Security Incidents mailing list archives

Re: pop2 scan and .jp contact question


From: 玉造 光緒 <tamazoh () HOTMAIL COM>
Date: Wed, 16 Aug 2000 02:28:00 GMT

Hello, Eure.

Here is SUTNET's information.
I think it's enough information to contact them.
(Probably kenji () cc noda sut ac jp is the email address that you want.)


Network Information:
a. [Network Number]             133.31.0.0
b. [Network Name]               SUTNET
g. [Organization]               Science University of Tokyo
j. [Address]                    Kagurazaka 1-3, Shinjuku-ku, Tokyo 162, Japan
m. [Administrative Contact]     MU003JP
                               ute () cc kagu sut ac jp

n. [Technical Contact]          TH829JP
                               hirano () cc kagu sut ac jp

n. [Technical Contact]          KK112JP
                               kenji () cc noda sut ac jp

n. [Technical Contact]          RN031JP
n. [Technical Contact]          TN2106JP
p. [Nameserver]                 sutns.sut.ac.jp
p. [Nameserver]                 sutnews.sut.ac.jp
p. [Nameserver]                 tiger.join.ad.jp
y. [Reply Mail]
[Assigned Date]
[Return Date]
[Last Update]                   1999/08/02 15:57:54 (JST)
                               sibayama () join ad jp


---
Mitsuo Tamatsukuri

From: Ian Eure <ieure () SICKFUCK ORG>
Reply-To: Ian Eure <ieure () SICKFUCK ORG>
To: INCIDENTS () SECURITYFOCUS COM
Subject: pop2 scan and .jp contact question
Date: Mon, 14 Aug 2000 15:25:03 -0700

just saw this:

(times are UTC -0700)
-- snip --
Aug 14 04:44:16 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6 their.ip.was.here:109 my.ip.was.here:109 L=40 S=0x00 I=39426 F=0x0000 T=21 SYN (#11)
Aug 14 04:44:16 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6 their.ip.was.here:109 my.ip.was.here:109 L=40 S=0x00 I=39426 F=0x0000 T=21 SYN (#11)
-- snip --
a quick grep in /etc/services shows port 109 as pop2. there was a
vulnerability for uw-imap's pop2d about a month ago... most likely a scan
for such.

some digging shows it as a linux 2.0.xx box at the science university of
tokyo - SUTNET in whois.nic.ad.jp. after some more digging, it appears to
be a student system in noda. despite much digging with whois, i could not
find a contact for SUTNET.

so... how do i go about notifying the net admins that they have either a
malicious student, or a compromised student system? i found
www-admin () sut ac jp on www.sut.ac.jp, but that's about it.

--
 ______________________________________________
| "the whole scale of cosmic dimensions are falling from my mouth
| in the description of a kiss of the interimlovers"
|   - einsturzende neubaten, "interim"
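
An added example, not part of either post: a parser for the ipchains "Packet log" lines quoted in the report, which counts rejected TCP SYNs per source address and destination port. The addresses are constructed documentation addresses standing in for the redacted ones, the third sample line is constructed, and the field meanings (L, S, I, F, T) are taken from the ipchains documentation rather than from this thread.

```python
import re
from collections import Counter

# Line layout as quoted in the post; field meanings are an assumption from the
# ipchains documentation: L=length, S=TOS, I=IP ID, F=fragment field, T=TTL.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?"
)
SERVICES = {109: "pop2"}  # the one /etc/services entry the post mentions


def parse_line(line):
    """Return a dict of typed fields, or None if this is not a packet-log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    rec["service"] = SERVICES.get(rec["dport"], "unknown")
    return rec


def summarize(lines):
    """Count blocked TCP SYNs per (source, destination port, service name)."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == 6 and rec["syn"] and rec["action"] in ("REJECT", "DENY"):
            hits[(rec["src"], rec["dport"], rec["service"])] += 1
    return hits


# Constructed sample: the post's two entries on one line each, with 192.0.2.10
# and 198.51.100.5 replacing the redacted addresses, plus one made-up UDP line.
HEAD = "Aug 14 04:44:16 spindle kernel: Packet log: ltraf REJECT eth0 "
SAMPLE = [
    HEAD + "PROTO=6 192.0.2.10:109 198.51.100.5:109 L=40 S=0x00 I=39426 F=0x0000 T=21 SYN (#11)",
    HEAD + "PROTO=6 192.0.2.10:109 198.51.100.5:109 L=40 S=0x00 I=39426 F=0x0000 T=21 SYN (#11)",
    HEAD + "PROTO=17 192.0.2.77:53 198.51.100.5:1025 L=34 S=0x00 I=18 F=0x0000 T=254 (#12)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```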
