The Dark (Tux's lil' helper)
Joined: 01 Feb 2003, Posts: 126, Location: BACK ON PLANET GENTOO
Posted: Thu Sep 04, 2003 6:21 pm, Post subject: MS-SQL Worm propagation attempt OUTBOUND
Hello everyone.
Can someone tell me if I'm being hacked or already hacked?
Check my Snort log output.
```
MS-SQL Worm propagation attempt
MS-SQL Worm propagation attempt OUTBOUND   (this one scares me)
ICMP PING CyberKit 2.2 Windows             (get this one a lot, filling my HD)
```
Anybody have a clue what's going on here??
_________________
-=The Dark=-
Linux Rules
i686 Pentium III (Coppermine) GenuineIntel
http://www.gentoo.org

devon (l33t)
Joined: 23 Jun 2003, Posts: 943
Posted: Thu Sep 04, 2003 11:28 pm
The "ICMP PING CyberKit 2.2 Windows" is probably the Nachi/Welchia worm.
Do you have any Windows hosts behind this machine? It seems that would be the explanation for "MS-SQL Worm propagation attempt OUTBOUND".

The Dark (Tux's lil' helper)
Posted: Fri Sep 05, 2003 1:34 am
> devon wrote:
> The "ICMP PING CyberKit 2.2 Windows" is probably the Nachi/Welchia worm.
> Do you have any Windows hosts behind this machine? It seems that would be the explanation for "MS-SQL Worm propagation attempt OUTBOUND".
Hmmm, yeah, a dual-boot machine for games.
So I'm infected with this worm..??

devon (l33t)
Posted: Sat Sep 06, 2003 5:25 am
I would think the "ICMP PING CyberKit 2.2 Windows" line is hosts outside your Snort sensor that are trying to hit IPs behind your box. Regarding the MS-SQL worm, I would check any Windows boxes behind your Snort box and run Windows Update as needed.

stonent (Veteran)
Joined: 07 Aug 2003, Posts: 1139, Location: Texas
Posted: Sun Sep 07, 2003 6:34 am
Get their IPs and e-mail abuse@(the user's ISP).
For example, if 4.2.2.1 (yeah right, big DNS server) was doing it:
```
bash-2.05b# whois 4.2.2.1
OrgName: Genuity
OrgID: GNTY
Address: Genuity
Address: 225 Presidential Way
City: Woburn
StateProv: MA
PostalCode: 01888
Country: US
NetRange: 4.0.0.0 - 4.255.255.255
CIDR: 4.0.0.0/8
NetName: GNTY-4-0
NetHandle: NET-4-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: DNSAUTH1.SYS.GTEI.NET
NameServer: DNSAUTH2.SYS.GTEI.NET
NameServer: DNSAUTH3.SYS.GTEI.NET
Comment:
RegDate:
Updated: 2002-05-02
```
E-mail abuse@genuity.com.
Tell them that one of the hosts in their netblock has a virus or a cracking utility that is setting off intrusion detection on your network.
_________________
Inspiron 4100 & Sun UltraAXe
Portage on Solaris | Dell Laptop Hacks
The way you feel about organized religion is the same way I feel about organized socialism.

The Dark (Tux's lil' helper)
Posted: Sun Sep 07, 2003 12:43 pm
> devon wrote:
> I would think the "ICMP PING CyberKit 2.2 Windows" line is hosts outside your Snort sensor that are trying to hit IPs behind your box. Regarding the MS-SQL worm, I would check any Windows boxes behind your Snort box and run Windows Update as needed.
Yeah, you're right, it's a bunch of hosts outside trying to get in.
Makes me think that they were all in the system before this new approach of mine to secure things a little better.
I use dual boot for playing games.
So I ran the Welchia worm fix from the Norton site, and came up with a clean system.
Not that I believe this, because something destroyed a DLL file needed to stop the restore option of XP.
So I can't stop the restore of XP, and I know from an encounter with an old worm/virus called SUBSEVEN that even if you delete the VIRUS/WORM it will still come back, restored and well.
Makes me wonder if my GENTOO BOX is SAFE..??
So I think it's time to get rid of this ILGL version of WIN XP, because I can't update the thing anyhow. SHAME ON ME I KNOW :oops:

The Dark (Tux's lil' helper)
Posted: Sun Sep 07, 2003 12:51 pm
> stonent wrote:
> Get their IPs and e-mail abuse@(the user's ISP).
> For example, if 4.2.2.1 (yeah right, big DNS server) was doing it:
> ```
> bash-2.05b# whois 4.2.2.1
> OrgName: Genuity
> OrgID: GNTY
> Address: Genuity
> Address: 225 Presidential Way
> City: Woburn
> StateProv: MA
> PostalCode: 01888
> Country: US
> NetRange: 4.0.0.0 - 4.255.255.255
> CIDR: 4.0.0.0/8
> NetName: GNTY-4-0
> NetHandle: NET-4-0-0-0-1
> Parent:
> NetType: Direct Allocation
> NameServer: DNSAUTH1.SYS.GTEI.NET
> NameServer: DNSAUTH2.SYS.GTEI.NET
> NameServer: DNSAUTH3.SYS.GTEI.NET
> Comment:
> RegDate:
> Updated: 2002-05-02
> ```
> E-mail abuse@genuity.com.
> Tell them that one of the hosts in their netblock has a virus or a cracking utility that is setting off intrusion detection on your network.
```
Date: 09/07 00:27:17 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.59.218.75:n/a -> myIP:n/a
Date: 09/07 00:37:32 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.57.130.139:n/a -> myIP:n/a
Date: 09/07 02:02:08 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.59.218.74:n/a -> myIP:n/a
Date: 09/07 02:08:04 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 24.212.0.254:1750 -> myIP:1434
Date: 09/07 04:07:04 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.59.218.74:n/a -> myIP:n/a
Date: 09/07 05:16:53 Name: ICMP PING NMAP
Priority: 2 Type: Attempted Information Leak
IP info: 68.114.165.81:n/a -> myIP:n/a
Date: 09/07 05:37:57 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 38.112.96.162:4808 -> myIP:1434
Date: 09/07 09:13:38 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.59.218.75:n/a -> myIP:n/a
Date: 09/07 09:30:14 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.57.130.139:n/a -> myIP:n/a
Date: 09/07 10:14:45 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.59.255.68:n/a -> myIP:n/a
Date: 09/07 10:34:53 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 200.203.120.200:1671 -> myIP:1434
Date: 09/07 10:42:48 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.59.218.74:n/a -> myIP:n/a
Date: 09/07 10:45:38 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.57.208.117:n/a -> myIP:n/a
Date: 09/07 12:52:12 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 202.108.61.213:2467 -> myIP:1434
```
This is just to give you an idea of how much this warning happens in a day.
It's like the whole world is full of HACKERS today...
You think that mailing the abuse address will cool them down, or make them more pissed at me..??
I wonder.... I wonder...
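An added example, not code from the thread, that triages alerts in the Date/Name/Priority/Type/IP info layout of the log above: it counts hits per signature, collects the external source IPs per signature (the addresses stonent suggests running through whois for the abuse mail), and sets aside any alert whose source is the sensor's own side, because an OUTBOUND propagation attempt is what would point to an infected host behind the box rather than to background noise from the Internet. The alert text is constructed; "myIP" stands in for the local address as it does in the posted log, and 192.0.2.17 is a placeholder destination.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the Snort log posted above; "myIP" is the sensor's own address.
SAMPLE_ALERTS = """\
Date: 09/07 00:27:17 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.59.218.75:n/a -> myIP:n/a
Date: 09/07 02:08:04 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 24.212.0.254:1750 -> myIP:1434
Date: 09/07 09:30:14 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 80.57.130.139:n/a -> myIP:n/a
Date: 09/07 12:52:12 Name: MS-SQL Worm propagation attempt OUTBOUND
Priority: 2 Type: Misc Attack
IP info: myIP:1434 -> 192.0.2.17:1434
"""

# One alert spans three lines: Date/Name, Priority/Type, IP info (src:port -> dst:port).
ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?)\s*"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+?)\s*"
    r"IP info: (?P<src>\S+?):(?P<sport>\S+) -> (?P<dst>\S+?):(?P<dport>\S+)",
    re.S,
)

def parse_alerts(text):
    """Return one dict per alert with keys date, name, prio, type, src, sport, dst, dport."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def triage(alerts, local="myIP"):
    """Count hits per signature, collect external source IPs per signature (the
    whois/abuse-mail candidates) and set aside alerts whose source is the local
    side: a propagation attempt leaving the network means a host behind the sensor is infected."""
    by_sig = Counter(a["name"] for a in alerts)
    sources = defaultdict(set)
    outbound = []
    for a in alerts:
        if a["src"] == local:
            outbound.append(a)
        else:
            sources[a["name"]].add(a["src"])
    return {"by_sig": by_sig, "sources": dict(sources), "outbound": outbound}

if __name__ == "__main__":
    report = triage(parse_alerts(SAMPLE_ALERTS))
    for sig, n in report["by_sig"].most_common():
        print(f"{n:3d}  {sig}  from {sorted(report['sources'].get(sig, []))}")
    for a in report["outbound"]: print("INFECTED HOST?", a["src"], "->", a["dst"], "port", a["dport"], "at", a["date"])
```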

stonent (Veteran)
Posted: Sun Sep 07, 2003 3:37 pm
Well, ISPs take hacking seriously.

The Dark (Tux's lil' helper)
Posted: Sun Sep 07, 2003 3:54 pm
> stonent wrote:
> Well, ISPs take hacking seriously.
Maybe it's time to give it a try..

devon (l33t)
Posted: Sun Sep 07, 2003 10:07 pm
There is a service called MyNetWatchman that automates the process of contacting ISPs for you. I would check them out.