[Snort-users] mirkforce IRC attack

Yonah Russ yonah at ...569...
Fri Mar 9 05:15:03 EST 2001


On Thu, 8 Mar 2001, Andrew Daviel wrote:

> Just found an IRC attack tool "mirkforce" (see e.g.
> http://hackreport.magicnet.org/)
> 
> This is a bitch to find unless you have ARP logs, since the
> hacked machine does not use its own ip to connect to the target

This is true. I posted a question about integrating arpwatch into snort a
while back for this exact reason. Luckily an IRC op contacted us quickly
with a list of IPs which were obviously stolen so we knew what direction
to head in.

yonah

> 
> 21:53:36.416252 aaa.bbb.ccc.12.1250 > xxx.yyy.112.62.6667: S 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
> 21:53:36.417145 aaa.bbb.ccc.13.1251 > xxx.yyy.112.62.6667: S 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
> 21:53:36.417517 aaa.bbb.ccc.18.1252 > xxx.yyy.112.62.6667: S 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
> 21:53:36.418059 aaa.bbb.ccc.19.1253 > xxx.yyy.112.62.6667: S 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF)
> 21:53:36.418609 aaa.bbb.ccc.20.1254 > xxx.yyy.112.62.6667: S 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF
> 
> 
> -- 
> Andrew Daviel, TRIUMF, Canada
> Tel. +1 (604) 222-7376
> security at ...524...
> 
> 
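In the capture quoted in this message, the SYNs from five different source addresses carry TCP timestamp values within one tick of each other, which is what a single sending host's clock would produce. The following detection sketch for that pattern is an added example, not part of the original thread; the function names, thresholds and the last sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# One tcpdump SYN line: time, src.port > dst.port, TCP timestamp option value.
SYN_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): S .*?timestamp (\d+)")

def parse_syns(text):
    """Yield (seconds, src_ip, src_port, dst, tsval) for each SYN line."""
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if m:
            h, mi, s, src, sport, dst, dport, tsval = m.groups()
            t = int(h) * 3600 + int(mi) * 60 + float(s)
            yield t, src, int(sport), f"{dst}:{dport}", int(tsval)

def shared_clock_groups(text, min_sources=3, ts_slack=2, window=1.0):
    """Return {dst: source IPs} where many sources share one TCP clock.

    Thresholds are illustrative assumptions, not tuned values.
    """
    by_dst = defaultdict(list)
    for t, src, sport, dst, tsval in parse_syns(text):
        by_dst[dst].append((t, tsval, src))
    flagged = {}
    for dst, syns in by_dst.items():
        syns.sort()
        best = set()
        for i, (t0, ts0, _) in enumerate(syns):
            group = {src for t, ts, src in syns[i:]
                     if t - t0 <= window and abs(ts - ts0) <= ts_slack}
            if len(group) > len(best):
                best = group
        if len(best) >= min_sources:
            flagged[dst] = sorted(best)
    return flagged

# First five lines: the capture quoted in the thread, one packet per line.
# Last line: constructed, an unrelated client with its own timestamp clock.
SAMPLE = """\
21:53:36.416252 aaa.bbb.ccc.12.1250 > xxx.yyy.112.62.6667: S 804647496:804647496(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.417145 aaa.bbb.ccc.13.1251 > xxx.yyy.112.62.6667: S 806447041:806447041(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.417517 aaa.bbb.ccc.18.1252 > xxx.yyy.112.62.6667: S 810980329:810980329(0) win 32120 <mss 1460,sackOK,timestamp 12453625[|tcp]> (DF)
21:53:36.418059 aaa.bbb.ccc.19.1253 > xxx.yyy.112.62.6667: S 796980633:796980633(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF)
21:53:36.418609 aaa.bbb.ccc.20.1254 > xxx.yyy.112.62.6667: S 807981272:807981272(0) win 32120 <mss 1460,sackOK,timestamp 12453626[|tcp]> (DF
21:53:36.700000 aaa.bbb.ccc.77.3301 > xxx.yyy.112.62.6667: S 123456789:123456789(0) win 16384 <mss 1460,sackOK,timestamp 998877[|tcp]> (DF)
"""

if __name__ == "__main__":
    print(shared_clock_groups(SAMPLE))
```

The check only works on traffic where the TCP timestamp option is present, and a match is a lead to confirm against ARP or switch data rather than proof on its own.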