[Wolves] Out of Curiosity.... Security
Sales
wolves at mailman.lug.org.uk
Wed Jun 4 16:26:00 2003
I wouldn't worry about the 193.38.113.34 address:
That's the Blueyonder Abuse scanner checking to make sure you're not
running an unsecured News, ftp etc service.
Expect it up to 3-4 times a day!
Also don't waste your time on abuse@blueyonder, they said in the BY
feedback newsgroup that they receive 35,000 abuse emails a month, and
I'm still getting scans etc from BY customers I reported 3 months ago
(I'm on BY by the way)
Most attacks I seem to get picked up with my smoothwall are code red IIS
attacks, so you can ignore these too.
Oh, watch out for Snort switching itself off on a reboot, I thought it
was just mine, but someone else commented on it in Smoothwall newsgroup
the other day.
Regards
Wayne Morris
On Wed, 2003-06-04 at 15:18, leo sandhu wrote:
> nice to be back online guys, sorry for taking so long in replying to your
> good advice.
>
>
> thanks to the scriptkiddie that wants to be my friend, my server has been
> off since about 17th may. It has been rebuilt twice and currently will not
> boot into debian such is the damage done. Now that I'm on-line through
> Smoothwall, I'm going to contact Telewest Abuse and push for some action.
>
> The first probe of my system came just 9min 50seconds after smoothwall
> activation last night, IP addresses pointing all over the world have been
> reported through the firewall report and a Snort log is below. If Dick
> Cheney was on this lug I would be asking the H-Bomb be dropped on China and
> Amsterdam. T***ers.
>
> My plan for security is to now rebuild the debian server on a clean drive,
> and use double level IP masquerading: Smoothwall - DebServer - Network.
>
> Just for a laugh, take a look at my Smoothwall "Intrusion Detection System"
> log, (Dan I switched this on at 4am - somehow we missed it). Are these as
> funny as I thought? If so can anybody please tell me the crime of having
> "medialcomms.kicks-ass.net" as a web address.
>
> See Soon, Leo.
>
> SmoothWall IDS snort log
> Date: 4 June
>
> Date: 06/04 04:15:18
> Name: SCAN SOCKS Proxy attempt
> Priority: 2
> Type: Attempted Information Leak
> IP Info: 193.38.113.34:57557 -> 80.195.90.91:1080
> Refs: http://help.undernet.org/proxyscan/,
>
> Date: 06/04 05:17:21
> Name: MS-SQL Worm propagation attempt
> Priority: 2
> Type: Misc Attack
> IP Info: 66.111.62.220:3702 -> 80.195.90.91:1434
> Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref =>
> http://www.securityfocus.com/bid/5311][Xref =>
> http://www.securityfocus.com/bid/5310,
>
> Date: 06/04 07:08:24
> Name: MS-SQL Worm propagation attempt
> Priority: 2
> Type: Misc Attack
> IP Info: 65.116.77.19:3306 -> 80.195.90.91:1434
> Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref =>
> http://www.securityfocus.com/bid/5311][Xref =>
> http://www.securityfocus.com/bid/5310,
>
> Date: 06/04 11:42:05
> Name: SCAN SOCKS Proxy attempt
> Priority: 2
> Type: Attempted Information Leak
> IP Info: 193.38.113.34:41628 -> 80.195.90.91:1080
> Refs: http://help.undernet.org/proxyscan/,
>
> Date: 06/04 11:59:35
> Name: MS-SQL Worm propagation attempt
> Priority: 2
> Type: Misc Attack
> IP Info: 218.226.196.131:3027 -> 80.195.90.91:1434
> Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref =>
> http://www.securityfocus.com/bid/5311][Xref =>
> http://www.securityfocus.com/bid/5310,
>
>
>
>
> On Fri, May 16, 2003 at 05:50:04AM +0000, leo sandhu wrote:
> >
> > On a positive note.... lol...... someone seems to be using my server to
> > launch internet attacks. To my dodgy eye I think this hacker may have
> > left a trail home. Is there anything I can do to screw the git?
>
> Contact the relevant authorities. DO NOT ATTEMPT TO RETALIATE!! Send all of
> your logs to the relevant people. I'm not sure who the CERT is in the UK but a
> quick google will provide that info. Also if you can tell who the victims are
> then it may be wise to contact them before they contact you, after all they will
> most likely just see the malicious traffic as originating from you. Trying to
> trace back to the attackers home machine will be very difficult and will require
> the co-operation of all the ISPs downstream between you and him/her.
>
> HTH,
> Lee
>
> (Unemployed security researcher :)
>
> --
> leep@bogus.net DOC #25 GLASS #136
> You can never break the chain
> There is never love without pain - Secret Touch, Rush
>
> _______________________________________________
> Wolves mailing list
> Wolves@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/wolves
>
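A small triage script for the SmoothWall IDS log format quoted above, added here as an example (it is not code from the thread or from SmoothWall): it splits the blank-line-separated records, ignores the wrapped Refs continuation lines, and counts hits per source address and per triage label. The allow-list of the ISP's abuse scanner is constructed from Wayne's claim about 193.38.113.34, and the sample log is a constructed excerpt using the addresses from Leo's post.

```python
import re
from collections import Counter
# Constructed excerpt in the SmoothWall IDS layout quoted in the thread.
SAMPLE_LOG = """\
Date: 06/04 04:15:18
Name: SCAN SOCKS Proxy attempt
IP Info: 193.38.113.34:57557 -> 80.195.90.91:1080
Refs: http://help.undernet.org/proxyscan/,

Date: 06/04 05:17:21
Name: MS-SQL Worm propagation attempt
IP Info: 66.111.62.220:3702 -> 80.195.90.91:1434
Refs: http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>

Date: 06/04 11:42:05
Name: SCAN SOCKS Proxy attempt
IP Info: 193.38.113.34:41628 -> 80.195.90.91:1080
Refs: http://help.undernet.org/proxyscan/,
"""

# Allow-list of the ISP's own abuse scanner, as Wayne identifies it (constructed).
KNOWN_SCANNERS = frozenset({"193.38.113.34"})

def parse_alerts(text):
    """Split on blank lines; keep 'Key: value' fields, skip Refs continuation lines."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key in ("Date", "Name", "IP Info"):
                rec[key] = value.strip()
        m = re.match(r"(\S+):(\d+)\s*->\s*(\S+):(\d+)", rec.get("IP Info", ""))
        if m:  # skip malformed records rather than guess at them
            rec.update(src=m[1], dst=m[3], dport=int(m[4]))
            alerts.append(rec)
    return alerts

def classify(alert):
    """Triage label: known ISP scanner, automated worm noise, or worth a look."""
    if alert["src"] in KNOWN_SCANNERS:
        return "isp-scanner"
    if alert["dport"] == 1434 and "Worm" in alert["Name"]:
        return "worm-noise"
    return "review"

def summarize(text):
    alerts = parse_alerts(text)
    return Counter(a["src"] for a in alerts), Counter(classify(a) for a in alerts)
```

Feeding a real SmoothWall export in place of SAMPLE_LOG gives the repeat-source and label counts that make the "ignore these" calls in the thread easy to check.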