[Dshield] 90.* etc and hacked

Susan pobox2 at pinn.net
Sun Mar 17 19:46:59 GMT 2002

I've got Labrea on a standalone machine. How would that pass through as 
a request is what I'm wondering? Unless it's coming from my machine, 
meaning something in here made the request. My website was hacked last 
week; it's on a 3rd party webhost who denies the problem... password 
files etc. were deleted, they set the disk quota to 3 megs so that the 
site was not functional.. who knows what else. I have to reload it from 
backup, no big deal, but still obviously someone is accessing root on 
their servers. Biz is totally dead for months. We used to have a business, 
now we have an expense. I have no idea why whoever it is who has done 
this chooses us, we can barely afford lunch, we are such a teeny tiny 
little biz, I was just starting out even. We did real well for 4-5 
months then wham. One thing after another. How do you catch these guys? 
They never quit, this goes on every single day. Is it possible for 
someone to sniff my router address? How do they do that? Maybe if I 
sniff my own router instead of just my eth card I could see their MAC 
source, no, and wipe them out? Ideas? Any ideas on firing back at the 
machines that hit the firewall, ideas?

Remember the guy last week who said they were being attacked? Well, we 
were too. Then our site got hacked on a totally separate server 100 
miles away. Anyway, Labrea isn't doing much here, kind of quiet on the 
inside even when the modem connection is being pounded. Where can I 
place Labrea so it functions better? I suppose it would be best right on 
the firewall itself, but then again if the firewall works real good the 
modem still gets pounded while it's quiet on the inside. I'm trying to 
stop the light from blinking 2 times a second...

 >>> /labrea: ARP request - IP address not in netblock

I would guess it is a host on your net that is somehow configured with a
90. IP address...

- --
- -------
jullrich at sans.org
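The "ARP request - IP address not in netblock" message and the suggestion that a local host is misconfigured with a 90.* address both come down to the same check: look at ARP requests seen on the inside interface and report any whose sender or target IP falls outside the LAN's netblock, together with the source MAC so the offending host can be found. The following is an added example (not LaBrea's code and not part of the original thread) that performs that check over a few constructed tcpdump `-e` style lines; the netblock `192.168.1.0/24` and the MAC addresses are placeholders.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample lines in the shape of `tcpdump -e -n arp` output (not a real capture).
SAMPLE_LINES = [
    "10:00:01.000001 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
    "10:00:02.000002 00:0c:29:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 90.12.34.56 tell 192.168.1.11, length 28",
    "10:00:03.000003 00:0c:29:aa:bb:03 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 90.0.0.5, length 28",
    "10:00:04.000004 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.20 tell 192.168.1.10, length 28",
    "10:00:05.000005 IP 192.168.1.10.50000 > 192.168.1.1.53: 1234+ A? example.invalid. (33)",  # non-ARP line, ignored
]

# Matches one ARP "who-has" request line; captures the frame's source MAC and both IPs.
ARP_REQUEST_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2}, "
    r"ethertype ARP \(0x0806\), length \d+: Request who-has (?P<target>\S+) tell (?P<sender>\S+), length \d+$"
)


def flag_out_of_netblock(lines: List[str], netblock: str) -> List[Dict[str, str]]:
    """Return one finding per ARP request whose sender or target IP is outside `netblock`.

    A sender outside the netblock is the stronger signal: that host is itself
    configured with a foreign address. A foreign target only means some host is
    trying to ARP for an address it should be routing instead.
    """
    net = ipaddress.ip_network(netblock, strict=True)
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = ARP_REQUEST_RE.match(line)
        if not m:
            continue  # not an ARP request; nothing to check
        sender = ipaddress.ip_address(m.group("sender"))
        target = ipaddress.ip_address(m.group("target"))
        if sender not in net:
            findings.append({"mac": m.group("src_mac"), "reason": "sender IP not in netblock", "ip": str(sender)})
        elif target not in net:
            findings.append({"mac": m.group("src_mac"), "reason": "target IP not in netblock", "ip": str(target)})
    return findings


def suspects_by_mac(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per source MAC so the noisiest (likely misconfigured) host stands out."""
    return dict(Counter(f["mac"] for f in findings))


if __name__ == "__main__":
    hits = flag_out_of_netblock(SAMPLE_LINES, "192.168.1.0/24")
    for h in hits:
        print(f"{h['mac']}  {h['reason']}: {h['ip']}")
    print("per-MAC totals:", suspects_by_mac(hits))
```

In practice the lines would come from `tcpdump -e -n arp` run on the inside interface, which answers the question of what to sniff: ARP never crosses the router, so a foreign-looking ARP request on the LAN can only have been sent by a machine on that LAN, and the source MAC in the frame identifies it.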
