Incidents Mode:
(Page 2 of 170)  < Prev  1 2 3 4 5 6 7 8 9 10 11  Next >
Re: [Pinguzilla] Weird Traffic 2008-05-28
Jonathan Adams (keirre adams gmail com) (1 replies)
John,

I am running late for my real job :) but when I come back I'll run
some more tests and post the results.

BTW, 1.5 GB transferred yesterday. There is no way this is valid web
or ftp traffic... something is proxying through my box...

I'm sure of it

On Tue, May 27, 2008 at 11:06 PM, John Duks

Re: [Pinguzilla] Weird Traffic 2008-05-29
Leon Ward (seclists rm-rf co uk)
Re: [Pinguzilla] Weird Traffic 2008-05-28
Jonathan Adams (keirre adams gmail com) (1 replies)
Well... I got the results of an 11hr TCPDUMP run.. and it shows...
NOTHING.. a couple of probes, lots of network traffic (router
messages, ARP requests, Windows NETBIOS noise from my ISP's lan) only
got a few probes today... apparently the FW rules shut down most of
the traffic for now.

What is wei

R: [Pinguzilla] Weird Traffic 2008-05-29
Vega - Brunello Ivan (I Brunello vegaspa it)
Re: Weird Traffic 2008-05-28
Jonathan Adams (keirre adams gmail com)
I'm on FreeBSD, netstat doesn't like the -p without a parameter [protocol]

I'm familiar with pstree and lsof.. there's still no smoking guns

On Tue, May 27, 2008 at 5:31 PM, Michael Loftis <mloftis (at) wgops (dot) com> wrote:
> if on linux -- the latter requires psmisc (or your dists equivalent)
> installed...

Re: Weird Traffic 2008-05-27
Jonathan Adams (keirre adams gmail com)
I've not found the source of the majority of the data, but I have
found a huge amount of weird requests in my apache log, and I'm fairly
certain it's http traffic... I may cron of a protocol analysis tool
tonight to see if I can find more. I've run nmap scans, but stupidly
have not used the udp scan

Re: Weird Traffic 2008-05-27
Jonathan Adams (keirre adams gmail com) (2 replies)
Well since the last post, I've scanned the drive for large files
(warez) nothing there...

aside from the proxying I'm getting a lot of weird (botnet I guess) traffic

looks like this:
[Tue May 27 14:30:33 2008] [error] [client 123.233.174.136] File does
not exist: /home/[snip]/www/sibbs3/admin/board/

Re: Weird Traffic 2008-05-28
Richard Sammet (richard sammet googlemail com)
Re: Weird Traffic 2008-05-27
Gary Baribault (gary baribault net) (1 replies)
Re: Weird Traffic 2008-05-27
Michael Gorsuch (michael styledbits com)
Weird Traffic 2008-05-27
Jonathan Adams (keirre adams gmail com) (3 replies)
All,

I have a leased server I use to host some websites and for the past
week I have been getting traffic warnings. The server has been
transferring > 1GB of data per day, which is unusually high,
especially since I moved my mail to Google Apps. I have noticed a
ridiculous amount of attempted pro

Re: Weird Traffic 2008-05-28
pinowudi (pinowudi gmail com)
Re: Weird Traffic 2008-05-27
Michael Loftis (mloftis wgops com)
RE: Weird Traffic 2008-05-27
Jackson, Ben (ITD) (Ben Jackson state ma us)
RE: Possible Zombie/Bot? 2008-05-17
admin systemstates net (1 replies)
Hi Tony,

Never seen this before with a bot - would be worth running some of the
rootkit checking programs (e.g. Rootkit Revealer -
http://technet.microsoft.com/en-gb/sysinternals/bb897445.aspx) and
having a look through the startup entries using HijackThis.

Having said that, if it comes up 'clean'

Re: Possible Zombie/Bot? 2008-05-19
xelerated (xelerated gmail com)
Re: Weird SSH attack last night and this morning (still ongoing) 2008-05-16
Valdis Kletnieks vt edu
On Fri, 16 May 2008 17:19:16 EDT, dxp said:

> Correction, one would only need to generate the amount of keys which
> would equal the size of maximum PID value on Linux based system
> (PID_MAX_DEFAULT). That equals to 32768 (2^15) on 32bit platform or
> more precisely on LP32 data model systems.

T

Re: Weird SSH attack last night and this morning (still ongoing) 2008-05-16
Valdis Kletnieks vt edu
On Fri, 16 May 2008 01:17:48 BST, Alex Howells said:

> > of possible keys, it would only generate one of some 2^18 keys, making the
> > brute forcing much easier (if you had a botnet of 10,000 bots, you could
> > break a weak key with an average of only 13 probes per bot, as opposed to
> > the seve

Re: Distributed Bruteforce against SSH 2008-05-12
Gary Baribault (gary baribault net)
Yep, that's what I use, and that's what the distributed attack is all
about, since the same IP is not always used, then the DenyHost script
does not kick in .. I actually get about 30 DenyHost messages per hour,
so there is some re-use of IPs happening, but not that many.

Gary B

Joel Esler wr

Distributed Bruteforce against SSH 2008-05-12
Gary Baribault (gary baribault net) (2 replies)
I guess what I reported last week was the warmup round .. We're now
getting thousands of attempted logins with the standard dictionary of
potential login names.

As I stated, I'm not interested in avoiding these attacks, so please
don't suggest that I change the SSH port, my machines are safe enoug

RE: Distributed Bruteforce against SSH 2008-05-12
Keith T. Morgan (keith morgan terradon com) (1 replies)
Re: Distributed Bruteforce against SSH 2008-05-12
Tim Kennedy (tim timkennedy net)
RE: Distributed Bruteforce against SSH 2008-05-12
Keith T. Morgan (keith morgan terradon com)
Possible Zombie/Bot? 2008-05-12
Tony Raboza (tonyraboza gmail com) (1 replies)
Hi,

I saw on our MRTG graph and monitoring tool that a PC on our LAN is
sending out large ICMP traffic to a public IP address. Upon checking
on our Internet gateway, I saw this:

09:23:23.062502 IP 172.16.210.210 > ns2.majordomo.ru: ICMP echo
request, id 43013, seq 511, length 1480
09:23:23.062520

Re: Possible Zombie/Bot? 2008-05-13
john lokka (merigoth gmail com)
Copyright 2010, SecurityFocus