[Sderby] Help with in security please

David Bottrill david at bottrill.org
Tue Jul 20 01:14:09 BST 2004


On Monday 19 July 2004 09:28, Mark Challener wrote:

Some comments below:

> I've just installed snort and get the following alerts.  Should I be
> worried about any of them?  Particularly the one marked OUTBOUND ?
>
> [**] [1:469:3] ICMP PING NMAP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 07/19-00:28:51.762175 4.29.3.56 -> MYIPADDR
> ICMP TTL:114 TOS:0x0 ID:55173 IpLen:20 DgmLen:28
> Type:8  Code:0  ID:512   Seq:9614  ECHO
> [Xref => http://www.whitehats.com/info/IDS162]

So what, somebody's NMAPing you; welcome to the real world. This is just a ping 
sweep that somebody is doing to see if there is anything worth looking at.

> [**] [1:469:3] ICMP PING NMAP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 07/19-00:33:52.885289 218.85.32.185 -> MYIPADDR
> ICMP TTL:109 TOS:0x0 ID:5452 IpLen:20 DgmLen:28
> Type:8  Code:0  ID:256   Seq:61161  ECHO
> [Xref => http://www.whitehats.com/info/IDS162]

Same again.

> [**] [1:2003:6] MS-SQL Worm propagation attempt [**]
> [Classification: Misc Attack] [Priority: 2]
> 07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
> UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
> Len: 376
> [Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
> http://www.securityfocus.com/bid/5311][Xref =>
> http://www.securityfocus.com/bid/5310]

If you were running Windows this should make you very worried, but as you are 
not and you have a firewall running, don't worry.


> [**] [1:2004:5] MS-SQL Worm propagation attempt OUTBOUND [**]
> [Classification: Misc Attack] [Priority: 2]
> 07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
> UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
> Len: 376
> [Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
> http://www.securityfocus.com/bid/5311][Xref =>
> http://www.securityfocus.com/bid/5310]

Same again.

> [**] [1:2050:5] MS-SQL version overflow attempt [**]
> [Classification: Misc activity] [Priority: 3]
> 07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
> UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
> Len: 376
> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
> http://www.securityfocus.com/bid/5310]

And again.
>
> [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 07/19-00:48:33.203160 163.1.13.54:80 -> MYIPADDR:32945
> TCP TTL:51 TOS:0x0 ID:58329 IpLen:20 DgmLen:649 DF
> ***AP*** Seq: 0x83E4BB45  Ack: 0x7465F89F  Win: 0x6030  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1963851070 621905

This is a response to your attempt to connect to a webserver at Oxford 
University (enterprise.molbiol.ox.ac.uk) and Snort didn't like what it saw, 
but since you are studying then I'm sure this is just a false positive that 
Snort detected.

> [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 07/19-00:48:33.578697 163.1.13.54:80 -> MYIPADDR:32945
> TCP TTL:51 TOS:0x0 ID:58330 IpLen:20 DgmLen:618 DF
> ***AP*** Seq: 0x83E4BD9A  Ack: 0x7465F9FD  Win: 0x6030  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1963851108 621952

And again; maybe you were slightly naughty here and tried a URL that was 
forbidden, hence the 403 error.


> [**] [1:469:3] ICMP PING NMAP [**]
> [Classification: Attempted Information Leak] [Priority: 2]
> 07/19-00:49:09.657746 216.67.204.220 -> MYIPADDR
> ICMP TTL:110 TOS:0x0 ID:10878 IpLen:20 DgmLen:28
> Type:8  Code:0  ID:768   Seq:4873  ECHO
> [Xref => http://www.whitehats.com/info/IDS162]

And another blighter doing ping sweeps.

I hope that puts your mind at rest.

-- 
David Bottrill
www.bottrill.org
Internet SIP Phone: 1-747-244-2699
Registered Linux user number 330730
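An added example, not part of the thread, for checking an alert list like the one above yourself: it parses Snort's full-alert format and groups alerts by the packet that raised them, which shows that the "OUTBOUND" alert is the same inbound UDP packet that tripped the other MS-SQL rules. The sample text is constructed from the alerts in the post, with 192.0.2.10 standing in for MYIPADDR.

```python
import re

# Constructed sample in Snort "full" alert format, modelled on the post's alerts
# (192.0.2.10 stands in for the poster's MYIPADDR).
SAMPLE = """\
[**] [1:469:3] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/19-00:28:51.762175 4.29.3.56 -> 192.0.2.10
ICMP TTL:114 TOS:0x0 ID:55173 IpLen:20 DgmLen:28
[**] [1:2003:6] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
07/19-00:34:17.845584 166.70.3.186:2740 -> 192.0.2.10:1434
UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
[**] [1:2004:5] MS-SQL Worm propagation attempt OUTBOUND [**]
[Classification: Misc Attack] [Priority: 2]
07/19-00:34:17.845584 166.70.3.186:2740 -> 192.0.2.10:1434
UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PACKET = re.compile(r"^(\d\d/\d\d-[\d:.]+) (\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> "
                    r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?$")

def parse_alerts(text):
    """One dict per alert: rule sid, message, timestamp and endpoints."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:                       # start of a new alert record
            cur = {"sid": int(m.group(2)), "msg": m.group(4)}
            alerts.append(cur)
            continue
        m = PACKET.match(line.strip())
        if m and cur is not None:   # the "timestamp src -> dst" line
            cur.update(ts=m.group(1), src=m.group(2), sport=m.group(3),
                       dst=m.group(4), dport=m.group(5))
    return alerts

def triage(alerts, my_ip):
    """Group alerts by the packet that raised them (same timestamp and
    endpoints) and take direction from the addresses, not the rule name."""
    groups = {}
    for a in alerts:
        key = (a["ts"], a["src"], a["sport"], a["dst"], a["dport"])
        groups.setdefault(key, []).append(a["msg"])
    return [{"ts": ts, "src": src, "dst": dst,
             "direction": "outbound" if src == my_ip else "inbound",
             "rules": msgs}
            for (ts, src, _sp, dst, _dp), msgs in groups.items()]
```

Running `triage(parse_alerts(SAMPLE), "192.0.2.10")` yields two packets, both inbound, the second carrying both MS-SQL rule messages.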