Security Incidents mailing list archives
Re: Dumb ISP of the week
From: Bryan Andersen <bryan () visi com>
Date: Tue, 22 Aug 2000 18:46:33 -0500
I saw the same search signature from a USWest (QWest now) server on Aug 16th. Yes I notified then and received some response. What is interesting is it looked to be one of the machines in their own labs.

Aug 16 08:16:49 input PROTO=6 them:2873 me.16:23 L=60 S=0x00 I=6303 F=0x4000 T=50
Aug 16 08:16:49 input PROTO=6 them:2876 me.17:23 L=60 S=0x00 I=6324 F=0x4000 T=50
Aug 16 08:16:49 input PROTO=6 them:2878 me.19:23 L=60 S=0x00 I=6327 F=0x4000 T=50
Aug 16 08:16:49 input PROTO=6 them:2907 me.17:143 L=60 S=0x00 I=6425 F=0x4000 T=50
Aug 16 08:16:52 input PROTO=6 them:2873 me.16:23 L=60 S=0x00 I=12419 F=0x4000 T=50
Aug 16 08:16:52 input PROTO=6 them:2878 me.19:23 L=60 S=0x00 I=12432 F=0x4000 T=50
Aug 16 08:16:52 input PROTO=6 them:2907 me.17:143 L=60 S=0x00 I=12537 F=0x4000 T=50
Aug 16 08:16:54 input PROTO=6 them:2371 me.16:143 L=60 S=0x00 I=14739 F=0x4000 T=50
Aug 16 08:16:54 input PROTO=6 them:2382 me.19:143 L=60 S=0x00 I=14757 F=0x4000 T=50
Aug 16 08:16:54 input PROTO=6 them:2415 me.17:23 L=60 S=0x00 I=14846 F=0x4000 T=50
Aug 16 08:16:57 input PROTO=6 them:2371 me.16:143 L=60 S=0x00 I=18076 F=0x4000 T=50
Aug 16 08:16:57 input PROTO=6 them:2382 me.19:143 L=60 S=0x00 I=18095 F=0x4000 T=50
[snip]
Oh don't even get me started on Pac Bell. I've been getting massive telnet and imap scans from one of their IP's (63.203.107.5), which appears to be a Linux box (and probably a rooted one). Think Pac Bell/SBC has even looked at my email yet? [keeping in mind the fact that I get my 'enhanced' DSL from PB/SBC as well]

Actually, it's interesting that you note that... over the weekend, I got the same scan from the same host, and they e-mailed me back (my own IP address masked):
[snip]
Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4037 xxx.xxx.xxx.xxx::23 L=60 S=0x00 I=36225 F=0x4000 T=51SYN(#50)
Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4059 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=36305 F=0x4000 T=51SYN(#50)
..
Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4154 xxx.xxx.xxx.xxx:23 L=60 S=0x00 I=37749 F=0x4000 T=51SYN(#50)
Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4170 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=37819 F=0x4000 T=51SYN(#50)

Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4065 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=36341 F=0x4000 T=51SYN(#49)
Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4085 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=36422 F=0x4000 T=51SYN(#49)
..
Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4155 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=37750 F=0x4000 T=51SYN(#49)
Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4172 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=37823 F=0x4000 T=51SYN(#49)
[snip]

--
| Bryan Andersen | bryan () visi com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
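
An added example, not part of the original message: one way to pull the telnet/imap sweep signature quoted above out of firewall packet logs, grouping rejected TCP SYNs by source and flagging any source that probed both ports 23 and 143 on several hosts. The sample lines, the function names and the `min_hosts` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Anchor on PROTO= so both the full "Packet log:" lines and the trimmed
# form quoted above parse; ":+" tolerates the "::23" seen in one line.
FIELDS = re.compile(r"PROTO=(\d+) (\S+?):(\d+) (\S+?):+(\d+) ")

# Constructed sample lines (documentation addresses, not from the thread).
SAMPLE = """\
Aug 20 09:16:52 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.5:4037 198.51.100.16:23 L=60 S=0x00 I=36225 F=0x4000 T=51 SYN (#50)
Aug 20 09:16:52 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.5:4059 198.51.100.16:143 L=60 S=0x00 I=36305 F=0x4000 T=51 SYN (#50)
Aug 20 09:16:52 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.5:4065 198.51.100.17::23 L=60 S=0x00 I=36341 F=0x4000 T=51 SYN (#50)
Aug 20 09:16:52 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.5:4085 198.51.100.17:143 L=60 S=0x00 I=36422 F=0x4000 T=51 SYN (#50)
Aug 20 09:16:55 fw kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.5:4037 198.51.100.16:23 L=60 S=0x00 I=42310 F=0x4000 T=51 SYN (#50)
Aug 20 09:17:10 fw kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.9:1025 198.51.100.16:80 L=60 S=0x00 I=511 F=0x4000 T=60 SYN (#50)
Aug 20 09:17:11 fw kernel: eth0: link up
"""


def parse(line):
    """Return (proto, src, sport, dst, dport), or None for non-packet lines."""
    m = FIELDS.search(line)
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return int(proto), src, int(sport), dst, int(dport)


def find_sweeps(lines, ports=(23, 143), min_hosts=2):
    """Sources that probed every port in `ports` across >= min_hosts targets."""
    seen = defaultdict(lambda: {"targets": defaultdict(set), "packets": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or rec[0] != 6 or rec[4] not in ports:  # TCP only
            continue
        _, src, _, dst, dport = rec
        seen[src]["targets"][dst].add(dport)
        seen[src]["packets"] += 1  # retransmitted SYNs are counted too
    report = {}
    for src, info in seen.items():
        probed = set().union(*info["targets"].values())
        if probed == set(ports) and len(info["targets"]) >= min_hosts:
            report[src] = {"hosts": sorted(info["targets"]), "packets": info["packets"]}
    return report


if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE.splitlines()).items():
        print(src, "probed", info["hosts"], "in", info["packets"], "packets")
```

Grouping by target host rather than counting raw packets keeps SYN retransmissions (the repeated source ports a few seconds apart in the logs above) from inflating the apparent size of the sweep.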