Security Incidents mailing list archives

Re: scan log and subsequent response from the host's ISP


From: pauel () BALAKOVO RU (Pauel Loshkin)
Date: Thu, 6 Jul 2000 07:07:24 +0400


In my opinion, this provider should be included in every blacklist, and all access from
it must be denied by firewall rules (as RSS does).

Bradley Woodward wrote:

G'day peoples.

These scans are so common, I wouldn't bother posting them, except for the
rather disappointing response from the ISP's support department.  I've
included an edited log file and email response.

Only my machine's IP is changed.  Everything else is as reported by IPCHAINS.

Enjoy.

<snip>

Hello,
TIN.IT does not control the actions carried out by its subscribers, and
therefore is not responsible for the content of their messages or for any
illegal actions by them. If you think you have been damaged by this, you
can refer the matter to the judicial authorities.
Best regards

      _/_/_/_/_/  _/   _/_/   _/       Abuse (D)
         _/      _/   _/ _/  _/        TIN.IT S.p.a.
        _/      _/   _/  _/ _/         Servizi Customer Care
       _/      _/   _/   _/_/          http://www.tin.it
                                       abuse () tin it

----- Original Message -----
From: Bradley Woodward <bradw () ami com au>
To: <abuse () tin it>
Sent: Friday, June 30, 2000 7:53 AM
Subject: ACTIVE SYSTEM ATTACK from your system

  > Hello.  I run a small network, and my logs indicate an active attack on my
  > system from your domain.  I've included the logs here.  The logs are
  > generated by a program called Logcheck.
  >
  > I'd appreciate it if you could take any appropriate action, and let me know
  > the outcome.
  >
  > Thanks
  >
  > Bye!
  >
  >
  >
  > >Active System Attack Alerts
  > >=-=-=-=-=-=-=-=-=-=-=-=-=-=
  > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it
  > >[212.216.190.187]: expn root
  > >
  > >Security Violations
  > >=-=-=-=-=-=-=-=-=-=
  > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
  > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
  > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:23 1.2.3.5:23 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
  > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
  > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:25 1.2.3.5:25 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
  > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:143 1.2.3.6:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
  > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:143 1.2.3.4:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
  > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:143 1.2.3.5:143 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
  > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:110 1.2.3.4:110 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
  > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:110 1.2.3.5:110 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
  > >Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6
  > >212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
  > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:80 1.2.3.5:80 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
  > >Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:27:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=8754 F=0x4000 T=38 SYN
  > >(#32)
  > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=11139 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=11143 F=0x4000 T=38 SYN (#32)
  > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=12981 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=12982 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=12983 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=12985 F=0x4000 T=38 SYN (#32)
  > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=14929 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=14930 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=14931 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=14933 F=0x4000 T=38 SYN (#32)
  > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=17991 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=17992 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=17993 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=17995 F=0x4000 T=38 SYN (#32)
  > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18000 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:35:20 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18085 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:36:14 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20452 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:36:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6
  > >212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20660 F=0x4000 T=38
  > >SYN (#32)
  > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it
  > >[212.216.190.187]: expn root
  > >Jun 30 13:22:13 mycomp in.ftpd[17833]: connect from a-pe8-60.tin.it
  > >Jun 30 13:35:17 mycomp sendmail[17832]: NOQUEUE: Null connection from
  > >a-pe8-60.tin.it [212.216.190.187]
  > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it
  > >[212.216.190.187]: expn root
  >

--
** The hedgehog is a proud bird, he does not fly without kick **

Pauel
System administrator
ICQ UIN 39596913 8990192
Phone (7-84570)-52525
      (7-84570)-40658

Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
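The ipchains lines quoted above show two distinct batches from the same source: first a burst of 40-byte TCP packets with source port equal to destination port and the same IP ID (39426) on every packet, which a real TCP stack would not produce, then 60-byte SYNs with incrementing IP IDs and the DF bit set, which look like ordinary connect() attempts. The following is an added example (not code from the post, Logcheck, or ipchains) that parses the "Packet log:" format shown in the thread and summarizes those indicators per source. The sample input consists of log lines taken from the post, rejoined where the mail client wrapped them, plus one constructed line from 10.0.0.5 as a benign control; the indicator thresholds are assumptions chosen for illustration.

```python
"""Parse ipchains 'Packet log:' syslog lines and flag scan indicators per source.
Added example; the thresholds below are illustrative assumptions, not a standard."""
import re
from collections import Counter, defaultdict

# One ipchains packet-log record, e.g.
#   kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23
#           L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
# Fields: chain, verdict, interface, IP protocol, src:sport, dst:dport, total
# length, TOS, IP ID, fragment word, TTL, optional "SYN", and the matching rule.
PKT_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: (?P<syn>SYN))? \(#(?P<rule>\d+)\)"
)


def parse_line(line):
    """Return a dict for an ipchains packet-log line, or None for any other
    syslog line (sendmail, in.ftpd, ...), which is simply skipped."""
    m = PKT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    # ipchains prints "SYN" only for packets with SYN set and ACK clear.
    rec["syn"] = rec["syn"] is not None
    return rec


def summarize(lines):
    """Group TCP packets by source address and compute scan indicators."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == 6:  # TCP only; UDP/ICMP need other heuristics
            by_src[rec["src"]].append(rec)

    report = {}
    for src, pkts in by_src.items():
        ipid_counts = Counter(p["ipid"] for p in pkts)
        feats = {
            "packets": len(pkts),
            "dst_hosts": sorted({p["dst"] for p in pkts}),
            "dst_ports": sorted({p["dport"] for p in pkts}),
            # source port == destination port: typical of crafted packets
            "reflexive": sum(p["sport"] == p["dport"] for p in pkts),
            # unsolicited TCP that is not a plain SYN (ACK/FIN/null-style probes)
            "non_syn": sum(not p["syn"] for p in pkts),
            # a real stack increments the IP ID; a crafted scan often repeats it
            "max_ipid_repeat": max(ipid_counts.values()),
        }
        ind = []
        if len(feats["dst_ports"]) >= 5:
            ind.append("many-ports")
        if len(feats["dst_hosts"]) >= 2:
            ind.append("multi-host")
        if feats["reflexive"] >= 3:
            ind.append("reflexive-ports")
        if feats["non_syn"] >= 3:
            ind.append("non-syn-tcp")
        if feats["max_ipid_repeat"] >= 3:
            ind.append("repeated-ipid")
        feats["indicators"] = ind
        # assumption: two or more independent indicators is a scan, not noise
        feats["verdict"] = "scan" if len(ind) >= 2 else "isolated"
        report[src] = feats
    return report


# Sample input: lines from the post (rejoined) plus one constructed control line.
SAMPLE = """\
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.6:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.4:110 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
Jun 30 13:40:00 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 10.0.0.5:2048 1.2.3.4:80 L=60 S=0x00 I=501 F=0x4000 T=64 SYN (#32)
""".splitlines()

if __name__ == "__main__":
    for src, feats in summarize(SAMPLE).items():
        print(src, feats["verdict"], feats["indicators"])
```

The summary per source is what belongs in an abuse report: the full original log lines, the count of hosts and ports touched, and, since the syslog timestamps carry no timezone, an explicit UTC offset for the times so the ISP can match them against its own dial-up records. The EXPN probe logged by sendmail in the same window is a separate, application-layer reconnaissance step; it is shut off by adding noexpn and novrfy to sendmail's PrivacyOptions.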


