
Author Internet attacks in kentucky
chodan

2002-12-18, 9:43 pm

The Kentucky State Police got hit with a virus attack called iraq_oil recently which evidently sends out queries to port 445 SMB to find open shares to infiltrate.
They had a heck of a time getting rid of it, I heard.
At our network we had a server get trounced by a DDoS attack on an FTP site we had set up on one of our affiliate servers for one of their consultants.
It didn't have enough volume to shut down the server but it did eat up 95% of the bandwidth of the T1 that the hosted site was on.
We got a call about sluggish response on requests from the site and checked MRTG and that subnet was pegged on incoming/outgoing.
I traced it back to a specific server and checked the Event Viewer (it was a Windows 2000 server) and saw hundreds of 900-second timeouts on the MSFTP service.
I checked the open connections and it slowly revealed hundreds of open connections waiting, each coming from a different source address.
I shut down the FTP service on the server and in 15 minutes the bandwidth on the circuit returned to normal as the attackers no longer had a port to attack.
I think it was random but you never know.
It may be a blessing in disguise I think because I've been pushing for IDS and true firewalling on our hosting network for over a year and this may be the event that brings it about.
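The open-connection check described in the post can be scripted. This is an added example, not part of the original post: it summarizes Windows `netstat -an` output for one service port and flags the pattern of many distinct sources each holding only a few connections. The function names, the thresholds and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import Counter

# One TCP row of Windows `netstat -an`: local addr:port, remote addr:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def summarize(netstat_text, service_port=21, min_sources=100, max_per_source=3):
    """Summarize inbound connections to service_port (thresholds are assumed)."""
    per_source = Counter()
    per_state = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP row or blank line
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if int(local_port) != service_port or state == "LISTENING":
            continue  # other services, or the listening socket itself
        per_source[remote_ip] += 1
        per_state[state] += 1
    busiest = max(per_source.values(), default=0)
    # Distributed pattern: many distinct sources, none holding many connections.
    distributed = len(per_source) >= min_sources and busiest <= max_per_source
    return {"total": sum(per_source.values()), "sources": len(per_source),
            "busiest": busiest, "states": dict(per_state),
            "distributed": distributed}

def constructed_sample(n_sources, per_source=1):
    """Build constructed netstat text; all addresses are reserved test ranges."""
    rows = ["  Proto  Local Address          Foreign Address        State",
            "  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING",
            "  TCP    192.0.2.10:80          198.51.100.7:3311      ESTABLISHED"]
    for i in range(n_sources):
        remote = "198.18.%d.%d" % (i // 250, i % 250 + 1)
        for j in range(per_source):
            rows.append("  TCP    192.0.2.10:21          %s:%d      ESTABLISHED"
                        % (remote, 1025 + j))
    return "\n".join(rows)

if __name__ == "__main__":
    print(summarize(constructed_sample(300)))     # many sources, one each
    print(summarize(constructed_sample(1, 300)))  # one source, many connections
```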

Copyright 2003 - 2008 examnotes.net