Snort mailing list archives

Re: Shaft?


From: Wayne T Work <securitygauntlet () snet net>
Date: Sun, 25 Aug 2002 14:40:47 -0400

Doing some research shows this IP belongs in Germany. Here is a bunch of info about that site. Not active right now, but you might want to contact the ISP to investigate.

08/25/02 14:36:41 Spade Log
08/25/02 14:36:51 IP block 195.27.218.62 () whois internic net
Trying 195.27.218.62 at ARIN
Trying 195.27.218 at ARIN
Redirecting to RIPE ...
Trying 195.27.218.62 at RIPE
Trying 195.27.218 at RIPE
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      195.27.218.0 - 195.27.218.63
netname:      CW-DE-BMW-NET
descr:        BMW AG
descr:        Petuelring 130, 80199 Munich
country:      DE
admin-c:      PP3612-RIPE
tech-c:       PP3612-RIPE
status:       ASSIGNED PA
mnt-by:       CW-EUROPE-GSOC
changed:      fschneid () ecrc de 19991221
changed:      smorhoff () ecrc de 20020402
source:       RIPE

route:        195.27.0.0/16
descr:        DE-ECRC-195-27-0-0
origin:       AS1273
mnt-by:       CW-EUROPE-GSOC
changed:      wbe () ecrc de 19990415
changed:      sticht () ecrc de 19991205
changed:      theimes () de cw net 20010803
source:       RIPE

person:       Patrick Peters
address:      Kabel New Media GmbH
address:      Schulterblatt 58
address:      D-20357 Hamburg
phone:        +49 40 43 29 69 732
e-mail:       ppeters () kabel de
nic-hdl:      PP3612-RIPE
mnt-by:       CW-EUROPE-GSOC
changed:      fschneid () ecrc de 19991221
changed:      theimes () de cw net 20010803
source:       RIPE


08/25/02 14:38:05 dig 195.27.218.62 @ 141.1.1.1
Dig 62.218.27.195.in-addr.arpa@141.1.1.1 ...
Authoritative Answer
Authoritative answer: Host doesn't exist
 Query for 62.218.27.195.in-addr.arpa type=255 class=1
  218.27.195.in-addr.arpa SOA (Zone of Authority)
        Primary NS: ecrc.de
        Responsible person: dnsmaster () eu cw net
        serial:2002072300
        refresh:28800s (8 hours)
        retry:7200s (2 hours)
        expire:604800s (7 days)
        minimum-ttl:86400s (24 hours)


08/25/02 14:38:15 Fast traceroute 195.27.218.62
Trace 195.27.218.62 ...
 1 64.252.72.1      20ms   20ms   20ms  TTL:  0  (1.72.252.64.snet.net ok)
 2 204.60.203.129   20ms   20ms   20ms  TTL:  0  (No rDNS)
 3 204.60.219.33    30ms   20ms   20ms  TTL:  0  (No rDNS)
 4 151.164.89.41    40ms   40ms   30ms  TTL:  0  (bb1-p5-1.hrndva.sbcglobal.net ok)
 5 151.164.243.26   31ms   40ms   40ms  TTL:  0  (bb2-p15-0.hrndva.sbcglobal.net ok)
 6 151.164.243.201  50ms   40ms   40ms  TTL:  0  (bb2-p13-0.nycmny.sbcglobal.net ok)
 7 151.164.243.17   40ms   50ms   40ms  TTL:  0  (bb1-p15-0.nycmny.sbcglobal.net probable bogus rDNS: No DNS)
 8 144.223.26.201   50ms   40ms   40ms  TTL:  0  (sl-gw31-nyc-11-0.sprintlink.net ok)
 9 144.232.13.33    40ms   40ms   40ms  TTL:  0  (sl-bb23-nyc-12-0.sprintlink.net ok)
10 144.232.13.170   50ms   40ms   40ms  TTL:  0  (sl-bb24-nyc-6-0.sprintlink.net ok)
11 144.232.9.118    40ms   40ms   40ms  TTL:  0  (No rDNS)
12 166.63.194.62   150ms  151ms  150ms  TTL:  0  (bcr2.Frankfurt.cw.net ok)
13 166.63.194.6    150ms  150ms  150ms  TTL:  0  (iar1.Frankfurt.cw.net ok)
14 166.63.198.38   161ms  160ms  150ms  TTL:  0  (cable-and-wireless-internal-isp.Frankfurt.cw.net ok)
15 62.208.241.106  150ms  150ms  150ms  TTL:  0  (pos1-0-bb1-MUC1.de.cw.net ok)
16 62.208.224.15   170ms  160ms  150ms  TTL:  0  (ge-0-0-0-arj1-MUC1.de.cw.net ok)
17   No Response      *      *      *




At 11:05 AM 8/25/2002 -0700, John Sage wrote:
J Craig:

In a word, Yes.

That same source IP, same date, same source port 13000, as well.

There was a thread of about 6 posts regarding this specific probe,
from this specific source IP, on the intrusions () incidents org list.

Here was mine:


< begin post >

A rare bird:

Date: Wed, 21 Aug 2002 21:29:20 -0700
Subject: ACID Incident Report
Generated by ACID v0.9.6b21 on Wed August 21, 2002 21:29:19

------------------------------------------------------------------------------
#(116 - 122) [2002-08-21 09:37:16] [arachNIDS/252-253]  DDOS shaft synflood
IPv4: 195.27.218.62 -> 12.82.128.178
      hlen=5 TOS=0 dlen=40 ID=39977 flags=0 offset=0 TTL=16 chksum=42056
TCP:  port=13000 -> dport: 13000  flags=******S* seq=674711609
      ack=647068936 off=5 res=0 win=8768 urp=61171 chksum=64181
Payload: none
------------------------------------------------------------------------------

snort:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/21-09:37:16.080331 195.27.218.62:13000 -> 12.82.128.178:13000
TCP TTL:16 TOS:0x0 ID:39977 IpLen:20 DgmLen:40 DF
******S* Seq: 0x28374839  Ack: 0x26917D08  Win: 0x2240  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Snort processed 1 packets.
Breakdown by protocol:
Action Stats:
    TCP: 1        (100.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================


[toot@sparky /usr/local/2]# ./2.pl hd 28374839
674711609


The relevant snort 1.8.7 rule:

[toot@sparky /usr/local/snort-1.8.7]# grep shaft *.rules
ddos.rules: alert tcp $HOME_NET any <> $EXTERNAL_NET any
 (msg:"DDOS shaft synflood"; flags: S; seq: 674711609;
 reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;)


Note that the rule is bidirectional; ArachNIDS 252 is the best
candidate here, as this packet was incoming...

Ref: http://www.whitehats.com/info/IDS252

< end post >


HTH..

- John

--
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705



On Fri, Aug 23, 2002 at 09:19:18PM -0500, J. Craig Woods wrote:
> No, not the movie. The trojan. I was wondering if anyone on the list has
> run into the log entry:
>
> Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood
> [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> 195.27.218.62:13000 -> X.X.X.X:13000
> Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood
> [Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
> 195.27.218.62:6000 -> X.X.X.X:6000
>
> I have left in the source ip because it is important in understanding
> this alert. A simple whois will show this ip to be in the RIPE netblock.
> It also has no reverse dns configured. Yes, it might very well be
> spoofed or a false positive.
>
> I have checked out all of my security on my server, and things look
> intact, and I can not find any penetration. I was hoping someone might
> have some thoughts on this alert or maybe you can point me in the right
> direction. Of course, neither of these ports are open to the internet. I
> have ipchains logging for attempts on port 6000(X), and it clearly shows
> a DENY on that one. No logging on 13000 but it is filtered (strange port
> to be probing, yes?)
>
> Thanks for any assistance,
> drjung
>
> --
> J. Craig Woods
> UNIX Network/System Administration
> http://www.trismegistus.net/resume.html
> Character is built upon the debris of despair --Emerson

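The sid:241 test John quotes, replayed over a packet built from the header fields in his ACID/snort output. This is an added example for the thread, not code from Snort or from any of the posters; the packet construction, the hex-to-decimal helper standing in for his `2.pl hd`, and the HOME_NET value are assumptions for illustration. It shows why the rule is so specific (an exact compare on the 32-bit sequence number plus an exact SYN-only flags byte), that the `<>` makes it direction-agnostic so the direction has to be worked out separately, and that a SYN/ACK carrying the same sequence number does not match.

```python
"""Re-creating snort 1.8.7's 'DDOS shaft synflood' test (ddos.rules, sid:241)
over hand-built packets.

Added example for the thread, not code from Snort or from any poster. The
packet is constructed from the header fields in John Sage's ACID/snort
output; HOME_NET below is an assumption for illustration."""
import ipaddress
import socket
import struct

SHAFT_SEQ = 674711609            # the literal 'seq:' in the rule (0x28374839)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Assumption: the monitored host from John's alert, taken as a /32 HOME_NET.
HOME_NET = ipaddress.ip_network("12.82.128.178/32")


def hd(hexstr: str) -> int:
    """Hex -> decimal, the step the thread does with './2.pl hd 28374839'."""
    return int(hexstr, 16)


def ip_checksum(header: bytes) -> int:
    """Ones'-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src, dst, sport, dport, seq, ack, flags, win, ttl, ip_id, urp=0):
    """Minimal IPv4 + TCP header pair: 40 bytes, no options, no payload.
    DF is set to mirror the 'DF' in the snort line. The TCP checksum is left
    zero; only the header fields matter to the rule."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, ttl, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, win, 0, urp)
    return ip_hdr + tcp_hdr


def parse(raw: bytes) -> dict:
    """Decode the fields Snort prints: addresses, ports, TTL, ID, flags, seq, ack, win."""
    ver_ihl, _tos, _tlen, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    sport, dport, seq, ack, _off, flags, win, _csum, urp = \
        struct.unpack("!HHIIBBHHH", raw[ihl:ihl + 20])
    return dict(src=socket.inet_ntoa(src), dst=socket.inet_ntoa(dst), ttl=ttl,
                ip_id=ip_id, sport=sport, dport=dport, seq=seq, ack=ack,
                flags=flags, win=win, urp=urp)


def flags_str(flags: int) -> str:
    """Snort's 8-column rendering of the flags byte, e.g. '******S*'."""
    names = "21UAPRSF"   # reserved bits 2 and 1, then URG ACK PSH RST SYN FIN
    bits = [0x80, 0x40, URG, ACK, PSH, RST, SYN, FIN]
    return "".join(n if flags & b else "*" for n, b in zip(names, bits))


def shaft_synflood(pkt: dict) -> bool:
    """sid:241: 'flags:S' is an exact match on the whole flags byte (SYN alone,
    reserved bits clear) and 'seq:' is an exact 32-bit compare. The '<>' makes
    the rule direction-agnostic, so src/dst play no part in the match."""
    return pkt["flags"] == SYN and pkt["seq"] == SHAFT_SEQ


def direction(pkt: dict, home_net=HOME_NET) -> str:
    """Which side of the bidirectional rule fired; the rule itself does not say,
    which is why John reasons about 'incoming' separately."""
    src_home = ipaddress.ip_address(pkt["src"]) in home_net
    dst_home = ipaddress.ip_address(pkt["dst"]) in home_net
    if dst_home and not src_home:
        return "inbound"
    if src_home and not dst_home:
        return "outbound"
    return "other"


if __name__ == "__main__":
    # The packet from John's ACID report, rebuilt field by field.
    raw = build_syn("195.27.218.62", "12.82.128.178", 13000, 13000,
                    hd("28374839"), hd("26917D08"), SYN, 0x2240,
                    ttl=16, ip_id=39977, urp=61171)
    p = parse(raw)
    print(flags_str(p["flags"]), p["seq"], shaft_synflood(p), direction(p))
```

Because the match is on a fixed sequence number, any SYN that happens to carry 0x28374839 will fire it, and a SYN/ACK or a SYN with a different sequence number will not; that is the whole basis on which J. Craig's two alerts and John's one were tied together, so the source address, the equal source and destination ports, and the low TTL are what you look at next, not the signature itself.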

-------------------------------------------------------
This sf.net email is sponsored by: OSDN - Tired of that same old
cell phone?  Get a new here for FREE!
https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users