Snort mailing list archives
A case of beer on 63.204.135.168
From: "Jeff Jennings" <jjennings () zoominternet net>
Date: Fri, 22 Feb 2002 16:48:32 -0500
This week's grand prize goes to 63.204.135.168 For allowing PUT rights on Port 80 (I wonder how many hackers are lurking here). Being vulnerable on Port 25 and many other ports... Anyone need an open relay? No wonder the guy is spewing Code Reds... We just ran a port scan and tested the guy. Some guy running IIS over a DSL connection with a site that is listed as "Under Construction". Just another unsuspecting guy who installed IIS on his home computer and has no idea of how to protect it. This message comes just in time as it's 4:45 pm here and I really need a beer! - jeff -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Skip Carter Sent: Friday, February 22, 2002 4:14 PM To: Scott Taylor Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] attack
So what's the best thing to do with this type of attack? Turn'em in? To who? Is there a way I can let them know that I know what their doing? Any ideas?
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] 02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80 TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF ***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20
Unfortunately, there isn't a lot you can do about these attacks other than defend yourself against them. I have gone as far as firewalling a few of the very persistent servers. I have tracked down sysadmins of the offending servers in some special cases (hospitals, insurance companies, financial institutions, and government agencies). The nearly universal response was "I didn't know we were running a web server on that machine!" (a consequence of MS efforts to brag that they have more deployed IIS servers than Apache, but turning on IIS by default). I suspect that most admins that are actually purposefully using IIS have long since patched their servers. Most of these admins of these infected systems have no idea what to do about fixing a problem that they didn't even know that they had, so if you do contact them, they would probably appreciate info on how to fix their servers. They clearly aren't running any type of IDS or they would have discovered the unusual outbound traffic themselves. -- Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647 Taygeta Scientific Inc. INTERNET: skip () taygeta com 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com Monterey, CA. 93940 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- attack Scott Taylor (Feb 22)
- Re: attack Erek Adams (Feb 22)
- Re: attack Phil Wood (Feb 22)
- RE: attack Wayne Work (Feb 22)
- Re: attack Skip Carter (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Message not available
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 Ryan Lindsey (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: A case of beer on 63.204.135.168 spyguy703 (Feb 22)
- OT: A case of beer on 63.204.135.168 Chris Keladis (Feb 22)
- Re: attack Erek Adams (Feb 22)
- Re: A case of beer on 63.204.135.168 John Kiehnle (Feb 23)
- <Possible follow-ups>
- re: attack Glenn Forbes Fleming Larratt (Feb 22)