Snort mailing list archives
Re: Shaft?
From: Wayne T Work <securitygauntlet () snet net>
Date: Sun, 25 Aug 2002 14:40:47 -0400
Doing some research shows this IP belongs in Germany. Here is a bunch of info about that site. Not active right now, but might want to contact the ISP to investigate.
08/25/02 14:36:41 Spade Log
08/25/02 14:36:51 IP block 195.27.218.62 () whois internic net
Trying 195.27.218.62 at ARIN
Trying 195.27.218 at ARIN
Redirecting to RIPE ...
Trying 195.27.218.62 at RIPE
Trying 195.27.218 at RIPE
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      195.27.218.0 - 195.27.218.63
netname:      CW-DE-BMW-NET
descr:        BMW AG
descr:        Petuelring 130, 80199 Munich
country:      DE
admin-c:      PP3612-RIPE
tech-c:       PP3612-RIPE
status:       ASSIGNED PA
mnt-by:       CW-EUROPE-GSOC
changed:      fschneid () ecrc de 19991221
changed:      smorhoff () ecrc de 20020402
source:       RIPE

route:        195.27.0.0/16
descr:        DE-ECRC-195-27-0-0
origin:       AS1273
mnt-by:       CW-EUROPE-GSOC
changed:      wbe () ecrc de 19990415
changed:      sticht () ecrc de 19991205
changed:      theimes () de cw net 20010803
source:       RIPE

person:       Patrick Peters
address:      Kabel New Media GmbH
address:      Schulterblatt 58
address:      D-20357 Hamburg
phone:        +49 40 43 29 69 732
e-mail:       ppeters () kabel de
nic-hdl:      PP3612-RIPE
mnt-by:       CW-EUROPE-GSOC
changed:      fschneid () ecrc de 19991221
changed:      theimes () de cw net 20010803
source:       RIPE
1

08/25/02 14:38:05 dig 195.27.218.62 @ 141.1.1.1
Dig 62.218.27.195.in-addr.arpa@141.1.1.1 ...
Authoritative Answer
Authoritative answer: Host doesn't exist
Query for 62.218.27.195.in-addr.arpa type=255 class=1
218.27.195.in-addr.arpa SOA (Zone of Authority)
Primary NS: ecrc.de
Responsible person: dnsmaster () eu cw net
serial:2002072300
refresh:28800s (8 hours)
retry:7200s (2 hours)
expire:604800s (7 days)
minimum-ttl:86400s (24 hours)

08/25/02 14:38:15 Fast traceroute 195.27.218.62
Trace 195.27.218.62 ...
 1 64.252.72.1      20ms  20ms  20ms  TTL: 0  (1.72.252.64.snet.net ok)
 2 204.60.203.129   20ms  20ms  20ms  TTL: 0  (No rDNS)
 3 204.60.219.33    30ms  20ms  20ms  TTL: 0  (No rDNS)
 4 151.164.89.41    40ms  40ms  30ms  TTL: 0  (bb1-p5-1.hrndva.sbcglobal.net ok)
 5 151.164.243.26   31ms  40ms  40ms  TTL: 0  (bb2-p15-0.hrndva.sbcglobal.net ok)
 6 151.164.243.201  50ms  40ms  40ms  TTL: 0  (bb2-p13-0.nycmny.sbcglobal.net ok)
 7 151.164.243.17   40ms  50ms  40ms  TTL: 0  (bb1-p15-0.nycmny.sbcglobal.net probable bogus rDNS: No DNS)
 8 144.223.26.201   50ms  40ms  40ms  TTL: 0  (sl-gw31-nyc-11-0.sprintlink.net ok)
 9 144.232.13.33    40ms  40ms  40ms  TTL: 0  (sl-bb23-nyc-12-0.sprintlink.net ok)
10 144.232.13.170   50ms  40ms  40ms  TTL: 0  (sl-bb24-nyc-6-0.sprintlink.net ok)
11 144.232.9.118    40ms  40ms  40ms  TTL: 0  (No rDNS)
12 166.63.194.62   150ms 151ms 150ms  TTL: 0  (bcr2.Frankfurt.cw.net ok)
13 166.63.194.6    150ms 150ms 150ms  TTL: 0  (iar1.Frankfurt.cw.net ok)
14 166.63.198.38   161ms 160ms 150ms  TTL: 0  (cable-and-wireless-internal-isp.Frankfurt.cw.net ok)
15 62.208.241.106  150ms 150ms 150ms  TTL: 0  (pos1-0-bb1-MUC1.de.cw.net ok)
16 62.208.224.15   170ms 160ms 150ms  TTL: 0  (ge-0-0-0-arj1-MUC1.de.cw.net ok)
17 No Response       *     *     *

At 11:05 AM 8/25/2002 -0700, John Sage wrote:
J Craig:

In a word, Yes.

That same source IP, same date, same source port 13000, as well.

There was a thread of about 6 posts regarding this specific probe, from this specific source IP, on the intrusions () incidents org list.

Here was mine:

< begin post >

A rare bird:

Date: Wed, 21 Aug 2002 21:29:20 -0700
Subject: ACID Incident Report

Generated by ACID v0.9.6b21 on Wed August 21, 2002 21:29:19
------------------------------------------------------------------------------
#(116 - 122) [2002-08-21 09:37:16] [arachNIDS/252-253] DDOS shaft synflood
IPv4: 195.27.218.62 -> 12.82.128.178
      hlen=5 TOS=0 dlen=40 ID=39977 flags=0 offset=0 TTL=16 chksum=42056
TCP:  port=13000 -> dport: 13000 flags=******S* seq=674711609
      ack=647068936 off=5 res=0 win=8768 urp=61171 chksum=64181
Payload: none
------------------------------------------------------------------------------

snort:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/21-09:37:16.080331 195.27.218.62:13000 -> 12.82.128.178:13000
TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Snort processed 1 packets.
Breakdown by protocol:                Action Stats:
  TCP: 1          (100.000%)          ALERTS: 0
  UDP: 0          (0.000%)            LOGGED: 0
  ICMP: 0         (0.000%)            PASSED: 0
  ARP: 0          (0.000%)
  IPv6: 0         (0.000%)
  IPX: 0          (0.000%)
  OTHER: 0        (0.000%)
===============================================================================

[toot@sparky /usr/local/2]# ./2.pl hd 28374839
674711609

The relevant snort 1.8.7 rule:

[toot@sparky /usr/local/snort-1.8.7]# grep shaft *.rules
ddos.rules: alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags: S; seq: 674711609; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;)

Note that the rule is bidirectional; ArachNIDS 252 is the best candidate here, as this packet was incoming...

Ref: http://www.whitehats.com/info/IDS252

< end post >

HTH..
- John
--
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705

On Fri, Aug 23, 2002 at 09:19:18PM -0500, J. Craig Woods wrote:
> No, not the movie. The trojan. I was wondering if anyone on the list has
> run into the log entry:
>
> Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood
> [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> 195.27.218.62:13000 -> X.X.X.X:13000
> Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood
> [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> 195.27.218.62:6000 -> X.X.X.X:6000
>
> I have left in the source ip because it is important in understanding
> this alert. A simple whois will show this ip to be in the RIPE netblock.
> It also has no reverse dns configured. Yes, it might very well be
> spoofed or a false positive.
>
> I have checked out all of my security on my server, and things look
> intact, and I can not find any penetration. I was hoping someone might
> have some thoughts on this alert or maybe you can point me in the right
> direction. Of course, neither of these ports are open to the internet. I
> have ipchains logging for attempts on port 6000(X), and it clearly shows
> a DENY on that one. No logging on 13000 but it is filtered (strange port
> to be probing, yes?)
>
> Thanks for any assistance,
> drjung
>
> --
> J. Craig Woods
> UNIX Network/System Administration
> http://www.trismegistus.net/resume.html
> Character is built upon the debris of despair --Emerson

-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone? Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
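The thread turns on what sid 241 actually tests: the quoted ddos.rules line fires on a bare SYN whose sequence number equals the fixed value 674711609 (0x28374839), regardless of payload, and John's 2.pl only converts between those two forms. The following is an added example, written for this archive page and not code from the posters, Snort, or the ACID project: it parses the rule body, the three-line Snort packet dump and the syslog alert lines in the shapes quoted above, applies the rule's two checks to the dump, and groups the syslog alerts per source so a defender can see at a glance that one packet per alert, with source port equal to destination port, is all the rule saw. The sample inputs are constructed to match the messages; the function names (parse_rule_options, parse_packet_dump, matches_shaft_rule, isn_forms, triage) are this example's own, and it assumes the Snort semantics that a flags option without a modifier requires exactly the listed bits to be set.

```python
"""Parse the 'DDOS shaft synflood' rule and the Snort alert formats quoted in
the thread, and check what the rule really matches on. Sample inputs below are
constructed to mirror the messages, not captured from a live sensor."""
import re

# Constructed sample: the snort 1.8.7 ddos.rules entry quoted in the thread.
SHAFT_RULE = (
    'alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; '
    'flags: S; seq: 674711609; reference:arachnids,253; '
    'classtype:attempted-dos; sid:241; rev:2;)'
)

# Constructed sample in the shape of the full packet dump quoted by John Sage.
SAMPLE_PACKET = """\
08/21-09:37:16.080331 195.27.218.62:13000 -> 12.82.128.178:13000
TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20
"""

# Constructed samples in the shape of the syslog lines from the original
# question, one alert per line (X.X.X.X is the poster's masked address).
SAMPLE_SYSLOG = [
    "Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood "
    "[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} "
    "195.27.218.62:13000 -> X.X.X.X:13000",
    "Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood "
    "[Classification: Attempted Denial of Service] [Priority: 2]: {TCP} "
    "195.27.218.62:6000 -> X.X.X.X:6000",
]

HEADER_RE = re.compile(r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^TCP TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<id>\d+)")
TCP_RE = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+)\s+"
    r"Ack: (?P<ack>0x[0-9A-Fa-f]+)\s+Win: (?P<win>0x[0-9A-Fa-f]+)"
)
SYSLOG_RE = re.compile(
    r"snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: [^\]]+\] \[Priority: (?P<pri>\d+)\]: \{(?P<proto>\w+)\} "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)"
)


def parse_rule_options(rule):
    """Split the parenthesised body of a Snort rule into option name -> value."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for part in body.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    return opts


def parse_packet_dump(text):
    """Parse the three-line Snort TCP packet dump into typed fields."""
    lines = text.strip().splitlines()
    h, i, t = HEADER_RE.match(lines[0]), IP_RE.match(lines[1]), TCP_RE.match(lines[2])
    if not (h and i and t):
        raise ValueError("not a Snort TCP packet dump")
    return {
        "src": h["src"], "sport": int(h["sport"]),
        "dst": h["dst"], "dport": int(h["dport"]),
        "ttl": int(i["ttl"]), "flags": t["flags"],
        "seq": int(t["seq"], 16), "ack": int(t["ack"], 16), "win": int(t["win"], 16),
    }


def flags_match(packet_flags, rule_flags):
    """Assumed Snort semantics: 'flags:' without a modifier requires exactly the
    listed bits. The dump shows set bits as letters and clear bits as '*'."""
    return {c for c in packet_flags if c != "*"} == set(rule_flags)


def matches_shaft_rule(pkt, rule=SHAFT_RULE):
    """The rule's only two tests: SYN alone, and the fixed initial sequence number."""
    opts = parse_rule_options(rule)
    return flags_match(pkt["flags"], opts["flags"]) and pkt["seq"] == int(opts["seq"])


def isn_forms(seq):
    """Hex and decimal spellings of an ISN (the conversion 2.pl did in the post)."""
    return f"0x{seq:08X}", seq


def parse_syslog_alert(line):
    """Extract sid, endpoints and ports from one Snort syslog alert line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri", "sport", "dport"):
        d[k] = int(d[k])
    d["same_port"] = d["sport"] == d["dport"]
    return d


def triage(lines):
    """Group alerts per source: hit count, sids seen, and whether every alert
    had source port == destination port (true for both lines in the thread)."""
    out = {}
    for line in lines:
        a = parse_syslog_alert(line)
        if a is None:
            continue
        e = out.setdefault(a["src"], {"count": 0, "sids": set(), "same_port": True})
        e["count"] += 1
        e["sids"].add(a["sid"])
        e["same_port"] = e["same_port"] and a["same_port"]
    return out


if __name__ == "__main__":
    pkt = parse_packet_dump(SAMPLE_PACKET)
    print(isn_forms(pkt["seq"]), matches_shaft_rule(pkt))
    print(triage(SAMPLE_SYSLOG))
```

Because the rule carries no content or flow condition, any SYN with that sequence number will fire it, so the check worth doing on an alert like Craig's is the one he already did: confirm the target port is closed or filtered and that nothing answered, rather than treating the signature alone as evidence of a Shaft agent.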
Current thread:
- Shaft? J. Craig Woods (Aug 23)
- Re: Shaft? John Sage (Aug 25)
- Re: Shaft? Wayne T Work (Aug 25)
- Re: Shaft? Ralf Hildebrandt (Aug 25)
- Re: Shaft? Wayne T Work (Aug 25)
- <Possible follow-ups>
- RE: Shaft? Matt Yackley (Aug 24)
- Re: Shaft? John Sage (Aug 25)