RFC 1819 or 1918 sorry not sure which one.. ietf.org

----- Original Message -----
From: "Lutz Badenheuer" <[EMAIL PROTECTED]>
To: "security-basics" <[EMAIL PROTECTED]>
Sent: Friday, October 26, 2001 5:41 PM
Subject: Re: help - can someone explain this to me?

> Please have another look at your documentation. The so-called
> "unregistered" IP-addresses are 10.0.0.0/8, 172.0.0.0/16 (I think, I
> don't use these ones) and 192.168.0.0/16.
>
> In fact, to me it doesn't seem that one of the denied connects listed
> below could have done any harm to your system. In fact, you shouldn't
> be too serious about the connects on ports "netbios-.*" (137, 139),
> because that is normal Windows file sharing and can be seen within
> every network that has Wintendo boxes in it.
>
> Possibly, your log files filled up your hard disk so that the machine
> crashed.
>
> If those connects were all within a short period of time and you've
> not seen connects like these in this massive amount before, something
> changed in that network, and your ISP should immediately scan his
> boxes for the Nimda worm. He could be vulnerable because of using
> the inherently insecure Windows operating system. Nimda replicates
> (among other mechanisms) using these ports which are used by the SMB
> protocol. This worm cannot do any harm to your Linux box.
>
> RedHat 6.1 is a very, very old release and can be easily attacked by
> using information or ready-to-use exploits that can be found at
> rootshell.com or similar sites. You should upgrade IMMEDIATELY - that
> means, NOW!
>
> Sorry for any inconveniences because of my bad English, but I'm a
> German and suffer from a lack of training in that language.
>
> HTH,
> Lutz
>
> On Friday, 26 October 2001 21:26, scott [gts] wrote:
> > I'm pretty sure that 10.*, 127.* and 198.* are not routable
> > on the internet (which is why so many LANs use them), so it
> > looks like whatever happened to your machine is coming
> > from inside the LAN where your machine is hosted.
> >
> > perhaps a machine that the ISP hosts is infected with something
> > and throwing out packets to everything on the LAN...?
> > (maybe it's another damn IIS worm, since it appears
> > that your ISP hosts mostly NT/IIS machines)
> >
> > but don't take my word, that's just a speculation, I'm
> > not a networking specialist or anything.
> >
> > > -----Original Message-----
> > > From: Steven M Bloomfield [mailto:[EMAIL PROTECTED]]
> > > Subject: help - can someone explain this to me?
> > >
> > > Hi,
> > > I'm webmaster of a large-ish website and yesterday the server
> > > went down. It is a Redhat 6.1 Linux server. All my ISP would do
> > > was press the 'reset' button - very kind of them (they are NT
> > > specialists).
> > > Inspecting my log files I found thousands of denied packets, all
> > > seem to be within a period of 6 hours.
> > > My question is, could such an attack disable my machine and crash
> > > it? Can anyone identify what sort of attack it was?
> > >
> > > Here's a summary below:
> > >
> > > Denied packets from modem-392.awesome.dialup.pol.co.uk
> > > (62.25.129.136). Port https (tcp,eth0,input): 5 packet(s).
> > > Total of 5 packet(s).
> > >
> > > Denied packets from 10.10.71.237.
> > > Port netbios-dgm (udp,eth1,input): 69 packet(s).
> > > Port netbios-ns (udp,eth1,input): 333 packet(s).
> > > Total of 402 packet(s).
> > >
> > > Denied packets from 10.10.0.4.
> > > Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > > Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > > Total of 3421 packet(s).
> > >
> > > Denied packets from userSg017.videon.wave.ca (204.112.48.37).
> > > Port 500 (udp,eth0,input): 6 packet(s).
> > > Total of 6 packet(s).
> > >
> > > Denied packets from 207.190.199.102.
> > > Port https (tcp,eth0,input): 11 packet(s).
> > > Total of 11 packet(s).
> > >
> > > Denied packets from 10.10.32.21.
> > > Port netbios-dgm (udp,eth1,input): 338 packet(s).
> > > Port netbios-ns (udp,eth1,input): 1742 packet(s).
> > > Total of 2080 packet(s).
> > >
> > > Denied packets from 172.17.0.18.
> > > Port 1434 (udp,eth1,input): 2 packet(s).
> > > Total of 2 packet(s).
> > >
> > > Denied packets from 10.10.1.37.
> > > Port netbios-dgm (udp,eth1,input): 496 packet(s).
> > > Port netbios-ns (udp,eth1,input): 2925 packet(s).
> > > Total of 3421 packet(s).
> > >
> > > Denied packets from 10.10.32.27.
> > > Port netbios-dgm (udp,eth1,input): 59 packet(s).
> > > Port netbios-ns (udp,eth1,input): 324 packet(s).
> > > Total of 383 packet(s).
> > >
> > > Denied packets from 10.10.32.28.
> > > Port netbios-dgm (udp,eth1,input): 107 packet(s).
> > > Port netbios-ns (udp,eth1,input): 513 packet(s).
> > > Total of 620 packet(s).
> > >
> > > Denied packets from 10.10.0.1.
> > > Port 0 (tcp,eth1,input): 3 packet(s).
> > > Total of 3 packet(s).
> > >
> > > Denied packets from 10.10.0.3.
> > > Port bootpc (udp,eth1,input): 19 packet(s).
> > > Port netbios-dgm (udp,eth1,input): 475 packet(s).
> > > Port netbios-ns (udp,eth1,input): 2259 packet(s).
> > > Total of 2753 packet(s).
> > >
> > > Thanks,
> > > Steve
>
> --
> Microsoft's software is 99% copied from UNIX. The other 1% serves to
> make MS incompatible with the rest of the world.
> Lutz Badenheuer | IT-Consulting, Development, Networksolutions
> [EMAIL PROTECTED] | C/C++, Perl, bash | Linux, SCO UNIX, Solaris
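One way to triage a summary like the one quoted above, as an added example that is not part of the thread: it parses the "Denied packets from ..." layout, checks each source against the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, the RFC the first reply was reaching for), and separates NetBIOS name/datagram chatter from everything else so the handful of entries worth a closer look stand out. The sample summary is constructed in the same format as Steve's log.

```python
import ipaddress
import re
from collections import defaultdict

# RFC 1918 private ranges: the "unregistered" addresses the thread is discussing
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# NetBIOS name service (UDP 137) and datagram service (UDP 138): routine Windows LAN chatter
NOISE_PORTS = {"netbios-ns", "netbios-dgm"}

# Constructed sample in the same layout as the firewall summary quoted in the thread
SAMPLE = """\
Denied packets from 10.10.0.4.
Port netbios-dgm (udp,eth1,input): 496 packet(s).
Port netbios-ns (udp,eth1,input): 2925 packet(s).
Total of 3421 packet(s).
Denied packets from userSg017.videon.wave.ca (204.112.48.37).
Port 500 (udp,eth0,input): 6 packet(s).
Denied packets from 172.17.0.18.
Port 1434 (udp,eth1,input): 2 packet(s).
"""
# Source line with an optional resolved hostname in front of the parenthesised address
SRC_RE = re.compile(r"^Denied packets from (?:\S+ \()?(\d+(?:\.\d+){3})\)?\.$")
PORT_RE = re.compile(r"^Port (\S+) \((\w+),(\w+),(\w+)\): (\d+) packet\(s\)\.$")

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_summary(text):
    """Return (source_ip, port, proto, iface, count) for every per-port line."""
    rows, src = [], None
    for line in text.splitlines():
        m = SRC_RE.match(line)
        if m:
            src = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and src:
            port, proto, iface, _direction, count = m.groups()
            rows.append((src, port, proto, iface, int(count)))
    return rows

def triage(text):
    """Sum denied packets per (origin, kind): internal/external source, noise/review port."""
    counts = defaultdict(int)
    for src, port, _proto, _iface, n in parse_summary(text):
        origin = "internal" if is_rfc1918(src) else "external"
        kind = "noise" if port in NOISE_PORTS else "review"
        counts[(origin, kind)] += n
    return dict(counts)
```

Run over the full summary from the thread, the "review" buckets are the only lines left to explain; the internal NetBIOS volume is what Lutz dismisses as normal browse traffic.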
