Thank you everyone for replying. I have gotten some more information from my ISP regarding this. What caused me to panic originally, was I thought I was subject to a DoS attack with 10.x addresses being spoofed. What I missed was that my machine has 2 network card. If you look below, the NetBios packets come from eth1 which is connected to an internal network that my ISP uses for backup purposes, and other server management. My company doesn't pay for this service, plus it's a Linux machine and not NT, they don't support Linux. They are looking into the cause of this, it might be a new machine on the network, or, (they didn't say this) it could be their machines have been infected with Nimida (I know of another ISP that got hit by this, who are supposedly security experts!?).
If you look below, I was hit from two external IP's on eth0, which is connected to the internet. I think it just may have been coincidence... but i'm not ruling out foul play yet! I may have been part of an initial IP range vulnerability scan, and machine within the network have been infected. I'm not an expert on these matter since my job is webmastery, and web page development. Has anyone got any opinions on this? Thank you. Steve ----- Original Message ----- From: "Andrew Blevins" <[EMAIL PROTECTED]> To: "'scott [gts]'" <[EMAIL PROTECTED]>; "security-basics" <[EMAIL PROTECTED]> Sent: Friday, October 26, 2001 10:02 PM Subject: RE: help - can someone explain this to me? > That these reserved addresses can't be routed I don't think is entirely true > (but I'm not a network spec. either! :-) . I have seen many ISP's use 10. > addresses for their own routers, and for all intent's and purposes "The > Internet" includes some ISP networks (cable, DSL). It is very possible that > someone is spoofing those 10. addresses, and they are still being routed > through to your box. many times a DoS contains many spoofed source > addresses. > > Andrew Blevins > Arrowhead Help Desk > 1-800-669-1889 > x. 8569 > > > -----Original Message----- > From: scott [gts] [mailto:[EMAIL PROTECTED]] > Sent: Friday, October 26, 2001 12:26 PM > To: security-basics > Subject: RE: help - can someone explain this to me? > > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > im pretty sure that 10.*, 127.* and 198.* are not routable > on the internet (which is why so many LANs use them), so it > looks like whatever happened to your machine is coming > from inside the LAN where your machine is hosted. > > perhaps a machine that the ISP hosts is infected with something > and throwing out packets to everything on the LAN...? > (maybe it's another damn IIS worm, since it appears > that your ISP hosts mostly NT/IIS machines) > > but dont take my word, that's just a speculation, i'm > not a networking specialist or anything. > > > -----Original Message----- > > From: Steven M Bloomfield [mailto:[EMAIL PROTECTED]] > > Subject: help - can someone explain this to me? > > > > Hi, > > I'm webmaster of a large-ish website and yesterday the server went > down. > > It is a Redhat 6.1 Linux server. All my ISP would do was press the > 'reset' > > button - very kind of them (they are NT specialists). > > Inspecting my log files I found thousands of denied packets, all seem to > be > > within a period of 6 hours. > > My question is, could such an attack disable my machine and crash it? Can > > anyone identify what sort of attack it was? > > > > Here's a summary below: > > > > Denied packets from modem-392.awesome.dialup.pol.co.uk (62.25.129.136). > > Port https (tcp,eth0,input): 5 packet(s). > > Total of 5 packet(s). > > > > Denied packets from 10.10.71.237. > > Port netbios-dgm (udp,eth1,input): 69 packet(s). > > Port netbios-ns (udp,eth1,input): 333 packet(s). > > Total of 402 packet(s). > > > > Denied packets from 10.10.0.4. > > Port netbios-dgm (udp,eth1,input): 496 packet(s). > > Port netbios-ns (udp,eth1,input): 2925 packet(s). > > Total of 3421 packet(s). > > > > Denied packets from userSg017.videon.wave.ca (204.112.48.37). > > Port 500 (udp,eth0,input): 6 packet(s). > > Total of 6 packet(s). > > > > Denied packets from 207.190.199.102. > > Port https (tcp,eth0,input): 11 packet(s). > > Total of 11 packet(s). > > > > Denied packets from 10.10.32.21. > > Port netbios-dgm (udp,eth1,input): 338 packet(s). > > Port netbios-ns (udp,eth1,input): 1742 packet(s). > > Total of 2080 packet(s). > > > > Denied packets from 172.17.0.18. > > Port 1434 (udp,eth1,input): 2 packet(s). > > Total of 2 packet(s). > > > > Denied packets from 10.10.1.37. > > Port netbios-dgm (udp,eth1,input): 496 packet(s). > > Port netbios-ns (udp,eth1,input): 2925 packet(s). > > Total of 3421 packet(s). > > > > Denied packets from 10.10.32.27. > > Port netbios-dgm (udp,eth1,input): 59 packet(s). > > Port netbios-ns (udp,eth1,input): 324 packet(s). > > Total of 383 packet(s). > > > > Denied packets from 10.10.32.28. > > Port netbios-dgm (udp,eth1,input): 107 packet(s). > > Port netbios-ns (udp,eth1,input): 513 packet(s). > > Total of 620 packet(s). > > > > Denied packets from 10.10.0.1. > > Port 0 (tcp,eth1,input): 3 packet(s). > > Total of 3 packet(s). > > > > Denied packets from 10.10.0.3. > > Port bootpc (udp,eth1,input): 19 packet(s). > > Port netbios-dgm (udp,eth1,input): 475 packet(s). > > Port netbios-ns (udp,eth1,input): 2259 packet(s). > > Total of 2753 packet(s). > > > > Thanks, > Steve > > -----BEGIN PGP SIGNATURE----- > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> > > iQA/AwUBO9m43caXTGgZdrSUEQIcvgCfZ+8J4IIJNGsEITW9jBHaEhU0bFUAoME/ > jsdkTYNv3uylkRyyhvvyuQzi > =mXgL > -----END PGP SIGNATURE----- > >
