[Dshield] What were the hackers trying to do?

Johannes Ullrich jullrich at euclidian.com
Mon Mar 3 13:25:48 GMT 2003


> ------------------------------------------------------------------------------------------------------------------------
> 
> 3/3/2003 3:55:59 AM,Kevin,"This one time, the user has chosen to ""block"" communications.","This one time, the user has chosen to ""block"" communications. Inbound UDP packet Local address,service is (testadler-i1(999.999.190.58),ms-sql-m(1434)) Remote address,service is (10.0.1.40,1502) Process name is ""N/A"""

This packet is interesting. It looks like SQL Slammer. It is possible that this comes from an infected LAN machine and, due to lack of ingress/egress filtering between you and the source, the packet makes it through.


> 3/3/2003 2:54:46 AM,Kevin,"Rule ""Default Block Inbound and Outbound ICMP"" blocked (24.233.166.253,8).","Rule ""Default Block Inbound and Outbound ICMP"" blocked (24.233.166.253,8). Inbound ICMP request Local address is (testadler-i1(999.999.190.58)) Remote address is (24.233.166.253) Message type is ""Echo Request"" Process name is ""N/A"""

An 'echo request' is a 'ping'. Not a big deal IMHO unless they come
in large numbers. Essentially, this person did check if your IP
address is up/used. Hard to tell why they would do that. Maybe
to see if you are up and listening before launching an attack? Or
maybe just to figure out some network problem.





-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
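As an added example (not part of this list post or of any DShield tooling), a small Python triage script that parses firewall log lines in the CSV export format quoted above and flags the two patterns discussed: inbound UDP to 1434 (the SQL Slammer port), with a note when the source is a private address, and ICMP echo requests. The sample lines are constructed to mirror the quoted format, with placeholder addresses.

```python
import csv
import ipaddress
import re
from io import StringIO

# Constructed sample lines in the CSV export format quoted in the post
# (timestamp, user, summary, detail). Addresses are placeholders, not real hosts.
SAMPLE_LOG = '''3/3/2003 3:55:59 AM,Kevin,"This one time, the user has chosen to ""block"" communications.","This one time, the user has chosen to ""block"" communications. Inbound UDP packet Local address,service is (host-i1(192.0.2.58),ms-sql-m(1434)) Remote address,service is (10.0.1.40,1502) Process name is ""N/A"""
3/3/2003 2:54:46 AM,Kevin,"Rule ""Default Block Inbound and Outbound ICMP"" blocked (198.51.100.253,8).","Rule ""Default Block Inbound and Outbound ICMP"" blocked (198.51.100.253,8). Inbound ICMP request Local address is (host-i1(192.0.2.58)) Remote address is (198.51.100.253) Message type is ""Echo Request"" Process name is ""N/A"""
'''

# Field layout inside the "detail" column, as seen in the quoted lines (assumed stable).
UDP_RE = re.compile(
    r"Inbound UDP packet .*?service is \((?P<lhost>[^()]*)\((?P<laddr>[^)]+)\),"
    r"(?P<lsvc>[^()]*)\((?P<lport>\d+)\)\) Remote address,service is "
    r"\((?P<raddr>[^,]+),(?P<rport>\d+)\)"
)
ICMP_RE = re.compile(
    r"Inbound ICMP request .*?Remote address is \((?P<raddr>[^)]+)\) "
    r"Message type is \"(?P<mtype>[^\"]+)\""
)


def classify(detail):
    """Return (verdict, remote_ip) for the detail field of one log row."""
    m = UDP_RE.search(detail)
    if m:
        remote = ipaddress.ip_address(m["raddr"])
        if m["lport"] == "1434":
            # Slammer spread as a single UDP datagram to 1434/udp (MS-SQL resolution service).
            verdict = "slammer-like UDP/1434"
            if remote.is_private:
                # A private source on an Internet-facing interface suggests an
                # infected LAN host and missing ingress/egress filtering.
                verdict += " from private source (check ingress/egress filtering)"
            return verdict, str(remote)
        return "other inbound UDP", str(remote)
    m = ICMP_RE.search(detail)
    if m and m["mtype"] == "Echo Request":
        # A lone ping is a liveness probe; only volume makes it interesting.
        return "ping (host liveness probe)", m["raddr"]
    return "unclassified", None


def triage(log_text):
    """Parse the CSV export and classify every row; returns (timestamp, verdict, remote)."""
    rows = csv.reader(StringIO(log_text))
    return [(row[0], *classify(row[3])) for row in rows if len(row) >= 4]


if __name__ == "__main__":
    for ts, verdict, remote in triage(SAMPLE_LOG):
        print(f"{ts}: {verdict} <- {remote}")
```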


