Security Incidents mailing list archives

RE: Security Question


From: "Hoyt Plunkett" <hoyt () matmon com>
Date: Thu, 25 Oct 2001 09:43:22 -0500

I run several of these SonicWall firewall appliances.  It appears the
same tool was used to scan you in both attacks.  Though, I would assume
these attacks are separate (unique attacker), since one comes from the
States and another from Japan.  From the attacker's perspective, what
would make him/her think it would work from a different block of IP
addresses on the next day, if the first attack didn't work?  The IP
spoof appears to be an ICMP ping from 194.153.255.99.  You say it's not
on your LAN.  Is this server at a colo?

Either way, I would definitely not be worried about this.

Hoyt Plunkett
Senior Linux Administrator
Matmon Internet, Inc.
(501) 375-4999

-----Original Message-----
From: Paul Speck [mailto:paul.speck () Solveris com] 
Sent: Wednesday, October 24, 2001 5:58 PM
To: 'incidents () securityfocus com'
Subject: Security Question


I am attaching log files which show two days of attack and then an IP
Spoof. Is this an indication of a successful access of our Red Hat 7.1
Linux machine?  The Firewall manufacturer (SonicWall) says no, but I am
not sure of that.  The MAC address is our Linux box.  On the IP Spoof,
neither Source nor Destination are on our LAN.

10/20/2001 08:12:46.160 - Possible Port Scan - Source:209.195.200.206, 53744, WAN - Destination:208.26.184.xxx, 5579, LAN - -
10/20/2001 08:12:58.304 - Striker Attack Dropped - Source:209.195.200.206, 55387, WAN - Destination:208.26.184.xxx, 2565, WAN - -
10/20/2001 08:13:00.368 - Sub Seven Attack Dropped - Source:209.195.200.206, 55653, WAN - Destination:208.26.184.xxx, 1243, WAN - -
10/20/2001 08:13:06.592 - Ini Killer Attack Dropped - Source:209.195.200.206, 56491, WAN - Destination:208.26.184.xxx, 9989, WAN - -
10/20/2001 08:13:32.208 - Ripper Attack Dropped - Source:209.195.200.206, 59280, WAN - Destination:208.26.184.xxx, 2023, WAN - -
10/20/2001 08:14:38.816 - Net Spy Attack Dropped - Source:209.195.200.206, 65247, WAN - Destination:208.26.184.xxx, 1024, WAN - -

10/21/2001 06:44:32.640 - Probable Port Scan - Source:202.219.52.137, 3162, WAN - Destination:208.26.184.xxx, 908, LAN - -
10/21/2001 06:45:29.288 - Sub Seven Attack Dropped - Source:202.219.52.137, 3619, WAN - Destination:208.26.184.xxx, 6711, WAN - -
10/21/2001 06:45:30.000 - Ripper Attack Dropped - Source:202.219.52.137, 3764, WAN - Destination:208.26.184.xxx, 2023, WAN - -
10/21/2001 06:45:40.400 - Striker Attack Dropped - Source:202.219.52.137, 1841, WAN - Destination:208.26.184.xxx, 2565, WAN - -
10/21/2001 06:45:41.176 - Net Spy Attack Dropped - Source:202.219.52.137, 2002, WAN - Destination:208.26.184.xxx, 1024, WAN - -
10/21/2001 06:45:43.176 - Ini Killer Attack Dropped - Source:202.219.52.137, 2438, WAN - Destination:208.26.184.xxx, 9989, WAN - -
10/21/2001 06:48:15.352 - Back Orifice Attack Dropped - Source:202.219.52.137, 2220, WAN - Destination:208.26.184.xxx, 31337, WAN - -
10/21/2001 06:48:44.032 - NetBus Attack Dropped - Source:202.219.52.137, 4238, WAN - Destination:208.26.184.xxx, 12345, WAN - -
10/21/2001 06:49:14.368 - Priority Attack Dropped - Source:202.219.52.137, 2770, WAN - Destination:208.26.184.xxx, 16969, WAN - -
10/21/2001 07:38:20.544 - IP spoof detected - Source:194.153.255.99, 8, LAN - Destination:192.117.189.191, 8, WAN - MAC address: 00.06.5B.1A.1E.EB -


Paul
 
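One way to triage lines in the SonicWall format quoted above, as an added example that is not from either poster: it groups the blocked signature hits per source and only reports events that actually touch the LAN block. The LAN prefix (208.26.184.0/24) is assumed, and the post's masked "xxx" octet is replaced by a constructed .10 in the sample.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the format quoted above; the post's masked "xxx"
# octet is replaced by a constructed 10, and the LAN block is assumed.
SAMPLE_LOG = """\
10/20/2001 08:12:46.160 - Possible Port Scan - Source:209.195.200.206, 53744, WAN - Destination:208.26.184.10, 5579, LAN - -
10/20/2001 08:13:00.368 - Sub Seven Attack Dropped - Source:209.195.200.206, 55653, WAN - Destination:208.26.184.10, 1243, WAN - -
10/21/2001 06:44:32.640 - Probable Port Scan - Source:202.219.52.137, 3162, WAN - Destination:208.26.184.10, 908, LAN - -
10/21/2001 06:48:15.352 - Back Orifice Attack Dropped - Source:202.219.52.137, 2220, WAN - Destination:208.26.184.10, 31337, WAN - -
10/21/2001 06:48:44.032 - NetBus Attack Dropped - Source:202.219.52.137, 4238, WAN - Destination:208.26.184.10, 12345, WAN - -
10/21/2001 07:38:20.544 - IP spoof detected - Source:194.153.255.99, 8, LAN - Destination:192.117.189.191, 8, WAN - MAC address: 00.06.5B.1A.1E.EB -
"""
LAN = ip_network("208.26.184.0/24")

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<msg>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+) -(?P<rest>.*)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(log_text, lan=LAN):
    """Per-source summary of blocked probes plus the events that merit a closer look."""
    by_source = defaultdict(lambda: {"scan": False, "dropped_ports": []})
    concerns = []
    for ev in parse(log_text):
        msg = ev["msg"]
        if "Port Scan" in msg:
            by_source[ev["src"]]["scan"] = True
        elif msg.endswith("Attack Dropped"):
            # Signature hit the firewall blocked: the probe never reached the host.
            by_source[ev["src"]]["dropped_ports"].append(int(ev["dport"]))
        elif msg.startswith("IP spoof"):
            # For ICMP the "port" fields hold the ICMP type (8 = echo request).
            if not any(ip_address(ev[k]) in lan for k in ("src", "dst")):
                continue  # neither address is ours: not traffic to or from the host
            concerns.append(("spoof touching LAN", ev["src"], ev["dst"]))
        else:
            concerns.append(("needs review", ev["src"], msg))
    return dict(by_source), concerns
```

On the sample, both sources come out as a scan followed by dropped trojan-port probes and the spoof entry is skipped, which matches the conclusion that nothing in these lines shows traffic reaching the host.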

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
