[Snort-users] Shaft?

Wayne T Work securitygauntlet at ...3130...
Sun Aug 25 11:41:05 EDT 2002


Doing some research shows this IP belongs in Germany. Here is a bunch of
info about that site. Not active right now, but you might want to contact the
ISP to investigate.

08/25/02 14:36:41 Spade Log
08/25/02 14:36:51 IP block 195.27.218.62 at ...6687...
Trying 195.27.218.62 at ARIN
Trying 195.27.218 at ARIN
Redirecting to RIPE ...
Trying 195.27.218.62 at RIPE
Trying 195.27.218 at RIPE
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      195.27.218.0 - 195.27.218.63
netname:      CW-DE-BMW-NET
descr:        BMW AG
descr:        Petuelring 130, 80199 Munich
country:      DE
admin-c:      PP3612-RIPE
tech-c:       PP3612-RIPE
status:       ASSIGNED PA
mnt-by:       CW-EUROPE-GSOC
changed:      fschneid at ...6688... 19991221
changed:      smorhoff at ...6688... 20020402
source:       RIPE

route:        195.27.0.0/16
descr:        DE-ECRC-195-27-0-0
origin:       AS1273
mnt-by:       CW-EUROPE-GSOC
changed:      wbe at ...6688... 19990415
changed:      sticht at ...6688... 19991205
changed:      theimes at ...6689... 20010803
source:       RIPE

person:       Patrick Peters
address:      Kabel New Media GmbH
address:      Schulterblatt 58
address:      D-20357 Hamburg
phone:        +49 40 43 29 69 732
e-mail:       ppeters at ...6690...
nic-hdl:      PP3612-RIPE
mnt-by:       CW-EUROPE-GSOC
changed:      fschneid at ...6688... 19991221
changed:      theimes at ...6689... 20010803
source:       RIPE


08/25/02 14:38:05 dig 195.27.218.62 @ 141.1.1.1
Dig 62.218.27.195.in-addr.arpa at ...6691... ...
Authoritative Answer
Authoritative answer: Host doesn't exist
  Query for 62.218.27.195.in-addr.arpa type=255 class=1
   218.27.195.in-addr.arpa SOA (Zone of Authority)
         Primary NS: ecrc.de
         Responsible person: dnsmaster at ...6692...
         serial:2002072300
         refresh:28800s (8 hours)
         retry:7200s (2 hours)
         expire:604800s (7 days)
         minimum-ttl:86400s (24 hours)


08/25/02 14:38:15 Fast traceroute 195.27.218.62
Trace 195.27.218.62 ...
  1 64.252.72.1      20ms   20ms   20ms  TTL:  0  (1.72.252.64.snet.net ok)
  2 204.60.203.129   20ms   20ms   20ms  TTL:  0  (No rDNS)
  3 204.60.219.33    30ms   20ms   20ms  TTL:  0  (No rDNS)
  4 151.164.89.41    40ms   40ms   30ms  TTL:  0  (bb1-p5-1.hrndva.sbcglobal.net ok)
  5 151.164.243.26   31ms   40ms   40ms  TTL:  0  (bb2-p15-0.hrndva.sbcglobal.net ok)
  6 151.164.243.201  50ms   40ms   40ms  TTL:  0  (bb2-p13-0.nycmny.sbcglobal.net ok)
  7 151.164.243.17   40ms   50ms   40ms  TTL:  0  (bb1-p15-0.nycmny.sbcglobal.net probable bogus rDNS: No DNS)
  8 144.223.26.201   50ms   40ms   40ms  TTL:  0  (sl-gw31-nyc-11-0.sprintlink.net ok)
  9 144.232.13.33    40ms   40ms   40ms  TTL:  0  (sl-bb23-nyc-12-0.sprintlink.net ok)
 10 144.232.13.170   50ms   40ms   40ms  TTL:  0  (sl-bb24-nyc-6-0.sprintlink.net ok)
 11 144.232.9.118    40ms   40ms   40ms  TTL:  0  (No rDNS)
 12 166.63.194.62   150ms  151ms  150ms  TTL:  0  (bcr2.Frankfurt.cw.net ok)
 13 166.63.194.6    150ms  150ms  150ms  TTL:  0  (iar1.Frankfurt.cw.net ok)
 14 166.63.198.38   161ms  160ms  150ms  TTL:  0  (cable-and-wireless-internal-isp.Frankfurt.cw.net ok)
 15 62.208.241.106  150ms  150ms  150ms  TTL:  0  (pos1-0-bb1-MUC1.de.cw.net ok)
 16 62.208.224.15   170ms  160ms  150ms  TTL:  0  (ge-0-0-0-arj1-MUC1.de.cw.net ok)
17   No Response      *      *      *




At 11:05 AM 8/25/2002 -0700, John Sage wrote:
>J Craig:
>
>In a word, Yes.
>
>That same source IP, same date, same source port 13000, as well.
>
>There was a thread of about 6 posts regarding this specific probe,
>from this specific source IP, on the intrusions at ...2034... list.
>
>Here was mine:
>
>
>< begin post >
>
>A rare bird:
>
>Date: Wed, 21 Aug 2002 21:29:20 -0700
>Subject: ACID Incident Report
>Generated by ACID v0.9.6b21 on Wed August 21, 2002 21:29:19
>
>------------------------------------------------------------------------------
>#(116 - 122) [2002-08-21 09:37:16] [arachNIDS/252-253]  DDOS shaft synflood
>IPv4: 195.27.218.62 -> 12.82.128.178
>       hlen=5 TOS=0 dlen=40 ID=39977 flags=0 offset=0 TTL=16 chksum=42056
>TCP:  port=13000 -> dport: 13000  flags=******S* seq=674711609
>       ack=647068936 off=5 res=0 win=8768 urp=61171 chksum=64181
>Payload: none
>------------------------------------------------------------------------------
>
>snort:
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
>08/21-09:37:16.080331 195.27.218.62:13000 -> 12.82.128.178:13000
>TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
>******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20
>
>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>Snort processed 1 packets.
>Breakdown by protocol:
>Action Stats:
>     TCP: 1        (100.000%)          ALERTS: 0
>     UDP: 0          (0.000%)          LOGGED: 0
>    ICMP: 0          (0.000%)          PASSED: 0
>     ARP: 0          (0.000%)
>    IPv6: 0          (0.000%)
>     IPX: 0          (0.000%)
>   OTHER: 0          (0.000%)
>===============================================================================
>
>
>[toot at ...2057... /usr/local/2]# ./2.pl hd 28374839
>674711609
>
>
>The relevant snort 1.8.7 rule:
>
>[toot at ...2057... /usr/local/snort-1.8.7]# grep shaft *.rules
>ddos.rules: alert tcp $HOME_NET any <> $EXTERNAL_NET any
>  (msg:"DDOS shaft synflood"; flags: S; seq: 674711609;
>  reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;)
>
>
>Note that the rule is bidirectional; ArachNIDS 252 is the best
>candidate here, as this packet was incoming...
>
>Ref: http://www.whitehats.com/info/IDS252
>
>< end post >
>
>
>HTH..
>
>- John
>
>--
>"In those days, you could not buy a $2000 200MHz Pentium server."
>
>PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
>Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
>
>
>
>On Fri, Aug 23, 2002 at 09:19:18PM -0500, J. Craig Woods wrote:
> > No, not the movie. The trojan. I was wondering if anyone on the list has
> > run into the log entry:
> >
> > Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood
> > [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> > 195.27.218.62:13000 -> X.X.X.X:13000
> > Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood
> > [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> > 195.27.218.62:6000 -> X.X.X.X:6000
> >
> > I have left in the source ip because it is important in understanding
> > this alert. A simple whois will show this ip to be in the RIPE netblock.
> > It also has no reverse dns configured. Yes, it might very well be
> > spoofed or a false positive.
> >
> > I have checked out all of my security on my server, and things look
> > intact, and I can not find any penetration. I was hoping someone might
> > have some thoughts on this alert or maybe you can point me in the right
> > direction. Of course, neither of these ports are open to the internet. I
> > have ipchains logging for attempts on port 6000(X), and it clearly shows
> > a DENY on that one. No logging on 13000 but it is filtered (strange port
> > to be probing, yes?)
> >
> > Thanks for any assistance,
> > drjung
> >
> > --
> > J. Craig Woods
> > UNIX Network/System Administration
> > http://www.trismegistus.net/resume.html
> > Character is built upon the debris of despair --Emerson
>
>
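To make the quoted rule's matching logic concrete, here is an added example of my own (not the thread's 2.pl script and not Snort's code) that parses Snort's text packet-log format and applies the sid:241 check: SYN set with every other flag clear, plus the fixed sequence number 674711609 (0x28374839). The first record is the packet from John's post; the second is a constructed SYN/ACK carrying the same sequence number, which must not match.

```python
import re

# Signature value from the quoted rule (sid:241): seq: 674711609 == 0x28374839
SHAFT_SEQ = 674711609

# Snort prints TCP flags as an 8-character string in the order 12UAPRSF,
# with '*' for a clear bit (e.g. "******S*" is SYN only).
FLAG_NAMES = "12UAPRSF"
HDR_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
TCP_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: 0x([0-9A-Fa-f]+)\s+Ack: 0x([0-9A-Fa-f]+)")

# Constructed sample: record 1 is the packet from the thread, record 2 is a
# made-up SYN/ACK carrying the same sequence number (must NOT alert).
SAMPLE_LOG = """\
08/21-09:37:16.080331 195.27.218.62:13000 -> 12.82.128.178:13000
TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20

08/21-09:40:02.000000 198.51.100.7:13000 -> 192.0.2.9:13000
TCP TTL:16 TOS:0x0 ID:2 IpLen:20 DgmLen:40 DF
***A**S* Seq: 0x28374839  Ack: 0x00000001  Win: 0x2240  TcpLen: 20
"""

def parse_packets(log_text):
    """Parse blank-line separated Snort 1.8-style TCP packet records."""
    packets = []
    for record in re.split(r"\n\s*\n", log_text.strip()):
        lines = record.strip().splitlines()
        hdr = HDR_RE.match(lines[0]) if len(lines) >= 3 else None
        tcp = TCP_RE.match(lines[2]) if hdr and lines[1].startswith("TCP ") else None
        if not tcp:
            continue  # not a TCP record in the expected shape
        flags = {name for name, ch in zip(FLAG_NAMES, tcp.group(1)) if ch != "*"}
        packets.append({"src": hdr.group(2), "sport": int(hdr.group(3)),
                        "dst": hdr.group(4), "dport": int(hdr.group(5)),
                        "flags": flags, "seq": int(tcp.group(2), 16),
                        "ack": int(tcp.group(3), 16)})
    return packets

def is_shaft_synflood(pkt):
    """sid:241 logic: 'flags: S' matches SYN set and every other flag clear, and
    seq must equal the Shaft constant. The rule is bidirectional (<>) on 'any'
    ports, so neither direction nor port 13000 is part of the match."""
    return pkt["flags"] == {"S"} and pkt["seq"] == SHAFT_SEQ

def scan(log_text):
    """Return (src, dst) for every record that would fire the rule."""
    return [(p["src"], p["dst"]) for p in parse_packets(log_text) if is_shaft_synflood(p)]
```

Because the match is on the sequence number alone, a spoofed source address fires it just as well as a real one, which is why the thread's caution about spoofing applies to the attribution rather than to the detection.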
