[Snort-users] attack

Erek Adams erek at ...577...
Fri Feb 22 11:24:08 EST 2002


On Fri, 22 Feb 2002, Scott Taylor wrote:

> So what's the best thing to do with this type of attack? Turn'em in?
> To who? Is there a way I can let them know that I know what their
> doing? Any ideas?

Welcome to our Nightmare.  This is called "Damned things that fill up our logs
due to M$ not having a fnorking clue."  Also known as Nimda, CodeRed or just
"Pain in the Ass."

Dig around.  See who the IP belongs to.
---
[erek at ...3978...]~>whois -h whois.geektools.com 63.204.135.168
Query:     63.204.135.168
Registry:  whois.arin.net
Results:
Pac Bell Internet Services (NETBLK-PBI-NET-7) PBI-NET-7
                                                   63.192.0.0 - 63.207.255.255
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
SBCIS-100216-175755
                                                 63.204.132.0 - 63.204.135.255

[erek at ...3978...]~>whois -h whois.geektools.com NETBLK-SBCIS-100216-175755
Query:     netblk-sbcis-100216-175755
Registry:  whois.arin.net
Results:
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
   303 2nd St.
   San Francisco, CA 94107
   US

   Netname: SBCIS-100216-175755
   Netblock: 63.204.132.0 - 63.204.135.255

   Coordinator:
      Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin at ...5053...
      888-212-5411

   Record last updated on 17-Feb-2000.
   Database last updated on  21-Feb-2002 19:56:30 EDT.

---

Now since I know some folks who used to work for PBI/SBC, let's just say don't
expect a quick fix response.  If my info was correct (8-10 months ago) they
had like 4 people to work all abuse complaints for
SBC/SWbell/NevadaBell/Ameritech/PBI.  That's 4 very overworked people in my
book.

Of course if you want to give them a helpful hand....  You could add the
following to your httpd.conf--You _are_ running Apache aren't you?  :)

---
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
# RedirectMatch takes a regular expression. A backslash escapes the character
# after it, so "\cmd.exe" would not match the literal path "/cmd.exe"; the
# slash is written out and the dot is escaped so it matches only a dot.
# Each worm probe URL is bounced back to the client's own loopback address.
RedirectMatch (.*)/cmd\.exe(.*) http://127.0.0.1
RedirectMatch (.*)/root\.exe(.*) http://127.0.0.1
RedirectMatch (.*)/default\.ida(.*) http://127.0.0.1
---

Now since CR and company use blocking threads, as the connections get
redirected back to their own box, it slowly starts to die.  It will eventually
quit when it runs out of threads.  Till they reboot that is....  :-/

*shrug*

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
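Before filing an abuse report or adding the RedirectMatch lines, it helps to pull the probing hosts out of the Apache access log and count how often each one hits the three worm URLs named in the post. The following script is an added example, not part of Erek's message or the Snort project: it parses combined-format log lines, classifies requests for default.ida (CodeRed) and cmd.exe / root.exe (Nimda-style probes, including the URL-encoded directory-traversal form) and tallies them per source IP so the top offender can be looked up with whois as shown above. The log lines are constructed for the example; the IPs, timestamps and the CodeRed/Nimda labels are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Apache combined-format log lines (not taken from the post).
SAMPLE_LOG = """\
63.204.135.168 - - [22/Feb/2002:10:01:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 289 "-" "-"
63.204.135.168 - - [22/Feb/2002:10:01:13 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294 "-" "-"
63.204.135.168 - - [22/Feb/2002:10:01:14 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
10.0.0.5 - - [22/Feb/2002:10:02:01 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
192.0.2.77 - - [22/Feb/2002:10:03:40 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305 "-" "-"
"""

# Apache combined format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The same three probe targets the RedirectMatch lines key on. The dot is
# escaped and a path separator is required, so "/cmd.exe" matches but a
# request for, say, "/docs/cmdXexe.html" does not.
PROBE_RE = re.compile(r'/(cmd\.exe|root\.exe|default\.ida)\b', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(request):
    """Name the worm family a request line looks like, or None if it is clean.

    default.ida is the CodeRed overflow target; cmd.exe and root.exe are the
    Nimda-style probes (root.exe being the backdoor copy of cmd.exe that Nimda
    looks for). Labels are illustrative assumptions.
    """
    m = PROBE_RE.search(request)
    if not m:
        return None
    return "CodeRed" if m.group(1).lower() == "default.ida" else "Nimda"


def scan_log(text):
    """Return {source_ip: Counter({family: hits})} for every host that probed us."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage or truncated lines rather than crash
        family = classify(rec["req"])
        if family:
            hits[rec["ip"]][family] += 1
    return dict(hits)


def top_offenders(hits):
    """Sort probing hosts by total hits, most active first, for a whois pass."""
    totals = [(ip, sum(c.values())) for ip, c in hits.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip, total in top_offenders(result):
        families = ", ".join(f"{k}={v}" for k, v in sorted(result[ip].items()))
        print(f"{ip:16} {total:3} probes ({families})  -> whois -h whois.geektools.com {ip}")
```

Feed it the real log with `scan_log(open("/var/log/httpd/access_log").read())`; the output line per host is ready to paste into the whois lookup the post walks through.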

