[Dshield] continuing attacks (Angela)

Kelly Martin kellym at fb00.fb.org
Mon Mar 11 17:08:11 GMT 2002


The port 6970 connections represent RTP/RTSP streaming media connections and
are probably the result of users on your network attempting to view streamed
media content.  See, e.g.
http://www.akamai.com/en/html/misc/support_faq.html. These are not attacks.

Connections to TCP port 113 are not attacks; this is the ident service.  By
blocking this port, you may interfere with your ability to send email.  If
you do block it, you should configure your firewall to send back a TCP reset
or mail delivery will be slowed or prevented entirely.  Does the .69 machine
send mail to the Internet?

About the only bona fide attacks in this log fragment are the FTP scan from
ns1.upc.nl (212.83.94.147), the stuff from 10.1.1.68, which is either
spoofed or the result of network misconfiguration at your site (10.1.1.68 is
nonroutable, so those packets didn't get to your network in the normal
manner), and the HTTP scan from 110.200.64.100 (probably Nimda or Code Red).
None of these, except perhaps the stuff from 10.1.1.68, is a serious
concern.

Regards,

Kelly Martin
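The triage rules in the reply above (UDP 6970 is streaming-media return traffic, TCP 113 is ident, an RFC 1918 source on the outside interface is spoofed or misconfigured, one source hitting many hosts on port 21 is a scan) can be applied mechanically to the Firebox "firewalld" log format quoted further down. The following is an added example, not code from the original post or from WatchGuard: a small parser for that line layout plus a classifier that applies those rules. The sample lines are constructed from the format in the thread (the poster's masked octet is kept as "xxx", so destinations are treated as opaque strings); the threshold `SCAN_MIN_TARGETS` and the verdict codes are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the "firewalld" layout quoted in this thread:
# date time firewalld[pid]: action dir iface len proto ttl? ttl? src dst sport dport [flags] (rule)
SAMPLE_LOG = """\
03/11/02 07:57  firewalld[105]:  deny in eth0 647 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
03/11/02 08:24  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
03/11/02 09:14  firewalld[105]:  deny in eth0 60 tcp 20 52 64.112.189.41 66.147.xxx.69 1848 113 syn (default)
03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+firewalld\[\d+\]:\s+(?P<action>\w+) (?P<dir>\w+) "
    r"(?P<iface>\S+) (?P<length>\d+) (?P<proto>tcp|udp) \d+ \d+ "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
    r"(?P<flags>(?: (?:syn|ack|fin|rst|psh|urg))*) \((?P<rule>[^)]*)\)$"
)

# Assumption of this example: three distinct targets on one port from one source counts as a scan.
SCAN_MIN_TARGETS = 3


@dataclass
class Event:
    time: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: tuple
    rule: str


def parse_line(line):
    """Return an Event for one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        time=f"{m['date']} {m['time']}",
        iface=m["iface"], proto=m["proto"], src=m["src"], dst=m["dst"],
        sport=int(m["sport"]), dport=int(m["dport"]),
        flags=tuple(m["flags"].split()), rule=m["rule"],
    )


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def is_private_source(addr):
    """True for RFC 1918 / non-routable sources; a masked or malformed address is not private."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def find_scans(events):
    """Map (src, dport) -> number of distinct destinations probed with a bare SYN."""
    targets = defaultdict(set)
    for e in events:
        if e.proto == "tcp" and e.flags == ("syn",):
            targets[(e.src, e.dport)].add(e.dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= SCAN_MIN_TARGETS}


def triage(events):
    """Apply the reply's rules in priority order; returns (event, code, reason) per event."""
    scans = find_scans(events)
    out = []
    for e in events:
        if is_private_source(e.src):
            code, why = "spoofed-private-source", "non-routable source on the outside interface: spoofed or local misconfiguration; investigate"
        elif e.proto == "udp" and e.dport == 6970:
            code, why = "benign-streaming", "RTP/RTSP streaming media return traffic for a user on the inside; not an attack"
        elif e.proto == "tcp" and e.dport == 113:
            code, why = "benign-ident", "ident lookup, usually from a mail server; answer with a TCP reset rather than dropping, or mail delivery slows"
        elif (e.src, e.dport) in scans:
            code, why = "scan", f"port {e.dport} SYN scan across {scans[(e.src, e.dport)]} hosts"
        elif e.proto == "tcp" and e.dport == 80 and "syn" in e.flags:
            code, why = "http-probe", "inbound HTTP SYN; in this era most often a Nimda/Code Red worm probe"
        else:
            code, why = "unclassified", "no rule matched; review manually"
        out.append((e, code, why))
    return out


def summarize(triaged):
    return Counter(code for _, code, _ in triaged)


if __name__ == "__main__":
    rows = triage(parse_log(SAMPLE_LOG))
    for e, code, why in rows:
        print(f"{e.time} {e.proto}/{e.dport:<5} {e.src:>15} -> {e.dst}  [{code}] {why}")
    print(dict(summarize(rows)))
```

The private-source check runs first because a spoofed packet can carry any port; the scan check needs the whole window, so it is computed once up front rather than per line. Raising `SCAN_MIN_TARGETS` trades missed small sweeps for fewer false positives on a site with many public addresses.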

> -----Original Message-----
> From:	Davicrockit at netscape.net [SMTP:Davicrockit at netscape.net]
> Sent:	Monday, March 11, 2002 10:35 AM
> To:	list at dshield.org
> Cc:	securityoperations at level3.com; seasysadm_unix at interland.com;
> datasupport at newsouth.net
> Subject:	[Dshield] continuing attacks  (Angela)
> 
> Folks,
> Last week and this morning our network has been under a constant but still
> denied attack. Below are some of the ports and the ip #s from which they
> are coming. My firebox is holding for now...we have at least four
> different attackers or they are bouncing around everywhere to strike at
> us. Any info about this would be greatly appreciated. Sorry I have to use
> my own web email to send this but our email is down and I think it is due
> to the hacks. The only ports open are 25 & 80. I hope, as well as my
> partner Brad Shifflet, that we can keep our service up and going.  My
> email address here at work is dstigers at kaco.org but it is not working now.
> Here are the logs...
>  
> 03/11/02 07:57  firewalld[105]:  deny in eth0 647 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> 
> 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> 03/11/02 08:07  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> 
> 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> 03/11/02 08:23  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> 
> 03/11/02 08:24  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> 03/11/02 08:26  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> 03/11/02 08:26  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> 
> 03/11/02 09:14  firewalld[105]:  deny in eth0 60 tcp 20 52 64.112.189.41 66.147.xxx.69 1848 113 syn (default)
> 
> 03/11/02 09:27  firewalld[105]:  deny in eth0 44 tcp 20 52 66.111.75.234 66.147.xxx.69 3688 113 syn (default)
> 03/11/02 09:27  firewalld[105]:  deny in eth0 44 tcp 20 52 66.111.75.234 66.147.xxx.69 3688 113 syn (default)
> 
> 03/11/02 10:09  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> 03/11/02 10:09  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> 
> 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 105 212.83.94.147 66.147.xxx.69 4248 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0:2 48 tcp 20 105 212.83.94.147 66.147.xxx.71 4250 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 105 212.83.94.147 66.147.xxx.69 4248 21 syn (FTP)
> 03/11/02 10:13  firewalld[105]:  deny in eth0:2 48 tcp 20 105 212.83.94.147 66.147.xxx.71 4250 21 syn (FTP)
> 
> 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> -- 
> ---------------------------
> Davicrockit 
> David E. Stigers 
> 8946 Owenton Road
> Frankfort, KY 40601
> 502.223.8271
> ---------------------------
> 
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
