[Dshield] What were the hackers trying to do?

Ed Truitt ed.truitt at etee2k.net
Mon Mar 3 13:24:27 GMT 2003


I reserve the right to be wrong, but:

In the first case, it looks like the machine is infected with SQL-Slammer or
Sapphire, and is doing its thing (mindlessly probing for other machines to
infect, as fast as its CPU and NIC will let it.)  And, the IP may well be
legit.  Some people *do* set up internal networks using private address
ranges (unlike me, who prefers to use the real stuff).  There was no evidence
of spoofing code in the analysis of Sapphire, and there are ISPs who route
private network addresses, believe it or not (at least within their
networks)!

In the second case, it looks like someone is trying to PING you.  Maybe out
of curiosity, maybe as part of an NMAP port scan, who knows?  Since you
block inbound ICMP, I don't think they will get very much out of it.


Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."


----- Original Message -----
From: "KJS_Public" <kjs_public at sbcglobal.net>
To: <list at dshield.org>
Sent: Monday, March 03, 2003 5:43 AM
Subject: [Dshield] What were the hackers trying to do?


> I'm new to Dshield and I'm just curious.
>
> In this first example the hacker has spoofed their IP address with a
> private address. What are they doing?
>
> ------------------------------------------------------------------------------------------------------------------------
>
> 3/3/2003 3:55:59 AM,Kevin,"This one time, the user has chosen to ""block"" communications.","This one time, the user has chosen to ""block"" communications. Inbound UDP packet Local address,service is (testadler-i1(999.999.190.58),ms-sql-m(1434)) Remote address,service is (10.0.1.40,1502) Process name is ""N/A"""
>
> Rejected: Source IP (010.000.001.040) is filtered
>
> ------------------------------------------------------------------------------------------------------------------------
>
> In this example the hacker has used an "Echo Request". What are they
> doing?
>
> ------------------------------------------------------------------------------------------------------------------------
>
> 3/3/2003 2:54:46 AM,Kevin,"Rule ""Default Block Inbound and Outbound ICMP"" blocked (24.233.166.253,8).","Rule ""Default Block Inbound and Outbound ICMP"" blocked (24.233.166.253,8). Inbound ICMP request Local address is (testadler-i1(999.999.190.58)) Remote address is (24.233.166.253) Message type is ""Echo Request"" Process name is ""N/A"""
>
> Not a valid log line for our purposes.
>
> ------------------------------------------------------------------------------------------------------------------------
>
> Thank you in advance for any information/help provided.

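Added example, not code from either poster: a small Python classifier for the personal-firewall log format quoted in the thread, applying Ed's reading of the two events (a UDP/1434 probe consistent with Slammer/Sapphire, and a blocked ICMP echo request). It assumes the CSV layout time,user,summary,detail, inferred from the two quoted entries, which are re-typed below as constructed sample input.

```python
import csv
import ipaddress
import re

# Constructed sample input: the two entries quoted in the thread, re-typed on one
# line each (the list archive wrapped them). Layout assumed: time,user,summary,detail.
SAMPLE_LOG = '''3/3/2003 3:55:59 AM,Kevin,"This one time, the user has chosen to ""block"" communications.","This one time, the user has chosen to ""block"" communications. Inbound UDP packet Local address,service is (testadler-i1(999.999.190.58),ms-sql-m(1434)) Remote address,service is (10.0.1.40,1502) Process name is ""N/A"""
3/3/2003 2:54:46 AM,Kevin,"Rule ""Default Block Inbound and Outbound ICMP"" blocked (24.233.166.253,8).","Rule ""Default Block Inbound and Outbound ICMP"" blocked (24.233.166.253,8). Inbound ICMP request Local address is (testadler-i1(999.999.190.58)) Remote address is (24.233.166.253) Message type is ""Echo Request"" Process name is ""N/A"""
'''

# Patterns for the detail field after CSV unescaping (doubled quotes collapsed).
UDP_RE = re.compile(
    r"Inbound UDP packet Local address,service is "
    r"\((?P<lhost>[^(]*)\((?P<lip>[^)]*)\),(?P<lsvc>[^(]*)\((?P<lport>\d+)\)\) "
    r"Remote address,service is \((?P<rip>[\d.]+),(?P<rport>\d+)\)"
)
ICMP_RE = re.compile(
    r'Inbound ICMP request Local address is \((?P<lhost>[^(]*)\((?P<lip>[^)]*)\)\) '
    r'Remote address is \((?P<rip>[\d.]+)\) Message type is "(?P<type>[^"]+)"'
)


def classify(detail):
    """Map one event's detail text to (verdict, explanation)."""
    m = UDP_RE.search(detail)
    if m:
        port, src = int(m["lport"]), ipaddress.ip_address(m["rip"])
        if port == 1434:
            note = f"UDP/1434 ({m['lsvc']}) probe from {src}: consistent with SQL Slammer/Sapphire scanning"
        else:
            note = f"UDP/{port} ({m['lsvc']}) probe from {src}"
        if src.is_private:
            # An internal host, or a neighbour whose ISP routes private space,
            # is at least as plausible as a spoofed address (Slammer did not spoof).
            note += "; source is RFC 1918 space, not necessarily spoofed"
        return "udp-probe", note
    m = ICMP_RE.search(detail)
    if m:
        return "icmp", f"ICMP {m['type']} from {m['rip']}: ping/reconnaissance, blocked by the ICMP rule"
    return "unknown", "unrecognised event text"


def analyze(log_text):
    """Parse each CSV log line and return [(time, verdict, explanation), ...]."""
    out = []
    for row in csv.reader(line for line in log_text.splitlines() if line.strip()):
        if len(row) >= 4:
            out.append((row[0], *classify(row[3])))
    return out
```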