Snort mailing list archives
Re: re: attack
From: "Scott Taylor" <scottt () soccer com>
Date: Fri, 22 Feb 2002 11:33:34 -0800
That's kinda what I thought. Thanks for the reply, I appreciate it.

Scott

---- Begin Original Message ----
From: Glenn Forbes Fleming Larratt <glratt () io com>
Sent: Fri, 22 Feb 2002 13:05:08 -0600 (CST)
To: snort-users () lists sourceforge net
Subject: re: [Snort-users] attack

You could turn them in to PacBell:

================================================================
% whois -h whois.arin.net 63.204.135.168
ATTINGO (NETBLK-SBCIS-100217-154237)
   303 Second Street
   San Francisco, Ca 94107
   US

   Netname: SBCIS-100217-154237
   Netblock: 63.204.136.168 - 63.204.136.175

   Coordinator:
      Pacific Bell Internet  (PIA2-ORG-ARIN)  ip-admin () PBI NET
      888-212-5411
================================================================

but my experience with their 'abuse@' address has been autoreplies only (always with the text "I will investigate your complaint and take appropriate action.", and nothing, *ever*, of substance), and I generally don't bother with Code Red or Nimda unless it's *inside* my border. This is the response I get when they portscan me with ssh exploit tools, nmap, etc.

Code Red and Nimda won't, IMO, *ever* really go away, given the prevalent standards among various international domains, uncaring top-level ISP's, and (*sigh*, because I'm at one) universities. Your most effective strategy is going to be to see to your own hosts and networks, frankly.

On Fri, 22 Feb 2002, Scott Taylor wrote:
So what's the best thing to do with this type of attack? Turn 'em in? To whom? Is there a way I can let them know that I know what they're doing? Any ideas?

Cheers,
Scott

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56151 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x79EC6CC  Ack: 0x21AE2090  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:24.084478 63.204.135.168:2313 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:56799 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x841E21B  Ack: 0x21DA22E5  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:26.015481 63.204.135.168:2415 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57061 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x897EDD4  Ack: 0x221B03CF  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:27.841065 63.204.135.168:2484 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57309 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x8CD3F1E  Ack: 0x21FF7EA1  Win: 0x4248  TcpLen: 20

[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/22-10:13:29.720477 63.204.135.168:2572 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57558 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9162D26  Ack: 0x22164ADC  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:31.651168 63.204.135.168:2658 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:57814 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x95C4B1D  Ack: 0x21AF8A4E  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:33.689744 63.204.135.168:2740 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58087 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x9A01736  Ack: 0x22220C8E  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:35.794798 63.204.135.168:2839 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58370 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9F34819  Ack: 0x2254F005  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:37.904728 63.204.135.168:2923 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58654 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA3660EC  Ack: 0x22D1A6E7  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:40.239684 63.204.135.168:3022 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:58965 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xA882856  Ack: 0x22BD9884  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:42.598231 63.204.135.168:3126 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59278 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0xADC9A9C  Ack: 0x22C0BEF4  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:44.946090 63.204.135.168:3227 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59592 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0xB2DF585  Ack: 0x230644E9  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:47.344817 63.204.135.168:3337 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:59917 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xB85E8FA  Ack: 0x233A0541  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:49.826087 63.204.135.168:3440 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:60246 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0xBDABDF7  Ack: 0x238A2DB3  Win: 0x4248  TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:52.532260 63.204.135.168:3554 -> 63.169.127.223:80
TCP TTL:119 TOS:0x0 ID:60606 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0xC37CE49  Ack: 0x22E5E0D1  Win: 0x4248  TcpLen: 20

THERE IS ONLY ONE... SOCCER.COM, The Center of the Soccer Universe
http://www.soccer.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Glenn Forbes Fleming Larratt
Rice University Network Management
glratt () rice edu
--
Glenn Forbes Fleming Larratt      The Lab Ratt (not briggs :-)
glratt () io com                    http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.

---- End Original Message ----
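As an added example (not code from the thread or from the Snort project), a small parser for Snort's full-alert format that groups alerts by source address and flags the root.exe-then-cmd.exe probe pattern the thread is about, the per-source summary one would attach to an abuse report or use to decide whether a scan warrants attention. The sample alerts are constructed from the ones quoted above, with 192.0.2.10 as an assumed unrelated second source; the "worm-style" test is my own heuristic, not a Snort feature.

```python
import re
from collections import defaultdict

# Constructed sample in Snort full-alert format (packet-header lines omitted), modelled on the
# thread's alerts, plus one unrelated alert from an assumed second address for contrast.
SAMPLE_ALERTS = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:19.830419 63.204.135.168:2122 -> 63.169.127.223:80
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:13:24.084478 63.204.135.168:2313 -> 63.169.127.223:80
[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
02/22-10:13:29.720477 63.204.135.168:2572 -> 63.169.127.223:80
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
02/22-10:20:01.000000 192.0.2.10:4000 -> 63.169.127.223:80
"""
HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)")

def parse_alerts(text):  # one dict per alert: sid, rule name, timestamp, src, dst, dport
    alerts, current = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:  # rule header: hold sid and name until the flow line of the same alert arrives
            current = {"sid": int(h.group(2)), "name": h.group(4)}
            continue
        f = FLOW.match(line)
        if f and current is not None:
            current.update(ts=f.group(1), src=f.group(2), dst=f.group(4), dport=int(f.group(5)))
            alerts.append(current)
            current = None
    return alerts

def summarise_by_source(alerts):  # per source: alert count, first/last seen, SIDs triggered
    by_src = defaultdict(lambda: {"count": 0, "first": None, "last": None, "sids": set()})
    for a in alerts:
        s = by_src[a["src"]]
        s["count"] += 1
        s["first"] = min(s["first"] or a["ts"], a["ts"])  # fixed-width stamps sort as strings
        s["last"] = max(s["last"] or a["ts"], a["ts"])
        s["sids"].add(a["sid"])
    return dict(by_src)

def worm_style_sources(summary):
    # Heuristic, not a Snort feature: a source hitting both the CodeRed root.exe rule (sid 1256)
    # and the cmd.exe rule (sid 1002) is behaving like the worm probes the thread describes.
    return sorted(src for src, s in summary.items() if {1256, 1002} <= s["sids"])
```

Feeding a real Snort alert file to `parse_alerts` and printing `summarise_by_source` per flagged source gives the timestamps, SIDs and counts an abuse desk asks for, while sources that only tripped an isolated rule stay out of the report.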