[Dshield] [Fwd: WHY IS YOUR CUSTOMER ATTEMPTING ILLEGAL ACCESS TO THIS COMPUTER]

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Fri Aug 25 17:01:46 GMT 2006


On Fri, 25 Aug 2006 09:20:20 EDT, "BOYD S. (SPENCE) MINER" said:
> I FILLED OUT THEIR ON LINE COMPLAINT AND THEY ACKNOWLEDGED WITH WE WILL
> CHECK IT OUT.
> 
> BUT PROBES STILL ARE ACTIVE.

What port(s) are they probing, specifically?  Have you ruled out things such as:

Your site has advertised having an NTP server, but you failed to open your
firewall for it?

Your site has firewalled connections on port 25, and they're trying to send
you mail?

Your site has a DNS server, and you've firewalled it so people can't contact it?

(I mention all 3 of these because I've seen all too many cases of things like
this happening - an incorrect firewall rule blocking things that should have
been permitted, and the permitted traffic being flagged an incident.  I've
even had the joy of trying to send mail to the registered mail server for an
*.navy.mil domain - and their firewall was blocking it.)

As a special case - this can *also* happen if you have gotten the address
space relatively recently (within a year or so), and people have hard-coded an
IP address and not fixed it.  The current IP address of one of the boxes in
my office used to be a secondary DNS server and an NTP server.  It has in fact
been neither of those for over 5 *years*, but still:

Chain udp-in (1 references)
 pkts bytes target     prot opt in     out     source               destination                           
2121K  165M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0                                     udp dpt:53 
2360K  179M DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0                                     udp dpt:123 

In just 5 days.  Yes, that's well over 10 packets *per second* heading to
someplace that left 5 years ago.

Have you ruled out backscatter?  That's when some hacker *elsewhere* on the
net sends packets with a forged source address (yours) to thehideout.net's
machines - and the "Dave's not here, man" error packets come back to your
site (these are usually either TCP SYN+ACK or RST packets if the forged
packet was TCP - or ICMP Port Unreachable packets in reply to a UDP packet).

> 204.16.208.75:59785 dedicated.thehideout.net

This shows what appears to be an ephemeral port on the source end, but doesn't
say what port they're trying to connect to.  Oh, and saying if it's a TCP, UDP,
or ICMP is helpful as well.  Even better are SNORT logs or full packet
captures, if you can get tcpdump or ethereal/wireshark or other packet sniffer
to catch the traffic.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
Url : http://lists.dshield.org/pipermail/list/attachments/20060825/e175928f/attachment.bin 


More information about the list mailing list