[Snort-users] attack

Glenn Forbes Fleming Larratt glratt at ...152...
Fri Feb 22 11:06:28 EST 2002


You could turn them in to PacBell:
================================================================
% whois -h whois.arin.net 63.204.135.168
ATTINGO (NETBLK-SBCIS-100217-154237)
   303 Second Street
   San Francisco, Ca 94107
   US

   Netname: SBCIS-100217-154237
   Netblock: 63.204.136.168 - 63.204.136.175

   Coordinator:
      Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin at ...5053...
      888-212-5411
================================================================
but my experience with their 'abuse@' address has been autoreplies
only (always with the text -

	"I will investigate your complaint and take appropriate action."

- and nothing, *ever*, of substance), and I generally don't bother with
Code Red or Nimda unless it's *inside* my border. This is the response
I get when they portscan me with ssh exploit tools, nmap, etc.

Code Red and Nimda won't, IMO, *ever* really go away, given the prevalent
standards among various international domains, uncaring top-level ISPs,
and (*sigh*, because I'm at one) universities.

Your most effective strategy is going to be to see to your own hosts and
networks, frankly.

On Fri, 22 Feb 2002, Scott Taylor wrote:

> So what's the best thing to do with this type of attack? Turn'em in?
> To who? Is there a way I can let them know that I know what their 
> doing? Any ideas?
> 
> Cheers,
> Scott
> 
> 
> [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
> ***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:24.084478 63.204.135.168:2313 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:56799 IpLen:20 DgmLen:120 DF
> ***AP*** Seq: 0x841E21B Ack: 0x21DA22E5 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:26.015481 63.204.135.168:2415 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57061 IpLen:20 DgmLen:120 DF
> ***AP*** Seq: 0x897EDD4 Ack: 0x221B03CF Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:27.841065 63.204.135.168:2484 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57309 IpLen:20 DgmLen:136 DF
> ***AP*** Seq: 0x8CD3F1E Ack: 0x21FF7EA1 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
> [Classification: access to a potentually vulnerable web application] 
> [Priority: 2]
> 02/22-10:13:29.720477 63.204.135.168:2572 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57558 IpLen:20 DgmLen:157 DF
> ***AP*** Seq: 0x9162D26 Ack: 0x22164ADC Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:31.651168 63.204.135.168:2658 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57814 IpLen:20 DgmLen:157 DF
> ***AP*** Seq: 0x95C4B1D Ack: 0x21AF8A4E Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:33.689744 63.204.135.168:2740 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58087 IpLen:20 DgmLen:185 DF
> ***AP*** Seq: 0x9A01736 Ack: 0x22220C8E Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:35.794798 63.204.135.168:2839 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58370 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0x9F34819 Ack: 0x2254F005 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:37.904728 63.204.135.168:2923 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58654 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0xA3660EC Ack: 0x22D1A6E7 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:40.239684 63.204.135.168:3022 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58965 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0xA882856 Ack: 0x22BD9884 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:42.598231 63.204.135.168:3126 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:59278 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0xADC9A9C Ack: 0x22C0BEF4 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:44.946090 63.204.135.168:3227 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:59592 IpLen:20 DgmLen:138 DF
> ***AP*** Seq: 0xB2DF585 Ack: 0x230644E9 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:47.344817 63.204.135.168:3337 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:59917 IpLen:20 DgmLen:136 DF
> ***AP*** Seq: 0xB85E8FA Ack: 0x233A0541 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:49.826087 63.204.135.168:3440 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:60246 IpLen:20 DgmLen:140 DF
> ***AP*** Seq: 0xBDABDF7 Ack: 0x238A2DB3 Win: 0x4248 TcpLen: 20 
> 
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:52.532260 63.204.135.168:3554 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:60606 IpLen:20 DgmLen:136 DF
> ***AP*** Seq: 0xC37CE49 Ack: 0x22E5E0D1 Win: 0x4248 TcpLen: 20 
> 
> 
> 
> THERE IS ONLY ONE... 
> SOCCER.COM, The Center of the Soccer Universe
> http://www.soccer.com
> 
> 

				Glenn Forbes Fleming Larratt
				Rice University Network Management 
				glratt at ...604...



-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at ...152...                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.
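The alerts quoted above are Snort's "full" alert format, and the practical step behind "turn them in" is turning a pile of those records into a per-source summary (count, rule SIDs, first/last seen, targets) that can be handed to the netblock's abuse contact, plus a simple check for the worm-style burst pattern (many WEB-IIS / WEB-FRONTPAGE hits from one source against port 80 in a short window) that Code Red and Nimda produce. The following is an added example, not code from this thread, from Snort, or from its authors. It assumes the alerts are from the year 2002 (Snort's timestamp carries only month and day), uses thresholds that are tuning choices rather than anything the thread states, and runs on a constructed sample that mirrors the quoted records, including one record where the mail client wrapped `[Priority: 2]` onto its own line.

```python
import re
from datetime import datetime, timedelta

# Assumed year: Snort's alert timestamp has only month/day; the thread is Feb 2002.
ASSUMED_YEAR = 2002

# Constructed sample in Snort "full" alert format, mirroring the quoted post
# (three records from the probing host, one stray hit from a TEST-NET address).
SAMPLE_ALERTS = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:24.084478 63.204.135.168:2313 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56799 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x841E21B Ack: 0x21DA22E5 Win: 0x4248 TcpLen: 20

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application]
[Priority: 2]
02/22-10:13:29.720477 63.204.135.168:2572 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57558 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9162D26 Ack: 0x22164ADC Win: 0x4248 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:15:00.000000 192.0.2.10:4000 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:1 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x4248 TcpLen: 20
"""

RECORD_SPLIT_RE = re.compile(r"\n\s*\n")
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(
    r"(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)


def parse_alerts(text, year=ASSUMED_YEAR):
    """Parse Snort 'full' alert output into a list of dicts.

    Records are blank-line separated and each is matched by regex over the
    whole record, so line wrapping inside a record (as in the quoted mail,
    where '[Priority: 2]' sits on its own line) does not break parsing.
    """
    alerts = []
    for record in RECORD_SPLIT_RE.split(text):
        header, flow = HEADER_RE.search(record), FLOW_RE.search(record)
        if not header or not flow:
            continue  # not a complete alert record; skip fragments
        prio = PRIORITY_RE.search(record)
        month, day, clock, src, sport, dst, dport = flow.groups()
        ts = datetime.strptime(f"{year}/{month}/{day}-{clock}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({
            "gid": int(header.group(1)), "sid": int(header.group(2)),
            "rev": int(header.group(3)), "msg": header.group(4),
            "priority": int(prio.group(1)) if prio else None,
            "time": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        })
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source address: count, rules hit, first/last seen, targets."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {"count": 0, "rules": {}, "targets": set(),
                                          "first": a["time"], "last": a["time"]})
        s["count"] += 1
        s["rules"][a["sid"]] = a["msg"]
        s["targets"].add((a["dst"], a["dport"]))
        s["first"] = min(s["first"], a["time"])
        s["last"] = max(s["last"], a["time"])
    return summary


def worm_like_sources(summary, min_alerts=3, window=timedelta(seconds=60)):
    """Sources with >= min_alerts web-server alerts inside one time window.

    Code Red / Nimda probing appears as a rapid run of WEB-IIS / WEB-FRONTPAGE
    rule hits from one source against port 80; a single hit does not qualify.
    The thresholds are assumed tuning values, not figures from the thread.
    """
    hits = []
    for src, s in summary.items():
        only_web = all(port == 80 for _, port in s["targets"])
        if s["count"] >= min_alerts and only_web and s["last"] - s["first"] <= window:
            hits.append(src)
    return sorted(hits)


def abuse_report(summary, src):
    """Plain-text evidence summary to send to the netblock's abuse contact."""
    s = summary[src]
    rules = "; ".join(f"sid {sid}: {msg}" for sid, msg in sorted(s["rules"].items()))
    targets = ", ".join(f"{h}:{p}" for h, p in sorted(s["targets"]))
    return (f"Source {src}: {s['count']} Snort alerts between {s['first'].isoformat()} "
            f"and {s['last'].isoformat()} (sensor-local time) against {targets}. "
            f"Rules: {rules}.")


if __name__ == "__main__":
    summary = summarize_by_source(parse_alerts(SAMPLE_ALERTS))
    for src in worm_like_sources(summary):
        print(abuse_report(summary, src))
```

Whether the report is worth sending is the judgment the thread is about; the value of the summary is that the same grouping also drives the local response (block or rate-limit at the border, confirm the targeted host is patched), which is where the effort pays off regardless of what the abuse desk does.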