[Dshield] My server is an attacker

stephen galowski sgalow at ihug.com.au
Thu Oct 24 22:07:21 GMT 2002


have you left any ports open that should not be open like
telnet
stephen galowski

----- Original Message -----
From: "mathieu008 ." <mathieu0008 at hotmail.com>
To: <list at dshield.org>
Sent: Friday, October 25, 2002 12:28 AM
Subject: [Dshield] My server is an attacker


> Your IP (xxx.xxx.xxx.xxx) appears as an
> attacker 7 times in the DShield database.
>
> Date Source Source Port Target Port Protocol
> 2002-10-21 xxx.xxx.xxx.xxx    2382 80 6
> 2002-10-21 xxx.xxx.xxx.xxx    2383 80 6
> 2002-10-21 xxx.xxx.xxx.xxx    2384 80 6
> 2002-10-22 xxx.xxx.xxx.xxx    2106 80 6
> 2002-10-22 xxx.xxx.xxx.xxx    2104 80 6
> 2002-10-22 xxx.xxx.xxx.xxx    2105 80 6
> 2002-10-22 xxx.xxx.xxx.xxx    2101 80 6
>
> This thing really looks like a Trojan or something on my PDC (which is
used
> as a proxy for my users too).  Everything is my Lan is behind a Pix
> Firewall.
>
> Its very "fun" to know that I'm an attacker without my knowledge but is
> there a way to contact (IP address)the people that says that I'm an
> attacker...It would be much easier for me to know were to look in my logs.
> I did try to look in my logs for the source ports xxx.xxx.xxx.xxx/2382
> attackedIp/80 but found nothing unusual.  Maybe the Date posted is not the
> same as my log (but I did check the day before and after.  But again, this
> is manual checking thru 7 megs of text (do you know of a program that
> analyses Pix syslog log files for attacks....both inbound and outbound in
my
> case).
>
> Any help is appreciated.
>
> Math
>
>
> _________________________________________________________________
> MSN Search, le moteur de recherche qui pense comme vous !
> http://search.msn.fr/worldwide.asp
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list