Always build your systems with a nice warning:
This server is private property; you have no permission to access.
After catching some flies in your spider trap, grab their addresses for iptables immediately. If you can't protect your adjacent machines, or are unsure of everything, turn down your machine and network.
Always always always always report to the SWIP or network hosting authority (usually abuse@privatedns.org or abuse@cox.net) when you find packet traffic on your systems.
Here are the addresses I caught via snort on my honeypot DMZ system (built for the PLUG Hamachi HackFest).
iptables -A INPUT -s 66.114.50.78 -j DROP
iptables -A INPUT -s 70.38.56.186 -j DROP
iptables -A INPUT -s 146.137.96.7 -j DROP
iptables -A INPUT -s 169.237.215.148 -j DROP
iptables -A INPUT -s 74.125.95.101 -j DROP
iptables -A INPUT -s 208.80.152.2 -j DROP
iptables -A INPUT -s 65.55.172.87 -j DROP
iptables -A INPUT -s 70.183.191.46 -j DROP
iptables -A INPUT -s 17.250.248.95 -j DROP
iptables -A INPUT -s 70.183.191.89 -j DROP
iptables -A INPUT -s 72.215.225.96 -j DROP
iptables -A INPUT -s 65.55.172.87 -j DROP
So step one is to look up the address here:
http://www.network-tools.com
Take a full snapshot of the log (using grep) for each person and send it off to the authority listed in DNS records, including time, date, and time zone.
It's very important that you rebuild all systems, revert to restore points, remove all browser settings, and reconfigure your routers, including changing all passwords. The whole process seems daunting, but once you pick up a case of these lusers, they love to continue to cyber stalk, and will find a way back in if you do not remove:
a) Possible XSS browser plugins
b) exploited root for any system where ssh or apache was open
c) All router configurations; they are probably not what they seem.
A common side effect for systems people who are infested is a vague feeling that something is changing and they are not doing it. If this is happening to your various firewall systems (which is trivial to do via XSS), you will be best to backup or note changes. It's a good bet that you will need to rebuild everything.
NOTE: It's probable that you will not be able to run your systems in a secure manner and have them usable, so if you are targeted, you must report it. The intention to get into a system will usually win out even with an ASA, and most of us cannot live without email - the greatest risk.
I always report encroachments, I hope you will too.
Obnosis | (503)754-4452
PLUG Linux Security Labs 2nd Saturday Each Month@Noon - 3PM
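The post above hand-copies addresses out of snort alerts into one iptables line each and then greps the log per address for the abuse report. As an added example (not the poster's script, and not something the list carries), the shell below automates that loop end to end: it pulls the unique source addresses out of snort "fast" alert lines, emits or applies a de-duplicated DROP rule per address, and produces the per-address log excerpt with the sensor's time zone stated, which is the detail an abuse desk asks for. The alert lines are constructed for illustration and use RFC 5737 documentation addresses, not the hosts from the post; the rule-apply path uses iptables -C so re-running never appends the same rule twice. Before applying any rule, check whois for the block owner, since dropping a source that also serves mail or web content for you breaks more than it protects.

```shell
#!/bin/sh
# Added example: snort fast-alert lines -> unique attacker list, iptables rules,
# and per-address excerpt for an abuse report. Not the original poster's code.

# Constructed sample alerts in snort's alert_fast format (documentation addresses).
ALERTS='04/11-02:13:45.123456  [**] [1:1234:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:43210 -> 198.51.100.5:22
04/11-02:13:46.001002  [**] [1:1234:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:43211 -> 198.51.100.5:80
04/11-02:20:11.500000  [**] [1:2000:3] WEB-MISC /etc/passwd access [**] [Priority: 1] {TCP} 203.0.113.77:51000 -> 198.51.100.5:80
04/11-03:01:09.000000  [**] [1:1234:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.10:43212 -> 198.51.100.5:443'

# Source address is the token after "{PROTO} " and before " -> ".
# The "[^ ]*" swallows the ":port" part, so ICMP lines (no port) parse too.
# sort -u gives one entry per address, which avoids duplicate DROP rules.
attacker_ips() {
    printf '%s\n' "$ALERTS" \
        | sed -n 's/.*{[A-Z]*} \([0-9.]*\)[^ ]* -> .*/\1/p' \
        | sort -u
}

# Default: print the rules for review. "apply": insert them (needs root).
# iptables -C tests whether an identical rule already exists, so this is idempotent.
block_rules() {
    mode=${1:-print}
    attacker_ips | while read -r ip; do
        if [ "$mode" = apply ]; then
            iptables -C INPUT -s "$ip" -j DROP 2>/dev/null \
                || iptables -A INPUT -s "$ip" -j DROP
        else
            printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

# Everything one address did, with the sensor's time zone stated up front.
# Snort's timestamp carries no zone, so the report has to say which one applies.
report_for() {
    printf 'Sensor time zone: %s (all timestamps below are local sensor time)\n' "$(date +%Z)"
    printf '%s\n' "$ALERTS" | grep -F " $1:"
}

# Look up the abuse contact before blocking or reporting (network access needed;
# assumption: the whois client is installed). Not run by default.
abuse_contact() {
    whois "$1" | grep -i 'abuse'
}

# Usage: sh this.sh           -> print rules and a sample report
#        sh this.sh apply     -> actually insert the DROP rules
block_rules "$1"
for ip in $(attacker_ips); do
    echo "--- report for $ip ---"
    report_for "$ip"
done
```

Feed real alerts by replacing the ALERTS variable with `cat /var/log/snort/alert`; the parsing does not change. For more than a handful of addresses an ipset hash with a single iptables rule referencing it scales better than one rule per address, but the per-rule form above matches what the post shows.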
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss