RE: DoS "Probing" on one of our hosts

[Harlan Carvey <keydet89 () yahoo com>]

> To me, that pattern sounds a lot more like someone's
> hacked a server and set up a warez site.  

This could very well be, particularly if there is an
FTP server floating around on the connection.

> See if you can put a sniffer on the outbound
> connection (Sniffer is my commercial favorite) to
> find the endpoints. 

Sniffer isn't needed to find the endpoints...only
netstat on the local box.  

> There are lots of reasons your
> IDS isn't raising alarms: the system that was hacked
> was already an FTP server, or if your IDS isn't
> monitoring common protocols from servers, or the IDS
> system doesn't see the traffic going to the hacked
> system, et al.

Well, not so much that the IDS didn't see it, but the
IDS didn't have a signature for the traffic that it
did see...

Harlan

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------