Firewall Wizards mailing list archives
Internal denial hack, interpret pix logs
From: Jim Cornelson <jcornelson () sheltonpublicschools org>
Date: 12 Jul 2002 17:32:18 -0000
We have a pix 520...ios 4.4. We were recently hacked. Our Exchange 5.5 had an ftp server installed by hackers and was used for spamming. We terminated that problem....something strange started happening. (I just started syslog after the hack.) See the logs below.

A dns server for sis.com (sis.com.tw) started doing a lot of business with our school servers. The pix is denying its tcp attempts....however, we have internal servers and workstations (in another building) that build a udp connection with it...then build outbound tcp connections with it....then they are torn down. Next, the Taiwan server tries to connect and is rejected. What is going on? There are an enormous number of connections going on....almost like a denial of service, only internally. This is occurring only in one building or network. Internet access is slow even though only 4 or 5 people are in that building this time of year.

Please note....someone over a year ago built a server in that location giving it an SIS NT domain name. SIS = Shelton Intermediate School. It should have been called Sheltonpublicschools.org. A show ipconfig shows the correct name server being used. We have an internal nameserver for the Windows 2000 stuff but it sends everything to Genuity which does our name service. I do not believe this is happening because of a corrupt dns file someplace. I believe this is some type of internal denial of service. Can you help or point me to the right group?

Global addresses have been altered and are not correct! Global addresses have been altered and are not correct! Global addresses have been altered and are not correct.
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-106015: Deny TCP (no connection) from 203.67.208.2/53 to 10.3.2.4/4922 flags ACK
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:58: %PIX-6-302002: Teardown TCP connection 22640 faddr 203.67.208.2/53 gaddr 6.20.4.56/4923 laddr 10.3.2.4/4923 duration 0:00:01 bytes 149 (TCP FIN)
2002-07-05 00:00:12 Local4.Info 10.2.0.1 Jul 05 2002 00:01:02: %PIX-6-302005: Built UDP connection for faddr 6.20.2.1/15208 gaddr 4.20.1.72/1192 laddr 10.2.0.93/1192
2002-07-05 00:00:05 Local4.Info 10.2.0.1 Jul 05 2002 00:00:55: %PIX-6-302005: Built UDP connection for faddr 203.67.208.2/63231 gaddr 6.20.4.56/4920 laddr 10.3.2.4/4920
2002-07-05 00:00:06 Local4.Info 10.2.0.1 Jul 05 2002 00:00:56: %PIX-6-302001: Built outbound TCP connection 22638 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4921 laddr 10.3.2.4/4921
2002-07-05 00:00:06 Local4.Info 10.2.0.1 Jul 05 2002 00:00:56: %PIX-6-302001: Built outbound TCP connection 22639 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922
2002-07-05 00:00:06 Local4.Info 10.2.0.1 Jul 05 2002 00:00:56: %PIX-6-302002: Teardown TCP connection 22638 faddr 203.67.208.2/53 gaddr 6.20.4.56/4921 laddr 10.3.2.4/4921 duration 0:00:01 bytes 149 (TCP FIN)
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-302001: Built outbound TCP connection 22640 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4923 laddr 10.3.2.4/4923
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-302002: Teardown TCP connection 22639 faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922 duration 0:00:01 bytes 149 (TCP FIN)
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-106015: Deny TCP (no connection) from 203.67.208.2/53 to 10.3.2.4/4922 flags ACK
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:58: %PIX-6-302002: Teardown TCP connection 22640 faddr 203.67.208.2/53 gaddr 4.20.1.70/4923 laddr 10.3.2.4/4923 duration 0:00:01 bytes 149 (TCP FIN)

Thanks,
Jim Cornelson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
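An added example, not from the post or the list: a small Python parser for the PIX message types quoted above (302005/302001 builds, 302002 teardowns, 106015 denies) that counts events per foreign address and checks whether each "Deny TCP (no connection)" follows a teardown of the same flow within a few seconds, which in the sample is the case for the ACK from 203.67.208.2/53 to 10.3.2.4/4922 (the PIX had just closed connection 22639). The five-second window and the flow-matching rule are assumptions of the example, and the sample lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above (syslog collector prefix, then the PIX message).
SAMPLE_LOGS = """\
2002-07-05 00:00:05 Local4.Info 10.2.0.1 Jul 05 2002 00:00:55: %PIX-6-302005: Built UDP connection for faddr 203.67.208.2/63231 gaddr 6.20.4.56/4920 laddr 10.3.2.4/4920
2002-07-05 00:00:06 Local4.Info 10.2.0.1 Jul 05 2002 00:00:56: %PIX-6-302001: Built outbound TCP connection 22639 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-302002: Teardown TCP connection 22639 faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922 duration 0:00:01 bytes 149 (TCP FIN)
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-106015: Deny TCP (no connection) from 203.67.208.2/53 to 10.3.2.4/4922 flags ACK
"""

# Device timestamp and six-digit PIX message id, e.g. "Jul 05 2002 00:00:57: %PIX-6-106015: ...".
MSG_RE = re.compile(r"(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(?P<msg_id>\d{6}): (?P<body>.*)")
# 302001/302002/302005 carry faddr/gaddr/laddr; 106015 carries "from X/p to Y/q flags F".
ADDR_RE = re.compile(r"faddr (?P<fip>[\d.]+)/(?P<fport>\d+) gaddr \S+ laddr (?P<lip>[\d.]+)/(?P<lport>\d+)")
DENY_RE = re.compile(r"from (?P<fip>[\d.]+)/(?P<fport>\d+) to (?P<lip>[\d.]+)/(?P<lport>\d+) flags (?P<flags>\S+)")


def parse_line(line):
    """Return ts, msg_id, flow (fip, fport, lip, lport) and flags for one line, or None."""
    m = MSG_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    a = DENY_RE.search(body) if m.group("msg_id") == "106015" else ADDR_RE.search(body)
    if not a:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"), "msg_id": m.group("msg_id"),
            "flow": (a.group("fip"), a.group("fport"), a.group("lip"), a.group("lport")),
            "flags": a.groupdict().get("flags", "")}


def analyze(text, window_s=5):
    """Count events per foreign address; split 106015 denies into those that follow a
    teardown of the same flow within window_s seconds (late packet) and the rest."""
    counts = defaultdict(lambda: defaultdict(int))
    last_teardown = {}  # flow -> time the PIX logged its teardown (assumed matching rule)
    late, unexplained = [], []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        counts[ev["flow"][0]][ev["msg_id"]] += 1
        if ev["msg_id"] == "302002":
            last_teardown[ev["flow"]] = ev["ts"]
        elif ev["msg_id"] == "106015":
            t = last_teardown.get(ev["flow"])
            target = late if t and 0 <= (ev["ts"] - t).total_seconds() <= window_s else unexplained
            target.append((ev["flow"], ev["flags"]))
    return counts, late, unexplained
```

Denies in `unexplained` (no recent teardown of that flow) are the ones worth chasing; a deny that lands in `late` is the PIX rejecting a packet for a session it has already closed.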