Erek Adams erek at ...577...
Fri Feb 22 11:24:08 EST 2002

On Fri, 22 Feb 2002, Scott Taylor wrote:

> So what's the best thing to do with this type of attack? Turn'em in?
> To who? Is there a way I can let them know that I know what their
> doing? Any ideas?

Welcome to our Nightmare.  This is called "Damned things that fill up our logs
due to M$ not having a fnorking clue."  Also known as Nimda, CodeRed or just
"Pain in the Ass."

Dig around.  See who the IP belongs to.
[erek at ...3978...]~>whois -h whois.geektools.com
Registry:  whois.arin.net
Pac Bell Internet Services (NETBLK-PBI-NET-7) PBI-NET-7
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)

[erek at ...3978...]~>whois -h whois.geektools.com NETBLK-SBCIS-100216-175755
Query:     netblk-sbcis-100216-175755
Registry:  whois.arin.net
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
   303 2nd St.
   San Francisco, CA 94107

   Netname: SBCIS-100216-175755
   Netblock: -

      Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin at ...5053...

   Record last updated on 17-Feb-2000.
   Database last updated on  21-Feb-2002 19:56:30 EDT.


Now since I know some folks who used to work for PBI/SBC, let's just say don't
expect a quick fix response.  If my info was correct (8-10 months ago) they
had like 4 people to work all abuse complaints for
SBC/SWbell/NevadaBell/Ameritech/PBI.  That's 4 very overworked people in my

Of course if you want to give them a helpful hand....  You could add the
following to your httpd.conf--You _are_ running Apache aren't you?  :)

# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
# RedirectMatch takes two arguments: the regex and the target URL. The target
# below is an assumed one (the requesting host's own loopback address), chosen
# to match "redirected back to their own box"; the dots are escaped so they
# match a literal "." rather than any character.
RedirectMatch (.*)cmd\.exe(.*)     http://127.0.0.1/
RedirectMatch (.*)root\.exe(.*)    http://127.0.0.1/
RedirectMatch (.*)default\.ida(.*) http://127.0.0.1/

Now since CR and company use blocking threads, as the connections get
redirected back to their own box, it slowly starts to die.  It will eventually
quit when it runs out of threads.  Till they reboot that is....  :-/


Erek Adams
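An added example, written for this archive page and not part of Erek's post or of any tool he mentions: before mailing an abuse desk, it helps to pull the worm probes out of the Apache access log and count them per source, so the complaint carries request lines and timestamps rather than a bare IP. The script below does that over a few constructed log lines, keying on the same three request names (cmd.exe, root.exe, default.ida) the httpd.conf rules above use; the log-format regex, the signature names and the `min_hits` threshold are my assumptions, and the addresses are documentation ranges, not real hosts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache common log format (not taken from the
# original post); 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Feb/2002:10:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [22/Feb/2002:10:01:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
198.51.100.7 - - [22/Feb/2002:10:02:15 -0500] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 285
203.0.113.5 - - [22/Feb/2002:10:03:00 -0500] "GET /index.html HTTP/1.1" 200 1523
192.0.2.10 - - [22/Feb/2002:10:03:07 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
this line is not a log entry and is skipped
"""

# One request line of the common/combined log format: client IP, timestamp,
# request method, path and status. Anything after the status is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The three request names the httpd.conf rules key on. Dots are escaped so
# "." matches only a literal dot; matching is case-insensitive because the
# worms vary the case of IIS paths.
SIGNATURES = {
    "root.exe":    re.compile(r'/root\.exe', re.I),
    "cmd.exe":     re.compile(r'/cmd\.exe', re.I),
    "default.ida": re.compile(r'/default\.ida', re.I),
}


def classify(path):
    """Return the signature name a request path matches, or None."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def scan(log_text):
    """Map each client IP to a Counter of the worm signatures it sent."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # malformed or non-request line
        sig = classify(m.group("path"))
        if sig:
            hits[m.group("ip")][sig] += 1
    return hits


def report_candidates(hits, min_hits=2):
    """Sources with at least min_hits worm requests, busiest first.

    min_hits is a hypothetical cutoff so a single stray probe does not turn
    into an abuse complaint; each entry is (ip, total_requests).
    """
    totals = [(ip, sum(c.values())) for ip, c in hits.items()
              if sum(c.values()) >= min_hits]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, total in report_candidates(found):
        print(f"{ip}: {total} hits -> {dict(found[ip])}"
              f"  (whois the address, then mail the abuse contact)")
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file contents; the per-IP breakdown plus the matching raw lines is what an abuse desk such as the one in the whois record above will want to see.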

