Should I take this further?

Post by David Tillotson » Fri, 01 Jun 2001 05:51:05



Below are a few firewall log entries from the last couple of days. I'm
assuming that the spoofed packets came from the first host that attempted
to access our POP3 server. Is it worth taking this further with the ISP
concerned, or is it more likely that Hanlon's Razor should be applied?
FYI - Our internal servers are purely internal. Rule 6 in the firewall
script blocks all incoming packets not initiated by us, rule 5 blocks IP
spoofs.

_Log extracts (annotated)_
_xxx.xxx.xxx.xxx = my external IP_

05/28/01 13:43:18 input REJECT ippp0 PROTO=6 194.134.222.2:110
xxx.xxx.xxx.xxx:110 L=40 S=0x00 I=1535 F=0x0000 T=115 SYN (#6)
05/29/01 07:47:53 input REJECT ippp0 PROTO=6 194.134.222.2:4467
xxx.xxx.xxx.xxx:110 L=60 S=0x00 I=54216 F=0x4000 T=53 SYN (#6)


05/30/01 09:22:11 input REJECT ippp0 PROTO=6 192.168.2.221:80
xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=28865 F=0x4000 T=117 (#5)
05/30/01 09:22:23 input REJECT ippp0 PROTO=6 192.168.2.221:80
xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=10946 F=0x4000 T=117 (#5)
05/30/01 09:22:52 input REJECT ippp0 PROTO=6 192.168.2.221:80
xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=22979 F=0x4000 T=117 (#5)
05/30/01 09:23:41 input REJECT ippp0 PROTO=6 192.168.2.221:80
xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=54981 F=0x4000 T=117 (#5)
05/30/01 09:25:25 input REJECT ippp0 PROTO=6 192.168.2.221:80
xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=20172 F=0x4000 T=117 (#5)

--
David Tillotson
david at acmelabs dot demon dot co dot uk
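
As an added example (not code from the post or from anyone in the thread), here is a small Python parser for these ipchains log lines that applies the thread's own reasoning to the quoted entries: a private source arriving on the outside interface, an address in the right subnet that was never assigned (David's later observation about .221), a server-port-to-high-port packet without SYN that looks like a stray reply, and a bare SYN whose source port equals its destination port. The internal subnet 192.168.2.0/24, the assigned-address list and the interface name are assumptions.

```python
import ipaddress
import re

# Constructed sample: three REJECT lines from the post, rejoined onto single lines; xxx.xxx.xxx.xxx is the external IP.
LOG = """\
05/28/01 13:43:18 input REJECT ippp0 PROTO=6 194.134.222.2:110 xxx.xxx.xxx.xxx:110 L=40 S=0x00 I=1535 F=0x0000 T=115 SYN (#6)
05/29/01 07:47:53 input REJECT ippp0 PROTO=6 194.134.222.2:4467 xxx.xxx.xxx.xxx:110 L=60 S=0x00 I=54216 F=0x4000 T=53 SYN (#6)
05/30/01 09:22:11 input REJECT ippp0 PROTO=6 192.168.2.221:80 xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=28865 F=0x4000 T=117 (#5)
"""

# Assumed numbering: the thread only says .221 is in "the correct subnet" but unused,
# and that .218 was recently added.
INTERNAL_NET = ipaddress.ip_network("192.168.2.0/24")
ASSIGNED = {"192.168.2.218"}
LINE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-f]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$")

def parse_log(text):
    """One dict per well-formed ipchains line; anything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
            r[k] = int(r[k])
        r["df"] = bool(int(r["frag"], 16) & 0x4000)  # DF bit of the fragment word
        r["flags"] = r["flags"].split()               # ipchains logs only SYN
        records.append(r)
    return records

def assess(records, external_iface="ippp0"):
    """Explain each rejected packet the way the thread reasons about it."""
    findings = []
    for r in records:
        src = ipaddress.ip_address(r["src"])
        if r["iface"] == external_iface and src.is_private:
            why = "private source on the outside interface: spoofed, or leaked through a NAT"
            if src in INTERNAL_NET and r["src"] not in ASSIGNED:
                why += "; in our subnet but never assigned"
            if "SYN" not in r["flags"] and r["sport"] < 1024 <= r["dport"]:
                why += "; server port to high port without SYN looks like a stray reply"
            findings.append((r["src"], why))
        elif "SYN" in r["flags"] and r["sport"] == r["dport"] and r["len"] == 40:
            findings.append((r["src"], "SYN with src port == dst port and no TCP options: crafted"))
    return findings
```

Run it over the real log with `assess(parse_log(open("/var/log/messages").read()))`; rule numbers and the DF bit come through so the two rule-5 and rule-6 cases can be filtered separately.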


Should I take this further?

Post by Doug Holt » Sat, 02 Jun 2001 05:05:57


David;

They got rejected.  They know you are "protected".  I'd leave it.  OR you
can do what I do: go visit them.  Try and telnet and ftp to them, causing
them some lines of file to read.  :)

D


> Below are a few firewall log entries from the last couple of days. I'm
> assuming that the spoofed packets came from the first host that attempted
> to access our POP3 server. Is it worth taking this further with the ISP
> concerned, or is it more likely that Hanlon's Razor should be applied?
> FYI - Our internal servers are purely internal. Rule 6 in the firewall
> script blocks all incoming packets not initiated by us, rule 5 blocks IP
> spoofs.

> _Log extracts (annotated)_
> _xxx.xxx.xxx.xxx = my external IP_

> 05/28/01 13:43:18 input REJECT ippp0 PROTO=6 194.134.222.2:110
> xxx.xxx.xxx.xxx:110 L=40 S=0x00 I=1535 F=0x0000 T=115 SYN (#6)
> 05/29/01 07:47:53 input REJECT ippp0 PROTO=6 194.134.222.2:4467
> xxx.xxx.xxx.xxx:110 L=60 S=0x00 I=54216 F=0x4000 T=53 SYN (#6)


> 05/30/01 09:22:11 input REJECT ippp0 PROTO=6 192.168.2.221:80
> xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=28865 F=0x4000 T=117 (#5)
> 05/30/01 09:22:23 input REJECT ippp0 PROTO=6 192.168.2.221:80
> xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=10946 F=0x4000 T=117 (#5)
> 05/30/01 09:22:52 input REJECT ippp0 PROTO=6 192.168.2.221:80
> xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=22979 F=0x4000 T=117 (#5)
> 05/30/01 09:23:41 input REJECT ippp0 PROTO=6 192.168.2.221:80
> xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=54981 F=0x4000 T=117 (#5)
> 05/30/01 09:25:25 input REJECT ippp0 PROTO=6 192.168.2.221:80
> xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=20172 F=0x4000 T=117 (#5)

> --
> David Tillotson
> david at acmelabs dot demon dot co dot uk



Should I take this further?

Post by David Tillotson » Sat, 02 Jun 2001 06:29:01




> David;

> They got rejected.  They know you are "protected".  I'd leave it.  OR you
> can do what I do: go visit them.  Try and telnet and ftp to them, causing
> them some lines of file to read.  :)

I have already done that, but I can't help wondering what on earth
someone was trying to do. Anyone know of an exploit/risk from this kind
of packet?

> > 05/30/01 09:22:11 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=28865 F=0x4000 T=117 (#5)
> > 05/30/01 09:22:23 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=10946 F=0x4000 T=117 (#5)
> > 05/30/01 09:22:52 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=22979 F=0x4000 T=117 (#5)
> > 05/30/01 09:23:41 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=54981 F=0x4000 T=117 (#5)
> > 05/30/01 09:25:25 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=20172 F=0x4000 T=117 (#5)

The interesting bit is that the alleged source IP was in the correct
subnet, but we haven't yet used that particular address (although we
have recently added one close to that [218]). This might imply inside
knowledge, but no-one except myself inside the company knows enough
about TCP/IP to do this AFAIK. If I do find that it was an insider, I
might be offering a change of role :-)
--
David Tillotson
david at acmelabs dot demon dot co dot uk

Should I take this further?

Post by Acid » Sun, 17 Jun 2001 12:10:18


Yeah, that's pretty much my favorite thing to do after reviewing the
previous day's snort/acid logs.

I like to use VisualRoute, trace the path of the offender, maybe do a whois;
of course they are usually in the Netherlands or something, not much I can
do about it.

Then kick off a short port scan or ping them for a while with a couple of
large packets for fun, a couple more traces... not to provoke, just to let
them know I am watching them... kind of cat and mouse stuff... fun... make them
look through their logs like they made me look at them and do the same...

Good luck...


> David;

> They got rejected.  They know you are "protected".  I'd leave it.  OR you
> can do what I do: go visit them.  Try and telnet and ftp to them, causing
> them some lines of file to read.  :)

> D



> > Below are a few firewall log entries from the last couple of days. I'm
> > assuming that the spoofed packets came from the first host that attempted
> > to access our POP3 server. Is it worth taking this further with the ISP
> > concerned, or is it more likely that Hanlon's Razor should be applied?
> > FYI - Our internal servers are purely internal. Rule 6 in the firewall
> > script blocks all incoming packets not initiated by us, rule 5 blocks IP
> > spoofs.

> > _Log extracts (annotated)_
> > _xxx.xxx.xxx.xxx = my external IP_

> > 05/28/01 13:43:18 input REJECT ippp0 PROTO=6 194.134.222.2:110
> > xxx.xxx.xxx.xxx:110 L=40 S=0x00 I=1535 F=0x0000 T=115 SYN (#6)
> > 05/29/01 07:47:53 input REJECT ippp0 PROTO=6 194.134.222.2:4467
> > xxx.xxx.xxx.xxx:110 L=60 S=0x00 I=54216 F=0x4000 T=53 SYN (#6)


> > 05/30/01 09:22:11 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=28865 F=0x4000 T=117 (#5)
> > 05/30/01 09:22:23 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=10946 F=0x4000 T=117 (#5)
> > 05/30/01 09:22:52 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=22979 F=0x4000 T=117 (#5)
> > 05/30/01 09:23:41 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=54981 F=0x4000 T=117 (#5)
> > 05/30/01 09:25:25 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=20172 F=0x4000 T=117 (#5)

> > --
> > David Tillotson
> > david at acmelabs dot demon dot co dot uk


Should I take this further?

Post by Mr.Pin » Sun, 17 Jun 2001 16:28:58


One time I got scanned by someone, so I ran a scan on them... and they had a
web page with all their personal stuff on it.


> Yeah, that's pretty much my favorite thing to do after reviewing the
> previous day's snort/acid logs.

> I like to use VisualRoute, trace the path of the offender, maybe do a whois;
> of course they are usually in the Netherlands or something, not much I can
> do about it.

> Then kick off a short port scan or ping them for a while with a couple of
> large packets for fun, a couple more traces... not to provoke, just to let
> them know I am watching them... kind of cat and mouse stuff... fun... make them
> look through their logs like they made me look at them and do the same...

> Good luck...



> > David;

> > They got rejected.  They know you are "protected".  I'd leave it.  OR you
> > can do what I do: go visit them.  Try and telnet and ftp to them, causing
> > them some lines of file to read.  :)

> > D



> > > Below are a few firewall log entries from the last couple of days. I'm
> > > assuming that the spoofed packets came from the first host that attempted
> > > to access our POP3 server. Is it worth taking this further with the ISP
> > > concerned, or is it more likely that Hanlon's Razor should be applied?
> > > FYI - Our internal servers are purely internal. Rule 6 in the firewall
> > > script blocks all incoming packets not initiated by us, rule 5 blocks IP
> > > spoofs.

> > > _Log extracts (annotated)_
> > > _xxx.xxx.xxx.xxx = my external IP_

> > > 05/28/01 13:43:18 input REJECT ippp0 PROTO=6 194.134.222.2:110
> > > xxx.xxx.xxx.xxx:110 L=40 S=0x00 I=1535 F=0x0000 T=115 SYN (#6)
> > > 05/29/01 07:47:53 input REJECT ippp0 PROTO=6 194.134.222.2:4467
> > > xxx.xxx.xxx.xxx:110 L=60 S=0x00 I=54216 F=0x4000 T=53 SYN (#6)



> > > 05/30/01 09:22:11 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=28865 F=0x4000 T=117 (#5)
> > > 05/30/01 09:22:23 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=10946 F=0x4000 T=117 (#5)
> > > 05/30/01 09:22:52 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=22979 F=0x4000 T=117 (#5)
> > > 05/30/01 09:23:41 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=54981 F=0x4000 T=117 (#5)
> > > 05/30/01 09:25:25 input REJECT ippp0 PROTO=6 192.168.2.221:80
> > > xxx.xxx.xxx.xxx:62514 L=40 S=0x00 I=20172 F=0x4000 T=117 (#5)

> > > --
> > > David Tillotson
> > > david at acmelabs dot demon dot co dot uk


sed not taking [\t]+ tho it takes [\t]*

===================================================
THIS IS OK

% cat test.sh
#!/bin/sh
cat <<EOF | sed 's/^[ \t]*/XXX /'
   abc def
  123 456
 uvw xyz
EOF

% test.sh
XXX abc def
XXX 123 456
XXX uvw xyz

===================================================
BUT CHANGE "[ \t]*" to "[ \t]+" AND IT FAILS - WHY?

% cat test2.sh
#!/bin/sh
cat <<EOF2 | sed 's/^[ \t]+/XXX /'
   abc def
  123 456
 uvw xyz
EOF2

% test2.sh
   abc def
  123 456
 uvw xyz

===================================================
Thanks for any comments,
-Bob
 Andover, MA

Sent via Deja.com http://www.deja.com/
Before you buy.
