Pantek Library

Re: IIS and leech

From: atrinsig <atrinsig(at)yahoo.co.nz>
Date: Sat Nov 09 2002 - 07:26:22 EST


Hi Randall. Check out this post 30/1/02. Sounds like you may have just found your Huckleberry! Same port - and service name - different prognosis however.

Danny P
e-Secure-it.co.nz

Subject: DDoS to microsoft sites


We've observed two disparate clients apparently rooted (both are Win2K I
believe), being used to packet flood a variety of Microsoft sites (msn.com,
hotmail.com and microsoft.com itself).

Just a few seconds of IP accounting showed:

Destination              Packets               Bytes
 64.4.32.251               14201            20940508
 207.68.171.254            11862            17764328
 64.4.32.1                 12142            18184104
 207.46.197.102            59698            89401960

These clients are on very different CIDR blocks (from the first octet). We
don't have any further information at this time, other than one client
saturated their T1 and the other saturated a 10Mb/s connection.

I haven't observed any noticeable impacts to the microsoft sites being
attacked. We have been able to track back the activity on MRTG graphs to
last Thurs for both clients. We investigated the traffic volume the first
day it appeared and at that time saw what appeared to be an attack against
two hosts in .fr and one in .de. The client assured us at this time it was
legitimate traffic.


A port scan of one of the infected hosts shows:

     7 Echo
     9 Discard
    13 Daytime
    17 Quote of the Day
    19 Character Generator
    21 File Transfer Protocol [Control]
    25 Simple Mail Transfer
    80 World Wide Web HTTP
   135 DCE endpoint resolution
   139 NETBIOS Session Service
   443 https MCom
   445 Microsoft-DS
   548 AFP over TCP
  1025 network blackjack
  1026
  1027 ICQ?
  1433 Microsoft-SQL-Server
  5631 pcANYWHEREdata

The client claims that they are not running Appletalk (548) but I'm not sure
whether to believe them. We haven't been able to get console access to that
machine to do any further investigation (but have blocked it upstream). Of
the above services, most look legit from what I can tell with the exception
of 548 and 1025-1027.

Mike
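The two observations in Mike's post (a per-destination IP accounting snapshot, and a port listing with a few services nobody can account for) are the kind of data a network operator triages by hand. The script below is an added example, not code from the list post or from SecurityFocus ARIS, showing how that triage can be automated for both passages: it parses accounting lines in the format quoted above, computes each destination's share of the uplink, flags destinations that look like an outbound packet flood, and diffs the scanned ports against a baseline of services the administrator expects on the host. The sample data is constructed to mirror the figures in the post; the accounting window length (60 s), the 10 Mb/s link rate, and the EXPECTED_PORTS baseline are assumptions of this example, since the post does not state them.

```python
"""Triage for an apparently rooted host: outbound-flood detection from IP
accounting, plus a baseline diff of listening ports.  Added example; data and
thresholds are constructed/assumed, not taken from the original post."""
import re
from dataclasses import dataclass

# Constructed sample: mirrors the accounting figures quoted in the post.
ACCOUNTING_SAMPLE = """\
Destination              Packets               Bytes
 64.4.32.251                  14201            20940508
 207.68.171.254               11862            17764328
 64.4.32.1                    12142            18184104
 207.46.197.102               59698            89401960
"""

# Constructed sample: mirrors the port list quoted in the post.
PORTSCAN_SAMPLE = """\
     7 Echo
     9 Discard
    13 Daytime
    17 Quote of the Day
    19 Character Generator
    21 File Transfer Protocol [Control]
    25 Simple Mail Transfer
    80 World Wide Web HTTP
   135 DCE endpoint resolution
   139 NETBIOS Session Service
   443 https MCom
   445 Microsoft-DS
   548 AFP over TCP
  1025 network blackjack
  1026
  1027 ICQ?
  1433 Microsoft-SQL-Server
  5631 pcANYWHEREdata
"""

# Assumed, not stated in the post: length of the accounting window and the
# client's uplink rate (the post mentions one client on a 10 Mb/s link).
WINDOW_SECONDS = 60.0
LINK_BPS = 10_000_000

# Hypothetical baseline: services the administrator expects on this host.
EXPECTED_PORTS = {7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445, 1433, 5631}

ACCT_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s*$")
PORT_RE = re.compile(r"^\s*(\d{1,5})\b")


@dataclass
class Flow:
    dst: str
    packets: int
    nbytes: int

    def bits_per_second(self, window: float) -> float:
        return self.nbytes * 8 / window

    def mean_packet_size(self) -> float:
        return self.nbytes / self.packets


def parse_accounting(text: str) -> list:
    """Parse 'destination packets bytes' lines; header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ACCT_RE.match(line)
        if m:
            flows.append(Flow(m.group(1), int(m.group(2)), int(m.group(3))))
    return flows


def flag_floods(flows, window, link_bps, fraction=0.25):
    """Destinations receiving more than `fraction` of link capacity, busiest first."""
    hot = [f for f in flows if f.bits_per_second(window) > fraction * link_bps]
    hot.sort(key=lambda f: f.bits_per_second(window), reverse=True)
    return [f.dst for f in hot]


def link_saturated(flows, window, link_bps, threshold=0.9):
    """True when the summed outbound rate is at or above `threshold` of the link."""
    return sum(f.bits_per_second(window) for f in flows) >= threshold * link_bps


def looks_like_bandwidth_flood(flows, min_mean_size=1400):
    """Near-MTU packets to every destination is typical of a volumetric flood;
    ordinary web/mail traffic mixes small and large packets."""
    return all(f.mean_packet_size() >= min_mean_size for f in flows)


def parse_ports(text: str) -> set:
    """Collect the leading port number from each scan line (service name optional)."""
    return {int(m.group(1)) for m in (PORT_RE.match(l) for l in text.splitlines()) if m}


def unexpected_ports(text: str, baseline=EXPECTED_PORTS) -> list:
    """Ports seen in the scan that are not in the expected-service baseline."""
    return sorted(parse_ports(text) - baseline)


if __name__ == "__main__":
    flows = parse_accounting(ACCOUNTING_SAMPLE)
    for f in flows:
        print(f"{f.dst:16} {f.bits_per_second(WINDOW_SECONDS)/1e6:8.2f} Mb/s "
              f"mean pkt {f.mean_packet_size():7.1f} B")
    print("flood targets:", flag_floods(flows, WINDOW_SECONDS, LINK_BPS))
    print("link saturated:", link_saturated(flows, WINDOW_SECONDS, LINK_BPS))
    print("uniform large packets:", looks_like_bandwidth_flood(flows))
    print("ports outside baseline:", unexpected_ports(PORTSCAN_SAMPLE))
```

Under the assumed 60-second window the four destinations sum to well over the 10 Mb/s link, which is the "saturated" condition the post describes, and every flow averages close to 1500-byte packets, which is what a bandwidth flood looks like and what a web or mail server's normal mix does not. The port diff returns exactly the services Mike could not account for (548 and 1025-1027); in practice the baseline would come from the host's build documentation rather than from guesswork.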



This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
http://aris.securityfocus.com
  • randall perry <randallp@domain-logic.com> wrote:
    > Greets.
    >





Received on Mon Nov 11 16:22:02 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

