Security Incidents mailing list archives

Re: Attack attempts from 195.86.128.45


From: Neil Dickey <neil () geol niu edu>
Date: Wed, 7 May 2003 10:14:12 -0500 (CDT)


Christian Stigen Larsen <csl () sublevel3 org> wrote asking:

we've gotten a lot of attempted attacks from 195.86.128.45, which
maps to kes.wirehub.nl.  I've already notified abuse () nl easynet net,
but has anybody else seen attacks from this IP?

I agree with Hamish Stanaway in that you are unlikely to hear
anything substantive from the ISP.  That doesn't mean they are
ignoring you, and it may mean that they are simply swamped with
similar complaints.

From our log:

05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ
[ ... ]
Plus numerous portscans.

You don't mention what tool is generating these log entries.  How is
it identifying the nature of the "attack," e.g. "Sub Seven," "Back
Orifice," etc.?  From what you sent, it appears to be doing this on
the basis of the destination port and this is no longer reliable as
a means of identifying the nature of an attack.  It's so easy to
tweak the malware, and by doing so one avoids ports that are very
closely watched.  If the packets being dropped are all just "SYN"
packets, then the situation isn't nearly so alarming as it seems to
be.  The "numerous portscans" could simply involve activity to ports
not commonly associated with malware by whatever you are using as
an IDS.

Do you have packet captures from any of these events?  That would
help you decide whether or not the line I quoted above is actually
a SubSeven attack, or just a SYN packet sent to that port.  If you
don't have anything listening on port 6776, or at least not anything
that's vulnerable, then all's well.  Traffic like this is part of
what has become normal noise on the internet.

What should I do next, besides wait for a reply?

As Hamish indicated, the usual sorts of things are appropriate:  Don't
run any services you don't actually need.  Keep your system patched up
to date.  Use a firewall, e.g. IPFilter, to control access to your
machine by remote domain and local port.  TCPwrappers perform a similar
function, and can be useful for security on ports commonly used for
remote access, such as SSH on port 22.  Don't run telnet or ftp daemons,
but use SSH instead.

If you already have a firewall up, then block the offending IP address.
If you are feeling particularly paranoid, then use the RIPE "whois"
database to find out the IP address range of this clown's ISP, and
block all of it.  ( I will admit to having done that on occasion. ;-)

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
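As an added example that is not part of Neil's reply, the following Python script parses the firewall log format quoted in the thread and applies the triage rule he describes: an "attack" label derived only from the destination port is confirmed or downgraded by looking at the captured packets (bare SYNs to a port nothing listens on are scan noise). The log line, packet summaries and the set of listening ports are constructed sample data.

```python
import re
from dataclasses import dataclass

# Log format quoted in the thread (constructed sample, one event on one line):
SAMPLE_LOG = [
    "05/06/2003 12:29:53.048 Sub Seven Attack Dropped "
    "195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ",
]
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<label>.+?) Dropped "
    r"(?P<src>[\d.]+), (?P<sport>\d+), (?P<src_zone>\w+) "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dst_zone>\w+)\s*$"
)

@dataclass
class Packet:          # constructed summary of one captured packet
    src: str
    dport: int
    flags: str         # TCP flags as a short string, "S" = bare SYN
    payload_len: int   # bytes of TCP payload

def parse_log_line(line):
    """Return the fields of one IDS log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def triage(entry, packets, listening_ports):
    """Decide whether a port-labelled 'attack' line deserves attention."""
    related = [p for p in packets
               if p.src == entry["src"] and p.dport == entry["dport"]]
    if not related:
        return "unknown: no capture for this event, label is port-based only"
    only_syn = all(p.flags == "S" and p.payload_len == 0 for p in related)
    if only_syn and entry["dport"] not in listening_ports:
        return "noise: SYN probes to a closed port"
    if only_syn:
        return "low: SYN probes to an open port, check that service is patched"
    return "investigate: payload-bearing traffic to port %d" % entry["dport"]

# Constructed capture: the same source sent a single SYN to 6776; only SSH listens.
SAMPLE_PACKETS = [Packet("195.86.128.45", 6776, "S", 0)]
LISTENING_PORTS = {22}

def run_sample():
    return [triage(parse_log_line(line), SAMPLE_PACKETS, LISTENING_PORTS)
            for line in SAMPLE_LOG]
```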


