Security Incidents mailing list archives
Re: Connection Attempts
From: Anders Thulin <Anders.Thulin () kiconsulting se>
Date: Tue, 15 Jan 2002 08:24:37 +0100
Jeremy Hoover wrote:
Today I was going through my server logs. And I came across this.

Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:46:53 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
[...etc.]

On Dec. 26th, I found a syn flood coming from the same ip. What actions should I take? What kind of legal matters are involved in this? As I dig deeper, I keep finding connection attempts. There is NO reason for them to be trying to access our servers.
Start detailed logging, for instance sniffing on these nets, so that you can see what usernames and passwords are being used. At the same time alert any other sysadmins or net admins to enable and check logging for your other servers, routers, whatnot. Tread carefully, though. And have a chat with your company's risk manager and/or legal adviser, as well as other concerned people.

You don't seem to have any policies for handling security problems or incidents -- you (or someone else) may need to take the time to begin thinking deeper about that later. (Recommended book: van Wyk & Forno: Incident Response).

Overtly, treat it as a mistake, and inquire about it, including the relevant logs. Make sure your logs show the correct time, and also what time zone they're from. Also report this to CERT, and make sure you tell that to the person at the sending end that you contact about it.

As it is, they could have been hacked, and what you're seeing is that hacker's activities. If they have been hacked, be prepared for a certain amount of incredulity. That's why you should pass on logs from the very beginning.

If it doesn't stop, you may bare your teeth.

-- 
Anders Thulin anders.thulin () kiconsulting se 040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
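Anders' advice to collect the failures with correct, zone-labelled timestamps before contacting the other end can be mechanised over the pam_unix/ftpd lines Jeremy quoted. The following is an added example, not code from either poster: it parses classic syslog lines (which carry no year and no time zone), supplies both explicitly, tallies authentication failures per rhost, and reports the UTC window for any host over a threshold. The log lines are constructed (masked like the original, plus an RFC 5737 documentation address), and the year 2002 and +01:00 offset are assumptions taken from the thread's dates.

```python
import re
from collections import Counter
from datetime import datetime, timezone, timedelta

# Constructed sample in the shape of the pam_unix/ftpd entries quoted in the
# thread; hosts masked as in the original or drawn from 192.0.2.0/24.
SAMPLE_LOG = """\
Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:46:53 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
Jan 14 11:46:55 penguin ftp(pam_unix)[7257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:47:02 penguin ftp(pam_unix)[7258]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 12:03:10 penguin ftp(pam_unix)[7301]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.7
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
RHOST_RE = re.compile(r"\brhost=(?P<rhost>\S*)")

def parse_line(line, year, tz):
    """Parse one syslog line; year and zone are missing from the format, so the caller supplies them."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}

def auth_failures_by_rhost(log_text, year=2002, tz=timezone(timedelta(hours=1))):
    """Count pam_unix authentication failures per rhost and track first/last time in UTC (assumed year/zone)."""
    counts = Counter()
    first_last = {}
    for line in log_text.splitlines():
        rec = parse_line(line, year, tz)
        if not rec or "authentication failure" not in rec["msg"]:
            continue
        rh = RHOST_RE.search(rec["msg"])
        rhost = rh["rhost"] if rh and rh["rhost"] else "<unknown>"  # empty rhost= field
        counts[rhost] += 1
        t = rec["ts"].astimezone(timezone.utc)
        lo, hi = first_last.get(rhost, (t, t))
        first_last[rhost] = (min(lo, t), max(hi, t))
    return counts, first_last

def report(log_text, threshold=3, **kw):
    """Hosts at or above `threshold` failures, with an unambiguous UTC window for the abuse report."""
    counts, first_last = auth_failures_by_rhost(log_text, **kw)
    return [(rh, n, first_last[rh][0].isoformat(), first_last[rh][1].isoformat())
            for rh, n in counts.most_common() if n >= threshold]
```

Call `report(SAMPLE_LOG)` to get the single offending host with its count and ISO 8601 UTC window; pass `year=` and `tz=` matching the server that wrote the log rather than relying on the defaults.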
Current thread:
- Connection Attempts Jeremy Hoover (Jan 14)
- Re: Connection Attempts Anders Thulin (Jan 15)
- Re: Connection Attempts Andrew Simmons (Jan 15)
- Re: Connection Attempts Kevin . Reardon (Jan 15)