routines you should go through.

For future problem solving I suggest using Tripwire, which is one
possibility to know fast if you were compromised.

Best wishes

Holger Reichert
www.holysword.de
holger.reichert@holysword.de

Trevor wrote:
___________________________________________________
Hi all,

These are entries from my Snort IDS logs and my firewall logs for the IP
address reported by Snort. It looks like an attempt to get into our Outlook
Web Access server. If it was a hack, how could I tell if it was successful or
not? I did a Google on it and did not come up with much.

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 3]
01/08-12:54:08.793287 12.224.241.144:1136 -> 63.xxx.xxx.xxx:80
TCP TTL:51 TOS:0x0 ID:2276 IpLen:20 DgmLen:730 DF
***AP*** Seq: 0xF608349 Ack: 0xFC8B5BF0 Win: 0x8ECD TcpLen: 20

[**] [1:882:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 3]
01/08-18:53:45.398355 12.224.241.144:1568 -> 63.xxx.xxx.xxx:80
TCP TTL:51 TOS:0x0 ID:5645 IpLen:20 DgmLen:818 DF
***AP*** Seq: 0x5C2AE779 Ack: 0x36609C29 Win: 0x8ECF TcpLen: 20

Jan 09 21:53:31.093 xxxxxxxxx httpd[339]: 121 Statistics: duration=4.23 id=51ZeM sent=544 rcvd=707 srcif=Vpn4 src=12.224.241.144/3172 cldst=63.xxx.xxx.xxx/80 svsrc=192.xxx.xxx.xxx dstif=Vpn3 dst=192.xxx.xxx.xxx/80 op=GET arg=http://www.venocoinc.com/exchange/forms/IPM/NOTE/frmRoot.asp?index=0&obj=000000005DDB3712FA5CD411A7EF00A0C9E0A0180700085F598189CED211A7BD00A0C9E0A018000000AC4A6B00006AC011B1CB7FD411BC78001083FC58260000006245B20000&command=open result="302 Object moved" proto=http rule=6

Thanks for the help

Trevor Maingot
* 805-745-2121
* 805-455-9660
* 805-745-1926
* tmaingot@venocoinc.com
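As an added example (not part of the thread), here is a small Python script that reads Snort 1.x alert headers and applies the check Holger describes: it records which legs of the three-way handshake between 12.224.241.144 and the server are visible in the alerts and reports "complete", "ack-only" or "partial". The alert headers are the two from Trevor's post plus a constructed SYN and SYN/ACK pair, assumed for illustration only.

```python
import re
# Snort 1.x TCP alert: a header "MM/DD-HH:MM:SS.usec src:port -> dst:port" followed by a
# flags line whose 8 positional chars follow "12UAPRSF" (URG, ACK, PSH, RST, SYN, FIN); '*' = clear.
HDR_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ ([\d.x]+):\d+ -> ([\d.x]+):\d+$")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")

def parse_alerts(text):
    packets, cur = [], None          # cur = (src, dst) of the header we are inside
    for line in text.splitlines():
        m = HDR_RE.match(line.strip())
        f = FLAGS_RE.match(line.strip())
        if m:
            cur = (m.group(1), m.group(2))
        elif f and cur:
            flags = {name for name, ch in zip("12UAPRSF", f.group(1)) if ch != "*"}
            packets.append((cur[0], cur[1], flags))
            cur = None
    return packets

def handshake_legs(packets, server, remote):
    """Which legs of the remote -> server 3-way handshake are visible in the alerts."""
    legs = set()
    for src, dst, flags in packets:
        to_server = src == remote and dst == server
        if to_server and "S" in flags and "A" not in flags:
            legs.add("SYN")
        elif src == server and dst == remote and {"S", "A"} <= flags:
            legs.add("SYN/ACK")
        elif to_server and "A" in flags and "S" not in flags:
            legs.add("ACK")
    return legs

def verdict(legs):
    if {"SYN", "SYN/ACK", "ACK"} <= legs:
        return "complete"            # all three legs seen: a real TCP connection existed
    return "ack-only" if legs == {"ACK"} else "partial"   # ack-only: ACK scan, spoofing, or unlogged legs

# The two alert headers from the post, then a constructed SYN / SYN-ACK pair for the same flow.
POST_ALERTS = """\
01/08-12:54:08.793287 12.224.241.144:1136 -> 63.xxx.xxx.xxx:80
***AP*** Seq: 0xF608349 Ack: 0xFC8B5BF0 Win: 0x8ECD TcpLen: 20
01/08-18:53:45.398355 12.224.241.144:1568 -> 63.xxx.xxx.xxx:80
***AP*** Seq: 0x5C2AE779 Ack: 0x36609C29 Win: 0x8ECF TcpLen: 20
"""
CONSTRUCTED_SYN_SYNACK = """\
01/08-12:54:08.500000 12.224.241.144:1136 -> 63.xxx.xxx.xxx:80
******S* Seq: 0xF608348 Ack: 0x0 Win: 0x8ECD TcpLen: 20
01/08-12:54:08.600000 63.xxx.xxx.xxx:80 -> 12.224.241.144:1136
***A**S* Seq: 0xFC8B5BEF Ack: 0xF608349 Win: 0x4000 TcpLen: 20
"""
```

Run against the post's alerts alone the result is "ack-only"; with the constructed SYN and SYN/ACK added it becomes "complete", which is the distinction Holger asks Trevor to make in his logs.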