Re: Broadcasts, GET & SEARCH attacks on the server causing havoc

From: Karl Levinson [x y] mvp (levinson_k_at_despammed.com)
Date: 10/25/03


Date: Sat, 25 Oct 2003 09:08:36 -0400

Net mon or another sniffer is a good idea, but I'm wondering if maybe you're
not yet seeing the real traffic that is causing this. If you're sniffing
from a switch port, then traffic to or from another computer won't be seen by
you unless you buy a cheap hub and plug all your computers into the hub first
and the hub into the switch, reconfigure the switch to not act like a
switch, or use ARP spoofing or a similar trick. You could also find out if
there is a way to reconfigure the modem to spit out detailed usage logs to a
syslog server on your network such as the free www.kiwisyslog.com, or put a
firewall or router under your control between your network and the cable
modem, and check the logs. If you just have one or a few computers, you
could install personal firewall software onto every computer [even
temporarily if you prefer]. www.kerio.com and www.sygate.com and
www.zonealarm.com are all free [for non-commercial users anyway]. A
firewall would probably have stopped this attack. An IDS such as www.snort.org
could be useful as well in the future [and you may be able to run your net
mon dumps through Snort after the fact as well].

The first and most likely thing I would suspect is that someone has installed
an FTP server on one of your computers. Other possibilities might be that a
virus has installed a proxy server like Autoproxy that could be used to
relay spam, or there is something like an IRC back door trojan containing a
denial of service tool on one of your computers.

Here are some things you can do on a suspect PC to see if it has been
hacked. The first thing I would do is update everyone's antivirus, reboot
and do a virus scan. www.grisoft.com is free antivirus [free for
non-commercial users]. http://housecall.antivirus.com can also be used to
scan for a second opinion in case your antivirus was disabled by a virus or
if installing antivirus is not attractive to you or not possible. Next,
consider running the NETSTAT -A command along with Fport or Vision from
www.foundstone.com/knowledge. Use www.network-tools.com to look up
suspicious IP addresses reported by NETSTAT and www.google.com to look up
suspicious executables reported by Fport. Other things:

http://securityadmin.info/faq.htm#hacked
http://securityadmin.info/faq.htm#harden

If you have FTP services running, look in your FTP root folder, check to see
if free disk space has dropped, and make sure the anonymous IUSR user does
not have both read and write permission to ANY folder in the FTP root
folder.

http://securityadmin.info/faq.htm#ftpfolder

You might also tell the ISP what's happening and see if they can give you
any additional details about the traffic - which direction most of the
traffic is going, and what IP addresses and port numbers are involved. You
could also watch your DSL modem / internet connection, or perhaps ask
the ISP to watch the connection, while you power your computers off one by
one [or unplug network cables one by one].

I'm not yet convinced that the IIS server or the IIS logs you're seeing are
related to your problem.

"Paul" <paul_nospam@laberg.com.au> wrote in message
news:3f9a32de_1@news.iprimus.com.au...
> It started out with a massive comms bill. 1GB over the download limit for
> a month. I couldn't work it out, but the same thing happened the next month,
> and this month. I started to have a look around..
>
> My ISP shows we are downloading roughly 100MB every 24 hours which is
> ridiculous for the type of work we do.
>
> If I run net monitor I see a pretty constant stream of broadcasts from the
> DSL modem. It seems to follow a pattern ...
> Echo request then a broadcast to all the IP addresses in my network.
>
> IIS has in its logs (every 1-2 minutes):
> 80 GET / - 403 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98)
> 80 SEARCH / - 501 -
> There seems to be no pattern to the source IP addresses or I would just
> block them in the firewall
>
> I think it is some sort of automated buffer overflow exploit. I have
> disabled webDAV through the registry.
> I have auto-update on for windows, I have applied SP4 for IIS. I run a
> software firewall on the machine itself.
>
> This is costing me a fortune, and I would really appreciate some help if
> anybody has an idea of what might be going on.
>
>
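The NETSTAT / Fport triage step that Karl suggests above, worked through as an added example (this is not code from the thread or from Foundstone's tools): it parses the text of a Windows `netstat -an` dump, reports listeners that are not on an allow-list of expected services, flags established connections to ports typically used by spam relays or IRC bots, and collects the external peer addresses you would go look up. The netstat output, the expected-port list and the "suspicious remote port" table are all constructed for illustration; the 203.0.113.x / 198.51.100.x addresses are RFC 5737 documentation ranges standing in for public ones, so the "external" check below deliberately uses its own RFC 1918 list rather than the `ipaddress` module's `is_private`, which treats documentation ranges as non-public.

```python
"""Triage a Windows `netstat -an` dump for unexpected listeners and peers.

Added example; the sample output below is constructed, not a real capture.
"""
import ipaddress

# Constructed `netstat -an` output in the Windows 2000/XP layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        203.0.113.7:3321       ESTABLISHED
  TCP    192.168.1.10:1045      198.51.100.23:6667     ESTABLISHED
  TCP    192.168.1.10:1051      192.168.1.1:139        ESTABLISHED
  TCP    192.168.1.10:80        203.0.113.88:4466      TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""

# Services this host is supposed to offer (assumption: a web server on a
# Windows LAN).  Anything else listening is worth explaining.
EXPECTED_LISTEN = {80, 135, 137, 139, 445}

# Remote ports that usually mean a relay or bot rather than a user (assumed
# table for illustration; tune it to your own environment).
SUSPICIOUS_REMOTE = {
    6667: "IRC (bot command channel?)",
    25: "SMTP (spam relay?)",
    1080: "SOCKS proxy",
    8080: "HTTP proxy",
}

# Addresses that are "ours": RFC 1918, loopback and the unspecified block.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def _split_endpoint(endpoint):
    """'192.168.1.10:21' -> ('192.168.1.10', 21); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def is_external(host):
    """True for a routable address outside LOCAL_NETS; '*' and junk are False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def unexpected_listeners(rows, expected=EXPECTED_LISTEN):
    """(proto, port) pairs that are listening but not on the allow-list."""
    found = set()
    for r in rows:
        listening = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["fhost"] == "*")
        if listening and r["lport"] not in expected:
            found.add((r["proto"], r["lport"]))
    return sorted(found)


def suspicious_connections(rows, expected=EXPECTED_LISTEN):
    """Established sessions to a known-bad remote port, or inbound from an
    external host to a service we never meant to run."""
    findings = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        if r["fport"] in SUSPICIOUS_REMOTE:
            findings.append((r["fhost"], r["fport"], SUSPICIOUS_REMOTE[r["fport"]]))
        elif r["lport"] not in expected and is_external(r["fhost"]):
            findings.append((r["fhost"], r["fport"],
                             "inbound to unexpected local port %d" % r["lport"]))
    return findings


def external_peers(rows):
    """Sorted list of external addresses to look up (whois, reputation)."""
    return sorted({r["fhost"] for r in rows if is_external(r["fhost"])})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("Unexpected listeners:", unexpected_listeners(rows))
    for host, port, why in suspicious_connections(rows):
        print("Suspicious: %s:%d  %s" % (host, port, why))
    print("External peers to look up:", external_peers(rows))
```

On a real machine, pipe `netstat -an` into a file and feed its contents to `parse_netstat`; the unexpected listeners (here the rogue FTP on 21 and a SOCKS-style listener on 1080) are the ports to match against Fport's process list, and the external peers are what you would paste into a whois lookup. Note that a port missing from the allow-list is only a lead, not proof of compromise: the point is to force every listener to be accounted for.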
