[Dshield] continueing attacks (Angela)

Malcolm Joosse malcolm at hotlinesupport.com
Mon Mar 11 21:36:33 GMT 2002


If you are using a Watchguard Firebox you should remove the Outgoing
UDP/TCP service and manually add the services they need, like Proxy-HTTP
and FTP, but do not put in any Realmedia or video services.
Also expect background noise from peer-to-peer, Nimda/CodeRed and badly
configured networks.
You will know when someone is interested in your network.  Do not panic
and let the firewall do its job.
Regards

Malcolm Joosse
Hotline Support P/L
www.hotlinesupport.com



-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Angel G. Polanco Rodriguez
Sent: Tuesday, March 12, 2002 6:12 AM
To: 'list at dshield.org'
Cc: 'Davicrockit at netscape.net'
Subject: RE: [Dshield] continueing attacks (Angela)



Hi,

How can I filter RTSP traffic (multimedia traffic such as mp3 files or
Napster)? This is a problem if the network has little bandwidth.

Thanks in advance.


                   ************************************
                   |   ANGEL G. POLANCO RODRIGUEZ     |
                   | UNIVERSIDAD AUTONOMA DE YUCATAN  |
                   | DIRECCION      GENERAL        DE |
                   |      DESARROLLO ACADEMICO        |
                   | DEPARTAMENTO  DE  TELEINFORMATICA|
                   | CALLE 59 POR  AV.  ITZAEZ  # 490 |
                   | MERIDA,      YUCATAN,     MEXICO |
                   |      CODIGO POSTAL :  97 000     |
                   |     TELEFONO:52 (99)  23 74 28   |
                   |    E-mail: angel at tunku.uady.mx   |
                   |        http://www.uady.mx        |
                   ************************************






On Mon, 11 Mar 2002, Kelly Martin wrote:

> The port 6970 connections represent RTP/RTSP streaming media connections and
> are probably the result of users on your network attempting to view streamed
> media content.  See, e.g.
> http://www.akamai.com/en/html/misc/support_faq.html. These are not attacks.
>
> Connections to TCP port 113 are not attacks; this is the ident service.  By
> blocking this port, you may interfere with your ability to send email.  If
> you do block it, you should configure your firewall to send back a TCP reset
> or mail delivery will be slowed or prevented entirely.  Does the .69 machine
> send mail to the Internet?
>
> About the only bona fide attacks in this log fragment are the FTP scan from
> ns1.upc.nl (212.83.94.147), the stuff from 10.1.1.68, which is either
> spoofed or the result of network misconfiguration at your site (10.1.1.68 is
> nonroutable, so those packets didn't get to your network in the normal
> manner), and the HTTP scan from 110.200.64.100 (probably Nimda or Code Red).
> None of these, except perhaps the stuff from 10.1.1.68, is a serious
> concern.
>
> Regards,
>
> Kelly Martin
>
> > -----Original Message-----
> > From:	Davicrockit at netscape.net [SMTP:Davicrockit at netscape.net]
> > Sent:	Monday, March 11, 2002 10:35 AM
> > To:	list at dshield.org
> > Cc:	securityoperations at level3.com; seasysadm_unix at interland.com;
> > datasupport at newsouth.net
> > Subject:	[Dshield] continueing attacks  (Angela)
> >
> > Folks,
> > Last week and this morning our network has been under a constant but still
> > denied attack. Below are some of the ports and the IP #s where they
> > are coming from. My firebox is holding for now...we have at least four
> > different attackers or they are bouncing around everywhere to strike at
> > us. Any info about this would be greatly appreciated. Sorry I have to use
> > my own web email to send this but our email is down and I think it is due
> > to the hacks. The only ports open are 25 & 80. I hope, as well as my
> > partner Brad Shifflet, that we can keep our service up and going.  My
> > email address here at work is dstigers at kaco.org but it is not
> > working now.
> > Here are the logs...
> >
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 647 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> > 03/11/02 07:57  firewalld[105]:  deny in eth0 638 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
> >
> >
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> >
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> >
> > 03/11/02 08:07  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.65 66.147.xxx.69 8056 6970 (default)
> >
> >
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> > 03/11/02 08:23  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.17 66.147.xxx.69 30204 6970 (default)
> >
> >
> > 03/11/02 08:24  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> > 03/11/02 08:26  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> > 03/11/02 08:26  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
> >
> >
> > 03/11/02 09:14  firewalld[105]:  deny in eth0 60 tcp 20 52 64.112.189.41 66.147.xxx.69 1848 113 syn (default)
> >
> > 03/11/02 09:27  firewalld[105]:  deny in eth0 44 tcp 20 52 66.111.75.234 66.147.xxx.69 3688 113 syn (default)
> > 03/11/02 09:27  firewalld[105]:  deny in eth0 44 tcp 20 52 66.111.75.234 66.147.xxx.69 3688 113 syn (default)
> >
> >
> >
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 638 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> > 03/11/02 10:09  firewalld[105]:  deny in eth0 647 udp 20 52 205.188.228.33 66.147.xxx.69 11282 6970 (default)
> >
> >
> >
> > 03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 105 212.83.94.147 66.147.xxx.69 4248 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:2 48 tcp 20 105 212.83.94.147 66.147.xxx.71 4250 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.79 4258 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 105 212.83.94.147 66.147.xxx.69 4248 21 syn (FTP)
> > 03/11/02 10:13  firewalld[105]:  deny in eth0:2 48 tcp 20 105 212.83.94.147 66.147.xxx.71 4250 21 syn (FTP)
> >
> > 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> > 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> > 03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
> > --
> > ---------------------------
> > Davicrockit
> > David E. Stigers
> > 8946 Owenton Road
> > Frankfort, KY 40601
> > 502.223.8271
> > ---------------------------
> >
> >
> >
> > __________________________________________________________________
> > Your favorite stores, helpful shopping tools and great gift ideas.
> > Experience the convenience of buying online with Shop at Netscape!
> > http://shopnow.netscape.com/
> >
> > Get your own FREE, personal Netscape Mail account today at
> > http://webmail.netscape.com/
> >

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
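The triage Kelly Martin walks through in the quoted reply (UDP to port 6970 as streaming-media return traffic, TCP 113 as ident, a 10.x source on the outside interface as spoofed or misconfigured, one source hitting port 21 on several hosts as a scan) can be written down as a small script so the same judgement is applied to the next log dump automatically. What follows is an added example written for this page; it is not code from the list, from WatchGuard or from any of the posters. The log lines embedded in it are constructed to match the shape of the ones quoted above (destinations anonymised with xxx, as in the post), the field layout it assumes (IP header length and then TTL after the protocol, tcp flag words before the parenthesised rule name) is my reading of those lines rather than a documented format, and the names parse_line, classify, triage and SCAN_HOSTS are mine.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the firewalld deny lines quoted in the
# thread (destination hosts anonymised with 'xxx', as in the original post).
SAMPLE_LOG = """\
03/11/02 07:57  firewalld[105]:  deny in eth0 647 udp 20 50 205.188.228.33 66.147.xxx.69 8230 6970 (default)
03/11/02 07:58  firewalld[105]:  deny in eth0 503 udp 20 51 209.246.122.135 66.147.xxx.69 11918 6970 (default)
03/11/02 08:24  firewalld[105]:  deny in eth0 48 tcp 20 50 10.1.1.68 66.147.xxx.69 80 9897 syn ack (blocked site)
03/11/02 09:14  firewalld[105]:  deny in eth0 60 tcp 20 52 64.112.189.41 66.147.xxx.69 1848 113 syn (default)
03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 107 212.83.94.147 66.147.xxx.64 4243 21 syn (FTP)
03/11/02 10:13  firewalld[105]:  deny in eth0:0 48 tcp 20 105 212.83.94.147 66.147.xxx.67 4246 21 syn (FTP)
03/11/02 10:13  firewalld[105]:  deny in eth0:1 48 tcp 20 105 212.83.94.147 66.147.xxx.68 4247 21 syn (FTP)
03/11/02 10:13  firewalld[105]:  deny in eth0 48 tcp 20 105 212.83.94.147 66.147.xxx.69 4248 21 syn (FTP)
03/11/02 10:40  firewalld[105]:  deny in eth0 48 tcp 20 110 200.64.100.213 66.147.xxx.79 3938 80 syn (Filtered-HTTP)
"""

# Field layout assumed from the quoted lines (my reading, not WatchGuard's
# documentation): after the protocol come the IP header length and the TTL,
# then src, dst, sport, dport, optional tcp flag words, and the rule name.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+firewalld\[\d+\]:\s+(?P<action>\w+) (?P<dir>in|out) "
    r"(?P<iface>\S+) (?P<length>\d+) (?P<proto>tcp|udp) (?P<hlen>\d+) (?P<ttl>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
    r"(?P<flags>(?: (?:syn|ack|fin|rst|psh|urg))*) \((?P<rule>[^)]*)\)$"
)

SCAN_HOSTS = 3  # one source, one destination port, at least this many targets


def parse_line(line):
    """Parse one deny line into a dict; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("length", "hlen", "ttl", "sport", "dport"):
        ev[key] = int(ev[key])
    ev["flags"] = ev["flags"].split()
    return ev


def classify(ev):
    """Per-line verdict following the reasoning in Kelly Martin's reply."""
    # Only the source is parsed as an address: the destinations are anonymised.
    src = ipaddress.ip_address(ev["src"])
    if src.is_private:
        # RFC 1918 source on the external interface: spoofed, or a neighbouring
        # network leaking private addresses.  A SYN/ACK from port 80 is a reply
        # to a connection nobody here opened, which points the same way.
        return "spoofed-or-misconfig"
    if ev["proto"] == "udp" and ev["dport"] == 6970:
        return "streaming-media"  # RTP return traffic for a media player inside
    if ev["proto"] == "tcp" and ev["dport"] == 113:
        return "ident-probe"  # a remote server asking who opened a connection to it
    if ev["proto"] == "tcp" and ev["dport"] == 80 and ev["flags"] == ["syn"]:
        return "http-probe"  # unsolicited connection attempt to a web port
    return "unclassified"


def triage(log_text):
    """Classify every line, then promote one-source/one-port/many-hosts
    patterns to horizontal scans (the FTP sweep in the post)."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    verdicts = [classify(ev) for ev in events]
    targets = defaultdict(set)
    for ev in events:
        targets[(ev["src"], ev["proto"], ev["dport"])].add(ev["dst"])
    scanners = [(src, proto, dport, len(hosts))
                for (src, proto, dport), hosts in targets.items()
                if len(hosts) >= SCAN_HOSTS]
    scan_keys = {(src, proto, dport) for src, proto, dport, _ in scanners}
    for i, ev in enumerate(events):
        if (ev["src"], ev["proto"], ev["dport"]) in scan_keys:
            verdicts[i] = "horizontal-scan"
    return {"counts": Counter(verdicts), "scanners": scanners}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for verdict, n in sorted(result["counts"].items()):
        print(f"{n:3d}  {verdict}")
    for src, proto, dport, n in result["scanners"]:
        print(f"scan: {src} -> {proto}/{dport} on {n} hosts")
```

On the constructed sample, triage() reports two streaming-media lines, one ident probe, one spoofed-or-misconfigured source, one HTTP probe and four lines belonging to a single horizontal scan (212.83.94.147 against tcp/21 on four hosts). The scan rule deliberately keys on distinct destination hosts rather than on line count, so the five identical retransmissions of one RealPlayer stream in the post never look like a scan. The script only sorts the noise from the signal; what to do about each class, such as answering blocked ident probes with a TCP reset so outbound mail is not delayed, remains a firewall-configuration decision.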