Security Incidents mailing list archives

Re: Connection Attempts


From: Anders Thulin <Anders.Thulin () kiconsulting se>
Date: Tue, 15 Jan 2002 08:24:37 +0100



Jeremy Hoover wrote:

Today I was going through my server logs, and I came across this.

Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:46:53 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
[...etc.]

On Dec. 26th, I found a syn flood coming from the same ip.   What actions
should I take?  What kind of legal matters are involved in
this.  As I dig deeper, I keep finding connection attempts.  There is NO
reason for them to be trying to access our servers.

  Start detailed logging, for instance sniffing on these nets, so that you can
see what usernames and passwords are being used. At the same
time alert any other sysadmins or net admins to enable and check logging
for your other servers, routers, whatnot. Tread carefully, though.
And have a chat with your company's risk manager and/or legal adviser, as well
as other concerned people. You don't seem to have any policies for handling
security problems or incidents -- you (or someone else) may need to take the
time to begin thinking deeper about that later. (Recommended book: van Wyk &
Forno: Incident Response).

  Overtly, treat it as a mistake, and inquire about it, including the relevant
logs. Make sure your logs show the correct time, and also what time zone they're
from. Also report this to CERT, and make sure you tell that to the person at the
sending end that you contact about it. As it is, they could have been hacked, and
what you're seeing is those hackers' activities. If they have been hacked, be
prepared for a certain amount of incredulity. That's why you should pass on logs
from the very beginning.
  
  If it doesn't stop, you may bare your teeth. 

-- 
Anders Thulin   anders.thulin () kiconsulting se   040-661 50 63          
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
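Two of the points above, seeing which remote hosts are behind the failed logins and making the log times unambiguous (year and time zone) before passing them on, can be scripted. The following is an added example, not code from this thread or from either poster; the sample lines are constructed in the same syslog/pam_unix format as the quoted ftp log, and the year and the server's UTC offset are assumptions the analyst supplies.

```python
import re
from collections import Counter
from datetime import datetime, timezone, timedelta

# Constructed sample lines in the same format as the quoted ftp log; the
# hostname and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
Jan 14 11:46:51 penguin ftp(pam_unix)[7256]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:46:53 penguin ftpd: 63.240.xxx.xxx: connected: IDLE
Jan 14 11:47:02 penguin ftp(pam_unix)[7258]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=63.240.xxx.xxx
Jan 14 11:47:10 penguin ftp(pam_unix)[7259]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5
Jan 14 12:01:00 penguin sshd[7300]: Accepted password for alice from 10.0.0.9
"""

# Classic syslog timestamps carry neither year nor zone; both are supplied by
# the analyst (assumption: the server clock runs in the zone given as an offset).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
RHOST_RE = re.compile(r"\brhost=(\S+)")

def normalize_timestamp(ts, year, tz_offset_hours):
    """Turn 'Jan 14 11:46:51' into an ISO 8601 string with an explicit zone."""
    naive = datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")
    tz = timezone(timedelta(hours=tz_offset_hours))
    return naive.replace(tzinfo=tz).isoformat()

def parse_auth_failures(log_text, year, tz_offset_hours):
    """Return (events, failures-per-rhost) for pam_unix 'authentication failure' lines."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or "authentication failure" not in m.group("msg"):
            continue  # connection notices and successful logins are skipped
        r = RHOST_RE.search(m.group("msg"))
        events.append({
            "time": normalize_timestamp(m.group("ts"), year, tz_offset_hours),
            "host": m.group("host"),
            "service": m.group("prog").split("(")[0],  # 'ftp' from 'ftp(pam_unix)'
            "rhost": r.group(1) if r else "<unknown>",
        })
    return events, Counter(e["rhost"] for e in events)

if __name__ == "__main__":
    events, counts = parse_auth_failures(SAMPLE_LOG, year=2002, tz_offset_hours=1)
    for rhost, n in counts.most_common():
        first = next(e["time"] for e in events if e["rhost"] == rhost)
        print(f"{rhost}: {n} failed logins, first seen {first}")
```

The normalized timestamps are what you would include when contacting the other end or CERT, since a bare "Jan 14 11:46:51" cannot be matched against logs kept in another zone.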

