Snort mailing list archives
Re: attack
From: Phil Wood <cpw () lanl gov>
Date: Fri, 22 Feb 2002 15:24:21 -0700
When I feel so inclined (as in pissed), I talk to the ra (Routing Authority).

% ra 63.204.135.168
route:      63.204.128.0/19
descr:      San Francisco, CA SBC Internet Services
origin:     AS5673
mnt-by:     MAINT-AS5672
changed:    rushingj () swbell net 20001115
source:     RADB

Then I look up the maintainer.

cynosure% ra MAINT-AS5672
mntner:     MAINT-AS5672
descr:      Maintainer for AS 5672 (SBCIS - West)
admin-c:    Greg Harp
tech-c:     Greg Harp
upd-to:     infra () sbis sbc com
upd-to:     gharp () sbc com
mnt-nfy:    infra () sbis sbc com
mnt-nfy:    gharp () sbc com
auth:       MAIL-FROM gharp () sbc com
auth:       MAIL-FROM rushingj () sbc com
auth:       MAIL-FROM victor.summerour () sbc com
auth:       MAIL-FROM dwester () sbc com
auth:       MAIL-FROM jeffrey.young () sbc com
auth:       MAIL-FROM collette.downing () sbc com
auth:       MAIL-FROM felix.orozco () sbc com
auth:       MAIL-FROM trichardson () pbi net
auth:       MAIL-FROM swaters () pbi net
auth:       MAIL-FROM jmaniz () pbi net
auth:       MAIL-FROM frabe () pbi net
auth:       MAIL-FROM along () pbi net
auth:       MAIL-FROM mtuohey () pbi net
auth:       MAIL-FROM bratcliffe () pbi net
auth:       MAIL-FROM rweigart () pbi net
auth:       MAIL-FROM kburks () sbc com
auth:       MAIL-FROM jason.kleeh () sbc com
auth:       MAIL-FROM peter.russo () sbc com
mnt-by:     MAINT-AS5672
changed:    rushingj () sbc com 20020208
source:     RADB

Then I copy every one of the email addresses, including the relevant tcpdump or snort interpretation of the problem, including a time range. I also include abuse@ at all the different ISPs.

On Fri, Feb 22, 2002 at 11:23:16AM -0800, Erek Adams wrote:

On Fri, 22 Feb 2002, Scott Taylor wrote:

So what's the best thing to do with this type of attack? Turn 'em in? To who? Is there a way I can let them know that I know what they're doing? Any ideas?

Welcome to our Nightmare. This is called "Damned things that fill up our logs due to M$ not having a fnorking clue." Also known as Nimda, CodeRed or just "Pain in the Ass." Dig around. See who the IP belongs to.

---
[erek@merf]~>whois -h whois.geektools.com 63.204.135.168
Query: 63.204.135.168
Registry: whois.arin.net
Results:

Pac Bell Internet Services (NETBLK-PBI-NET-7)
   PBI-NET-7 63.192.0.0 - 63.207.255.255
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
   SBCIS-100216-175755 63.204.132.0 - 63.204.135.255

[erek@merf]~>whois -h whois.geektools.com NETBLK-SBCIS-100216-175755
Query: netblk-sbcis-100216-175755
Registry: whois.arin.net
Results:

PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
   303 2nd St.
   San Francisco, CA 94107
   US

   Netname: SBCIS-100216-175755
   Netblock: 63.204.132.0 - 63.204.135.255

   Coordinator:
      Pacific Bell Internet (PIA2-ORG-ARIN) ip-admin () PBI NET
      888-212-5411

   Record last updated on 17-Feb-2000.
   Database last updated on 21-Feb-2002 19:56:30 EDT.
---

Now since I know some folks who used to work for PBI/SBC, let's just say don't expect a quick fix response. If my info was correct (8-10 months ago) they had like 4 people to work all abuse complaints for SBC/SWbell/NevadaBell/Ameritech/PBI. That's 4 very overworked people in my book.

Of course if you want to give them a helpful hand.... You could add the following to your httpd.conf--You _are_ running Apache aren't you? :)

---
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
# Match the probe paths anywhere in the request URI (dots escaped so they
# match literally) and send the worm back to its own host.
RedirectMatch (.*)cmd\.exe(.*) http://127.0.0.1
RedirectMatch (.*)root\.exe(.*) http://127.0.0.1
RedirectMatch (.*)default\.ida(.*) http://127.0.0.1
---

Now since CR and company use blocking threads, as the connections get redirected back to their own box, it slowly starts to die. It will eventually quit when it runs out of threads. Till they reboot that is.... :-/

*shrug*

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Phil Wood, cpw () lanl gov
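As an added example (not code from the thread or from either poster), a defender-side log triage script in the spirit of Phil's advice: it scans Apache access-log lines for the three probe paths that the RedirectMatch rules above target, and summarizes hits per source IP with a first/last timestamp, which is the evidence plus time range an abuse@ report needs. The log lines are constructed samples; the probe strings and the 63.204.135.168 address come from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Request-path fragments the worms in the thread leave in web logs: default.ida
# (CodeRed), root.exe (CodeRed II backdoor, also used by Nimda), cmd.exe (Nimda).
PROBES = ("default.ida", "root.exe", "cmd.exe")
# Apache common/combined log line: host ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})')
# Constructed sample lines (not real log data); the first IP is the one discussed.
SAMPLE_LOG = """\
63.204.135.168 - - [22/Feb/2002:10:01:07 -0800] "GET /default.ida?XXXX%u9090%u6858 HTTP/1.0" 404 295
63.204.135.168 - - [22/Feb/2002:10:01:09 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
63.204.135.168 - - [22/Feb/2002:10:01:12 -0800] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
192.0.2.10 - - [22/Feb/2002:10:02:00 -0800] "GET /index.html HTTP/1.1" 200 1043
"""

def classify(path):
    """Return which probe string a request path contains, or None for normal traffic."""
    for probe in PROBES:
        if probe in path.lower():
            return probe
    return None

def summarize(lines):
    """Group probe hits per source IP: probe types, hit count, first and last timestamp."""
    hits = defaultdict(lambda: {"probes": set(), "count": 0, "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable log line
        ip, stamp, path, _status = m.groups()
        probe = classify(path)
        if probe is None:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        h = hits[ip]
        h["probes"].add(probe)
        h["count"] += 1
        h["first"] = when if h["first"] is None else min(h["first"], when)
        h["last"] = when if h["last"] is None else max(h["last"], when)
    return dict(hits)

def report(summary):
    """One line per source IP: the evidence plus time range to paste into an abuse@ mail."""
    return ["%s: %d hits (%s) between %s and %s" % (ip, h["count"], ", ".join(sorted(h["probes"])),
            h["first"].isoformat(), h["last"].isoformat()) for ip, h in sorted(summary.items())]
```

Feed it real lines with `summarize(open("access_log"))` and print `report(...)`; the timestamps it returns are what you put in the time range of the complaint.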
Current thread:
- attack Scott Taylor (Feb 22)
- Re: attack Erek Adams (Feb 22)
- Re: attack Phil Wood (Feb 22)
- RE: attack Wayne Work (Feb 22)
- Re: attack Skip Carter (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Message not available
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 Ryan Lindsey (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: A case of beer on 63.204.135.168 spyguy703 (Feb 22)
- Re: attack Erek Adams (Feb 22)