This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ATTACK-RESPONSES 403 Forbidden

Periodically I get batches of 3 intrusion alerts. They always come from the same same PC and the packets are dropped, so no harm is done. But I'd love to know what's causing them. The destination address varies but is always the same in each batch of 3 attempts. Details:

Message........: ATTACK-RESPONSES 403 Forbidden
Details........: http://www.snort.org/pub-bin/sigs.cgi?sid=1201
Time...........: 2007:04:09-21:39:55
Packet dropped.: yes
Priority.......: 2 (medium)
Classification.: Attempted Information Leak IP protocol....: 6 (TCP)

Source IP address: internal PC

Destination IP address: 218.150.110.140
- http://www.dnsstuff.com/tools/ptr.ch?ip=218.150.110.140
- http://www.ripe.net/perl/whois?query=218.150.110.140
- http://ws.arin.net/cgi-bin/whois.pl?queryinput=218.150.110.140
- http://cgi.apnic.net/apnic-bin/whois.pl?search=218.150.110.140
Destination port: 3472 (jaugsremotec-1)

Can anyone enlighten me?[:S]

This thread was automatically locked due to age.

Parents

0 BarryG over 18 years ago

Something is trying to access restricted pages on your webserver (218.150.110.140).
The webserver is replying with a 403 Forbidden response.
The IDS/IPS is logging it as it has a rule to match that.

For more info, you'll need to look at the HTTP logs on your webserver.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 rktatschner over 18 years ago in reply to BarryG

Hi Barry,

The destination address is not one of ours and the source address is our server, which is unattended. So our server is trying to contact another in batches of 3 attempts. It has the feel of ad/spy ware but all the scans are coming up clean.

Any ideas?

Richard
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 18 years ago in reply to rktatschner

That's normal, the server would be sending the 403 response back to the (possible) attacker.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 rktatschner over 18 years ago in reply to BarryG

Hi Barry,

I understand all that. What I don't understand is how an unattended server could be trying to contact these sites and hitting forbidden pages. The sending machine has no screen, no keyboard, no mouse, and yet it is soliciting these attempts.

What piece of software have we got onboard that is trying all this?

It is a clean protected SBS 2003 server.

Richard
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 18 years ago in reply to rktatschner

I believe someone is contacting your server, not the other way around.

Sorry, I quoted the dest IP earlier, not your server's IP.

Are you allowing external traffic to that server?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 rktatschner over 18 years ago in reply to BarryG

So we are generating the 403 message!

Hm....

Running webmail (exchange) & Sharepoint. The astaro wall allows traffic through to the server. Passwords are high secure (mixed case & special characters).

What application generates the 403 message?

Richard
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 18 years ago in reply to rktatschner

Review your IIS Logs on the server... they will tell you what you need to know.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BrucekConvergent over 18 years ago in reply to rktatschner

Review your IIS Logs on the server... they will tell you what you need to know.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 rktatschner over 18 years ago in reply to BrucekConvergent

Thanks for the pointer. Having spent a happy day going through the server logs I find the corresponding entries to these events in the http logs. All the events are reported with the error "Timer_MinBytesPerSecond", which, for those following this thread means:

"The connection expired because the client was not receiving a response at a reasonable speed. The response send rate was slower than the default of 240 bytes/sec."

Hm.... I think I'm going to have to get an expert to look at this because the server should not be trying to contact any of these sites and none of the sites should be trying to connect to our server, either way I have a security issue to deal with. Joy.

Many thanks for the help, Bruce.

Richard
Cancel
Vote Up 0 Vote Down

Cancel