Is your Outlook server running web access? Never mind, I see that it is. It looks like the traffic is standard HTTP since it is coming to a destination port of 80. I would also track what traffic usually comes over the source ports 1568 and 1136; off the top of my head I am not certain. I would, if nothing else, make sure that your Outlook server is patched, and if it is not set up to do so, I would strongly recommend that you set up your web access to use SSL instead of standard HTTP, if not already done.

---
Regards,
On Tue, 15 Jan 2002 11:58:36 Reichert Holger wrote:
>Hello Trevor
>
>first of all, as you may guess (nobody else replied), I think that this list
>is not the right one to post such events.
>I propose to cross-post it to [EMAIL PROTECTED]
>
>There you're more likely to find the specialists in logfile reading.
>I myself am only a beginner in intrusion analysis, but from what I've read by
>this time the first two packets from Snort show the third part of the TCP
>3-way handshake.
>So to know if there has ever been a complete TCP connection you should
>search your logfiles for the SYN/ACK which your machine sent to 12.224.241.144
>and the SYN which 12.224.241.144 sent to your site.
>Only if you see all these packets has there been an active TCP connection to
>your server.
>If you only see these ACKs, there are two possibilities:
>1) You've been scanned with ACK to see if your server is listening on
>port 80.
> If you only see these ACKs to this server you should take this
>seriously, because the attacker already knows your server.
>2) Somebody has spoofed your IP address and scanned another host with
>SYN/ACK packets.
>
>The last packet in your mail says definitely that there has been a connect.
>But for the analysis I'm not yet smart enough.
>For more assistance in discovering if your server got compromised there is
>another list:
>[EMAIL PROTECTED]
>For help with interpreting Snort messages search on snort.org or ask
>questions on their mailing list.
>Probably you can get advice from your local CERT. Try to phone them and ask
>for routines you should go through.
>
>For future problem solving I suggest using Tripwire, which is one
>possibility to know fast if you were compromised.
>
>Best wishes
>
>Holger Reichert
>www.holysword.de
>[EMAIL PROTECTED]
>
>
>Trevor wrote:
>___________________________________________________
>Hi all,
>
> These are entries from my Snort IDS logs and my firewall logs for the IP
>address reported by Snort. It looks like an attempt to get into our Outlook
>Web Access server. If it was a hack, how could I tell if it was successful or
>not? I did a google on it and did not come up with much.
>
>[**] [1:882:1] WEB-CGI calendar access [**]
>[Classification: Attempted Information Leak] [Priority: 3]
>01/08-12:54:08.793287 12.224.241.144:1136 -> 63.xxx.xxx.xxx:80
>TCP TTL:51 TOS:0x0 ID:2276 IpLen:20 DgmLen:730 DF
>***AP*** Seq: 0xF608349 Ack: 0xFC8B5BF0 Win: 0x8ECD TcpLen: 20
>
>[**] [1:882:1] WEB-CGI calendar access [**]
>[Classification: Attempted Information Leak] [Priority: 3]
>01/08-18:53:45.398355 12.224.241.144:1568 -> 63.xxx.xxx.xxx:80
>TCP TTL:51 TOS:0x0 ID:5645 IpLen:20 DgmLen:818 DF
>***AP*** Seq: 0x5C2AE779 Ack: 0x36609C29 Win: 0x8ECF TcpLen: 20
>
>Jan 09 21:53:31.093 xxxxxxxxx httpd[339]: 121 Statistics: duration=4.23
>id=51ZeM sent=544 rcvd=707 srcif=Vpn4 src=12.224.241.144/3172
>cldst=63.xxx.xxx.xxx/80 svsrc=192.xxx.xxx.xxx dstif=Vpn3
>dst=192.xxx.xxx.xxx/80 op=GET
>arg=http://www.venocoinc.com/exchange/forms/IPM/NOTE/frmRoot.asp?index=0&obj
>=000000005DDB3712FA5CD411A7EF00A0C9E0A0180700085F598189CED211A7BD00A0C9E0A01
>8000000AC4A6B00006AC011B1CB7FD411BC78001083FC58260000006245B20000&command=op
>en result="302 Object moved" proto=http rule=6
>
>Thanks for the help
>
>Trevor Maingot
>* 805-745-2121
>* 805-455-9660
>* 805-745-1926
>* [EMAIL PROTECTED]
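Holger's checklist above (find the SYN from the remote host, the SYN/ACK from your server and then the ACK; treat an ACK on its own as an ACK scan or a spoofed-source artefact) as an added Python example that is not part of the thread. It parses records in the Snort full-alert layout shown in Trevor's mail and classifies each client/server pair; the sample log is constructed with RFC 5737 addresses, and the code assumes the handshake packets were logged in that same layout (Snort's own alert file normally holds only the packets that matched a rule, so the SYN and SYN/ACK usually have to come from a firewall or full-packet log).

```python
import re

# Snort full-alert timestamp line, e.g. "01/08-12:54:08.793287 12.224.241.144:1136 -> 63.x.x.x:80"
HDR = re.compile(r"^(\d\d/\d\d-[\d:.]+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")
# Snort TCP flag field "12UAPRSF", '*' for an unset bit, e.g. "***AP***" = ACK+PSH
FLAGS = re.compile(r"^([12*][12*][U*][A*][P*][R*][S*][F*])\s+Seq:")

def parse_alerts(text):
    # Yield (src, sport, dst, dport, flag_set) for each alert record in the log
    hdr = None
    for line in text.splitlines():
        m = HDR.match(line.strip())
        if m:
            hdr = m.groups()[1:]          # keep src/sport/dst/dport, drop the timestamp
            continue
        m = FLAGS.match(line.strip())
        if m and hdr:
            yield hdr + (set(m.group(1).replace("*", "")),)
            hdr = None

def handshake_state(text, client, server, dport="80"):
    """Classify what the log shows for client -> server:dport, following the checklist."""
    seen = set()
    for src, sport, dst, dst_port, flags in parse_alerts(text):
        if (src, dst, dst_port) == (client, server, dport):
            if flags == {"S"}:
                seen.add("SYN")
            elif "A" in flags:             # any ACK-bearing packet without SYN
                seen.add("ACK")
        elif (src, sport, dst) == (server, dport, client) and flags >= {"S", "A"}:
            seen.add("SYN/ACK")
    if {"SYN", "SYN/ACK", "ACK"} <= seen:
        return "complete handshake: a real TCP connection was established"
    if seen == {"ACK"}:
        return "ACK only: possible ACK scan, or our address spoofed toward a SYN/ACK scan"
    return "partial: " + ", ".join(sorted(seen)) if seen else "no packets logged for this pair"

# Constructed sample log (RFC 5737 addresses), modelled on the alerts in the thread
SAMPLE = """\
01/08-12:54:08.100000 198.51.100.7:1136 -> 192.0.2.10:80
******S* Seq: 0xF608300 Ack: 0x0 Win: 0x8ECD TcpLen: 40
01/08-12:54:08.200000 192.0.2.10:80 -> 198.51.100.7:1136
***A**S* Seq: 0xFC8B5BEF Ack: 0xF608301 Win: 0x4000 TcpLen: 40
01/08-12:54:08.793287 198.51.100.7:1136 -> 192.0.2.10:80
***AP*** Seq: 0xF608349 Ack: 0xFC8B5BF0 Win: 0x8ECD TcpLen: 20
01/09-03:10:00.000000 203.0.113.5:4444 -> 192.0.2.10:80
***A**** Seq: 0x1 Ack: 0x2 Win: 0x400 TcpLen: 20
"""
```

Calling `handshake_state(SAMPLE, "198.51.100.7", "192.0.2.10")` reports a complete handshake, while the lone ACK from 203.0.113.5 is flagged as a possible scan.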