[Snort-users] attack

Phil Wood cpw at ...440...
Fri Feb 22 14:25:03 EST 2002


When I feel so inclined (as in pissed), I talk to the ra (Routing Authority).

% ra 63.204.135.168
route:              63.204.128.0/19
descr:              San Francisco, CA
                    SBC Internet Services
origin:             AS5673
mnt-by:             MAINT-AS5672
changed:            rushingj at ...3714... 20001115
source:             RADB

Then I look up the maintainer.

cynosure% ra MAINT-AS5672
mntner:             MAINT-AS5672
descr:              Maintainer for AS 5672 (SBCIS - West)
admin-c:            Greg Harp
tech-c:             Greg Harp
upd-to:             infra at ...5058...
upd-to:             gharp at ...5059...
mnt-nfy:            infra at ...5058...
mnt-nfy:            gharp at ...5059...
auth:               MAIL-FROM gharp at ...5059...
auth:               MAIL-FROM rushingj at ...5059...
auth:               MAIL-FROM victor.summerour at ...5059...
auth:               MAIL-FROM dwester at ...5059...
auth:               MAIL-FROM jeffrey.young at ...5059...
auth:               MAIL-FROM collette.downing at ...5059...
auth:               MAIL-FROM felix.orozco at ...5059...
auth:               MAIL-FROM trichardson at ...5060...
auth:               MAIL-FROM swaters at ...5060...
auth:               MAIL-FROM jmaniz at ...5060...
auth:               MAIL-FROM frabe at ...5060...
auth:               MAIL-FROM along at ...5060...
auth:               MAIL-FROM mtuohey at ...5060...
auth:               MAIL-FROM bratcliffe at ...5060...
auth:               MAIL-FROM rweigart at ...5060...
auth:               MAIL-FROM kburks at ...5059...
auth:               MAIL-FROM jason.kleeh at ...5059...
auth:               MAIL-FROM peter.russo at ...5059...
mnt-by:             MAINT-AS5672
changed:            rushingj at ...5059... 20020208
source:             RADB

Then I copy every one of the email addresses, including the relevant tcpdump
or snort interpretation of the problem with a time range.  I also
include abuse@ at all the different ISPs.

On Fri, Feb 22, 2002 at 11:23:16AM -0800, Erek Adams wrote:
> On Fri, 22 Feb 2002, Scott Taylor wrote:
> 
> > So what's the best thing to do with this type of attack? Turn'em in?
> > To who? Is there a way I can let them know that I know what they're
> > doing? Any ideas?
> 
> Welcome to our Nightmare.  This is called "Damned things that fill up our logs
> due to M$ not having a fnorking clue."  Also known as Nimda, CodeRed or just
> "Pain in the Ass."
> 
> Dig around.  See who the IP belongs to.
> ---
> [erek at ...3978...]~>whois -h whois.geektools.com 63.204.135.168
> Query:     63.204.135.168
> Registry:  whois.arin.net
> Results:
> Pac Bell Internet Services (NETBLK-PBI-NET-7) PBI-NET-7
>                                                    63.192.0.0 - 63.207.255.255
> PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
> SBCIS-100216-175755
>                                                  63.204.132.0 - 63.204.135.255
> 
> [erek at ...3978...]~>whois -h whois.geektools.com NETBLK-SBCIS-100216-175755
> Query:     netblk-sbcis-100216-175755
> Registry:  whois.arin.net
> Results:
> PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
>    303 2nd St.
>    San Francisco, CA 94107
>    US
> 
>    Netname: SBCIS-100216-175755
>    Netblock: 63.204.132.0 - 63.204.135.255
> 
>    Coordinator:
>       Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin at ...5053...
>       888-212-5411
> 
>    Record last updated on 17-Feb-2000.
>    Database last updated on  21-Feb-2002 19:56:30 EDT.
> 
> ---
> 
> Now since I know some folks who used to work for PBI/SBC, let's just say don't
> expect a quick fix response.  If my info was correct (8-10 months ago) they
> had like 4 people to work all abuse complaints for
> SBC/SWbell/NevadaBell/Ameritech/PBI.  That's 4 very overworked people in my
> book.
> 
> Of course if you want to give them a helpful hand....  You could add the
> following to your httpd.conf--You _are_ running Apache aren't you?  :)
> 
> ---
> # Redirect allows you to tell clients about documents which used to exist in
> # your server's namespace, but do not anymore. This allows you to tell the
> # clients where to look for the relocated document.
> # Format: Redirect old-URI new-URL
> #
> # Match the worm's request paths; the dot is escaped so it matches literally
> RedirectMatch (.*)/cmd\.exe(.*) http://127.0.0.1
> RedirectMatch (.*)/root\.exe(.*) http://127.0.0.1
> RedirectMatch (.*)/default\.ida(.*) http://127.0.0.1
> ---
> 
> Now since CR and company use blocking threads, as the connections get
> redirected back to their own box, it slowly starts to die.  It will eventually
> quit when it runs out of threads.  Till they reboot that is....  :-/
> 
> *shrug*
> 
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
> 
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw at ...440...
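Phil's procedure above (query the RADB route object for the offending IP, follow its mnt-by to the maintainer object, mail every address on it and CC abuse@ at each ISP involved) as an added worked example; this is not code from the thread or from the RADB tools. It assumes the RPSL layout shown in the `ra` output (attribute: value lines, continuation lines indented). The sample objects and their example.com / example.net addresses are constructed placeholders, since the archive elides the real addresses.

```python
"""Parse RPSL-style output (as returned by RADB whois / 'ra' queries) and
collect the contact addresses needed for an abuse report.

Added example, not code from the original thread. The sample below is
constructed to mirror the layout of the 'ra' output in the post; the
e-mail addresses are placeholders.
"""
import re
from collections import OrderedDict

# Constructed sample: a route object followed by its maintainer object,
# separated by a blank line as RPSL objects are.
SAMPLE_RA_OUTPUT = """\
route:              63.204.128.0/19
descr:              San Francisco, CA
                    SBC Internet Services
origin:             AS5673
mnt-by:             MAINT-AS5672
changed:            rushingj@example.net 20001115
source:             RADB

mntner:             MAINT-AS5672
descr:              Maintainer for AS 5672 (SBCIS - West)
admin-c:            Greg Harp
tech-c:             Greg Harp
upd-to:             infra@example.net
upd-to:             gharp@example.com
mnt-nfy:            infra@example.net
auth:               MAIL-FROM gharp@example.com
auth:               MAIL-FROM rushingj@example.net
auth:               CRYPT-PW placeholderhash
mnt-by:             MAINT-AS5672
changed:            rushingj@example.net 20020208
source:             RADB
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_rpsl(text):
    """Split RPSL text into objects (blank-line separated).

    Each object is an ordered dict mapping attribute -> list of values.
    A line starting with whitespace continues the previous attribute's
    last value (as the two-line 'descr' in the route object does)."""
    objects, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_attr = None, None
            continue
        if raw[0].isspace():
            if current is not None and last_attr is not None:
                current[last_attr][-1] += " " + raw.strip()
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue  # not an attribute line, ignore
        if current is None:
            current = OrderedDict()
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        objects.append(current)
    return objects


def maintainer_contacts(mntner):
    """Addresses from a mntner: upd-to, mnt-nfy, changed and MAIL-FROM auth.
    Other auth schemes (e.g. CRYPT-PW) carry no address and are skipped."""
    emails = set()
    for attr in ("upd-to", "mnt-nfy", "changed"):
        for value in mntner.get(attr, []):
            emails.update(EMAIL_RE.findall(value))
    for value in mntner.get("auth", []):
        scheme, _, rest = value.partition(" ")
        if scheme.upper() == "MAIL-FROM":
            emails.update(EMAIL_RE.findall(rest))
    return sorted(emails)


def abuse_mailboxes(emails):
    """abuse@ mailbox for each distinct domain among the contact addresses."""
    return sorted({"abuse@" + e.split("@", 1)[1].lower() for e in emails})


def build_report_recipients(text):
    """Route objects -> their maintainers -> contacts, plus abuse@ per ISP."""
    objs = parse_rpsl(text)
    mntners = {o["mntner"][0]: o for o in objs if "mntner" in o}
    contacts = set()
    for route in (o for o in objs if "route" in o):
        for name in route.get("mnt-by", []):
            if name in mntners:
                contacts.update(maintainer_contacts(mntners[name]))
    return sorted(contacts | set(abuse_mailboxes(contacts)))


if __name__ == "__main__":
    for addr in build_report_recipients(SAMPLE_RA_OUTPUT):
        print(addr)
```

Feed it the concatenated output of the route lookup and the maintainer lookup; the recipient list is what goes in the To: line alongside the tcpdump or snort excerpt and the time range.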