[Sderby] Help with in security please

Mark Challener mark-challener at whippet89.freeserve.co.uk
Tue Jul 20 18:53:08 BST 2004


David Bottrill wrote:

>On Monday 19 July 2004 09:28, Mark Challener wrote:
>
>Some comments below:
>
>  
>
>>I've just installed snort and get the following alerts.  Should I be
>>worried about any of them?  Particularly the one marked OUTBOUND ?
>>
>>[**] [1:469:3] ICMP PING NMAP [**]
>>[Classification: Attempted Information Leak] [Priority: 2]
>>07/19-00:28:51.762175 4.29.3.56 -> MYIPADDR
>>ICMP TTL:114 TOS:0x0 ID:55173 IpLen:20 DgmLen:28
>>Type:8  Code:0  ID:512   Seq:9614  ECHO
>>[Xref => http://www.whitehats.com/info/IDS162]
>>    
>>
>
>So what, somebody's NMAPing you; welcome to the real world. This is just a ping 
>sweep that somebody is doing to see if there is anything worth looking at.
>
>  
>
>>[**] [1:469:3] ICMP PING NMAP [**]
>>[Classification: Attempted Information Leak] [Priority: 2]
>>07/19-00:33:52.885289 218.85.32.185 -> MYIPADDR
>>ICMP TTL:109 TOS:0x0 ID:5452 IpLen:20 DgmLen:28
>>Type:8  Code:0  ID:256   Seq:61161  ECHO
>>[Xref => http://www.whitehats.com/info/IDS162]
>>    
>>
>
>Same again.
>
>  
>
>>[**] [1:2003:6] MS-SQL Worm propagation attempt [**]
>>[Classification: Misc Attack] [Priority: 2]
>>07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
>>UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
>>Len: 376
>>[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
>>http://www.securityfocus.com/bid/5311][Xref =>
>>http://www.securityfocus.com/bid/5310]
>>    
>>
>
>If you were running Windows this should make you very worried, but as you are 
>not and you have a firewall running, don't worry.
>
>
>  
>
>>[**] [1:2004:5] MS-SQL Worm propagation attempt OUTBOUND [**]
>>[Classification: Misc Attack] [Priority: 2]
>>07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
>>UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
>>Len: 376
>>[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
>>http://www.securityfocus.com/bid/5311][Xref =>
>>http://www.securityfocus.com/bid/5310]
>>    
>>
>
>Same again.
>
>  
>
>>[**] [1:2050:5] MS-SQL version overflow attempt [**]
>>[Classification: Misc activity] [Priority: 3]
>>07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
>>UDP TTL:113 TOS:0x0 ID:43510 IpLen:20 DgmLen:404
>>Len: 376
>>[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
>>http://www.securityfocus.com/bid/5310]
>>    
>>
>
>And again.
>  
>
>>[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
>>[Classification: Attempted Information Leak] [Priority: 2]
>>07/19-00:48:33.203160 163.1.13.54:80 -> MYIPADDR:32945
>>TCP TTL:51 TOS:0x0 ID:58329 IpLen:20 DgmLen:649 DF
>>***AP*** Seq: 0x83E4BB45  Ack: 0x7465F89F  Win: 0x6030  TcpLen: 32
>>TCP Options (3) => NOP NOP TS: 1963851070 621905
>>    
>>
>
>This is a response to your attempt to connect to a webserver at Oxford 
>University (enterprise.molbiol.ox.ac.uk) and snort didn't like what it saw, 
>but since you are studying then I'm sure this is just a false positive that 
>snort detected.
>
>  
>
>>[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
>>[Classification: Attempted Information Leak] [Priority: 2]
>>07/19-00:48:33.578697 163.1.13.54:80 -> MYIPADDR:32945
>>TCP TTL:51 TOS:0x0 ID:58330 IpLen:20 DgmLen:618 DF
>>***AP*** Seq: 0x83E4BD9A  Ack: 0x7465F9FD  Win: 0x6030  TcpLen: 32
>>TCP Options (3) => NOP NOP TS: 1963851108 621952
>>    
>>
>
>And again, maybe you were slightly naughty here and tried a URL that was 
>forbidden, hence the 403 error.
>
>
>  
>
>>[**] [1:469:3] ICMP PING NMAP [**]
>>[Classification: Attempted Information Leak] [Priority: 2]
>>07/19-00:49:09.657746 216.67.204.220 -> MYIPADDR
>>ICMP TTL:110 TOS:0x0 ID:10878 IpLen:20 DgmLen:28
>>Type:8  Code:0  ID:768   Seq:4873  ECHO
>>[Xref => http://www.whitehats.com/info/IDS162]
>>    
>>
>
>And another blighter doing ping sweeps.
>
>I hope that puts your mind at rest.
>
>  
>
Thanks Dave
I feel a bit more comfortable with my internet connection now and that 
my paranoia isn't totally justified.
Best regards
    Mark
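
A triage helper for alert output like that quoted above, as an added example that is not part of the original messages: it groups alerts by packet (timestamp, source, destination) and labels each packet's direction relative to the local address, which shows that the three MS-SQL alerts, including the one named OUTBOUND, came from a single packet addressed to MYIPADDR. The function names and the `local` parameter are assumptions; the sample keeps only the header and packet lines from the thread.

```python
import re
from collections import defaultdict

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
PACKET = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)")

# Constructed sample: header and packet lines taken from the alerts quoted in
# the thread (mail quoting ">>" left in place, all other alert lines omitted).
SAMPLE = """\
>>[**] [1:469:3] ICMP PING NMAP [**]
>>07/19-00:33:52.885289 218.85.32.185 -> MYIPADDR
>>[**] [1:2003:6] MS-SQL Worm propagation attempt [**]
>>07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
>>[**] [1:2004:5] MS-SQL Worm propagation attempt OUTBOUND [**]
>>07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
>>[**] [1:2050:5] MS-SQL version overflow attempt [**]
>>07/19-00:34:17.845584 166.70.3.186:2740 -> MYIPADDR:1434
>>[**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**]
>>07/19-00:48:33.203160 163.1.13.54:80 -> MYIPADDR:32945
"""

def parse_alerts(text):
    """Yield (sid, message, timestamp, src, dst) for each alert in the text."""
    sid = msg = None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail quoting
        if m := HEADER.match(line):
            sid, msg = int(m.group(2)), m.group(4)
        elif (m := PACKET.match(line)) and sid is not None:
            yield sid, msg, m.group(1), m.group(2), m.group(3)
            sid = msg = None                     # wait for the next header

def triage(text, local="MYIPADDR"):
    """Group alerts by packet and label direction relative to `local`."""
    packets = defaultdict(list)
    for sid, msg, ts, src, dst in parse_alerts(text):
        packets[(ts, src, dst)].append((sid, msg))
    report = []
    for (ts, src, dst), sigs in packets.items():
        src_host, dst_host = src.split(":")[0], dst.split(":")[0]
        direction = ("inbound" if dst_host == local
                     else "outbound" if src_host == local else "other")
        report.append({"time": ts, "src": src, "dst": dst,
                       "direction": direction, "sigs": sigs})
    return report

if __name__ == "__main__":
    for p in triage(SAMPLE):
        names = "; ".join(f"{sid} {msg}" for sid, msg in p["sigs"])
        print(f'{p["time"]} {p["src"]} -> {p["dst"]} [{p["direction"]}] {names}')
```
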


