Security Incidents mailing list archives
compromised host, annotated logs
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Tue, 17 Oct 2000 11:18:33 -0400
hi guys, i wanted to chime in with an annotated log for everyone. saw an attack on friday preceded by a very large /16 sweep from out of the country. as you can see in the notes, they came back in and probed a bit further, then killed. they returned from IP 2 (the second probe address) and did their work from there. all ISPs have been contacted, and the netblock owner of the second IP has been cooperative and is investigating the account to see if it was compromised or a malicious user.

what's good to note about this is twofold: first of all, log and note all service sweeps. people aren't scanning large netblocks for statistics purposes as often as sweeps occur; it's 99% of the time a prelude to an attack. secondly, the mIRKfORCE toolkit installed is well known <http://hackreport.magicnet.org/>.

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
Attachment: redbull.generic.notes
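The post's advice to log and note service sweeps, worked through as an added example: this is not code from the post or from its annotated-log attachment (which is not reproduced on this page), and the connection-log format, the addresses, the port and the thresholds are all assumptions constructed for the demonstration. The script flags a source that touches many distinct hosts on one port within a short window, then lists every later connection to a swept host on that port, marking whether it comes from the sweeper or from a different address, which is the pattern the post describes (the return visit, then the work done from a second IP).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical connection-log format (constructed; not the format of the post's attachment):
#   YYYY-MM-DD HH:MM:SS src=A.B.C.D dst=A.B.C.D dport=N proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

# Constructed sample: twelve hosts probed on ftp within seconds (the sweep), an unrelated
# mail connection, the sweeper returning to one host, then a second address hitting it.
SAMPLE_LOG = [
    f"2000-10-13 02:14:{7 + n // 4:02d} src=203.0.113.45 dst=192.0.2.{n} dport=21 proto=tcp"
    for n in range(1, 13)
] + [
    "2000-10-13 09:30:11 src=198.51.100.9 dst=192.0.2.40 dport=25 proto=tcp",   # benign mail
    "2000-10-13 14:02:33 src=203.0.113.45 dst=192.0.2.7 dport=21 proto=tcp",    # sweeper returns
    "2000-10-13 22:45:10 src=198.51.100.77 dst=192.0.2.7 dport=21 proto=tcp",   # a second IP
]


def parse(lines):
    """Turn raw log lines into time-sorted event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_sweeps(events, min_hosts=8, window=timedelta(minutes=5)):
    """A sweep is one source reaching >= min_hosts distinct destinations on one port
    inside `window`. Thresholds are assumptions; tune them to the size of your netblock."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dport"])].append(e)
    sweeps = []
    for (src, dport), evs in by_key.items():
        j = 0
        for i, first in enumerate(evs):
            # advance the right edge of the window (events are already time-sorted)
            while j < len(evs) and evs[j]["ts"] - first["ts"] <= window:
                j += 1
            hosts = {e["dst"] for e in evs[i:j]}
            if len(hosts) >= min_hosts:
                sweeps.append({"src": src, "dport": dport, "start": first["ts"],
                               "end": evs[j - 1]["ts"], "hosts": hosts})
                break  # one record per (source, port) is enough for triage
    return sweeps


def followups(events, sweeps):
    """Connections after a sweep to any host it touched, on the swept port.
    A hit from a different source is the 'second IP' case worth escalating."""
    hits = []
    for sw in sweeps:
        for e in events:
            if e["ts"] > sw["end"] and e["dport"] == sw["dport"] and e["dst"] in sw["hosts"]:
                hits.append({"ts": e["ts"], "src": e["src"], "dst": e["dst"],
                             "same_source": e["src"] == sw["src"]})
    hits.sort(key=lambda h: h["ts"])
    return hits


def analyze(lines):
    events = parse(lines)
    sweeps = detect_sweeps(events)
    return sweeps, followups(events, sweeps)


if __name__ == "__main__":
    found, hits = analyze(SAMPLE_LOG)
    for sw in found:
        print(f"SWEEP  {sw['src']} -> {len(sw['hosts'])} hosts on port {sw['dport']} "
              f"between {sw['start']} and {sw['end']}")
    for h in hits:
        tag = "same source" if h["same_source"] else "NEW source"
        print(f"FOLLOW {h['ts']} {h['src']} -> {h['dst']} ({tag})")
```

Run as-is it reports one sweep and two follow-up connections, the second from an address that never swept; that second line is the one to hand to the abuse desk along with the sweep record, since on its own it looks like a single ordinary ftp connection.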