Security Basics mailing list archives
Re: When does a scan attempt become a focused attack?
From: "Karma" <steve () frij com>
Date: Wed, 22 Oct 2003 12:38:10 +1000
These attacks are very common on the internet. Many times, they are created by a worm such as Code Red, and other times, a person runs an automated scanning script to look for 200 OK replies from the webserver.

Although you could let the owner of the machine, or the ISP, know that their machine is performing a scan (they probably don't even realise it) or is silly enough to use their personal IP to run an IIS vulnerability scan *grin*, I would suggest simply making sure your machines are patched, and not returning 200 OKs to these scans, otherwise they will usually focus on your machine a little further.

Apart from that, get used to seeing these on your snort sensor; they are an everyday occurrence, and are not likely to die down anytime soon.

kind regards

----- Original Message -----
From: "Hunt, Jim" <Jim.Hunt () nwsc k12 in us>
To: <security-basics () securityfocus com>
Sent: Wednesday, October 22, 2003 7:21 AM
Subject: When does a scan attempt become a focused attack?

I recently set up snort to look for intrusions and am still learning to sort out all of my alerts. However, I have one that has caught my eye this afternoon and wonder what to do...

The scan/attack started about 1/2 hour ago and is still continuing as I type this out. The snort box is Windows and the attacker is happily trying all the basic attempts over and over. The pattern looks very deliberate.

Here are the exploits -
http://www.snort.org/snort-db/sid.html?sid=1040
http://www.snort.org/snort-db/sid.html?sid=1002
http://www.snort.org/snort-db/sid.html?sid=1256
http://www.snort.org/snort-db/sid.html?sid=983
http://www.snort.org/snort-db/sid.html?sid=1286

We are at 150+ in 35 minutes. Does it really do any good to report him?

Here is the whois data -
http://www.dnsstuff.com/tools/whois.ch?ip=!NET-63-126-130-224-1&server=whois.arin.net

What is the correct thing to do?

Jim Hunt
Certified Network & Systems Engineer
Northwestern School Corporation
Technology Services Manager
http://technology.nwsc.k12.in.us
http://www.ProWinHost.com | Professional Windows Hosting | Professional Windows Reselling
http://www.AlertServ.com | Managed and Incident Windows Server Support | Custom Alerting
http://www.NetMon.org | Network Monitoring Tools and Tutorials | Includes MRTG for Dummies
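
As an added example that is not part of the original posts: one way to check the advice above about not returning 200 OK to these scans is to read the web server's own log and list which probe requests were actually answered with a 200, grouped by source. The marker list, the function name `summarize_probes` and the log lines are assumptions constructed for illustration; the parser follows the `#Fields:` header of the W3C extended log format.

```python
from collections import defaultdict

# Assumed, illustrative markers for automated IIS probes; extend for your site.
PROBE_MARKERS = ("cmd.exe", "root.exe")

# Constructed sample log (W3C extended format). 192.0.2.0/24 is a
# documentation address range, not a real source.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-21 21:02:11 192.0.2.10 GET /scripts/root.exe /c+dir 404
2003-10-21 21:02:12 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2003-10-21 21:02:13 192.0.2.10 GET /scripts/cmd.exe /c+dir 200
2003-10-21 21:02:14 192.0.2.10 GET /_mem_bin/cmd.exe /c+dir 404
2003-10-21 21:03:40 192.0.2.77 GET /index.html - 200
2003-10-21 21:04:02 192.0.2.99 GET /c/winnt/system32/cmd.exe /c+dir 404
"""

def summarize_probes(log_text, markers=PROBE_MARKERS):
    """Return {client_ip: {"probes": n, "answered_200": [uri, ...]}}."""
    fields = []
    summary = defaultdict(lambda: {"probes": 0, "answered_200": []})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip malformed or truncated rows
        row = dict(zip(fields, values))
        uri = row.get("cs-uri-stem", "")
        if not any(m in uri.lower() for m in markers):
            continue                    # ordinary request, not a probe
        entry = summary[row.get("c-ip", "?")]
        entry["probes"] += 1
        if row.get("sc-status") == "200":
            entry["answered_200"].append(uri)   # the server answered this probe
    return dict(summary)

if __name__ == "__main__":
    for ip, info in sorted(summarize_probes(SAMPLE_LOG).items()):
        verdict = "CHECK HOST" if info["answered_200"] else "background noise"
        print(f"{ip}: {info['probes']} probes, "
              f"{len(info['answered_200'])} answered 200 -> {verdict}")
```

A source with many probes and no 200 responses matches the everyday background scanning described above; any entry in `answered_200` means the server responded to a probe path and its patch level and content should be checked.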
Current thread:
- When does a scan attempt become a focused attack? Hunt, Jim (Oct 21)
- RE: When does a scan attempt become a focused attack? dave kleiman (Oct 22)
- Re: When does a scan attempt become a focused attack? Sebastian Schneider (Oct 22)
- Re: When does a scan attempt become a focused attack? Karma (Oct 22)
- Re: When does a scan attempt become a focused attack? Byron Sonne (Oct 23)
- Re: When does a scan attempt become a focused attack? Ivan Hernandez (Oct 23)
- Re: When does a scan attempt become a focused attack? Byron Sonne (Oct 23)
- <Possible follow-ups>
- RE: When does a scan attempt become a focused attack? Fields, James (Oct 22)
- Re: When does a scan attempt become a focused attack? salgak (Oct 22)