[Intrusions] Interesting development using tcpdump in conjunction with SQUID filtering and this hostname - bubba.scps.k12.fl.us

David McCall david at atgi.net
Fri Jan 28 15:16:25 GMT 2005


Thanks for the advice,

after watching them for a 2nd day, and seeing them disappear from the
net for about 38 min. (seeing my hit rate go way down), and reappear
with full force, I did consider contacting them.  But finally they have
vanished from the logs entirely.  Good sign.


Oh, and yes, the attacks still continue.

I'm surprised we haven't seen anything from the reverse engineering/virus
killing/Symantec-McAfee-ISS-and-community friends about this thing.  I've
still got to call it a thing 'cause it's not threatening enough for the
global internet community to even bother a look or a comment (watch, just
after I make the icky remark - someone will hunt me down and tie my shoes
together).

today's snippet:

1106925023.432     23 68.217.248.169 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925038.826     58 65.149.15.193 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925043.249      0 136.142.163.163 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925074.765      0 68.255.162.186 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925094.499      3 85.65.90.221 TCP_DENIED/403 432 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925096.949      4 138.89.60.182 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925112.126     12 65.11.90.193 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925153.346      5 64.222.111.71 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925170.129     20 68.211.91.158 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925171.576      0 208.251.77.28 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925191.636     65 172.160.226.197 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html

By the way, for some reason our network engineer decided to zero out the untrusted file on Monday, which
had reached about 56,000+ blocked IP numbers. So here's the count today:

wc -l /etc/untrusted
   33563 /etc/untrusted
root:/var/squid/logs:5# 

And I also want to mention that Verio & Global Crossing have been exemplary in taking care of their specific
IP blocks of possibly infected machines....this was nice to see from an admin's point of view.

David C. McCall
UNIX Administrator
===================
EschelonTelecom
admin at atgi.net
david at atgi.net 


David McCall wrote Tuesday, January 25, 2005 11:47 AM

> The IP for bubba doesn't appear in the untrusted list and after each new 
> IP that appears in the SQUID list something gets sent to bubba,........

Have you looked through the SQUID logs for the seemingly legitimate queries
that bubba is making, corresponding with the new DoS bots and the tcpdump
records? Is it just asking for the same page over and over? Is it trying to
do something naughty that did not trigger any previous alarms?

Florida k12 schools do have overworked security people who go around taking
care of problems, and have some experience with botnets etc. A phone call to
them might get your problem to the top of their list if there is a strong
correlation with the drones or if the k12 host is trying something obviously
wrong. 

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
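The thread above turns on three questions that can be answered directly from Squid's native access.log: how many distinct clients are being denied on the same URL (the "hit rate" David watches), which of those clients are not yet in the /etc/untrusted block list, and what the suspect host requests in the seconds after each new client first shows up (the correlation the reply asks about). The script below is an added example and not code from the thread or from any tool the participants used. The log lines, the block list and the suspect address 192.0.2.10 (a stand-in for the bubba host) are constructed for illustration; the line format follows the snippet posted above.

```python
"""Triage of Squid native access.log lines: which denied URL is hit by how
many distinct clients, which of those clients are not yet in an
/etc/untrusted-style block list, and what a suspect host requested shortly
after each new client first appeared.

Added example, not code from the thread. SAMPLE_LOG, UNTRUSTED and SUSPECT
are constructed stand-ins (RFC 5737 documentation addresses).
"""
import re
from collections import OrderedDict, defaultdict

# Squid native format, one request per line:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)\s*$"
)

# Constructed sample log modeled on the snippet in the thread. The last line is
# deliberately malformed to show that unparseable input is skipped, not fatal.
SAMPLE_LOG = """\
1106925023.432     23 198.51.100.7 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925030.100     12 192.0.2.10 TCP_MISS/200 1534 GET http://example.com/index.html - DIRECT/203.0.113.1 text/html
1106925038.826     58 198.51.100.22 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925041.000      5 192.0.2.10 TCP_MISS/200 1534 GET http://example.com/index.html - DIRECT/203.0.113.1 text/html
1106925043.249      0 198.51.100.7 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925074.765      0 198.51.100.91 TCP_DENIED/403 427 GET http://mpecllc.com/robots.txt - NONE/- text/html
1106925080.500      3 192.0.2.10 TCP_MISS/200 1534 GET http://example.com/index.html - DIRECT/203.0.113.1 text/html
1106925094.499      3 203.0.113.5 TCP_MISS/200 2201 GET http://example.org/ - DIRECT/203.0.113.1 text/html
this line is garbage and must be skipped
"""

UNTRUSTED = {"198.51.100.7"}  # constructed stand-in for the contents of /etc/untrusted
SUSPECT = "192.0.2.10"        # assumed address of the host under suspicion (bubba)


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line, silently dropping lines that are not in Squid native format."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def denied_fanout(records, status=403):
    """URL -> number of distinct clients denied with `status` (the 'hit rate' view)."""
    clients = defaultdict(set)
    for r in records:
        if r["status"] == status:
            clients[r["url"]].add(r["client"])
    return {url: len(c) for url, c in clients.items()}


def first_seen(records, url_suffix="/robots.txt", status=403):
    """Client -> timestamp of its first denied request for `url_suffix`, in arrival order."""
    first = OrderedDict()
    for r in records:
        if r["status"] == status and r["url"].endswith(url_suffix):
            first.setdefault(r["client"], r["ts"])
    return first


def not_yet_blocked(clients, untrusted):
    """Probe clients that are absent from the block list, i.e. candidates to add."""
    return [c for c in clients if c not in untrusted]


def followups(records, first, suspect, window=60.0):
    """Client -> URLs `suspect` requested within `window` seconds after that client first appeared."""
    return {
        client: [r["url"] for r in records
                 if r["client"] == suspect and t0 < r["ts"] <= t0 + window]
        for client, t0 in first.items()
    }


def triage(text=SAMPLE_LOG, untrusted=UNTRUSTED, suspect=SUSPECT, window=60.0):
    """Run all three checks over one log and return the results as a dict."""
    records = parse_log(text)
    first = first_seen(records)
    return {
        "parsed": len(records),
        "fanout": denied_fanout(records),
        "new_clients": not_yet_blocked(first, untrusted),
        "followups": followups(records, first, suspect, window),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run against a real file with `triage(open("/var/squid/logs/access.log").read(), untrusted=set(open("/etc/untrusted").read().split()), suspect=...)`. The correlation window is the part to tune: a suspect that requests the same page at a steady rate will show up in every window regardless, so compare the per-client followup counts against the suspect's baseline request rate before reading anything into them.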