[Dshield] What were the hackers trying to do?

Johannes Ullrich jullrich at euclidian.com
Mon Mar 3 13:25:48 GMT 2003

> ------------------------------------------------------------------------------------------------------------------------
> 3/3/2003 3:55:59 AM,Kevin,"This one time, the user has chosen to ""block"" communications.","This one time, the user has chosen to ""block"" communications. Inbound UDP packet Local address,service is (testadler-i1(999.999.190.58),ms-sql-m(1434)) Remote address,service is (,1502) Process name is ""N/A"""

This packet is interesting. It looks like SQL Slammer. It is possible that this comes from an infected LAN machine and, due to lack of ingress/egress filtering between you and the source, the packet makes it through.

> 3/3/2003 2:54:46 AM,Kevin,"Rule ""Default Block Inbound and Outbound ICMP"" blocked (,8).","Rule ""Default Block Inbound and Outbound ICMP"" blocked (,8). Inbound ICMP request Local address is (testadler-i1(999.999.190.58)) Remote address is ( Message type is ""Echo Request"" Process name is ""N/A"""

An 'echo request' is a 'ping'. Not a big deal IMHO unless they come
in large numbers. Essentially, this person did check if your IP
address is up/used. Hard to tell why they would do that. Maybe
to see if you are up and listening before launching an attack? Or
maybe just to figure out some network problem.

jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
