[Wolves] Out of Curiosity.... Security

leo sandhu wolves at mailman.lug.org.uk
Wed Jun 4 15:20:00 2003


nice to be back online guys, sorry for taking so long in replying to your 
good advice.


thanks to the scriptkiddie that wants to be my friend, my server has been 
off since about 17th May.   It has been rebuilt twice and currently will not 
boot into debian such is the damage done.    Now that I'm on-line through 
Smoothwall, I'm going to contact Telewest Abuse and push for some action.

The first probe of my system came just 9min 50seconds after smoothwall 
activation last night, IP addresses pointing all over the world have been 
reported through the firewall report and a Snort log is below. If Dick 
Cheney was on this lug I would be asking the H-Bomb be dropped on China and 
Amsterdam.   T***ers.

My plan for security is to now rebuild the debian server on a clean drive, 
and use double level IP masquerading: Smoothwall - DebServer - Network.

Just for a laugh, take a look at my Smoothwall "Intrusion Detection System" 
log,  (Dan I switched this on at 4am - somehow we missed it).   Are these as 
funny as I thought? If so can anybody please tell me the crime of having 
"medialcomms.kicks-ass.net" as a web address.

See Soon, Leo.

SmoothWall IDS snort log
Date: 4 June

Date: 06/04 04:15:18
Name: SCAN SOCKS Proxy attempt
Priority: 2
Type: Attempted Information Leak
IP Info: 193.38.113.34:57557 -> 80.195.90.91:1080
Refs: http://help.undernet.org/proxyscan/,

Date: 06/04 05:17:21
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 66.111.62.220:3702 -> 80.195.90.91:1434
Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref => 
http://www.securityfocus.com/bid/5311][Xref => 
http://www.securityfocus.com/bid/5310,

Date: 06/04 07:08:24
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 65.116.77.19:3306 -> 80.195.90.91:1434
Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref => 
http://www.securityfocus.com/bid/5311][Xref => 
http://www.securityfocus.com/bid/5310,

Date: 06/04 11:42:05
Name: SCAN SOCKS Proxy attempt
Priority: 2
Type: Attempted Information Leak
IP Info: 193.38.113.34:41628 -> 80.195.90.91:1080
Refs: http://help.undernet.org/proxyscan/,

Date: 06/04 11:59:35
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 218.226.196.131:3027 -> 80.195.90.91:1434
Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref => 
http://www.securityfocus.com/bid/5311][Xref => 
http://www.securityfocus.com/bid/5310,




On Fri, May 16, 2003 at 05:50:04AM +0000, leo sandhu wrote:
 >
 > On a positive note.... lol...... someone seems to be using my server to
 > launch internet attacks.   To my dodgy eye I think this hacker may have
 > left a trail home.   Is there anything I can do to screw the git?

Contact the relevant authorities. DO NOT ATTEMPT TO RETALIATE!! Send all of
your logs to the relevant people. I'm not sure who the CERT is in the UK but a
quick google will provide that info. Also if you can tell who the victims are
then it may be wise to contact them before they contact you, after all they will
most likely just see the malicious traffic as originating from you. Trying to
trace back to the attackers home machine will be very difficult and will require
the co-operation of all the ISPs downstream between you and him/her.

HTH,
	Lee

(Unemployed security researcher :)

--
leep@bogus.net DOC #25 GLASS #136
You can never break the chain
There is never love without pain - Secret Touch, Rush

_______________________________________________
Wolves mailing list
Wolves@mailman.lug.org.uk
http://mailman.lug.org.uk/mailman/listinfo/wolves
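As an added example (not part of the original thread or of SmoothWall), here is a small parser for the IDS log layout Leo pasted above, plus the per-source summary Lee's advice calls for when sending logs to an abuse desk. The sample log is constructed from the five entries in the post, wrapped Refs lines included; the year and the absence of a timezone in the timestamps are assumptions noted in the comments. One practical caveat built into the report: the "MS-SQL Worm propagation attempt" hits on port 1434 are the fingerprint of an automated worm, so the source hosts are most likely infected machines rather than a person at a keyboard, and the report should say so.

```python
"""Parse SmoothWall/Snort IDS alert blocks and summarise them for an abuse report."""
import re
from collections import Counter, defaultdict

# Constructed sample: the five entries quoted in the post, in the same layout.
# The Refs lines are left wrapped exactly as the archive shows them, to exercise
# the continuation-line handling below.
SAMPLE_LOG = """\
Date: 06/04 04:15:18
Name: SCAN SOCKS Proxy attempt
Priority: 2
Type: Attempted Information Leak
IP Info: 193.38.113.34:57557 -> 80.195.90.91:1080
Refs: http://help.undernet.org/proxyscan/,

Date: 06/04 05:17:21
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 66.111.62.220:3702 -> 80.195.90.91:1434
Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310,

Date: 06/04 07:08:24
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 65.116.77.19:3306 -> 80.195.90.91:1434
Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310,

Date: 06/04 11:42:05
Name: SCAN SOCKS Proxy attempt
Priority: 2
Type: Attempted Information Leak
IP Info: 193.38.113.34:41628 -> 80.195.90.91:1080
Refs: http://help.undernet.org/proxyscan/,

Date: 06/04 11:59:35
Name: MS-SQL Worm propagation attempt
Priority: 2
Type: Misc Attack
IP Info: 218.226.196.131:3027 -> 80.195.90.91:1434
Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310,
"""

# "Key: value" requires a space after the colon, so a wrapped "http://..." line
# is never mistaken for a new field.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?): (.*)$")
IPINFO_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")

# Signatures that come from automated worm traffic rather than an interactive attacker.
WORM_SIGNATURES = {"MS-SQL Worm propagation attempt"}


def parse_alerts(text):
    """Return one dict per blank-line separated alert block.

    Lines that are not 'Key: value' are appended to the previous field, which is
    how the wrapped Refs lines in the post read. Blocks without a parseable
    'IP Info' are dropped rather than attributed to the wrong host.
    """
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        alert, last_key = {}, None
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                last_key = m.group(1)
                alert[last_key] = m.group(2).strip()
            elif last_key:
                alert[last_key] += " " + line.strip()
        ip = IPINFO_RE.match(alert.get("IP Info", ""))
        if not ip:
            continue
        alert["src_ip"], alert["src_port"] = ip.group(1), int(ip.group(2))
        alert["dst_ip"], alert["dst_port"] = ip.group(3), int(ip.group(4))
        alerts.append(alert)
    return alerts


def summarize(alerts):
    """The counts a defender wants before deciding whom to write to."""
    return {
        "by_signature": dict(Counter(a["Name"] for a in alerts)),
        "by_source": dict(Counter(a["src_ip"] for a in alerts)),
        "dst_ports": sorted({a["dst_port"] for a in alerts}),
    }


def abuse_report(alerts, year="2003"):
    """One line per event, grouped by source IP, as an abuse desk would want it.

    The year is an assumption (the log line carries only month/day), and the
    SmoothWall timestamps carry no timezone: state the firewall's zone when sending.
    """
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["src_ip"]].append(a)
    lines = []
    for src in sorted(grouped, key=lambda s: tuple(int(o) for o in s.split("."))):
        lines.append(f"Source {src}:")
        for a in grouped[src]:
            lines.append(f"  {year}/{a['Date']} {a['Name']} -> port {a['dst_port']}"
                         f" (priority {a['Priority']})")
        if any(a["Name"] in WORM_SIGNATURES for a in grouped[src]):
            lines.append("  note: worm propagation traffic; this host is probably infected, not a deliberate attacker")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    print(summarize(parsed))
    print("\n".join(abuse_report(parsed)))
```

Run it as-is to see the summary and the grouped report for the sample; point `parse_alerts` at the text of a real SmoothWall IDS page to do the same for a live log.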
