Security Incidents mailing list archives
RE: DoS "Probing" on one of our hosts
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 30 Jun 2003 10:14:27 -0700 (PDT)
To me, that pattern sounds a lot more like someone's hacked a server and set up a warez site.
This could very well be, particularly if there is an FTP server floating around on the connection.
See if you can put a sniffer on the outbound connection (Sniffer is my commercial favorite) to find the endpoints.
Sniffer isn't needed to find the endpoints...only netstat on the local box.
There are lots of reasons your IDS isn't raising alarms: the system that was hacked was already an FTP server, or if your IDS isn't monitoring common protocols from servers, or the IDS system doesn't see the traffic going to the hacked system, et al.
Well, not so much that the IDS didn't see it, but the IDS didn't have a signature for the traffic that it did see...
Harlan
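The netstat-only endpoint check mentioned in the reply above, sketched as an added example that is not part of the original post: it groups established TCP connections by the local listening port they hit, so an unexpected service and its remote peers stand out. It assumes plain `netstat -an` output with colon-separated `address:port` columns; the sample output and all addresses are constructed.

```python
from collections import defaultdict

# Constructed `netstat -an` sample (documentation-range addresses, not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51022     ESTABLISHED
  TCP    192.0.2.10:2121        203.0.113.44:40311     ESTABLISHED
  TCP    192.0.2.10:2121        203.0.113.90:40912     ESTABLISHED
  TCP    192.0.2.10:2121        203.0.113.44:40315     TIME_WAIT
  TCP    192.0.2.10:1045        198.51.100.20:25       ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

def parse(text):
    """Yield (local_port, remote_host, remote_port, state) for each TCP row."""
    for line in text.splitlines():
        tok = line.split()
        # Skip headers, UDP rows and anything without local/foreign/state columns.
        if len(tok) < 4 or not tok[0].lower().startswith("tcp"):
            continue
        local, foreign, state = tok[-3], tok[-2], tok[-1].upper()
        lport = local.rpartition(":")[2]
        rhost, _, rport = foreign.rpartition(":")
        yield lport, rhost, rport, state

def endpoints(text):
    """Return (inbound, outbound) views of the established connections.

    inbound:  {local service port: sorted remote hosts connected to it}
    outbound: sorted "host:port" strings this box connected out to
    """
    rows = list(parse(text))
    # Covers both "LISTENING" (Windows) and "LISTEN" (Unix) state names.
    listening = {lport for lport, _, _, st in rows if st.startswith("LISTEN")}
    inbound, outbound = defaultdict(set), set()
    for lport, rhost, rport, st in rows:
        if st != "ESTABLISHED":
            continue
        if lport in listening:
            inbound[int(lport)].add(rhost)
        else:
            outbound.add(f"{rhost}:{rport}")
    return {p: sorted(h) for p, h in inbound.items()}, sorted(outbound)

if __name__ == "__main__":
    inbound, outbound = endpoints(SAMPLE)
    for port, hosts in sorted(inbound.items()):
        print(f"local port {port}: {', '.join(hosts)}")
    print("outbound:", ", ".join(outbound))
```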