Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Jonathan C. Hamill (waspleg home.com)
Date: Sun Jun 10 2001 - 21:30:18 CDT
This is some information I've been compiling on a DoS kiddie from irc.dal.net who goes by the handle cpio; these are the events that transpired and what happened as a result. He's been using some hacked accounts' bandwidth to drop down tons of traffic on me from various misconfigured hosts, which he probably got from netscan.org. I'm being packeted even as I write this, but he has yet to take down my connection completely. What I'm wondering is if there is anything I can do to make this stop. I realize that it's virtually impossible to find out where he's coming from, as he always uses various shell accounts and BNCs on IRC, but from previous conversations I know he lives in New Jersey. As it is a Sunday there is no one available at my local Home offices, and I can't think of anything else to do but wait it out; as of this writing it's been 6 hours of continuous packeting. My numerous attempts to get a continual log of the attack have been thwarted by the volume of traffic, most of which my OpenBSD 2.7 system's kernel keeps dropping; tcpdump/smurflog can't keep up and both crash after a few seconds. I would appreciate any help anyone can offer me with this matter.
Thanks in advance,
Jon Hamill
MCSE, A+, Network+
Computer Consultant
Sunday June 10, 2001
irc logs:
[cpio(cpio@c1530360-a.bllvu1.wa.home.com)] in a few gigs get back to me
[cpio(cpio@c1530360-a.bllvu1.wa.home.com)] i hope you treasure such things as internet access and telephone service
*** Lastlog:
13:43 *** cpio [cpio@c1530360-a.bllvu1.wa.home.com] has joined #unixgeeks
13:43 *** mode/#unixgeeks [+o cpio] by ChanServ
13:43 *** Topic (#unixgeeks): changed by cpio: Jon Hamill 7524 Old Oakland Blvd. W. Dr. Indianapolis, IN 46236 Phone: 317-371-2828
13:44 *** mode/#unixgeeks [-o+b cpio *!*cpio@*.home.com] by Godthe1st
13:44 *** cpio was kicked off #unixgeeks by Godthe1st (Take thy beak from out my heart and take thy form from off my door!)
13:44 *** ServerMode/#unixgeeks [-b *!*cpio@*.home.com] by twisted.ma.us.dal.net
13:44 *** cpio [cpio@c1530360-a.bllvu1.wa.home.com] has joined #unixgeeks
13:44 *** mode/#unixgeeks [+o cpio] by ChanServ
13:44 <cpio> you are dade!
13:44 *** mode/#unixgeeks [-o+b Godthe1st *!*?v?r?c?@?t?1?9?5?b.?v?n?v?.?n.?o?e.?o?] by cpio
13:44 >>> You have been kicked off #unixgeeks by cpio (UNF)
13:48 [msg(cpio)] does dosing people make your penis look bigger when you wake up and look in the mirror every morning
13:49 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] in a few gigs get back to me
13:50 [msg(cpio)] heh you're pathetic
13:50 -ChanServ(service@dal.net)- 1 - cpio (cpio@c1530360-a.bllvu1.wa.home.com)
13:50 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] i hope you treasure such things as internet access and telephone service
13:51 [msg(chanserv@services.dal.net)] aop #unixgeeks del cpio
13:52 -ChanServ(service@dal.net)- cpio has been successfully removed from the AOp list of #unixgeeks
13:52 1 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] in a few gigs get back to me
13:52 0 [cpio(cpio@c1530360-a.bllvu1.wa.home.com)] i hope you treasure such things as internet access and telephone service
system logs:
Jun 10 13:53:03 wrath smurflog[22787]: Threshold reached, 410.79kbps 399pkt/s, Looks like a smurf.
Jun 10 13:53:04 wrath smurflog[22787]: #1 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #2 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #3 - Probable Smurf attack detected from 156.3.255.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #4 - Probable Smurf attack detected from 204.142.116.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #5 - Probable Smurf attack detected from 204.27.77.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #6 - Probable Smurf attack detected from 24.88.55.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #7 - Probable Smurf attack detected from 141.141.2.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #10 - Probable Smurf attack detected from 216.172.225.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #14 - Probable Smurf attack detected from 206.137.31.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #15 - Probable Smurf attack detected from 207.62.143.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #18 - Probable Smurf attack detected from 139.4.130.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #19 - Probable Smurf attack detected from 255.255.255.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #20 - Probable Smurf attack detected from 129.250.194.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #21 - Probable Smurf attack detected from 209.114.130.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #22 - Probable Smurf attack detected from 209.101.59.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #23 - Probable Smurf attack detected from 206.14.230.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #24 - Probable Smurf attack detected from 203.36.98.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #25 - Probable Smurf attack detected from 203.37.105.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #26 - Probable Smurf attack detected from 204.95.121.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #27 - Probable Smurf attack detected from 208.22.190.0/24 (1052 bytes)
Jun 10 13:53:06 wrath smurflog[22787]: #28 - Probable Smurf attack detected from 24.248.249.0/24 (1500 bytes)
Jun 10 14:00:01 wrath syslogd: restart
Note the times coincide: the syslogd restart is the point at which the packets got to be too many for it to handle and it literally crashed and restarted itself.
Jun 10 18:13:20 wrath smurflog[6359]: Now monitoring ne0 for smurf attacks.
Jun 10 18:13:21 wrath smurflog[13273]: Threshold reached, 264.03kbps 257pkt/s, Looks like a smurf.
Jun 10 18:13:21 wrath smurflog[13273]: #1 - Probable Smurf attack detected from 169.130.130.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #2 - Probable Smurf attack detected from 129.250.194.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #3 - Probable Smurf attack detected from 204.147.83.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #4 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #5 - Probable Smurf attack detected from 216.172.225.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #7 - Probable Smurf attack detected from 139.4.130.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #11 - Probable Smurf attack detected from 156.3.255.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #12 - Probable Smurf attack detected from 24.88.55.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #13 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)
We check back 4 hours later to see that cpio is still going...
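An added example, not part of Jon's post and not smurflog's own code: the script below parses a constructed subset of the smurflog records quoted above (rejoined one record per line) and extracts what a practitioner would want in hand before contacting the upstream provider or the administrators of the amplifier networks. It groups detections into waves by the smurflog PID that logged them (my assumption: a new PID is a restarted smurflog and so a new wave), lists the /24s that recur in both waves (evidence the attacker is replaying one list of broadcast-amplifying networks, as the post suspects), drops entries that cannot be real amplifiers (255.255.255.0/24 is reserved space, not a network anyone can complain to; the `is_global` check is my choice), and derives the mean packet size each `Threshold reached` line implies (about 128 bytes per packet in both waves). Function names and the report format are mine. Two caveats: none of this reduces the flood, since filtering ICMP echo replies on the victim host cannot recover link bandwidth already consumed upstream, so the output is for reporting only; and because the kernel was dropping packets and the capture tools were crashing, the recorded networks are a sample, not the full amplifier set. The `syslogd: restart` record is skipped; on OpenBSD syslogd logs that same message whenever it receives SIGHUP, for instance from newsyslog when the hourly cron entry rotates a log, so that record alone does not distinguish a crash from a routine rotation.

```python
import ipaddress
import re

# Constructed sample: a subset of the smurflog records quoted in the post,
# rejoined one record per line. Not a complete copy of the post's log.
SMURFLOG_SAMPLE = """\
Jun 10 13:53:03 wrath smurflog[22787]: Threshold reached, 410.79kbps 399pkt/s, Looks like a smurf.
Jun 10 13:53:04 wrath smurflog[22787]: #1 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #2 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #3 - Probable Smurf attack detected from 156.3.255.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #5 - Probable Smurf attack detected from 204.27.77.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #6 - Probable Smurf attack detected from 24.88.55.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #10 - Probable Smurf attack detected from 216.172.225.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #18 - Probable Smurf attack detected from 139.4.130.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #19 - Probable Smurf attack detected from 255.255.255.0/24 (1052 bytes)
Jun 10 13:53:04 wrath smurflog[22787]: #20 - Probable Smurf attack detected from 129.250.194.0/24 (1052 bytes)
Jun 10 14:00:01 wrath syslogd: restart
Jun 10 18:13:20 wrath smurflog[6359]: Now monitoring ne0 for smurf attacks.
Jun 10 18:13:21 wrath smurflog[13273]: Threshold reached, 264.03kbps 257pkt/s, Looks like a smurf.
Jun 10 18:13:21 wrath smurflog[13273]: #1 - Probable Smurf attack detected from 169.130.130.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #2 - Probable Smurf attack detected from 129.250.194.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #3 - Probable Smurf attack detected from 204.147.83.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #4 - Probable Smurf attack detected from 169.130.17.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #5 - Probable Smurf attack detected from 216.172.225.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #7 - Probable Smurf attack detected from 139.4.130.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #11 - Probable Smurf attack detected from 156.3.255.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #12 - Probable Smurf attack detected from 24.88.55.0/24 (1052 bytes)
Jun 10 18:13:21 wrath smurflog[13273]: #13 - Probable Smurf attack detected from 207.108.84.0/24 (1052 bytes)
"""

# The two record shapes smurflog emits in the post; anything else (syslogd
# restart, "Now monitoring") is ignored.
THRESHOLD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ smurflog\[(?P<pid>\d+)\]: "
    r"Threshold reached, (?P<kbps>[\d.]+)kbps (?P<pps>\d+)pkt/s")
DETECT_RE = re.compile(
    r"smurflog\[(?P<pid>\d+)\]: #\d+ - Probable Smurf attack detected "
    r"from (?P<net>\d+\.\d+\.\d+\.\d+/\d+) \((?P<bytes>\d+) bytes\)")


def parse_waves(text):
    """Group detections into waves keyed by the smurflog PID that logged them.
    Assumption: a new PID is a restarted smurflog, hence a new wave."""
    waves = {}
    for line in text.splitlines():
        m = THRESHOLD_RE.search(line)
        if m:
            waves[m["pid"]] = {"start": m["ts"], "kbps": float(m["kbps"]),
                               "pps": int(m["pps"]), "amplifiers": []}
            continue
        m = DETECT_RE.search(line)
        if m and m["pid"] in waves:
            waves[m["pid"]]["amplifiers"].append(m["net"])
    return list(waves.values())


def avg_packet_bytes(kbps, pps):
    """Mean packet size implied by a threshold line (kilobit/s over packets/s)."""
    return kbps * 1000 / 8 / pps


def recurring_amplifiers(waves):
    """Networks present in every wave: the attacker's reused amplifier list."""
    sets = [set(w["amplifiers"]) for w in waves]
    return sorted(set.intersection(*sets)) if sets else []


def implausible_amplifiers(nets):
    """Entries that cannot be real amplifiers (reserved, private or broadcast
    space); smurflog binned a bogus source address, so do not report these."""
    return [n for n in nets if not ipaddress.ip_network(n, strict=False).is_global]


def abuse_summary(waves):
    """One line per routable amplifier network, most-recurring first."""
    seen = {}
    for w in waves:
        for n in w["amplifiers"]:
            seen.setdefault(n, []).append(w["start"])
    bogus = set(implausible_amplifiers(list(seen)))
    return ["%-18s waves=%d first_seen=%s" % (n, len(ts), ts[0])
            for n, ts in sorted(seen.items(), key=lambda kv: -len(kv[1]))
            if n not in bogus]


if __name__ == "__main__":
    waves = parse_waves(SMURFLOG_SAMPLE)
    for w in waves:
        print("wave at %s: %.0f bytes/packet, %d amplifier networks" % (
            w["start"], avg_packet_bytes(w["kbps"], w["pps"]), len(w["amplifiers"])))
    print("reused in every wave:", recurring_amplifiers(waves))
    print("bogus entries:", implausible_amplifiers(sum((w["amplifiers"] for w in waves), [])))
    print("\n".join(abuse_summary(waves)))
```

Run against the full log rather than the subset and the recurring set is the same seven /24s, which is the list worth sending to each network's abuse contact along with the timestamps; the per-packet size is what to quote to the provider when asking them to rate-limit ICMP echo replies toward the host upstream of the access link.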