[PLUG] DShield, anyone using this?

Cooper Stevenson cooper at linux-enterprise.net
Thu Nov 21 17:21:06 PST 2002


I had a similar situation with my Apache access logs. I used this site
to perform a reverse IP address lookup: 

  http://eamnesia.com/index.jsp

From this information I gathered that many of the attacks were coming
from attbi.com's domain.

The nature of the attacks tells me that a worm had infected innocent
computers and was hitting my port 80.

I simply mailed a copy of the relevant portions of the log to
abuse at attbi.com. To their credit, they dispatched several automated
emails and the activity seems to have reduced.

This isn't the technical answer but if it gets the job done effectively
then who cares?

Hope This Helps,


Cooper


On Thu, 2002-11-21 at 16:16, Jim Webb wrote:
> Russell,
> 
> Thanks for this website.  I've seen this site or a site similar to this
> recently.  I can say that I'm getting probed for port 137 every 2 - 3
> minutes all day for several months.  I'm not sure why this is happening
> at such an increased rate recently.  I used to see this rarely, but not
> any more.  I hope that some of the people at CRIME have an insight.  I'm
> more than happy to share my log files.
> 
> Are the rest of you seeing this much activity?
> 
> TIA,
> 
> Jim
> 
> On Thu, 2002-11-21 at 18:16, Russell Evans wrote:
> > DShield provides a platform for users of firewalls to share intrusion
> > information. DShield is a free and open service. 
> > http://www.dshield.org/index.html
> > 
> > I hope not!
> > http://www.dshield.org/warning_explanation.php
> > 
> > Top ports probed
> > http://www.dshield.org/topports.html
> > 
> > The worst
> > http://www.dshield.org/top10.html
> > 
> > There were 3669393 reports of port 137 being probed on 2002-11-20. How much of
> > a percentage of that 3.6 million do you think is required to put one of the above
> > addresses on the top 10 list? 
> > 
> > Thank you
> > Russell
> > 
> > 
> > _______________________________________________
> > PLUG mailing list
> > PLUG at lists.pdxlinux.org
> > http://lists.pdxlinux.org/mailman/listinfo/plug





