Security Basics mailing list archives

RE: IPS log analysis


From: "Sergio Castro" <sergio.castro () unicin net>
Date: Mon, 12 May 2008 13:58:57 -0500

Hi Erika,

Nmap can easily spoof IPs using -S <IP_Address>
Does that answer your question? Or were you looking for a
down-to-the-packet answer?

As to what the attackers are trying to do, well, changing the password and
running executables is the aim of every single black hat out there :)

Question for you: if the DB is not supposed to have any traffic, why does it
have a public IP assigned?

- Sergio

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
behalf of erika_cissp () yahoo com
Sent: Monday, May 12, 2008 11:58 a.m.
To: security-basics () securityfocus com
Subject: Re: IPS log analysis

This is from TippingPoint central management console.

I'd really like to know:

How they are forging the source IP to appear as if it is on the same class C
as the destination (There should be no traffic to this DB)

What they are trying to do. I did some research and it looks as if they are
trying to change the password and then run an executable. 

Any ideas? Thanks in advance
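The core of Erika's question is how to tell, from the IPS export alone, that a "same class C" source is forged rather than a real neighbour of the DB. The usual defender's check is the ingress zone: a source address that belongs to the destination's own /24 has no business arriving on the external-facing interface, so any such event is either spoofing or a route leak, and both deserve a ticket. The following is an added example, not code from the original thread or from TippingPoint; it parses constructed log lines in a made-up key=value layout (TippingPoint's real SMS export format is not shown here, so that layout is an assumption), flags every event towards a DB that should see no traffic at all, and separately flags events whose source sits in the destination's /24 but was seen on the external zone. The 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges used as constructed sample data.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample IPS export. The key=value layout and the field names
# (ts, zone, src, dst, dport, action, sig) are assumptions for this example,
# not TippingPoint's real format. Signature names are placeholders.
SAMPLE_LOG = """\
ts=2008-05-12T11:40:01 zone=external src=192.0.2.77 dst=192.0.2.10 dport=1433 action=block sig=MSSQL_sp_password
ts=2008-05-12T11:40:02 zone=internal src=192.0.2.15 dst=192.0.2.10 dport=1433 action=permit sig=-
ts=2008-05-12T11:40:05 zone=external src=198.51.100.9 dst=192.0.2.10 dport=1433 action=block sig=MSSQL_login_brute
ts=2008-05-12T11:41:00 zone=external src=192.0.2.77 dst=192.0.2.10 dport=1433 action=block sig=MSSQL_xp_cmdshell
"""

# The DB host that, per the thread, should receive no traffic at all.
PROTECTED_DB = ipaddress.ip_address("192.0.2.10")


@dataclass
class Event:
    ts: str
    zone: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str
    sig: str


def parse_line(line):
    """Split one key=value record into an Event; raises on missing fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Event(
        ts=fields["ts"],
        zone=fields["zone"],
        src=ipaddress.ip_address(fields["src"]),
        dst=ipaddress.ip_address(fields["dst"]),
        dport=int(fields["dport"]),
        action=fields["action"],
        sig=fields["sig"],
    )


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def same_class_c(a, b):
    """True when both addresses fall in the same /24 (the old 'class C' size)."""
    net_a = ipaddress.ip_network(f"{a}/24", strict=False)
    net_b = ipaddress.ip_network(f"{b}/24", strict=False)
    return net_a == net_b


def classify(ev, protected_db=PROTECTED_DB):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if ev.dst == protected_db:
        reasons.append("traffic to DB that should see none")
    # An address from the destination's own /24 arriving on the external zone
    # cannot be legitimate: it is spoofed, or internal routes are leaking.
    if ev.zone == "external" and same_class_c(ev.src, ev.dst):
        reasons.append("internal-looking source seen on external zone")
    return reasons


def analyze(text, protected_db=PROTECTED_DB):
    """Return (ts, src, sig, reasons) for every flagged event, in log order."""
    findings = []
    for ev in parse_log(text):
        reasons = classify(ev, protected_db)
        if reasons:
            findings.append((ev.ts, str(ev.src), ev.sig, reasons))
    return findings


def spoof_suspects(text, protected_db=PROTECTED_DB):
    """Count, per source address, events that look like spoofed internal sources."""
    counts = Counter()
    for ts, src, sig, reasons in analyze(text, protected_db):
        if "internal-looking source seen on external zone" in reasons:
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, src, sig, reasons in analyze(SAMPLE_LOG):
        print(ts, src, sig, "; ".join(reasons))
    print("spoof suspects:", spoof_suspects(SAMPLE_LOG))
```

Two design points. First, the zone check is exactly what an ingress anti-spoofing rule (RFC 2827 / BCP 38 style filtering on the border device) enforces: packets carrying an internal source address must never be accepted from the outside, so if the IPS is seeing them, the border ACL in front of it is missing that rule. Second, the "any traffic at all" finding is the cheaper signal and matches Sergio's point: a DB that is not meant to be reachable should not have a public address, and until that changes, every event towards it is worth an alert regardless of what the signature says.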

