Re: intrusion alert



Burkhard Ott wrote:
On Thu, 11 Mar 2010 08:12:07 -0500, Rick wrote:

Burkhard Ott wrote:
On Wed, 10 Mar 2010 18:29:23 -0500, Rick wrote:

Burkhard Ott wrote:
On Wed, 10 Mar 2010 14:29:14 +0000, Jon Solberg wrote:

On 2010-03-10, Rick<rick0.merrill@xxxxxxxxxxxxxxxxxx> wrote:
My firewall emails me the following:

03/09/2010 10:58:19.736 - Alert - Intrusion Prevention - FTP: PORT
bounce attack dropped. - 192.168.248.213, 3629, X1 (rick) -
192.168.248.205, 21, X0 - Target host: 216.87.188.9, 59310 This
email was generated by: SonicOS Enhanced 5.3.0.0-16o
(0017-C54A-D6FC)

Comments?

Get a real firewall.

Nope, a dropped packet on a Sonicwall.

I think it means Affinity has an infected/zombied server. What do you
think?

Yes for sure, format all your servers you are at high risk since you've
tried to access their servers, call them and tell them this serious
problem what your fancy sonicwall told you and you end up as the hero
of the day.

cheers


Believe it or not I did (once) get that to happen with a US based server
because I found the owner (not IT savy) who leaned on his IT people and
made them find the infected server.

Blessings, - Don Quixote

OK, while analyzed this stream, since you surely mirror your ports and
log it to a logging server, what did you find.
As far as I understand your logged message, the firewall dropped evil
Rick with the IP 192.168.248.213 (RFC1918!) to open a communication to
server 216.87.188.9 on port 21 (ftp auth).
The crappy sonicwall thinks this might be a bounce attack, so go to evil
Rick this is the guy you need to hunt.

cheers

home-pwp.ccres.tpa.affinity.com ::= 216.87.188.9
is the one listening for the bounce - same name as I, so he must be a good guy and is more liable to be the victim (of zombie attack) than the bad guy ;-)

The Arwin listing phone number is NIS!

(Not In Service)

Heck, maybe it is a honey pot that just goes out looking for possible zombies on other systems.

Ah, in '07 Affinity was taken over by Hostway of Chicago - the plot thickens.

.



Relevant Pages

  • Re: intrusion alert
    ... a dropped packet on a Sonicwall. ... I think it means Affinity has an infected/zombied server. ...
    (comp.security.firewalls)
  • Re: intrusion alert
    ... Burkhard Ott wrote: ... Get a real firewall. ... a dropped packet on a Sonicwall. ...
    (comp.security.firewalls)
  • Re: intrusion alert
    ... Get a real firewall. ... a dropped packet on a Sonicwall. ... Believe it or not I did get that to happen with a US based server because I found the owner who leaned on his IT people and made them find the infected server. ...
    (comp.security.firewalls)
  • Re: Cannot download large files on a W2K3 network.
    ... No ISA, proxy, server and no such accelerators of any kind. ... appliance is the SonicWALL. ... > Is the sonicwall appliance a caching internet appliance or just a firewall? ...
    (microsoft.public.windows.server.networking)
  • Re: Installing new SBS 03 server. Will that be 1 Nic or 2 ?
    ... I use VPN because I need two-factor authentication. ... I guess technically 2 NICs would be more secure, but hopefully the SonicWall ... and when the server was about 6 weeks old a drive failed. ... and points regarding method of connectivity. ...
    (microsoft.public.windows.server.sbs)