Snort mailing list archives
Re: attack
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 22 Feb 2002 11:23:16 -0800 (PST)
On Fri, 22 Feb 2002, Scott Taylor wrote:
> So what's the best thing to do with this type of attack? Turn 'em in? To who? Is there a way I can let them know that I know what they're doing? Any ideas?
Welcome to our Nightmare. This is called "Damned things that fill up our logs
due to M$ not having a fnorking clue." Also known as Nimda, CodeRed or just
"Pain in the Ass."
Dig around. See who the IP belongs to.
---
[erek@merf]~>whois -h whois.geektools.com 63.204.135.168
Query: 63.204.135.168
Registry: whois.arin.net
Results:
Pac Bell Internet Services (NETBLK-PBI-NET-7) PBI-NET-7
63.192.0.0 - 63.207.255.255
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
SBCIS-100216-175755
63.204.132.0 - 63.204.135.255
[erek@merf]~>whois -h whois.geektools.com NETBLK-SBCIS-100216-175755
Query: netblk-sbcis-100216-175755
Registry: whois.arin.net
Results:
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
303 2nd St.
San Francisco, CA 94107
US
Netname: SBCIS-100216-175755
Netblock: 63.204.132.0 - 63.204.135.255
Coordinator:
Pacific Bell Internet (PIA2-ORG-ARIN) ip-admin () PBI NET
888-212-5411
Record last updated on 17-Feb-2000.
Database last updated on 21-Feb-2002 19:56:30 EDT.
---
Now since I know some folks who used to work for PBI/SBC, let's just say don't
expect a quick fix response. If my info was correct (8-10 months ago) they
had like 4 people to work all abuse complaints for
SBC/SWbell/NevadaBell/Ameritech/PBI. That's 4 very overworked people in my
book.
Of course if you want to give them a helpful hand.... You could add the
following to your httpd.conf--You _are_ running Apache aren't you? :)
---
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
# Match the literal file names: escape the dot, and use "/" rather than "\"
# before the name (a "\c" escape is not a literal c in PCRE-based Apache builds).
RedirectMatch (.*)/cmd\.exe(.*) http://127.0.0.1
RedirectMatch (.*)/root\.exe(.*) http://127.0.0.1
RedirectMatch (.*)/default\.ida(.*) http://127.0.0.1
---
Now since CR and company use blocking threads, as the connections get
redirected back to their own box, it slowly starts to die. It will eventually
quit when it runs out of threads. Till they reboot, that is.... :-/
*shrug*
-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
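The post's advice boils down to two steps: spot the Code Red / Nimda probe requests (default.ida, root.exe, cmd.exe) in your web logs, then look up who owns the source netblock so you know where an abuse complaint goes. The following script is an added example for this thread, not code from the original post or from the Snort project; it does the first step, tallying those three request signatures per source IP from an Apache combined-format access log so you have a per-IP summary to hand to the netblock contact that whois gives you. The log lines are constructed for the example (the first three reuse the IP from the post, the others are RFC 5737 documentation addresses) and the default.ida request is shortened from what the real worm sends.

```python
"""Tally Code Red / Nimda style probe requests per source IP from an Apache access log.

Added example for this mailing-list thread; not part of the original post.
Assumes the Apache combined log format and the three request signatures that
the post's RedirectMatch lines target.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
63.204.135.168 - - [22/Feb/2002:10:01:02 -0800] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 283 "-" "-"
63.204.135.168 - - [22/Feb/2002:10:01:03 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
63.204.135.168 - - [22/Feb/2002:10:01:04 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [22/Feb/2002:10:02:11 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.44 - - [22/Feb/2002:10:03:15 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"""

# Apache combined log format: ip ident user [timestamp] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The three signatures mirror the RedirectMatch targets in the post.
SIGNATURES = {
    # Code Red sends its overflow payload as a GET for /default.ida
    "default.ida": re.compile(r"/default\.ida", re.IGNORECASE),
    # root.exe is the cmd.exe copy Code Red II leaves behind; Nimda probes for it
    "root.exe": re.compile(r"/root\.exe", re.IGNORECASE),
    # directory-traversal requests for cmd.exe (Nimda), including %-encoded variants
    "cmd.exe": re.compile(r"/cmd\.exe", re.IGNORECASE),
}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return the name of the matching probe signature, or None for ordinary traffic."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def summarize(log_text):
    """Map source IP -> Counter of signature hits. IPs with no hits are omitted."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        sig = classify(rec["path"])
        if sig:
            hits[rec["ip"]][sig] += 1
    return dict(hits)


def abuse_report(summary):
    """One line per offending IP, busiest first, suitable for pasting into an abuse complaint."""
    lines = []
    for ip, counts in sorted(summary.items(), key=lambda kv: -sum(kv[1].values())):
        total = sum(counts.values())
        detail = ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))
        lines.append(f"{ip}: {total} probe(s) ({detail})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(abuse_report(summarize(SAMPLE_LOG)))
```

Run it against a real access log by passing the file's contents to `summarize()`; the per-IP lines from `abuse_report()` are what you would attach when contacting the coordinator that the whois lookup above turns up. Matching on the literal file names (with the dot escaped) catches the double-encoded traversal variants too, since the `cmd.exe` part of the path is never encoded.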
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- attack Scott Taylor (Feb 22)
- Re: attack Erek Adams (Feb 22)
- Re: attack Phil Wood (Feb 22)
- RE: attack Wayne Work (Feb 22)
- Re: attack Skip Carter (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 Ryan Lindsey (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: attack Erek Adams (Feb 22)
