[Dshield] What should I do next

Ram bitbucket at ram.ac
Fri May 10 15:57:14 GMT 2002


When I'm really bored or being hit really bad I use any available
exploit to send messages to the console like "your machine is infected
and attacking me and wasting my expensive resources. Please visit
windows update."... I include links to windowsupdate,
dslreports.com/tools [free instant port scan], and daisy (automatically
scans for and finds missing windows security patches - relies on
trusting some VT.edu students http://vtntug.w2k.vt.edu/daisy.html).

If the problem persists after a few days of notice then it is time to
ratchet my defense up a notch (take down the machine).

The nicest thing to do after repeated failures to stop the assault would
probably be to configure the zombie to install all the latest patches
automatically at boot time, and set it to reboot regularly.

My legal opinion (and I have no legal education at all - so don't listen
to me!) is that so long as you try to be kind and reasonable it is legal
to escalate your defensive moves until you are successful in defending
yourself. I pay good $$ for my internet bandwidth - I am not ok with
careless sysops wasting my money, even if they don't know better.

Good luck.
ram


-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf
Of Jim Gifford
Sent: Thursday, May 09, 2002 21:51
To: list at dshield.org
Subject: [Dshield] What should I do next

I have a question to pose. Over the last few weeks, I have had somebody
attempting to hack into my system. I got a little ticked off and wrote my
own iptables firewall. I added the string blocking capability. I have it log
information about these attacks. I have contacted the owner of the IP
block to no avail; what should I do next? Here is a sample of what I am
seeing.

May 9 10:12:03 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=2054 DF PROTO=TCP SPT=3591 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 10:33:01 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=49275 DF PROTO=TCP SPT=3629 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 10:33:19 server IPT: Hacker_cmd.exe: IN=eth0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=137 TOS=0x00 PREC=0x00 TTL=111 ID=52349 DF PROTO=TCP SPT=3976 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 11:55:46 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=xxx.xxx.xxx.xxx DST=xxx.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=11323 DF PROTO=TCP SPT=3317 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
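The log lines Jim posted are the output of the iptables LOG target, and the "what next" question is usually answered by turning them into an abuse report the netblock owner can act on. The script below is an added example written for this page, not code from either poster: it parses lines in that LOG format, aggregates them per source address (hit count per --log-prefix signature, first and last timestamp, distinct source ports, observed TTLs) and renders a plain-text summary. The sample log is constructed, with RFC 5737 documentation addresses standing in for the xxx'd-out ones. Two practitioner notes that the code reflects but the post does not state: requests for root.exe and cmd.exe against port 80 were the propagation signature of the Code Red II and Nimda worms, so the source is most likely an infected IIS host rather than a person at a keyboard; and a TTL of 111 with WINDOW=17520 is consistent with a Windows sender (initial TTL 128) a handful of hops away, which is the kind of detail worth including in the report.

```python
import re
from collections import defaultdict

# Constructed sample in the iptables LOG format quoted in the post above.
# 192.0.2.0/24 is a documentation range (RFC 5737), not a real source.
SAMPLE_LOG = """\
May 9 10:12:03 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=2054 DF PROTO=TCP SPT=3591 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 10:33:01 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=49275 DF PROTO=TCP SPT=3629 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 10:33:19 server IPT: Hacker_cmd.exe: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 LEN=137 TOS=0x00 PREC=0x00 TTL=111 ID=52349 DF PROTO=TCP SPT=3976 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 11:55:46 server IPT: Hacker_root.exe: IN=eth0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 LEN=112 TOS=0x00 PREC=0x00 TTL=111 ID=11323 DF PROTO=TCP SPT=3317 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
May 9 12:01:07 server IPT: Hacker_cmd.exe: IN=eth0 OUT= MAC= SRC=192.0.2.77 DST=192.0.2.1 LEN=137 TOS=0x00 PREC=0x00 TTL=112 ID=701 DF PROTO=TCP SPT=1044 DPT=80 WINDOW=17520 RES=0x00 ACK PSH URGP=0
"""

# syslog timestamp, host, the --log-prefix text (non-greedy, up to the
# ": " that precedes IN=), then the key=value / bare-flag fields.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prefix>.*?):\s+(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Parse one iptables LOG line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"host": m["host"], "prefix": m["prefix"],
           "ts": f"{m['month']} {m['day']} {m['time']}", "flags": set()}
    for tok in m["fields"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v            # value may be empty, e.g. OUT= or MAC= on INPUT
        else:
            rec["flags"].add(tok)  # bare tokens: DF, SYN, ACK, PSH, ...
    return rec


def initial_ttl_guess(ttl):
    """Smallest common initial TTL (64 Unix-like, 128 Windows, 255) not below the observed one."""
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return None


def summarize(log_text):
    """Aggregate records per SRC. Assumes the log is in chronological order
    (true for a syslog file), so first/last come from line order."""
    per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["SRC"], {
            "first": rec["ts"], "last": rec["ts"], "hits": 0,
            "signatures": defaultdict(int), "sports": set(),
            "dports": set(), "ttls": set()})
        s["hits"] += 1
        s["last"] = rec["ts"]
        # "IPT: Hacker_root.exe" -> "Hacker_root.exe"
        s["signatures"][rec["prefix"].split(": ", 1)[-1]] += 1
        s["sports"].add(int(rec["SPT"]))
        s["dports"].add(int(rec["DPT"]))
        s["ttls"].add(int(rec["TTL"]))
    return per_src


def abuse_report(per_src, src):
    """Plain-text summary for one source, for pasting into a complaint to the
    netblock's abuse contact (the whois record for the address)."""
    s = per_src[src]
    lines = [
        f"Source: {src}",
        f"Window: {s['first']} .. {s['last']} ({s['hits']} logged packets)",
        f"Destination ports: {sorted(s['dports'])}",
        f"Distinct source ports: {len(s['sports'])} (each probe is a new TCP connection)",
        f"Observed TTL(s): {sorted(s['ttls'])}, consistent with initial TTL "
        f"{initial_ttl_guess(max(s['ttls']))}",
        "Matched signatures:",
    ]
    for sig, n in sorted(s["signatures"].items()):
        lines.append(f"  {sig}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in summary:
        print(abuse_report(summary, src), end="\n\n")
```

Run it against the real file with `summarize(open("/var/log/messages").read())`; anything the regex does not recognise is skipped rather than crashing the run, and the per-signature counts make it obvious when one source keeps cycling through the same worm paths for days.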