11/3/2009
I was using Sphere of Influence to monitor a full NMAP scan (2). In the diagram you see two scans: the obvious full scan (2), which is like a shotgun, every port, and before it a more directed scan (1). This was also by NMAP. If you notice the lines going down the screen, this is indicative of a (3) p2p application running on the network. I found that by looking at my normal traffic, I can spot abnormal traffic really easily.
11/5/2009
I noticed today that I had what looked like a targeted scan (1). The traffic pattern matched it; it looked good. However, when I analysed it, it looked more like a system of ours was trying "real hard" to make contact. It turned out to be a lot of traffic retrying and timing out to Google. It looked initially like a scan. You can still see the p2p traffic (heavy vertical lines, port 6294, etc.).
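The three traffic shapes described in the 11/3 and 11/5 entries (a shotgun scan, a host retrying one destination so hard it looks like a scan, and p2p fan-in on one port) can be told apart from plain connection records. The following is an added example, not code from the original diary or from Sphere of Influence; the internal address prefix, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."   # assumption: our own address range

def classify(flows, scan_ports=20, retry_hits=10, p2p_peers=10):
    """flows: iterable of (src, dst, dport) connection attempts.
    Returns a dict mapping a label to the pairs that triggered it."""
    ports = defaultdict(set)    # (src, dst) -> distinct destination ports
    hits = defaultdict(int)     # (src, dst, dport) -> repeated attempts
    peers = defaultdict(set)    # (internal host, port) -> external peers
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
        hits[(src, dst, dport)] += 1
        if dst.startswith(INTERNAL_PREFIX) and not src.startswith(INTERNAL_PREFIX):
            peers[(dst, dport)].add(src)
    found = defaultdict(list)
    for (src, dst), seen in ports.items():
        if len(seen) >= scan_ports:          # shotgun: one source, many ports (11/3)
            found["scan"].append((src, dst))
    for (src, dst, dport), n in hits.items():
        # many attempts at ONE dst:port is a host retrying, not a scan (11/5)
        if n >= retry_hits and len(ports[(src, dst)]) == 1:
            found["retry"].append((src, dst, dport))
    for key, ext in peers.items():
        if len(ext) >= p2p_peers:            # one port, many outside peers (11/3)
            found["p2p"].append(key)
    return dict(found)

def sample_flows():
    """Constructed sample records, not captured data."""
    flows = [("203.0.113.9", "10.0.0.5", p) for p in range(1, 101)]       # full scan
    flows += [("10.0.0.7", "198.51.100.20", 443)] * 15                    # retries
    flows += [(f"192.0.2.{i}", "10.0.0.8", 6294) for i in range(1, 13)]   # p2p
    return flows

if __name__ == "__main__":
    for label, items in classify(sample_flows()).items():
        print(label, items)
```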

11/6/2009
Today is a pretty quiet day, but I thought I'd run some checks. One of which is to bring up the timeline in the Cisco PIX/ASA window. I entered the word "university" in the organization window. I'm looking to see large amounts of universities attempting to connect up to us. This would give me a good look at p2p traffic, but also may show up other stuff.

I clicked on a couple of flags and noticed that it was going to a particular server of ours. I was concerned, to say the least. I entered the IP address of the server and looked at the traffic.
I clicked on a flag and monitored the traffic for a moment. I can see there is definitely something wrong with this server! (It is a webserver, so I wasn't immediately alarmed at seeing allowed port 80 traffic.) It's not that it has lots of traffic, just lots of traffic from outside my sphere of influence. The traffic is heading to port 80, so my thinking is something was wrong with the website (maybe a new worm out?).

As it turns out, this webserver has a BB board. I examined the web logs and it seems that a lot of spam was being posted. It turned out that the form was not using any kind of validation and the spam king bots noticed this. They started posting spam to this form. Although the database did not collect the spam, the spam bots kept sending traffic. The lesson here is: do not have an unvalidated form; it doesn't take long for the spam bots to notice it.