Security Basics mailing list archives

Re: When does a scan attempt become a focused attack?


From: "Karma" <steve () frij com>
Date: Wed, 22 Oct 2003 12:38:10 +1000

These attacks are very common on the Internet. Many times they are created
by a worm such as Code Red, and other times a person runs an automated
scanning script to look for 200 OK replies from the webserver.

Although you could let the owner of the machine, or the ISP, know that their
machine is performing a scan (they probably don't even realise it), or is
silly enough to use their personal IP to run an IIS vulnerability scan
*grin*

I would suggest simply making sure your machines are patched, and not
returning 200 OKs to these scans; otherwise they will usually focus on your
machine a little further. Apart from that, get used to seeing these on your
snort sensor; they are an everyday occurrence, and are not likely to die down
anytime soon.

Kind regards


----- Original Message ----- 
From: "Hunt, Jim" <Jim.Hunt () nwsc k12 in us>
To: <security-basics () securityfocus com>
Sent: Wednesday, October 22, 2003 7:21 AM
Subject: When does a scan attempt become a focused attack?


I recently set up snort to look for intrusions and am still learning to
sort out all of my alerts.  However, I have one that has caught my eye
this afternoon and wonder what to do...

The scan/attack started about 1/2 hour ago and is still continuing as I
type this out.  The snort box is Windows and the attacker is happily
trying all the basic attempts over and over.  The pattern looks very
deliberate.

Here are the exploits -

http://www.snort.org/snort-db/sid.html?sid=1040
http://www.snort.org/snort-db/sid.html?sid=1002
http://www.snort.org/snort-db/sid.html?sid=1256
http://www.snort.org/snort-db/sid.html?sid=983
http://www.snort.org/snort-db/sid.html?sid=1286

We are at 150+ in 35 minutes.  Does it really do any good to report him?


Here is the whois data -
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=whois.arin.net

What is the correct thing to do?

Jim Hunt
Certified Network & Systems Engineer
Northwestern School Corporation
Technology Services Manager
http://technology.nwsc.k12.in.us

http://www.ProWinHost.com | Professional Windows Hosting | Professional Windows Reselling
http://www.AlertServ.com | Managed and Incident Windows Server Support | Custom Alerting
http://www.NetMon.org | Network Monitoring Tools and Tutorials | Includes MRTG for Dummies



----------
Outgoing mail is certified virus free using Symantec Antivirus & Symantec
Antivirus for Microsoft Exchange.
Northwestern School Corporation - Kokomo, Indiana
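As an added example, not code from either poster, the following Python script parses Snort "fast" alert lines and summarises them per source address, applying the kind of threshold Jim describes (150+ alerts in 35 minutes, several distinct rule SIDs, a single target) to separate a focused probe from worm-style background noise. Everything in the sample log is constructed: the IP addresses come from the RFC 5737 documentation ranges, the rule messages are placeholders, and the regex's assumption about field spacing is only checked against that sample; the five SIDs are the ones Jim lists.

```python
"""Summarise Snort fast-alert lines per source and flag sustained, multi-rule
probing of one host. Added example with constructed input, not list code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic Snort "fast" alert layout (year is not in the line), e.g.
# 10/22-07:21:05.000000  [**] [1:1002:4] msg [**] [Classification: ...]
#   [Priority: 1] {TCP} 203.0.113.45:3021 -> 192.0.2.10:80
# The field spacing below is this example's assumption.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{6})\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

PROBE_SIDS = [1040, 1002, 1256, 983, 1286]  # the SIDs from Jim's message


def parse_alert(line, year=2003):
    """Return a dict for one fast-alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def build_sample_log(start=datetime(2003, 10, 22, 7, 21, 0)):
    """Constructed sample: one source cycles five IIS-probe SIDs against one
    host (160 alerts in ~34.5 min); a second source sends a single worm-style
    hit to each of two hosts."""
    lines = []
    for i in range(160):
        ts = start + timedelta(seconds=13 * i)
        sid = PROBE_SIDS[i % len(PROBE_SIDS)]
        lines.append(
            f"{ts:%m/%d-%H:%M:%S.%f}  [**] [1:{sid}:4] WEB-IIS probe "
            f"(constructed msg, sid {sid}) [**] [Classification: Web "
            f"Application Attack] [Priority: 1] {{TCP}} "
            f"203.0.113.45:{3000 + i} -> 192.0.2.10:80"
        )
    for k, dst in enumerate(("192.0.2.10", "192.0.2.11")):
        ts = start + timedelta(minutes=5 * k)
        lines.append(
            f"{ts:%m/%d-%H:%M:%S.%f}  [**] [1:1256:7] WEB-IIS probe "
            f"(constructed msg, sid 1256) [**] [Classification: Web "
            f"Application Attack] [Priority: 1] {{TCP}} "
            f"198.51.100.7:4020 -> {dst}:80"
        )
    return lines


def summarize_sources(lines, window=timedelta(minutes=35),
                      focus_alerts=150, focus_sids=3):
    """Per source: alert count, peak alerts inside any `window`, distinct SIDs,
    targets, and a verdict of 'focused', 'sweep' or 'background'."""
    by_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            by_src[a["src"]].append(a)
    summary = {}
    for src, alerts in by_src.items():
        alerts.sort(key=lambda a: a["ts"])
        # Sliding window: most alerts from this source in any window-long span.
        peak, i = 0, 0
        for j in range(len(alerts)):
            while alerts[j]["ts"] - alerts[i]["ts"] > window:
                i += 1
            peak = max(peak, j - i + 1)
        sids = {a["sid"] for a in alerts}
        targets = {a["dst"] for a in alerts}
        if peak >= focus_alerts and len(sids) >= focus_sids and len(targets) == 1:
            verdict = "focused"     # sustained rate, many rules, one host
        elif len(targets) > 1:
            verdict = "sweep"       # same probe sprayed across hosts
        else:
            verdict = "background"
        summary[src] = {"alerts": len(alerts), "peak_in_window": peak,
                        "distinct_sids": sorted(sids),
                        "targets": sorted(targets), "verdict": verdict}
    return summary


if __name__ == "__main__":
    for src, info in summarize_sources(build_sample_log()).items():
        print(src, info)
```

The thresholds are parameters rather than fixed rules: on a real sensor you would feed `summarize_sources` the contents of the alert file and tune `focus_alerts` and `window` to the rate that, as Karma notes, a worm or an unattended scanner produces every day on your network, so that only sources that exceed it against a single host get escalated.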



---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about
network analyzers. Are you sick of the three window text decodes? Download
ClearSight Network's Analyzer and see a new network analysis tool that
makes the complex - easy
www.clearsightnet.com/jmp6-downloadtrial.jsp
----------------------------------------------------------------------------


