Re: DOS attack from AS

From: Yong Huang <yong321_at_yahoo.com>
Date: Sun, 1 Jun 2008 06:49:45 -0700 (PDT)
Message-ID: <825764.19757.qm@web80608.mail.mud.yahoo.com>


Hi, Louis,

I thought of another idea in case you can't reach the PC before the "DOS" attack is over. As soon as the PC is identified, call the user and ask them not to do anything, not even click a file in Windows Explorer. You log onto it. Assume the attack is over. You find files with access times within the last 10 or so minutes. Windows Explorer or the dir command can do that, but in Windows Explorer don't highlight any file (or the access time will be updated). I like find.exe from http://unxutils.sourceforge.net. Like this:

E:\temp\test>e:\systools\find . -atime -1 -type f -exec ls -lut {} ;

E:\temp\test>head -1 q.pl
#!perl -w

E:\temp\test>e:\systools\find . -atime -1 -type f -exec ls -lut {} ;
-rw-rw-rw- 1 user group 493 Jun 1 08:41 .\q.pl

(The ls.exe is needed and also bundled.) The find command can't go below one day so you have to visually check for files accessed within 10 minutes. If needed, you can limit the find to -name "*.exe" or that plus *.dll, *.msc, *.vbs.

Yong Huang

  • Yong Huang <yong321_at_yahoo.com> wrote:

> Louis,
>
> I'm guessing you were always too late to catch the DOS. If that's not the
> case, we can easily find out who and what is doing it. A simple netstat -an
> or tail -f Apache access log is all you need on the server side. Then go to
> the client. This may be harder than expected. Knowing the IP doesn't
> necessarily mean where to go. nbtstat -A <IP> may reveal more info,
> sometimes users logged onto the client Windows box. Searching for the IP or
> its hostname in the Intranet site may help too. On the client, netstat -ano
> to find the process connecting to your server. Find the full path of the
> process with Process Explorer or tlist.
>
> Yong Huang
>
> > Date: Thu, 29 May 2008 10:36:21 -0400
> > From: Louis BROUILLETTE <Louis.Brouillette_at_uqtr.ca>
> > Subject: DOS attack from AS
> >
> > Once in a while (maybe once a month), our intranet is a victim of
> > what I would call a DOS. Our application server (AS 10.1.2.2)
> > receives hundreds of requests (all the same request with the same
> > parameters) from the a user in a few minutes for a modplsql
> > application. It's impossible for a person to send so much requests
> > in that period of time. It floods the db (10.2.0.3) and everyone hangs.
> >
> > Each time, it's a different user. Our PC experts scanned the PCs
> > with a variety of antivirus and anti-spyware but found nothing
> > suspicious. Anyone else have experienced something like that ?
> >
> > Louis Brouillette
> > Analyste en informatique (DBA)
> > Universite du Quebec a Trois-Rivieres
> > Tel: (819) 376-5011 ext. 2435
> > Email: brouille_at_uqtr.ca
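[Editor's note, not part of the original thread.] The find -atime -1 trick above is limited to one-day granularity, so here is an added Python 3 script (not from the thread or from UnxUtils) that does the same "what was accessed in the last N minutes" scan with minute resolution and the same optional extension filter. It uses os.stat, which reads the access time without updating it. Assumptions: Python 3 is available on the client PC, the temp directory and file names in demo() are constructed for illustration, and the filesystem actually records last-access times. On NTFS from Windows Vista onward, last-access updates are off by default (check with `fsutil behavior query DisableLastAccess`); in that case st_atime is stale and this scan, like the find.exe one, proves nothing.

```python
"""List files accessed within the last N minutes (added example, not from the thread)."""
import os
import shutil
import tempfile
import time
from datetime import datetime


def recently_accessed(root, minutes=10, extensions=None, now=None):
    """Return [(path, atime)] for files under root whose last-access time is
    within the last `minutes`, newest first (like ls -lut). `extensions` is an
    optional set of lower-case suffixes such as {".exe", ".dll", ".msc", ".vbs"}."""
    now = time.time() if now is None else now
    cutoff = now - minutes * 60
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if extensions and ext not in extensions:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)  # stat reads atime without touching it; opening the file would update it
            except OSError:
                continue
            if st.st_atime >= cutoff:
                hits.append((path, st.st_atime))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def demo(minutes=10, extensions=None):
    """Constructed scenario (hypothetical files): q.pl accessed 2 minutes ago,
    old.exe 30 minutes ago, ancient.dll 2 days ago. Access times are set with
    os.utime so the run is reproducible. Returns the matching file names."""
    now = time.time()
    root = tempfile.mkdtemp(prefix="atime_demo_")
    try:
        ages = {"q.pl": 2 * 60, "old.exe": 30 * 60, "ancient.dll": 2 * 86400}
        for name, age in ages.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("x")
            os.utime(path, (now - age, now - age))
        hits = recently_accessed(root, minutes=minutes, extensions=extensions, now=now)
        return [os.path.basename(path) for path, _atime in hits]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Real use: run from the suspect directory (or a drive root) on the client PC.
    for path, atime in recently_accessed(".", minutes=10):
        print(datetime.fromtimestamp(atime).strftime("%b %d %H:%M"), path)
```

Run it on the client as soon as you get there; every file you open yourself afterwards (including this script) will show up in the list, so treat anything with an access time after your own logon as noise.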

--
http://www.freelists.org/webpage/oracle-l
Received on Sun Jun 01 2008 - 08:49:45 CDT
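[Editor's note, not part of the original thread.] For the server-side step in the earlier reply ("tail -f Apache access log"), the following added Python 3 script (not from the thread or from Oracle) does the counting by hand: it parses Apache common/combined log lines and flags any client that repeats the exact same request line more than a threshold number of times inside a sliding window, which is the "hundreds of identical requests in a few minutes" pattern Louis describes. Assumptions: the log format is Apache common/combined with the client IP first and the request line in quotes; the threshold of 100 requests in 300 seconds is a guess to tune per site; the IP addresses, URL and log lines in make_sample_log() are constructed, not real uqtr.ca traffic.

```python
"""Flag clients repeating one identical request in a short window (added example, not from the thread)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined: client ip, ident, user, [timestamp], "request", status, bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

FLOOD_IP = "10.1.2.3"  # constructed client address for the sample log
FLOOD_REQUEST = "GET /pls/portal/app.report?p_id=42&p_year=2008 HTTP/1.1"  # constructed


def parse_line(line):
    """Return (ip, datetime, request_line, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status = m.groups()
    return ip, datetime.strptime(ts, TIME_FMT), request, int(status)


def top_clients(lines, n=3):
    """Request count per client IP, busiest first (the netstat -an view of the log)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts.most_common(n)


def find_bursts(lines, threshold=100, window_seconds=300):
    """Return {(ip, request_line): peak_count} for every client that sent the
    identical request line at least `threshold` times within any sliding
    window of `window_seconds`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)
    bursts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, request, _status = parsed
        key = (ip, request)
        q = recent[key]
        q.append(when)
        while q and (when - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            bursts[key] = max(bursts.get(key, 0), len(q))
    return bursts


def make_sample_log(n_flood=150):
    """Constructed sample log: two ordinary clients plus one client hammering
    the same modplsql URL once per second."""
    base = datetime.strptime("29/May/2008:10:30:00 -0400", TIME_FMT)
    entries = []
    for i in range(n_flood):
        entries.append((base + timedelta(seconds=i), FLOOD_IP, FLOOD_REQUEST))
    for i in range(20):
        entries.append((base + timedelta(seconds=9 * i), "10.1.7.20",
                        "GET /pls/portal/app.report?p_id=%d&p_year=2008 HTTP/1.1" % (100 + i)))
        entries.append((base + timedelta(seconds=11 * i), "10.1.7.21",
                        "GET /pls/portal/app.menu HTTP/1.1"))
    entries.sort()
    return ['%s - - [%s] "%s" 200 1234' % (ip, t.strftime(TIME_FMT), req)
            for t, ip, req in entries]


if __name__ == "__main__":
    # Real use: python this_script.py < access_log
    import sys
    lines = sys.stdin.read().splitlines() or make_sample_log()
    print("top clients:", top_clients(lines))
    for (ip, request), peak in find_bursts(lines).items():
        print("burst: %s sent %d x %r" % (ip, peak, request))
```

Because the script keys on the full request line, a genuine user who reloads a report a few times is not flagged, while a client that replays one URL with identical parameters hundreds of times is; the IP it prints is the one to take to nbtstat -A and netstat -ano on the client.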