Hi Jeremy/Greig/All,
We had a discussion in OSCT on this issue. Although some non-UK sites also
observed similar scanning (as mentioned in Greig's email), we cannot
conclude that it is a specific attack against SRM services. ROC security
officers will follow it up in their regions and will report to OSCT if any
suspicious activities are found. Meanwhile, please let me know if you have new
findings on it.
I analysed the suspicious traffic captured by Ewan
(http://www-pnp.physics.ox.ac.uk/~macmahon/planet-packets/) with Wireshark.
So far, they seem to be normal TCP/IP handshaking traffic followed by an
HTTPS request/response, then the SRM server closed the connection. No
meaningful payload has been found so far.
As Jeremy mentioned, please provide log information if you wish to follow up
on it.
Cheers,
Mingchao
-----Original Message-----
From: Testbed Support for GridPP member institutes
[mailto:[log in to unmask]] On Behalf Of Coles, J (Jeremy)
Sent: 04 August 2008 14:28
To: [log in to unmask]
Subject: Re: SE probing/scanning incident
Hi Greig/All
Please could some sites mail Mingchao or myself some specific log
information that can be provided to the ISP if they wish to follow up on it?
The guide for information required is:
" ... please ensure to provide the relevant portion of the logs where the
problem exists. Be sure this information includes the Source and Destination
IP Address and ports, as well as the timestamp and timezone (with relation
to GMT)."
Many thanks,
Jeremy
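The log details requested above (source and destination IP and ports, timestamp with its relation to GMT) and the cross-log correlation Mingchao suggests elsewhere in this thread are straightforward to script. The following is an added example, not code from anyone in this thread or from the DPM project: the two log formats, all addresses and all timestamps are constructed for illustration, and the matching rule (same source IP and source port seen by the firewall and by the SRM service within a few seconds) is an assumption about how such entries would line up.

```python
"""Correlate firewall and SRM (port 8443) log lines, normalise timestamps to
UTC, and summarise how often each source host comes back.

Added example; the log formats are constructed and match no specific firewall
or DPM release. Firewall lines carry a local offset (BST, +01:00), SRM lines
are already in UTC, so both are converted before they are compared."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: two log sources observing the same probing host.
FIREWALL_LOG = """\
2008-07-31T12:01:02+01:00 fw ACCEPT SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=8443
2008-07-31T14:02:11+01:00 fw ACCEPT SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51240 DPT=8443
2008-07-31T16:00:49+01:00 fw ACCEPT SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51299 DPT=8443
2008-07-31T13:30:00+01:00 fw ACCEPT SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22
"""
SRM_LOG = """\
2008-07-31 11:01:03 UTC srmv2.2 connection from 192.0.2.10:51234 closed, no request body
2008-07-31 13:02:12 UTC srmv2.2 connection from 192.0.2.10:51240 closed, no request body
2008-07-31 15:00:50 UTC srmv2.2 connection from 192.0.2.10:51299 closed, no request body
"""

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                   r"PROTO=\S+ SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)")
SRM_RE = re.compile(r"^(?P<date>\S+ \S+) UTC .*? from (?P<src>[\d.]+):(?P<sport>\d+)")


def parse_firewall(text):
    """Yield (utc_time, src, sport, dst, dport) from firewall lines."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
            yield ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def parse_srm(text, server_ip, server_port=8443):
    """Yield the same tuple shape from SRM application lines (already UTC)."""
    for line in text.splitlines():
        m = SRM_RE.match(line)
        if m:
            ts = datetime.strptime(m["date"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            yield ts, m["src"], int(m["sport"]), server_ip, server_port


def correlate(fw_events, srm_events, window_seconds=5):
    """Attach to each firewall event whether the SRM service logged the same
    (src, sport) within window_seconds. Assumed matching rule, see lead-in."""
    by_key = defaultdict(list)
    for ev in srm_events:
        by_key[(ev[1], ev[2])].append(ev[0])
    matched = []
    for ts, src, sport, dst, dport in sorted(fw_events):
        seen = any(abs((t - ts).total_seconds()) <= window_seconds
                   for t in by_key.get((src, sport), []))
        matched.append({"ts": ts, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "srm_seen": seen})
    return matched


def probe_intervals(events):
    """Per source IP: number of probes, ports touched, mean gap in hours."""
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev["src"]].append(ev)
    summary = {}
    for src, evs in per_src.items():
        stamps = sorted(ev["ts"] for ev in evs)
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(stamps, stamps[1:])]
        summary[src] = {
            "count": len(stamps),
            "ports": sorted({ev["dport"] for ev in evs}),
            "mean_gap_hours": round(sum(gaps) / len(gaps), 2) if gaps else None,
        }
    return summary


def isp_report(events):
    """One line per event in the shape the ISP asked for: timestamp with an
    explicit zone, source/destination IP and ports."""
    return [f"{ev['ts'].strftime('%Y-%m-%d %H:%M:%S')} GMT "
            f"{ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} "
            f"(seen by SRM: {'yes' if ev['srm_seen'] else 'no'})"
            for ev in events]


def run():
    fw = list(parse_firewall(FIREWALL_LOG))
    srm = list(parse_srm(SRM_LOG, server_ip="198.51.100.5"))
    events = correlate(fw, srm)
    return events, probe_intervals(events), isp_report(events)


if __name__ == "__main__":
    _, summary, report = run()
    print("\n".join(report))
    for src, s in summary.items():
        print(src, s)
```

With the constructed input the host on port 8443 returns roughly every two hours and every firewall hit has a matching SRM entry, while the single port-22 hit has none; the report lines carry the GMT stamp and both endpoints, which is the minimum the ISP guidance above asks for.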
-----Original Message-----
From: Testbed Support for GridPP member institutes
[mailto:[log in to unmask]] On Behalf Of Greig A. Cowan
Sent: 04 August 2008 14:17
To: [log in to unmask]
Subject: Re: SE probing/scanning incident
Hi Mingchao,
I've been in contact with a guy I know in Poland and he can confirm that
all Polish sites have seen this same behaviour from theplanet.
He also notes that the scanning frequency has recently changed from ~2
hours to 8 hours.
Cheers,
Greig
On 31/07/08 14:58, Ma, M (Mingchao) wrote:
> Hi Greig,
>
> I am following it up and requesting sites to check their system log and
> firewall log apart from the SE log. It is very common that external-facing
> hosts are constantly being scanned (hostile scanning). It would be helpful
> if sites could correlate different logs to better understand the attacking
> pattern. SRM has a web interface (SOAP over HTTPS at port 8443); normally a
> web application is an easier target, so I am not surprised by the
> scanning/probing. We need to understand more before I can report it to OSCT.
>
> BTW. Jeremy has sent an email to the ISP.
>
> Cheers,
>
> Mingchao
>
>
> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Greig A. Cowan
> Sent: 31 July 2008 14:46
> To: [log in to unmask]
> Subject: SE probing/scanning incident
>
> Hi all,
>
> I sent an email to the dpm-user-forum to report what we have been seeing in
> relation to the SE probing/scanning incident that was raised yesterday. So
> far, 4 non-UK sites have replied to confirm that they are seeing similar
> entries in their DPM logs as we have in the UK.
>
> Mingchao: Can this issue be raised with the LCG security group?
>
> Cheers,
> Greig
>
> --
> The University of Edinburgh is a charitable body, registered in Scotland,
> with registration number SC005336.
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.