Re: Update on Attacks
Grabbed this from the Defiance Forums, it is good to see you guys are making progress, I hope you nail the bastard/s soon.
Quote:
Dear Sir!
We are sorry about the incident and we are removing the server from the
net completely right now. Also we want to say thank you for the warning email,
and we would ask to end the network restrictions between our IP. We will
search for traceable logs within our system and if we find any valuable
data we will send it to you asap.
Thank you again for the warning and sorry for the inconvenience.
Peter Horvath
One down.
Quote:
Hello Nick,
Your request is under investigation, the user of the IP is informed and
replied that this was not his fault. But the traffic can verify the DoS at
the given time. So we hope that the customer can find the fault and fix it.
thx
Berk Uysaler
--
SILVER SERVER \\ t_bbt
Two Down.
Quote:
We did have traffic of ~50-70mbit between 2100 and 0100 (GMT+1) which I
have already started to look into this morning, though it seemed to have
originated from the wrong switch for that machine ... I will take a
closer look at the box and see if there are any usable traces left to
possibly track back the origin ... the box in question is a rather
"ancient" web server, up for replacement/migration ...
At the moment, I can't find any obvious info as for additional processes
or changes on the system itself - I will have to check the logfiles of
the http server for any info. Anyway, there have been multiple ftp
logins from unusual sources which may have abused some hole in the ftpd ...
Regards, G.Glendown / NETHINKS GmbH
Three Down.
More coming down now - Logs being sent from each server -- I hope this guy is smarter than me, as he just made a big mistake attacking my network.
We also have access to three of the servers that attacked and we are inspecting who has installed a packet daemon and where the packet daemon is receiving its attack signals from.
Obviously I haven't posted the mail from the servers we have access to.
But when / if he launches another attack, we will have full logs of what / who sends the signal to launch via netgrep and tcpdump, then start our final stage of the investigation.
Once we trace back to the "ordering" server, it will be a simple matter of asking the ISP to let us have access to it, then we should be close to nailing this guy.
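To illustrate the tcpdump-based step described in the post, here is an added example (not from the original post and not a tool the poster used): it parses constructed tcpdump-style lines, finds the second in which a compromised host starts flooding one destination, and lists the hosts that contacted it shortly before, which is where the "ordering" host would show up. All IPs, ports and thresholds are invented documentation-range values, not anything from the thread.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ (\S+)\.(\d+) > (\S+)\.(\d+): (\w+), length (\d+)")

def parse_line(line):
    """Parse one tcpdump-style line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, src, sport, dst, dport, proto, length = m.groups()
    return {"t": int(h) * 3600 + int(mi) * 60 + int(s), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto, "len": int(length)}

def flood_onset(records, agent, threshold):
    """First (second-of-day, destination) at which `agent` sends >= threshold packets in one second."""
    per_sec = Counter((r["t"], r["dst"]) for r in records if r["src"] == agent)
    hits = sorted(key for key, n in per_sec.items() if n >= threshold)
    return hits[0] if hits else None

def candidate_controllers(records, agent, onset, lookback):
    """Inbound (src, dport, proto) seen at `agent` in the `lookback` seconds before the flood.
    Replies from the victim are excluded; everything else is a lead for the analyst to check."""
    t0, victim = onset
    cands = defaultdict(int)
    for r in records:
        if r["dst"] == agent and r["src"] != victim and t0 - lookback <= r["t"] < t0:
            cands[(r["src"], r["dport"], r["proto"])] += 1
    return dict(cands)

def analyze(lines, agent, threshold=100, lookback=30):
    records = [r for r in map(parse_line, lines) if r]
    onset = flood_onset(records, agent, threshold)
    return onset, (candidate_controllers(records, agent, onset, lookback) if onset else {})

def build_sample():
    """Constructed capture: 192.0.2.10 is the compromised host, 203.0.113.5 the victim,
    198.51.100.7 the invented controller. None of these values come from the post."""
    lines = [
        "20:59:40.500 10.0.0.9.51000 > 192.0.2.10.80: TCP, length 60",      # ordinary web hit
        "20:59:58.300 198.51.100.7.4444 > 192.0.2.10.2222: UDP, length 40",  # small packet just before the flood
        "21:00:05.000 203.0.113.5.80 > 192.0.2.10.1024: TCP, length 40",    # victim reply, after onset
    ]
    for sec in range(3):  # 200 packets/s from the agent to the victim for three seconds
        for i in range(200):
            lines.append(f"21:00:0{sec}.{i:03d} 192.0.2.10.{1024 + i} > 203.0.113.5.80: UDP, length 1400")
    return lines

if __name__ == "__main__":
    onset, cands = analyze(build_sample(), "192.0.2.10")
    print("flood onset (second of day, victim):", onset)
    for key, n in sorted(cands.items(), key=lambda kv: -kv[1]):
        print("inbound before onset:", key, n)
```

On a real capture the same logic runs over `tcpdump -tttt`-style output once the timestamp regex is adjusted, and the short list it produces is what you hand to the upstream ISP along with the raw pcap.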