Botnets - The killer web applications
www.syngress.com
Chapter 9 • Advanced Ourmon Techniques
really were high work weights (94, 92, 79). Our host was sending about one packet per second, and the destination ports 8080 and 8000 were the target. The target did not seem to be sending many packets back. There is one more point we can make: we still didn't figure out exactly what the host was doing. Given the ports in question, it is possible that this host was scanning for open Web relay hosts, which are often used for sending spam. If the host is active at this point, you might go and look at Layer 7 payloads with a sniffer. For example, you can use tcpdump, as we mentioned, or ngrep, which we will discuss briefly in the next section.
Regarding the port report search question, one trick worth mentioning is a somewhat sneaky way to search the port report logging directory. If you have a case like Case Study #2, with a dominant scanner count spike in a particular day, you really want to find the biggest port report file in that day. This is because there is one line per IP address in the 30-second port report file. So, given one line per IP address, obviously the scan in Figure 6.3 will produce the largest files in the directory for that day. We use the wc (word count) utility to determine the lines in each file, and we sort by that output like so:
# cd /home/mrourmon/logs/portreport/Fri
# find . | xargs wc -l | sort

 196 ./Tue_Jan_18_01:24:03_PDT_2005.portreport.txt
 509 ./Tue_Jan_18_01:24:33_PDT_2005.portreport.txt
2214 ./Tue_Jan_18_01:25:04_PDT_2005.portreport.txt
The sort makes the largest file come out last. When examined, this file (the one with 2214 lines) showed one IP address as the target for many external hosts, which were all doing the same form of attack. Thus the port report file itself fingered the target IP host. In general, parallel scans or DDoS attacks will result in large port report files.
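The same trick, written as a few POSIX shell functions, as an added example that is not from the book or from ourmon itself. It assumes the layout the text describes (one directory per day, one *.portreport.txt file per 30-second sample, one line per IP address), sorts numerically so that the result does not depend on wc's column padding across xargs batches, and adds a simple spike check: files whose line count exceeds a multiple of the day's median. The sample files it builds are constructed, with made-up contents.

```shell
#!/bin/sh
# Added example (not ourmon code). Functions take a day directory such as
# /home/mrourmon/logs/portreport/Fri.

# Print "<lines> <path>" for every port report in the day, largest last.
# -print0/-0 keep odd file names intact; the per-batch "total" lines that
# wc emits are dropped; sort -n makes the order independent of padding.
rank_portreports() {
    find "$1" -name '*.portreport.txt' -print0 \
        | xargs -0 wc -l \
        | grep -v ' total$' \
        | sort -n
}

# Path of the largest port report of the day (the one worth reading first).
largest_portreport() {
    rank_portreports "$1" | tail -n 1 | sed 's/^ *[0-9]* //'
}

# Reports whose line count is more than FACTOR (default 5) times the median
# report of the day; a parallel scan or DDoS stands out this way.
spike_portreports() {
    rank_portreports "$1" | awk -v f="${2:-5}" '
        { n++; cnt[n] = $1; line[n] = $0 }
        END {
            if (n == 0) exit
            med = cnt[int((n + 1) / 2)]      # input is already sorted
            for (k = 1; k <= n; k++) if (cnt[k] > f * med) print line[k]
        }'
}

# Constructed sample day: three quiet samples and one spike. File names follow
# the naming pattern shown in the text; the lines are placeholders, one per IP.
make_sample_day() {
    mkdir -p "$1"
    for spec in 01:24:03=196 01:24:33=509 01:25:04=2214 01:25:34=210; do
        n=${spec#*=}; t=${spec%=*}
        awk -v n="$n" 'BEGIN { for (k = 1; k <= n; k++)
            printf "10.0.%d.%d tcp 8080\n", int(k / 256), k % 256 }' \
            > "$1/Tue_Jan_18_${t}_PDT_2005.portreport.txt"
    done
}
```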