Firewall Wizards
mailing list archives
Internal denial hack, interpret pix logs
From: Jim Cornelson <jcornelson () sheltonpublicschools org>
Date: 12 Jul 2002 17:32:18 -0000
We have a PIX 520...IOS 4.4.
We were recently hacked. Our Exchange 5.5 had an FTP server installed by
hackers and was used for spamming.
We terminated that problem....something strange started happening.
(I just started syslog after the hack.)
See the logs below. A DNS server for sis.com (sis.com.tw) started doing
a lot of business with our school servers. The PIX is denying its TCP
attempts....however, we have internal servers and workstations (in another
building) that build a UDP connection with it...then build outbound TCP
connections with it....then they are torn down. Next, the Taiwan server
tries to connect and is rejected.
What is going on? There are an enormous number of connections going
on....almost like a denial of service, only internally. This is occurring
only in one building or network. Internet access is slow even though only
4 or 5 people are in that building this time of year.
Please note....someone over a year ago built a server in that location
giving it an SIS NT domain name. SIS = Shelton Intermediate School. It
should have been called Sheltonpublicschools.org
An ipconfig shows the correct name server being used. We have an
internal nameserver for the Windows 2000 stuff, but it sends everything to
Genuity, which does our name service.
I do not believe this is happening because of a corrupt DNS file
someplace. I believe this is some type of internal denial of service.
Can you help or point me to the right group?
Global addresses have been altered and are not correct!
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-106015: Deny TCP (no connection) from 203.67.208.2/53 to 10.3.2.4/4922 flags ACK
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:58: %PIX-6-302002: Teardown TCP connection 22640 faddr 203.67.208.2/53 gaddr 6.20.4.56/4923 laddr 10.3.2.4/4923 duration 0:00:01 bytes 149 (TCP FIN)
2002-07-05 00:00:12 Local4.Info 10.2.0.1 Jul 05 2002 00:01:02: %PIX-6-302005: Built UDP connection for faddr 6.20.2.1/15208 gaddr 4.20.1.72/1192 laddr 10.2.0.93/1192
2002-07-05 00:00:05 Local4.Info 10.2.0.1 Jul 05 2002 00:00:55: %PIX-6-302005: Built UDP connection for faddr 203.67.208.2/63231 gaddr 6.20.4.56/4920 laddr 10.3.2.4/4920
2002-07-05 00:00:06 Local4.Info 10.2.0.1 Jul 05 2002 00:00:56: %PIX-6-302001: Built outbound TCP connection 22638 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4921 laddr 10.3.2.4/4921
2002-07-05 00:00:06 Local4.Info 10.2.0.1 Jul 05 2002 00:00:56: %PIX-6-302001: Built outbound TCP connection 22639 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922
2002-07-05 00:00:06 Local4.Info 10.2.0.1 Jul 05 2002 00:00:56: %PIX-6-302002: Teardown TCP connection 22638 faddr 203.67.208.2/53 gaddr 6.20.4.56/4921 laddr 10.3.2.4/4921 duration 0:00:01 bytes 149 (TCP FIN)
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-302001: Built outbound TCP connection 22640 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4923 laddr 10.3.2.4/4923
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-302002: Teardown TCP connection 22639 faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922 duration 0:00:01 bytes 149 (TCP FIN)
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:57: %PIX-6-106015: Deny TCP (no connection) from 203.67.208.2/53 to 10.3.2.4/4922 flags ACK
2002-07-05 00:00:07 Local4.Info 10.2.0.1 Jul 05 2002 00:00:58: %PIX-6-302002: Teardown TCP connection 22640 faddr 203.67.208.2/53 gaddr 4.20.1.70/4923 laddr 10.3.2.4/4923 duration 0:00:01 bytes 149 (TCP FIN)
Thanks,
Jim Cornelson
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
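As an added example (not from the post or from the list), here is a small Python script that parses the four PIX message types quoted above (302001, 302002, 302005, 106015), counts them per foreign/local host pair, and checks each "Deny TCP (no connection)" against the connections the PIX had already torn down. The sample records are the post's own, re-joined onto single lines; the message prefixes are the only assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample: the post's wrapped records re-joined onto single lines
# (the gaddr values are the post's own altered globals, not real addresses).
SAMPLE_LOG = """\
%PIX-6-302005: Built UDP connection for faddr 203.67.208.2/63231 gaddr 6.20.4.56/4920 laddr 10.3.2.4/4920
%PIX-6-302001: Built outbound TCP connection 22638 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4921 laddr 10.3.2.4/4921
%PIX-6-302001: Built outbound TCP connection 22639 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922
%PIX-6-302002: Teardown TCP connection 22638 faddr 203.67.208.2/53 gaddr 6.20.4.56/4921 laddr 10.3.2.4/4921 duration 0:00:01 bytes 149 (TCP FIN)
%PIX-6-302001: Built outbound TCP connection 22640 for faddr 203.67.208.2/53 gaddr 6.20.4.56/4923 laddr 10.3.2.4/4923
%PIX-6-302002: Teardown TCP connection 22639 faddr 203.67.208.2/53 gaddr 6.20.4.56/4922 laddr 10.3.2.4/4922 duration 0:00:01 bytes 149 (TCP FIN)
%PIX-6-106015: Deny TCP (no connection) from 203.67.208.2/53 to 10.3.2.4/4922 flags ACK
%PIX-6-302002: Teardown TCP connection 22640 faddr 203.67.208.2/53 gaddr 6.20.4.56/4923 laddr 10.3.2.4/4923 duration 0:00:01 bytes 149 (TCP FIN)
"""

# One regex per PIX message ID that appears in the post.
BUILT = re.compile(r"%PIX-6-30200[15]: Built (?:outbound )?(TCP|UDP) connection (?:\d+ )?for faddr (\S+) gaddr \S+ laddr (\S+)")
TEARDOWN = re.compile(r"%PIX-6-302002: Teardown TCP connection \d+ faddr (\S+) gaddr \S+ laddr (\S+) .*\((.*)\)")
DENY = re.compile(r"%PIX-6-106015: Deny TCP \(no connection\) from (\S+) to (\S+) flags (\S+)")

def parse(log_text):
    """Yield (kind, proto, faddr, laddr, detail) tuples; addresses keep their /port."""
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            yield "built", m.group(1), m.group(2), m.group(3), ""
        elif m := TEARDOWN.search(line):
            yield "teardown", "TCP", m.group(1), m.group(2), m.group(3)
        elif m := DENY.search(line):
            yield "deny", "TCP", m.group(1), m.group(2), m.group(3)

def correlate(log_text):
    """Count builds/teardowns per (foreign host, local host) and classify each
    106015 deny: a 4-tuple the PIX already tore down means the peer's final ACK
    arrived after the FIN teardown (noise); anything else is unsolicited."""
    closed = set()
    pairs = defaultdict(lambda: dict(udp_built=0, tcp_built=0, tcp_torn_down=0,
                                     late_ack=0, unsolicited=0))
    for kind, proto, faddr, laddr, _detail in parse(log_text):
        stats = pairs[(faddr.split("/")[0], laddr.split("/")[0])]
        if kind == "built":
            stats[proto.lower() + "_built"] += 1
        elif kind == "teardown":
            stats["tcp_torn_down"] += 1
            closed.add((faddr, laddr))
        else:
            stats["late_ack" if (faddr, laddr) in closed else "unsolicited"] += 1
    return dict(pairs)
```

Run over the post's records, the single 106015 deny lands in the late_ack bucket, since the PIX had just torn down connection 22639 on the same ports; a deny with no matching teardown would show up as unsolicited instead.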