Security Incidents mailing list archives

An ISP takes action


From: Charles Clancy <mgrtcc () CS ROSE-HULMAN EDU>
Date: Wed, 16 Aug 2000 16:33:57 -0500

...and you guys were complaining about people not responding to exploit
scanning notifications.  Check out this response when I complained that an
.ru address was doing some basic scanning of our web server:

---------- Forwarded message ----------
Date: Wed, 16 Aug 2000 17:28:33 +0400 (MSD)
From: Lubov Vidanova <luba () relcom ru>

Thanks for your message. 
User deleted.

Sincerely,
Lubov Vidanova
###############

On Tue, 15 Aug 2000, Charles Clancy wrote:

Greetings,

Exploit scanning (RPC mountd, NFS showmounts, NMAP-based pings, FTP
attempts) was detected from host d48.z194-58-100.relcom.ru of the
EUnet/RELCOM network between 1:45 PM and 2:43 PM EST (GMT-0500) on
August 15 directed at our web server. This type of network activity is
not appreciated, and we would prefer its discontinuance.  Please
forward this notification to the responsible party.

Thank you,

Charles Clancy, mgrtcc () cs rose-hulman edu
Senior UNIX Systems Administrator
Rose-Hulman Computer Science Department

----->

SNORT Logs, all timestamps are Eastern Standard Time (GMT-0500)

[**] IDS13 - RPC - portmap-request-mountd [**]
08/15-13:45:12.368636 194.58.100.48:632 -> 137.X.X.X:111
UDP TTL:49 TOS:0x0 ID:13524
Len: 64

[**] IDS13 - RPC - portmap-request-mountd [**]
08/15-13:45:12.733266 194.58.100.48:633 -> 137.X.X.X:111
UDP TTL:49 TOS:0x0 ID:13540
Len: 64

[**] IDS26 - NFS Showmount [**]
08/15-13:45:15.427321 194.58.100.48:633 -> 137.X.X.X:64113
TCP TTL:49 TOS:0x0 ID:13660  DF
*****PA* Seq: 0x286B1D17   Ack: 0x2C07F222   Win: 0x7D78

[**] IDS26 - NFS Showmount [**]
08/15-13:45:15.431477 194.58.100.48:634 -> 137.X.X.X:64113
TCP TTL:49 TOS:0x0 ID:13663  DF
*****PA* Seq: 0xA8E2CE90   Ack: 0x2C07FE7C   Win: 0x7D78

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-14:43:20.523915 194.58.100.48 -> 137.X.X.X
ICMP TTL:26 TOS:0x0 ID:26836
ID:12843   Seq:0  ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-14:43:23.419807 194.58.100.48 -> 137.X.X.X
ICMP TTL:39 TOS:0x0 ID:44667
ID:2338   Seq:0  ECHO 

----->



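As an added example (not part of Clancy's post or of Snort itself), a small parser for the multi-line alert format quoted above that builds the per-source summary an abuse notification needs: first and last timestamp, signatures fired, and ports probed. The sample alerts are constructed from the post's own records, with the destination masked as it is there.

```python
import re

# Constructed sample in the Snort alert format quoted in the post (dst masked as there).
SAMPLE_ALERTS = """\
[**] IDS13 - RPC - portmap-request-mountd [**]
08/15-13:45:12.368636 194.58.100.48:632 -> 137.X.X.X:111
UDP TTL:49 TOS:0x0 ID:13524
Len: 64

[**] IDS26 - NFS Showmount [**]
08/15-13:45:15.427321 194.58.100.48:633 -> 137.X.X.X:64113
TCP TTL:49 TOS:0x0 ID:13660  DF
*****PA* Seq: 0x286B1D17   Ack: 0x2C07F222   Win: 0x7D78

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-14:43:20.523915 194.58.100.48 -> 137.X.X.X
ICMP TTL:26 TOS:0x0 ID:26836
ID:12843   Seq:0  ECHO
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$")
PACKET_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[^ :]+)(?::(?P<sport>\d+))?"
                       r" -> (?P<dst>[^ :]+)(?::(?P<dport>\d+))?$")
PROTO_RE = re.compile(r"^(?P<proto>UDP|TCP|ICMP) TTL:(?P<ttl>\d+)")

def parse_alerts(text):
    """Parse blank-line-separated Snort alert blocks into dicts (one per alert)."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if len(lines) < 3:
            continue  # incomplete block: skip it rather than guess at fields
        h, p, pr = (HEADER_RE.match(lines[0]), PACKET_RE.match(lines[1]),
                    PROTO_RE.match(lines[2]))
        if not (h and p and pr):
            continue  # header/packet line did not match the expected layout
        records.append({"sig": h["sig"], "ts": p["ts"], "src": p["src"],
                        "dst": p["dst"], "dport": p["dport"], "proto": pr["proto"]})
    return records

def summarize_by_source(records):
    """Per source host: first/last timestamp (lexical, same-year), signatures, ports probed."""
    out = {}
    for r in records:
        s = out.setdefault(r["src"], {"first": r["ts"], "last": r["ts"], "sigs": set(), "ports": set()})
        s["first"], s["last"] = min(s["first"], r["ts"]), max(s["last"], r["ts"])
        s["sigs"].add(r["sig"])
        if r["dport"]:  # ICMP alerts carry no port, so only TCP/UDP targets are recorded
            s["ports"].add(f'{r["proto"]}/{r["dport"]}')
    return out
```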