Security Incidents mailing list archives

compromised host, annotated logs


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Tue, 17 Oct 2000 11:18:33 -0400


hi guys,

i wanted to chime in with an annotated log for everyone. saw an attack on
friday preceded by a very large /16 sweep from out of the country. as
you can see in the notes, they came back in and probed a bit further, then
killed. they returned from IP 2 (the second probe address) and did their
work from there. all ISPs have been contacted, and the netblock owner of
the second IP has been cooperative and is investigating the account to see
if it was compromised or a malicious user.

what's good to note about this is twofold: first of all, log and note all
service sweeps. people aren't scanning large netblocks for statistics
purposes as often as sweeps occur; it's 99% of the time a prelude to an
attack. secondly, the mIRKfORCE toolkit installed is well known
<http://hackreport.magicnet.org/>.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

Attachment: redbull.generic.notes
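The post's main advice is to log and flag service sweeps, since a single source touching many hosts on one port usually comes before an intrusion. The following is an added example, not code from the post or its attachment (which is not reproduced in the archive): it parses constructed connection-log lines of the form `<ISO timestamp> <src> -> <dst>:<dport>` and reports any (source, port) pair that reached a threshold number of distinct destination hosts inside a sliding time window. The log format, the addresses (RFC 5737 documentation ranges), the threshold of 8 hosts and the 10-minute window are all assumptions chosen for the example.

```python
"""Flag horizontal service sweeps (one source, one port, many destination hosts).

Added example for the mailing-list post above; the log lines are constructed
and the thresholds are assumptions, not values from the original message.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one connection attempt per line,
# "<ISO timestamp> <src> -> <dst>:<dport>".  203.0.113.7 sweeps ten hosts on
# port 21 in five seconds; 198.51.100.5 is ordinary web traffic; 203.0.113.9
# touches a new host on port 22 only every two hours (too slow for the window).
SAMPLE_LOG = """\
2000-10-13T02:14:01 203.0.113.7 -> 192.0.2.1:21
2000-10-13T02:14:02 203.0.113.7 -> 192.0.2.2:21
2000-10-13T02:14:02 203.0.113.7 -> 192.0.2.3:21
2000-10-13T02:14:03 203.0.113.7 -> 192.0.2.4:21
2000-10-13T02:14:03 203.0.113.7 -> 192.0.2.5:21
2000-10-13T02:14:04 203.0.113.7 -> 192.0.2.6:21
2000-10-13T02:14:04 203.0.113.7 -> 192.0.2.7:21
2000-10-13T02:14:05 203.0.113.7 -> 192.0.2.8:21
2000-10-13T02:14:05 203.0.113.7 -> 192.0.2.9:21
2000-10-13T02:14:06 203.0.113.7 -> 192.0.2.10:21
2000-10-13T02:20:11 198.51.100.5 -> 192.0.2.20:80
2000-10-13T02:20:12 198.51.100.5 -> 192.0.2.21:80
2000-10-13T01:00:00 203.0.113.9 -> 192.0.2.30:22
2000-10-13T03:00:00 203.0.113.9 -> 192.0.2.31:22
2000-10-13T05:00:00 203.0.113.9 -> 192.0.2.32:22
2000-10-13T07:00:00 203.0.113.9 -> 192.0.2.33:22
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_sweeps(lines, min_hosts=8, window=timedelta(minutes=10)):
    """Report (src, dport) pairs that reached >= min_hosts distinct hosts within `window`.

    Events are bucketed per (source, destination port); a window anchored at each
    event slides forward so a slow source spreading a few hosts over hours is not
    counted as a sweep.  Returns findings sorted by first_seen.
    """
    by_probe = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, dst, dport = ev
            by_probe[(src, dport)].append((ts, dst))

    findings = []
    for (src, dport), events in by_probe.items():
        events.sort()
        best_hosts, first_seen, last_seen = set(), None, None
        for i, (t0, _) in enumerate(events):
            in_window = [(t, dst) for t, dst in events[i:] if t - t0 <= window]
            hosts = {dst for _, dst in in_window}
            if len(hosts) > len(best_hosts):
                best_hosts = hosts
                first_seen = t0
                last_seen = max(t for t, _ in in_window)
        if len(best_hosts) >= min_hosts:
            findings.append({
                "src": src,
                "dport": dport,
                "hosts": sorted(best_hosts),
                "first_seen": first_seen,
                "last_seen": last_seen,
            })
    return sorted(findings, key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for f in detect_sweeps(SAMPLE_LOG.splitlines()):
        print(f"SWEEP {f['src']} -> {len(f['hosts'])} hosts on port {f['dport']} "
              f"between {f['first_seen']} and {f['last_seen']}")
```

Run against real data by converting firewall or tcpwrapper records into the one-line shape `parse_line` expects; the useful tuning knobs are `min_hosts` (relative to how many hosts the monitored netblock exposes on that port) and `window` (wide enough to catch a deliberately slowed sweep, narrow enough that normal clients do not accumulate). Recording the source and the first/last timestamps is what lets a later intrusion, like the return visit the post describes, be tied back to the earlier probe.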

