Re: intrusion alert
- From: Rick <rick0.merrill@xxxxxxxxxxxxxxxxxx>
- Date: Thu, 11 Mar 2010 12:58:18 -0500
Burkhard Ott wrote:
On Thu, 11 Mar 2010 08:12:07 -0500, Rick wrote:
Burkhard Ott wrote:
On Wed, 10 Mar 2010 18:29:23 -0500, Rick wrote:
Burkhard Ott wrote:
On Wed, 10 Mar 2010 14:29:14 +0000, Jon Solberg wrote:
On 2010-03-10, Rick <rick0.merrill@xxxxxxxxxxxxxxxxxx> wrote:
My firewall emails me the following:
03/09/2010 10:58:19.736 - Alert - Intrusion Prevention - FTP: PORT
bounce attack dropped. - 192.168.248.213, 3629, X1 (rick) -
192.168.248.205, 21, X0 - Target host: 18.104.22.168, 59310 This
email was generated by: SonicOS Enhanced 22.214.171.124-16o
Get a real firewall.
Nope, a dropped packet on a Sonicwall.
I think it means Affinity has an infected/zombied server. What do you
Yes for sure, format all your servers you are at high risk since you've
tried to access their servers, call them and tell them this serious
problem what your fancy sonicwall told you and you end up as the hero
of the day.
Believe it or not I did (once) get that to happen with a US based server
because I found the owner (not IT savvy) who leaned on his IT people and
made them find the infected server.
Blessings, - Don Quixote
OK, while you analyzed this stream, since you surely mirror your ports and
log it to a logging server, what did you find?
As far as I understand your logged message, the firewall dropped evil
Rick with the IP 192.168.248.213 (RFC1918!) to open a communication to
server 126.96.36.199 on port 21 (ftp auth).
The crappy sonicwall thinks this might be a bounce attack, so go to evil
Rick this is the guy you need to hunt.
home-pwp.ccres.tpa.affinity.com ::= 188.8.131.52
is the one listening for the bounce - same name as I, so he must be a good guy and is more liable to be the victim (of zombie attack) than the bad guy ;-)
The Arwin listing phone number is NIS!
(Not In Service)
Heck, maybe it is a honey pot that just goes out looking for possible zombies on other systems.
Ah, in '07 Affinity was taken over by Hostway of Chicago - the plot thickens.
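
Added example, not part of the original message or of SonicOS: the check behind a "PORT bounce" alert is to decode the FTP PORT argument (h1,h2,h3,h4,p1,p2) and compare it with the address the control connection came from. The client address and port 59310 are taken from the alert above; 203.0.113.10 is a constructed stand-in for the third-party target host, and the function names are hypothetical.

```python
import ipaddress
import re

# RFC 959 PORT argument: four address octets and two port octets, comma separated.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
                     re.IGNORECASE)


def parse_port(line):
    """Return (IPv4Address, port) from an FTP PORT command, or None if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ipaddress.IPv4Address(".".join(str(o) for o in octets[:4]))
    return ip, octets[4] * 256 + octets[5]  # port = p1 * 256 + p2


def check_port(client_ip, line, min_port=1024):
    """Classify a PORT command seen on a control connection from client_ip."""
    parsed = parse_port(line)
    if parsed is None:
        return "malformed"
    ip, port = parsed
    if ip != ipaddress.IPv4Address(client_ip):
        return "bounce"      # data connection aimed at a host other than the client
    if port < min_port:
        return "low-port"    # own address, but a privileged/service port
    return "ok"


# Constructed sample: (control-connection source, command sent to port 21).
SAMPLES = [
    ("192.168.248.213", "PORT 192,168,248,213,231,174"),  # own address, port 59310
    ("192.168.248.213", "PORT 203,0,113,10,231,174"),     # third-party target
    ("192.168.248.213", "PORT 192,168,248,213,0,22"),     # own address, port 22
    ("192.168.248.213", "PORT 300,0,0,1,1,1"),            # invalid octet
]


def scan(samples):
    """Return one verdict per (client_ip, command) pair."""
    return [check_port(ip, cmd) for ip, cmd in samples]


if __name__ == "__main__":
    for (ip, cmd), verdict in zip(SAMPLES, scan(SAMPLES)):
        print(f"{ip:16} {cmd:32} {verdict}")
```

A mismatch is also what a client produces when it advertises an address other than the one its control connection arrives from (for example an external address configured for active mode), so a hit is a lead to check against the client's configuration rather than proof of an infected host.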