Re: re: attack

["Scott Taylor" <scottt () soccer com>]

That's kinda what I thought. Thanks for the reply, I appreciate it.

Scott



---- Begin Original Message ----

From: Glenn Forbes Fleming Larratt <glratt () io com>
Sent: Fri, 22 Feb 2002 13:05:08 -0600 (CST)
To: snort-users () lists sourceforge net
Subject: re: [Snort-users] attack


You could turn them in to PacBell:
================================================================
% whois -h whois.arin.net 63.204.135.168
ATTINGO (NETBLK-SBCIS-100217-154237)
   303 Second Street
   San Francisco, Ca 94107
   US

   Netname: SBCIS-100217-154237
   Netblock: 63.204.136.168 - 63.204.136.175

   Coordinator:
      Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin () PBI NET
      888-212-5411
================================================================
but my experience with their 'abuse@' address has been autoreplies
only (always with the text -

        "I will investigate your complaint and take appropriate
action."

, and nothing, *ever*,  of substance - and I generally don't bother
with
Code Red or Nimda unless it's *inside* my border. This is the response
I get when they portscan me for with ssh exploit tools, nmap, etc.

Code Red and Nimda won't, IMO, *ever* really go away, given the
prevalent
standards among various international domains, uncaring top-level
ISP's,
and (*sigh*, because I'm at one) universities.

Your most effective strategy is going to be to see to your own hosts
and
networks, frankly.

On Fri, 22 Feb 2002, Scott Taylor wrote:

> So what's the best thing to do with this type of attack? Turn'em in?
> To who? Is there a way I can let them know that I know what their
> doing? Any ideas?
>
> Cheers,
> Scott
>
>
> [**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
> ***AP*** Seq: 0x79EC6CC Ack: 0x21AE2090 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:24.084478 63.204.135.168:2313 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:56799 IpLen:20 DgmLen:120 DF
> ***AP*** Seq: 0x841E21B Ack: 0x21DA22E5 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:26.015481 63.204.135.168:2415 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57061 IpLen:20 DgmLen:120 DF
> ***AP*** Seq: 0x897EDD4 Ack: 0x221B03CF Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:27.841065 63.204.135.168:2484 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57309 IpLen:20 DgmLen:136 DF
> ***AP*** Seq: 0x8CD3F1E Ack: 0x21FF7EA1 Win: 0x4248 TcpLen: 20
>
> [**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
> [Classification: access to a potentually vulnerable web
application]
> [Priority: 2]
> 02/22-10:13:29.720477 63.204.135.168:2572 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57558 IpLen:20 DgmLen:157 DF
> ***AP*** Seq: 0x9162D26 Ack: 0x22164ADC Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:31.651168 63.204.135.168:2658 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:57814 IpLen:20 DgmLen:157 DF
> ***AP*** Seq: 0x95C4B1D Ack: 0x21AF8A4E Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:33.689744 63.204.135.168:2740 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58087 IpLen:20 DgmLen:185 DF
> ***AP*** Seq: 0x9A01736 Ack: 0x22220C8E Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:35.794798 63.204.135.168:2839 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58370 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0x9F34819 Ack: 0x2254F005 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:37.904728 63.204.135.168:2923 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58654 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0xA3660EC Ack: 0x22D1A6E7 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:40.239684 63.204.135.168:3022 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:58965 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0xA882856 Ack: 0x22BD9884 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:42.598231 63.204.135.168:3126 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:59278 IpLen:20 DgmLen:137 DF
> ***AP*** Seq: 0xADC9A9C Ack: 0x22C0BEF4 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:44.946090 63.204.135.168:3227 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:59592 IpLen:20 DgmLen:138 DF
> ***AP*** Seq: 0xB2DF585 Ack: 0x230644E9 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:47.344817 63.204.135.168:3337 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:59917 IpLen:20 DgmLen:136 DF
> ***AP*** Seq: 0xB85E8FA Ack: 0x233A0541 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:49.826087 63.204.135.168:3440 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:60246 IpLen:20 DgmLen:140 DF
> ***AP*** Seq: 0xBDABDF7 Ack: 0x238A2DB3 Win: 0x4248 TcpLen: 20
>
> [**] [1:1002:2] WEB-IIS cmd.exe access [**]
> [Classification: Web Application Attack] [Priority: 1]
> 02/22-10:13:52.532260 63.204.135.168:3554 -> 63.169.127.223:80
> TCP TTL:119 TOS:0x0 ID:60606 IpLen:20 DgmLen:136 DF
> ***AP*** Seq: 0xC37CE49 Ack: 0x22E5E0D1 Win: 0x4248 TcpLen: 20
>
>
>
> THERE IS ONLY ONE...
> SOCCER.COM, The Center of the Soccer Universe
> http://www.soccer.com
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

                                Glenn Forbes Fleming Larratt
                                Rice University Network Management
                                glratt () rice edu



--
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


---- End Original Message ----




THERE IS ONLY ONE...
SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users