Snort mailing list archives
RE: Shaft?
From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Sat, 24 Aug 2002 08:22:36 -0500
drjung, this came up on the 21st on the incidents.org mailing list. Four people from that list that I know of all had the :13000 scan on the 21st; I did not receive the one from the 22nd. Check out this thread from the mailing list:

http://cert.uni-stuttgart.de/archive/intrusions/2002/08/msg00215.html

Matt

-----Original Message-----
From: J. Craig Woods [mailto:drjung () trismegistus net]
Sent: Friday, August 23, 2002 9:19 PM
To: Snort
Subject: [Snort-users] Shaft?

No, not the movie. The trojan. I was wondering if anyone on the list has run into the log entry:

Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 195.27.218.62:13000 -> X.X.X.X:13000
Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 195.27.218.62:6000 -> X.X.X.X:6000

I have left in the source IP because it is important in understanding this alert. A simple whois will show this IP to be in the RIPE netblock. It also has no reverse DNS configured. Yes, it might very well be spoofed or a false positive. I have checked out all of my security on my server, and things look intact, and I cannot find any penetration. I was hoping someone might have some thoughts on this alert or maybe you can point me in the right direction. Of course, neither of these ports is open to the internet. I have ipchains logging for attempts on port 6000 (X), and it clearly shows a DENY on that one. No logging on 13000, but it is filtered (strange port to be probing, yes?)

Thanks for any assistance,
drjung
--
J. Craig Woods
UNIX Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
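As an added example (not part of either post above, and not Snort's own code), here is a small Python triage script for alert lines in the syslog format drjung quoted. It parses the [gid:sid:rev] tag, message, classification, priority, protocol and both endpoints, groups hits by source address, and flags the pattern visible in the two quoted lines: source port equal to destination port. The sample input is constructed: the two quoted lines with the masked X.X.X.X replaced by the documentation address 192.0.2.10, plus one made-up non-reflexive hit from 198.51.100.7 for contrast. The script does not re-implement the packet-level match of sid 241; it only helps answer the question the thread is asking, whether a run of these alerts is one host probing a few ports or something broader.

```python
"""Triage Snort syslog alerts of the kind quoted in the thread above.

Example code added to this archive page, not part of the original posts.
Parses "[gid:sid:rev] msg [Classification: ...] [Priority: n]: {PROTO} src:port -> dst:port"
lines as Snort writes them to syslog, groups them by source address and
flags the pattern drjung noticed: source port equal to destination port.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input (assumption): the two lines from the original post with
# the masked X.X.X.X replaced by the documentation address 192.0.2.10, plus one
# made-up non-reflexive hit from another source for contrast.
SAMPLE_LOG = """\
Aug 21 16:32:47 lincoln snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 195.27.218.62:13000 -> 192.0.2.10:13000
Aug 22 04:39:18 lincoln snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 195.27.218.62:6000 -> 192.0.2.10:6000
Aug 22 09:12:00 lincoln snort: [1:241:2] DDOS shaft synflood [Classification: Attempted Denial of Service] [Priority: 2]: {TCP} 198.51.100.7:40213 -> 192.0.2.10:80
"""

# Snort's syslog alert layout: timestamp, host, "snort:", then the alert body.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass
class Alert:
    ts: str
    host: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alerts(text: str) -> List[Alert]:
    """Parse every syslog line that matches the Snort alert format; skip the rest."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # other daemons' lines (e.g. ipchains kernel logs), or a format not handled
        g = m.groupdict()
        alerts.append(Alert(
            ts=g["ts"], host=g["host"], gid=int(g["gid"]), sid=int(g["sid"]),
            rev=int(g["rev"]), msg=g["msg"], classification=g["cls"],
            priority=int(g["prio"]), proto=g["proto"], src=g["src"],
            sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        ))
    return alerts


def is_reflexive(a: Alert) -> bool:
    """True when source and destination ports are identical (13000->13000, 6000->6000)."""
    return a.sport == a.dport


def summarize(alerts: List[Alert]) -> Dict[str, dict]:
    """Per-source summary: hit count, rule ids seen, reflexive hits, destination ports."""
    out: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "sids": set(), "reflexive": 0, "dports": set()}
    )
    for a in alerts:
        s = out[a.src]
        s["count"] += 1
        s["sids"].add(a.sid)
        s["dports"].add(a.dport)
        if is_reflexive(a):
            s["reflexive"] += 1
    return dict(out)


if __name__ == "__main__":
    for src, s in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(f"{src}: {s['count']} alert(s), sids={sorted(s['sids'])}, "
              f"reflexive={s['reflexive']}, dports={sorted(s['dports'])}")
```

Grouping by source makes the question in the thread concrete: one address, two reflexive hits on two different ports over two days. The natural next step is to run the same source address against the ipchains DENY entries the post mentions, which this script deliberately skips rather than matching a kernel log format that is not shown on the page.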
Current thread:
- Shaft? J. Craig Woods (Aug 23)
- Re: Shaft? John Sage (Aug 25)
- Re: Shaft? Wayne T Work (Aug 25)
- Re: Shaft? Ralf Hildebrandt (Aug 25)
- Re: Shaft? Wayne T Work (Aug 25)
- <Possible follow-ups>
- RE: Shaft? Matt Yackley (Aug 24)
- Re: Shaft? John Sage (Aug 25)