[Dshield] My server is an attacker

David Kennedy CISSP david.kennedy at acm.org
Fri Oct 25 05:25:57 GMT 2002


At 02:28 PM 10/24/02 +0000, mathieu008 . wrote:
>Your IP (xxx.xxx.xxx.xxx) appears as an
>attacker 7 times in the DShield database.

<snip>

>This thing really looks like a Trojan or something on my PDC (which
>is used as a proxy for my users too).  Everything in my LAN is
>behind a PIX Firewall.

So to the outside world, all your machines appear to be one IP
address?  If so, one or several inside machines may be to blame;
based on those source ports and dates, maybe two (2382-4 and
2102-2106), but I'd guess one.  The logs you read were from the PIX
or the PDC?  Try the PIX if you didn't already.  Or try netflow logs
to find the culprit.

With all destination ports of 80 it could be some kind of web server
glitch.  Nimda's the most common port 80 trojan and they usually come
in groups larger than four.

HTH





-- 
Regards,

David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.
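The reply suggests reading the PIX logs to find which inside host behind the single NAT address is generating the port-80 connections. The script below is an added example, not part of the original thread, that groups "Built outbound TCP connection" syslog lines by the real inside address (laddr). The line format is assumed from Cisco PIX 6.x message 302001, and all addresses, ports and connection ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log: PIX 302001-style lines (format assumed, values made up).
# faddr = outside host, gaddr = the shared NAT address, laddr = real inside host.
SAMPLE_LOG = """\
%PIX-6-302001: Built outbound TCP connection 1001 for faddr 198.51.100.10/80 gaddr 203.0.113.9/2382 laddr 10.0.0.5/2382
%PIX-6-302001: Built outbound TCP connection 1002 for faddr 198.51.100.11/80 gaddr 203.0.113.9/2383 laddr 10.0.0.5/2383
%PIX-6-302001: Built outbound TCP connection 1003 for faddr 198.51.100.12/80 gaddr 203.0.113.9/2384 laddr 10.0.0.5/2384
%PIX-6-302001: Built outbound TCP connection 1004 for faddr 198.51.100.20/80 gaddr 203.0.113.9/2102 laddr 10.0.0.5/2102
%PIX-6-302001: Built outbound TCP connection 1005 for faddr 198.51.100.21/80 gaddr 203.0.113.9/2103 laddr 10.0.0.5/2103
%PIX-6-302001: Built outbound TCP connection 1006 for faddr 192.0.2.50/80 gaddr 203.0.113.9/1031 laddr 10.0.0.7/1031
%PIX-6-302001: Built outbound TCP connection 1007 for faddr 192.0.2.50/443 gaddr 203.0.113.9/1032 laddr 10.0.0.7/1032
%PIX-6-302001: Built outbound TCP connection 1008 for faddr 192.0.2.60/25 gaddr 203.0.113.9/1033 laddr 10.0.0.8/1033
"""

LINE_RE = re.compile(
    r"Built outbound TCP connection \d+ for faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)


def parse_pix_log(text):
    """Yield (inside_ip, inside_port, outside_ip, outside_port) for each connection line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["laddr"], int(m["lport"]), m["faddr"], int(m["fport"]))


def outbound_by_inside_host(text, dport=80):
    """Map each inside host to the set of distinct outside hosts it reached on dport."""
    targets = defaultdict(set)
    for laddr, _lport, faddr, fport in parse_pix_log(text):
        if fport == dport:
            targets[laddr].add(faddr)
    return targets


def suspects(text, dport=80, min_hosts=3):
    """Inside hosts that contacted at least min_hosts distinct outside hosts on dport."""
    by_host = outbound_by_inside_host(text, dport)
    return sorted(h for h, t in by_host.items() if len(t) >= min_hosts)


if __name__ == "__main__":
    for host, t in outbound_by_inside_host(SAMPLE_LOG).items():
        print(f"{host}: {len(t)} distinct port-80 targets")
    print("suspects:", suspects(SAMPLE_LOG))
```

Feed it the real PIX syslog instead of SAMPLE_LOG; a single inside host with many distinct port-80 targets is the machine to inspect.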
