Security Incidents mailing list archives
An ISP takes action
From: Charles Clancy <mgrtcc () CS ROSE-HULMAN EDU>
Date: Wed, 16 Aug 2000 16:33:57 -0500
...and you guys were complaining about people not responding to exploit scanning notifications. Check out this response when I complained that an .ru address was doing some basic scanning of our web server:

---------- Forwarded message ----------
Date: Wed, 16 Aug 2000 17:28:33 +0400 (MSD)
From: Lubov Vidanova <luba () relcom ru>

Thanks for your message.
User deleted.

Sincerely,
Lubov Vidanova
###############

On Tue, 15 Aug 2000, Charles Clancy wrote:

Greetings,

Exploit scanning (RPC mountd, NFS showmounts, NMAP-based pings, FTP attempts) was detected from host d48.z194-58-100.relcom.ru of the EUnet/RELCOM network between 1:45 PM and 2:43 PM EST (GMT-0500) on August 15 directed at our web server. This type of network activity is not appreciated, and we would prefer its discontinuance.

Please forward this notification to the responsible party.

Thank you,

Charles Clancy, mgrtcc () cs rose-hulman edu
Senior UNIX Systems Administrator
Rose-Hulman Computer Science Department

-----> SNORT Logs, all timestamps are Eastern Standard Time (GMT-0500)

[**] IDS13 - RPC - portmap-request-mountd [**]
08/15-13:45:12.368636 194.58.100.48:632 -> 137.X.X.X:111
UDP TTL:49 TOS:0x0 ID:13524
Len: 64

[**] IDS13 - RPC - portmap-request-mountd [**]
08/15-13:45:12.733266 194.58.100.48:633 -> 137.X.X.X:111
UDP TTL:49 TOS:0x0 ID:13540
Len: 64

[**] IDS26 - NFS Showmount [**]
08/15-13:45:15.427321 194.58.100.48:633 -> 137.X.X.X:64113
TCP TTL:49 TOS:0x0 ID:13660 DF
*****PA* Seq: 0x286B1D17 Ack: 0x2C07F222 Win: 0x7D78

[**] IDS26 - NFS Showmount [**]
08/15-13:45:15.431477 194.58.100.48:634 -> 137.X.X.X:64113
TCP TTL:49 TOS:0x0 ID:13663 DF
*****PA* Seq: 0xA8E2CE90 Ack: 0x2C07FE7C Win: 0x7D78

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-14:43:20.523915 194.58.100.48 -> 137.X.X.X
ICMP TTL:26 TOS:0x0 ID:26836
ID:12843 Seq:0 ECHO

[**] IDS162 - PING Nmap2.36BETA [**]
08/15-14:43:23.419807 194.58.100.48 -> 137.X.X.X
ICMP TTL:39 TOS:0x0 ID:44667
ID:2338 Seq:0 ECHO

----->