[Dshield] 90.* etc and hacked
pobox2 at pinn.net
Sun Mar 17 19:46:59 GMT 2002
I've got LaBrea on a standalone machine. How would that pass through as
a request is what I'm wondering? Unless it's coming from my machine,
meaning something in here made the request. My website was hacked last
week; it's on a 3rd-party webhost who denies the problem... password
files etc. were deleted, they set the disk quota to 3 megs so that the
site was not functional... who knows what else. I have to reload it from
backup, no big deal, but still obviously someone is accessing root on
their servers. Biz is totally dead for months. We used to have a business,
now we have an expense. I have no idea why whoever it is who has done
this chooses us; we can barely afford lunch, we are such a teeny tiny
little biz, I was just starting out even. We did real well for 4-5
months, then wham. One thing after another. How do you catch these guys?
They never quit; this goes on every single day. Is it possible for
someone to sniff my router address? How do they do that? Maybe if I
sniff my own router instead of just my eth card I could see their MAC
source no. and wipe them out? Ideas? Any ideas on firing back at the
machines that hit the firewall? Ideas?
Remember the guy last week who said they were being attacked? Well, we
were too. Then our site got hacked on a totally separate server 100
miles away. Anyway, LaBrea isn't doing much here, kind of quiet on the
inside even when the modem connection is being pounded. Where can I
place LaBrea so it functions better? I suppose it would be best right on
the firewall itself, but then again if the firewall works real good the
modem still gets pounded while it's quiet on the inside. I'm trying to
stop the light from blinking 2 times a second...
>>> /labrea: ARP request - IP address not in netblock 18.104.22.168
I would guess it is a host on your net that is somehow configured with a
90. IP address...
jullrich at sans.org
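An added illustration of the diagnosis in the quoted reply, not part of the thread: LaBrea only sees ARP traffic on its own segment, so an ARP request for an address outside the watched netblock must come from a neighbouring host, typically one configured with the wrong IP or netmask. The log lines below are constructed to match the shape of the single line quoted above (the format is an assumption), and the sample addresses are made up.

```python
import ipaddress
import re

# Constructed sample lines modelled on the quoted LaBrea message; the
# exact format and these addresses are assumptions, not real log data.
SAMPLE_LOG = """\
/labrea: ARP request - IP address not in netblock 18.104.22.168
/labrea: ARP request - IP address not in netblock 192.0.2.77
/labrea: ARP request - IP address not in netblock 18.104.22.170
"""

ARP_RE = re.compile(
    r"ARP request - IP address not in netblock (\d+\.\d+\.\d+\.\d+)"
)


def arp_targets_outside(netblock, log_text):
    """Return the ARP target addresses in the log that really do fall
    outside the netblock LaBrea was told to watch, in log order."""
    net = ipaddress.ip_network(netblock, strict=False)
    outside = []
    for line in log_text.splitlines():
        m = ARP_RE.search(line)
        if m is None:
            continue
        ip = ipaddress.ip_address(m.group(1))
        if ip not in net:
            outside.append(str(ip))
    return outside


def would_arp_directly(host_ip, host_mask, target_ip):
    """True if a host configured with host_ip/host_mask believes target_ip
    is on its own link and therefore ARPs for it instead of sending the
    packet to its gateway. A box that thinks it lives in 18.0.0.0/8 will
    ARP for every 18.x.x.x address, which is exactly what the tarpit on
    the same segment then logs."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return ipaddress.ip_address(target_ip) in iface.network
```

Run `arp_targets_outside("192.0.2.0/24", SAMPLE_LOG)` against your own LaBrea log and then look for the LAN host whose address/mask makes `would_arp_directly` true for those targets.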