From: Rick on 11 Mar 2010 08:12

Burkhard Ott wrote:
> On Wed, 10 Mar 2010 18:29:23 -0500, Rick wrote:
>
>> Burkhard Ott wrote:
>>> On Wed, 10 Mar 2010 14:29:14 +0000, Jon Solberg wrote:
>>>
>>>> On 2010-03-10, Rick<rick0.merrill(a)gmail.com.lessspam> wrote:
>>>>> My firewall emails me the following:
>>>>>
>>>>> 03/09/2010 10:58:19.736 - Alert - Intrusion Prevention - FTP: PORT
>>>>> bounce attack dropped. - 192.168.248.213, 3629, X1 (rick) -
>>>>> 192.168.248.205, 21, X0 - Target host: 216.87.188.9, 59310 This email
>>>>> was generated by: SonicOS Enhanced 5.3.0.0-16o (0017-C54A-D6FC)
>>>>>
>>>>> Comments?
>>>>
>>>> Get a real firewall.
>>>
>>> Nope, a dropped packet on a Sonicwall.
>>
>> I think it means Affinity has an infected/zombied server. What do you
>> think?
>
> Yes for sure, format all your servers, you are at high risk since you've
> tried to access their servers, call them and tell them this serious
> problem what your fancy sonicwall told you and you end up as the hero of
> the day.
>
> cheers

Believe it or not I did (once) get that to happen with a US based server
because I found the owner (not IT savvy) who leaned on his IT people and
made them find the infected server.

Blessings, - Don Quixote

From: Burkhard Ott on 11 Mar 2010 11:30

On Thu, 11 Mar 2010 08:12:07 -0500, Rick wrote:
> Burkhard Ott wrote:
>> On Wed, 10 Mar 2010 18:29:23 -0500, Rick wrote:
>>
>>> Burkhard Ott wrote:
>>>> On Wed, 10 Mar 2010 14:29:14 +0000, Jon Solberg wrote:
>>>>
>>>>> On 2010-03-10, Rick<rick0.merrill(a)gmail.com.lessspam> wrote:
>>>>>> My firewall emails me the following:
>>>>>>
>>>>>> 03/09/2010 10:58:19.736 - Alert - Intrusion Prevention - FTP: PORT
>>>>>> bounce attack dropped. - 192.168.248.213, 3629, X1 (rick) -
>>>>>> 192.168.248.205, 21, X0 - Target host: 216.87.188.9, 59310 This
>>>>>> email was generated by: SonicOS Enhanced 5.3.0.0-16o
>>>>>> (0017-C54A-D6FC)
>>>>>>
>>>>>> Comments?
>>>>>
>>>>> Get a real firewall.
>>>>
>>>> Nope, a dropped packet on a Sonicwall.
>>>
>>> I think it means Affinity has an infected/zombied server. What do you
>>> think?
>>
>> Yes for sure, format all your servers, you are at high risk since you've
>> tried to access their servers, call them and tell them this serious
>> problem what your fancy sonicwall told you and you end up as the hero
>> of the day.
>>
>> cheers
>
>
> Believe it or not I did (once) get that to happen with a US based server
> because I found the owner (not IT savvy) who leaned on his IT people and
> made them find the infected server.
>
> Blessings, - Don Quixote

OK, while analyzing this stream, since you surely mirror your ports and log it to a logging server, what did you find?
As far as I understand your logged message, the firewall dropped evil Rick with the IP 192.168.248.213 (RFC1918!) trying to open a communication to server 216.87.188.9 on port 21 (ftp auth).
The crappy sonicwall thinks this might be a bounce attack, so go to evil Rick, this is the guy you need to hunt.

cheers

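To make the three endpoints in the quoted alert concrete, here is an added example (written for this page; it is neither a poster's code nor SonicWall's) that parses the alert line into its source, destination and target fields and applies the check an FTP application-layer gateway uses to raise "PORT bounce": the address in a client's PORT command must be the client itself. The field layout is inferred from that single line, and the PORT argument `216,87,188,9,231,174` is constructed from the alert's target host and port (231*256+174 = 59310).

```python
import re
from ipaddress import ip_address

# The SonicOS alert quoted in the thread, reassembled onto one line (page data).
ALERT = ("03/09/2010 10:58:19.736 - Alert - Intrusion Prevention - "
         "FTP: PORT bounce attack dropped. - 192.168.248.213, 3629, X1 (rick) - "
         "192.168.248.205, 21, X0 - Target host: 216.87.188.9, 59310")

# Layout assumed from that line: time - prio - category - message - src ip, port,
# iface (user) - dst ip, port, iface - Target host: ip, port.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<prio>[^-]+?) - (?P<cat>[^-]+?) - (?P<msg>.+?) - "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\S+)(?: \((?P<user>[^)]*)\))? - "
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\S+)"
    r"(?: - Target host: (?P<tgt_ip>[\d.]+), (?P<tgt_port>\d+))?$"
)

def parse_alert(line):
    """Split a SonicOS IPS alert into endpoint fields; None if the layout differs."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("src_port", "dst_port", "tgt_port"):
        d[k] = int(d[k]) if d[k] else None
    return d

def parse_port_command(args):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command to (ip, port)."""
    parts = [int(x) for x in args.split(",")]
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def is_bounce(client_ip, port_args):
    """The check an FTP ALG applies (RFC 2577 section 3): a PORT naming any host
    other than the control-connection client is a bounce attempt."""
    ip, _ = parse_port_command(port_args)
    return ip_address(ip) != ip_address(client_ip)

def describe(alert):
    """Defender's reading of the three endpoints: client, FTP server, data target."""
    tgt = alert["tgt_ip"]
    return {
        "client": alert["src_ip"], "ftp_server": alert["dst_ip"], "data_target": tgt,
        "client_is_private": ip_address(alert["src_ip"]).is_private,
        "target_is_private": ip_address(tgt).is_private if tgt else None,
        "target_differs_from_client": tgt is not None and tgt != alert["src_ip"],
    }
```

Run against the quoted line, `describe` shows the control connection went from the internal client to the internal host on port 21, while the PORT command named the public address; the mismatch between client and target is what the alert records.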
From: Rick on 11 Mar 2010 12:58

Burkhard Ott wrote:
> On Thu, 11 Mar 2010 08:12:07 -0500, Rick wrote:
>
>> Burkhard Ott wrote:
>>> On Wed, 10 Mar 2010 18:29:23 -0500, Rick wrote:
>>>
>>>> Burkhard Ott wrote:
>>>>> On Wed, 10 Mar 2010 14:29:14 +0000, Jon Solberg wrote:
>>>>>
>>>>>> On 2010-03-10, Rick<rick0.merrill(a)gmail.com.lessspam> wrote:
>>>>>>> My firewall emails me the following:
>>>>>>>
>>>>>>> 03/09/2010 10:58:19.736 - Alert - Intrusion Prevention - FTP: PORT
>>>>>>> bounce attack dropped. - 192.168.248.213, 3629, X1 (rick) -
>>>>>>> 192.168.248.205, 21, X0 - Target host: 216.87.188.9, 59310 This
>>>>>>> email was generated by: SonicOS Enhanced 5.3.0.0-16o
>>>>>>> (0017-C54A-D6FC)
>>>>>>>
>>>>>>> Comments?
>>>>>>
>>>>>> Get a real firewall.
>>>>>
>>>>> Nope, a dropped packet on a Sonicwall.
>>>>
>>>> I think it means Affinity has an infected/zombied server. What do you
>>>> think?
>>>
>>> Yes for sure, format all your servers, you are at high risk since you've
>>> tried to access their servers, call them and tell them this serious
>>> problem what your fancy sonicwall told you and you end up as the hero
>>> of the day.
>>>
>>> cheers
>>
>>
>> Believe it or not I did (once) get that to happen with a US based server
>> because I found the owner (not IT savvy) who leaned on his IT people and
>> made them find the infected server.
>>
>> Blessings, - Don Quixote
>
> OK, while analyzing this stream, since you surely mirror your ports and
> log it to a logging server, what did you find?
> As far as I understand your logged message, the firewall dropped evil
> Rick with the IP 192.168.248.213 (RFC1918!) trying to open a communication to
> server 216.87.188.9 on port 21 (ftp auth).
> The crappy sonicwall thinks this might be a bounce attack, so go to evil
> Rick, this is the guy you need to hunt.
>
> cheers

home-pwp.ccres.tpa.affinity.com ::= 216.87.188.9 is the one listening for the bounce - same name as I, so he must be a good guy and is more liable to be the victim (of zombie attack) than the bad guy ;-)

The Arwin listing phone number is NIS!

(Not In Service)

Heck, maybe it is a honey pot that just goes out looking for possible zombies on other systems.

Ah, in '07 Affinity was taken over by Hostway of Chicago - the plot thickens.

From: Burkhard Ott on 11 Mar 2010 13:27

On Thu, 11 Mar 2010 12:58:18 -0500, Rick wrote:
> home-pwp.ccres.tpa.affinity.com ::= 216.87.188.9 is the one listening
> for the bounce - same name as I, so he must be a good guy and is more
> liable to be the victim (of zombie attack) than the bad guy ;-)

No, impossible, how can that be? Maybe a name attack blocked by your sonicwall.

> The Arwin listing phone number is NIS!
>
> (Not In Service)

And what exactly makes it now more suspicious?

> Heck, maybe it is a honey pot that just goes out looking for possible
> zombies on other systems.

No, it's the illuminati: first they attack your sonicwall since they know that you are able to follow their tracks; as long as you try to understand what sonicwall says in its stupid email message they overtake the world, tonight!

I guess you just try to troll or maybe you have the wrong job.

cheers

From: Rick on 11 Mar 2010 13:38
Burkhard Ott wrote:
> On Thu, 11 Mar 2010 12:58:18 -0500, Rick wrote:
>
>> home-pwp.ccres.tpa.affinity.com ::= 216.87.188.9 is the one listening
>> for the bounce - same name as I, so he must be a good guy and is more
>> liable to be the victim (of zombie attack) than the bad guy ;-)
>
> No, impossible, how can that be? Maybe a name attack blocked by your
> sonicwall.
>
>> The Arwin listing phone number is NIS!
>>
>> (Not In Service)
>
> And what exactly makes it now more suspicious?
>
>> Heck, maybe it is a honey pot that just goes out looking for possible
>> zombies on other systems.
>
> No, it's the illuminati: first they attack your sonicwall since they know
> that you are able to follow their tracks; as long as you try to
> understand what sonicwall says in its stupid email message they overtake
> the world, tonight!
>
> I guess you just try to troll or maybe you have the wrong job.
>
> cheers
>

Wrong job...