Security Incidents mailing list archives
Re: Probe from UK Provider ?
From: downlink () WITTYS COM (Jason Witty)
Date: Thu, 20 Jan 2000 21:33:43 -0600
I have also seen an extremely large number of probes from demon.co.uk, demon.net, and several of the smaller U.K. ISPs which use them as their backbone. So far, there's been lots of Queso scanning, a few instances of CGI scanning, and TONS of UDP Bombs. I also got the "we had a router which was mangling packets" excuse when talking with their abuse department! Unbelievable.......

At 11:31 AM 1/20/00 +1100, you wrote:
> Today some guy over here downloaded something from ftp.fishnet.co.uk, and we started to get these entries in our firewall:
>
> Jan 18 15:48:36 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13:1161 <my_ip_addr>:80 L=562 S=0x00 I=58886 F=0x4000 T=109
>
> I see similar problems with most sites hosted by demon.co.uk. We send an http/smtp request to a site hosted somewhere in their network & we see traffic like:
>
> tcp 212.240.52.130(2154) -> fw_ip(80)
> tcp 194.217.242.92(1569) -> fw_ip(80)
> tcp 194.217.242.92(2754) -> fw_ip(80)
> tcp 194.217.242.92(48129) -> fw_ip(48129)
> tcp 194.217.242.41(57777) -> fw_ip(80)
> tcp 194.217.242.41(1952) -> fw_ip(80)
> tcp 194.217.242.41(769) -> fw_ip(46939)
> tcp 194.217.242.41(1633) -> fw_ip(80)
> tcp 194.217.242.41(1777) -> fw_ip(80)
> tcp 194.217.242.41(3572) -> fw_ip(80)
> tcp 194.217.242.41(1067) -> fw_ip(80)
> tcp 194.217.242.41(1247) -> fw_ip(80)
> tcp 194.217.242.41(51550) -> fw_ip(80)
> tcp 194.217.242.41(1083) -> fw_ip(80)
> tcp 194.217.242.41(1093) -> fw_ip(80)
> tcp 194.217.242.41(3146) -> fw_ip(21)
>
> I sent an email to abuse () demon co uk last year in October with little success. They mumbled something about problems with hardware mangling packets. Sigh... The fw in question doesn't listen in on port 80 or 21. I'd be curious to know if other sites see similar problems. We're just blocking the traffic & putting up with the noise in the logs for now.
>
> cheers,
> pauline
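As an added example (not part of the thread), a small Python parser for the ipchains "Packet log:" lines quoted above: it decodes the IP header fields the log carries (including the F= fragment word, where 0x4000 is the Don't Fragment bit) and groups rejected inbound TCP packets by source, keeping only those aimed at ports the firewall does not serve, which is the pattern Pauline describes. The sample lines and the 192.0.2.1 firewall address are constructed; the listening-port set is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipchains "Packet log:" format quoted in the
# thread; 192.0.2.1 stands in for the firewall's own address (a placeholder).
SAMPLE_LOG = """\
Jan 18 15:48:36 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13:1161 192.0.2.1:80 L=562 S=0x00 I=58886 F=0x4000 T=109
Jan 18 15:48:37 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.217.242.41:769 192.0.2.1:46939 L=40 S=0x00 I=58887 F=0x4000 T=109
Jan 18 15:48:39 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.217.242.41:3146 192.0.2.1:21 L=44 S=0x00 I=58901 F=0x4000 T=109
Jan 18 15:48:40 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:40000 192.0.2.1:25 L=60 S=0x00 I=1 F=0x4000 T=64
Jan 18 15:48:41 gw kernel: Packet log: input REJECT eth0 PROTO=17 203.0.113.9:53 192.0.2.1:1025 L=80 S=0x00 I=2 F=0x0000 T=58
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

def parse_ipchains(line):
    """Parse one ipchains log line into a dict; return None if it doesn't match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    frag = int(rec["frag"], 16)          # IP flags + fragment offset, 16 bits
    rec["df"] = bool(frag & 0x4000)      # Don't Fragment bit
    rec["mf"] = bool(frag & 0x2000)      # More Fragments bit
    rec["frag_offset"] = frag & 0x1FFF   # offset in 8-byte units
    return rec

def unsolicited_tcp(lines, listening_ports):
    """Group rejected inbound TCP packets by source address, keeping only those
    aimed at ports the firewall does not listen on (the pattern in the post)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_ipchains(line)
        if rec is None or rec["proto"] != 6 or rec["chain"] != "input":
            continue
        if rec["action"] == "REJECT" and rec["dport"] not in listening_ports:
            hits[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    for src, ports in unsolicited_tcp(SAMPLE_LOG.splitlines(), {22, 25}).items():
        print(f"{src}: unexpected TCP ports {ports}")
```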