[Dshield] What should I do next

John Sage jsage at finchhaven.com
Fri May 10 14:25:03 GMT 2002


On Thu, May 09, 2002 at 09:50:43PM -0700, Jim Gifford wrote:
> I have question to pose. Over the last few weeks, I have had somebody
> attempting to hack into my system. I got a little ticked off and wrote my
> own iptables firewall. I added the string blocking capability. I have it log
> information, about these attacks. I have contacted the owner of the IP
> block to no avail, what should I do next? Here is a sample of what I am
> seeing.

The destination port is 80/http.

Looks like you're seeing some variant of the Code Red/Nimda background
noise that anyone/everyone with a firewall has been seeing,
constantly, since last summer.

I regularly see 80-160 probes *daily* to port 80, and easily 200
probes total, on my dialup at home.

I wouldn't worry about it.

You mention iptables; you're running Linux; you're immune.

Ignore it. It's *not* going away.

This sort of thing goes on constantly.

If you feel you have to "do" something, join Dshield, and join the
Fight Back program there...


- John
-- 
Most people don't type their own logfiles;  but, what do I care?

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 


> 
> May 9 10:12:03 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC=
> SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=111
> ID=2054 DF PROTO=TCP SPT=3591 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
> May 9 10:33:01 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC=
> SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxxLEN=112 TOS=0x00 PREC=0x00 TTL=111
> ID=49275 DF PROTO=TCP SPT=3629 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
> May 9 10:33:19 server IPT: Hacker_cmd.exe: IN=eth0 OUT= MAC=
> SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=137 TOS=0x00 PREC=0x00 TTL=111
> ID=52349 DF PROTO=TCP SPT=3976 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
> May 9 11:55:46 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC=
> SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=111
> ID=11323 DF PROTO=TCP SPT=3317 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
> 
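As an added example (not code from either poster), a small Python parser for the iptables string-match log format quoted above. It counts matched probes per day, per rule tag and per source address, so the volume can be compared with the daily figures John mentions and a single persistent source can be told apart from worm background noise. The sample log lines are constructed, with placeholder addresses; the rule tags are the ones from the quoted log.

```python
import re
from collections import Counter

# Constructed sample lines in the same format as the iptables log excerpt
# quoted above (addresses are documentation placeholders, not real hosts).
SAMPLE_LOG = """\
May 9 10:12:03 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=2054 DF PROTO=TCP SPT=3591 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 10:33:19 server IPT: Hacker_cmd.exe: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=137 TOS=0x00 PREC=0x00 TTL=111 ID=52349 DF PROTO=TCP SPT=3976 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 11:55:46 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=11323 DF PROTO=TCP SPT=3317 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 10 09:01:12 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=3 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 10 09:02:00 server kernel: unrelated message
"""

# syslog timestamp, hostname, the "IPT:" log prefix, the rule tag, then the
# KEY=VALUE fields emitted by the iptables LOG target
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>[\d:]{8}) \S+ IPT: (?P<tag>\S+): (?P<fields>.*)$"
)

def parse_line(line):
    """Return a dict for one iptables log line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"date": f"{m['mon']} {m['day']}", "time": m["time"], "tag": m["tag"]}
    for kv in m["fields"].split():
        if "=" in kv:                      # bare flags such as DF, ACK, PSH are skipped
            k, v = kv.split("=", 1)
            rec[k] = v
    return rec

def summarize(log_text):
    """Count port-80 probes per day, per string-match rule tag and per source."""
    per_day, per_tag, per_src = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("DPT") != "80":
            continue
        per_day[rec["date"]] += 1
        per_tag[rec["tag"]] += 1
        per_src[rec.get("SRC")] += 1
    return per_day, per_tag, per_src

if __name__ == "__main__":
    for name, counts in zip(("per day", "per tag", "per source"), summarize(SAMPLE_LOG)):
        print(name, dict(counts))
```

Run it over the real log instead of SAMPLE_LOG (for example `summarize(open("/var/log/messages").read())`) to see how many distinct sources are behind the probes; many sources at a steady daily rate is the worm noise John describes.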