[Dshield] My server is an attacker

mathieu008 . mathieu0008 at hotmail.com
Thu Oct 24 14:28:53 GMT 2002


Your IP (xxx.xxx.xxx.xxx) appears as an
attacker 7 times in the DShield database.

Date		Source		Source Port	Target Port	Protocol
2002-10-21	xxx.xxx.xxx.xxx	   2382		80		6
2002-10-21	xxx.xxx.xxx.xxx	   2383		80		6
2002-10-21	xxx.xxx.xxx.xxx	   2384		80		6
2002-10-22	xxx.xxx.xxx.xxx	   2106		80		6
2002-10-22	xxx.xxx.xxx.xxx	   2104		80		6
2002-10-22	xxx.xxx.xxx.xxx	   2105		80		6
2002-10-22	xxx.xxx.xxx.xxx	   2101		80		6

This thing really looks like a Trojan or something on my PDC (which is used 
as a proxy for my users too).  Everything on my LAN is behind a PIX 
firewall.

It's very "fun" to know that I'm an attacker without my knowledge, but is 
there a way to contact (IP address) the people who say that I'm an 
attacker? It would be much easier for me to know where to look in my logs.  
I did try to look in my logs for the source ports xxx.xxx.xxx.xxx/2382 
attackedIp/80 but found nothing unusual.  Maybe the date posted is not the 
same as in my log (but I did check the day before and after).  But again, this 
is manual checking through 7 megs of text (do you know of a program that 
analyses PIX syslog log files for attacks, both inbound and outbound in my 
case?).

Any help is appreciated.

Math
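
The manual search described in the message above, as an added example that is not part of the original post: it matches each DShield row against outbound connection records on the translated (public) source port and target port, with a one-day tolerance for clock and time-zone skew, and reports the inside host behind each match. Assumptions: a syslog timestamp prefix followed by the PIX 6.x `302001` "Built outbound TCP connection" layout; the sample log lines, addresses and the name `find_reported` are constructed for illustration.

```python
import re
from datetime import date, datetime

# Assumed layout: syslog timestamp prefix + PIX 6.x message 302001.
# faddr = remote host, gaddr = translated public address, laddr = inside host.
BUILT = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2})\s+[\d:]{8}.*?"
    r"%PIX-6-302001: Built outbound TCP connection \d+ "
    r"for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)

# (date, source port, target port) rows copied from the DShield report above.
REPORTS = [(date(2002, 10, 21), 2382, 80), (date(2002, 10, 21), 2383, 80),
           (date(2002, 10, 22), 2106, 80)]

# Constructed sample log; every address is from a documentation or private range.
SAMPLE_LOG = """\
Oct 17 08:01:10 pix %PIX-6-302001: Built outbound TCP connection 3120 for faddr 198.51.100.7/80 gaddr 192.0.2.10/2382 laddr 10.1.1.8/1044
Oct 21 19:58:02 pix %PIX-6-302001: Built outbound TCP connection 4411 for faddr 198.51.100.7/80 gaddr 192.0.2.10/2382 laddr 10.1.1.5/1077
Oct 21 19:58:03 pix %PIX-6-302001: Built outbound TCP connection 4412 for faddr 198.51.100.7/443 gaddr 192.0.2.10/2383 laddr 10.1.1.5/1078
Oct 23 00:12:44 pix %PIX-6-302001: Built outbound TCP connection 5090 for faddr 198.51.100.9/80 gaddr 192.0.2.10/2106 laddr 10.1.1.5/1102
"""

def find_reported(lines, reports, year, skew_days=1):
    """Return (report_date, public_src_port, inside_host, target) per match."""
    wanted = {}
    for rdate, sport, dport in reports:
        wanted.setdefault((sport, dport), []).append(rdate)
    hits = []
    for line in lines:
        m = BUILT.search(line)
        if not m:
            continue  # not a connection-built record
        # The remote sensor sees the translated port (gaddr), not laddr's port.
        key = (int(m["gport"]), int(m["fport"]))
        logged = datetime.strptime(f"{year} {m['mon']} {m['day']}", "%Y %b %d").date()
        for rdate in wanted.get(key, []):
            # Ports get reused, so a port match only counts near the report date.
            if abs((logged - rdate).days) <= skew_days:
                hits.append((rdate, key[0], m["laddr"], m["faddr"]))
    return hits

if __name__ == "__main__":
    for hit in find_reported(SAMPLE_LOG.splitlines(), REPORTS, 2002):
        print(*hit)
```
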

