Snort mailing list archives
Re: attack
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 22 Feb 2002 11:23:16 -0800 (PST)
On Fri, 22 Feb 2002, Scott Taylor wrote:
So what's the best thing to do with this type of attack? Turn'em in? To who? Is there a way I can let them know that I know what their doing? Any ideas?
> So what's the best thing to do with this type of attack? Turn'em in? To who? Is there a way I can let them know that I know what they're doing? Any ideas?

Welcome to our Nightmare. This is called "Damned things that fill up our logs due to M$ not having a fnorking clue." Also known as Nimda, CodeRed or just "Pain in the Ass."

Dig around. See who the IP belongs to.

---
[erek@merf]~>whois -h whois.geektools.com 63.204.135.168

Query: 63.204.135.168
Registry: whois.arin.net

Results:

Pac Bell Internet Services (NETBLK-PBI-NET-7)
   PBI-NET-7 63.192.0.0 - 63.207.255.255
PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
   SBCIS-100216-175755 63.204.132.0 - 63.204.135.255

[erek@merf]~>whois -h whois.geektools.com NETBLK-SBCIS-100216-175755

Query: netblk-sbcis-100216-175755
Registry: whois.arin.net

Results:

PPPoX Pool #1 - Rback25 SNFC21 (NETBLK-SBCIS-100216-175755)
   303 2nd St.
   San Francisco, CA 94107
   US

   Netname: SBCIS-100216-175755
   Netblock: 63.204.132.0 - 63.204.135.255

   Coordinator:
      Pacific Bell Internet (PIA2-ORG-ARIN) ip-admin () PBI NET
      888-212-5411

   Record last updated on 17-Feb-2000.
   Database last updated on 21-Feb-2002 19:56:30 EDT.
---

Now since I know some folks who used to work for PBI/SBC, let's just say don't expect a quick fix response. If my info was correct (8-10 months ago) they had like 4 people to work all abuse complaints for SBC/SWbell/NevadaBell/Ameritech/PBI. That's 4 very overworked people in my book.

Of course if you want to give them a helpful hand.... You could add the following to your httpd.conf--You _are_ running Apache aren't you? :)

---
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
#
# RedirectMatch takes a regex against the URL path. The dots are escaped so
# they match literally; a backslash in front of the file name instead would
# be read as a regex escape (\c, \r, \d) and the rules would never match.
RedirectMatch (.*)cmd\.exe(.*) http://127.0.0.1
RedirectMatch (.*)root\.exe(.*) http://127.0.0.1
RedirectMatch (.*)default\.ida(.*) http://127.0.0.1
---

Now since CR and company use blocking threads, as the connections get redirected back to their own box, it slowly starts to die. It will eventually quit when it runs out of threads. Till they reboot that is.... :-/

*shrug*

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
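As an added example (not part of the original thread), a small Python triage script that looks for the same three request patterns the RedirectMatch rules key on in Apache combined-format access-log lines and tallies them per source IP, which is the list you would then run through whois and send to the netblock's abuse contact. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined format) showing the
# kind of worm noise discussed above; the IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2002:11:01:02 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
10.0.0.5 - - [22/Feb/2002:11:01:03 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
10.0.0.9 - - [22/Feb/2002:11:02:10 -0800] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 291 "-" "-"
10.0.0.7 - - [22/Feb/2002:11:03:00 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
10.0.0.5 - - [22/Feb/2002:11:03:15 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
"""

# Same URI fragments the RedirectMatch rules key on; dots are escaped so
# they match literally (an unescaped "." would match any character).
WORM_URI_PATTERNS = {
    "cmd.exe": re.compile(r"cmd\.exe"),
    "root.exe": re.compile(r"root\.exe"),
    "default.ida": re.compile(r"default\.ida"),
}

# Minimal combined-log-format parser: client IP and the request line only.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*"')


def classify_request(uri):
    """Return the matching worm-signature name for a request URI, or None."""
    for name, pattern in WORM_URI_PATTERNS.items():
        if pattern.search(uri):
            return name
    return None


def summarize_worm_hits(log_text):
    """Return {ip: {signature: count}} for worm-signature hits; clean requests are ignored."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        sig = classify_request(m.group("uri"))
        if sig:
            hits[m.group("ip")][sig] += 1
    return {ip: dict(c) for ip, c in hits.items()}
```

Each IP in the returned summary is a candidate for the whois lookup shown above; the counts give you the evidence to attach to an abuse report.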
Current thread:
- attack Scott Taylor (Feb 22)
- Re: attack Erek Adams (Feb 22)
- Re: attack Phil Wood (Feb 22)
- RE: attack Wayne Work (Feb 22)
- Re: attack Skip Carter (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: A case of beer on 63.204.135.168 dr . kaos (Feb 22)
- Message not available
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- A case of beer on 63.204.135.168 Jeff Jennings (Feb 22)
- Re: A case of beer on 63.204.135.168 Ryan Lindsey (Feb 22)
- Re: A case of beer on 63.204.135.168 John Sage (Feb 22)
- Re: attack Erek Adams (Feb 22)