Security Incidents mailing list archives
Re: scan log and subsequent response from the host's ISP
From: pauel () BALAKOVO RU (Pauel Loshkin)
Date: Thu, 6 Jul 2000 07:07:24 +0400
In my opinion,this provider should included in all blacklist,and all access from him must be denied by firewall rules (like as do it RSS) Bradley Woodward wrote:
G'day peoples. These scans are so common, I wouldn't bother posting them, except for the rather disappointing response from the ISP's support department. I've included an edited log file and email response. Only my machine's IP is changed. Everything else is as reported by IPCHAINS. Enjoy. <snip> Hello, TIN.IT does not control the actions completed from its subscribers, therefore is not responsible of the content of the messages and the eventual illegal actions from them. If you think you have been damaged by this fact you can refer to the judicial authority. Best regards _/_/_/_/_/ _/ _/_/ _/ Abuse (D) _/ _/ _/ _/ _/ TIN.IT S.p.a. _/ _/ _/ _/ _/ Servizi Customer Care _/ _/ _/ _/_/ http://www.tin.it abuse () tin it ----- Original Message ----- From: Bradley Woodward <bradw () ami com au> To: <abuse () tin it> Sent: Friday, June 30, 2000 7:53 AM Subject: ACTIVE SYSTEM ATTACK from your system > Hello. I run a small network, and my logs indicate an active attack on my > system from your domain. I've included the logs here. The logs are > generated by a program called Logcheck. > > I'd appreciate it if you could take any appropriate action, and let me know > the outcome. > > Thanks > > Bye! > > > > >Active System Attack Alerts > >=-=-=-=-=-=-=-=-=-=-=-=-=-= > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it > >[212.216.190.187]: expn root > > > >Security Violations > >=-=-=-=-=-=-=-=-=-= > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32) > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32) > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:23 1.2.3.5:23 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32) > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32) > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:25 1.2.3.5:25 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32) > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:143 1.2.3.6:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32) > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:143 1.2.3.4:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32) > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:143 1.2.3.5:143 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32) > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:110 1.2.3.4:110 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32) > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:110 1.2.3.5:110 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32) > >Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 > >212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3) > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:80 1.2.3.5:80 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32) > >Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:27:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=8754 F=0x4000 T=38 SYN > >(#32) > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=11139 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=11143 F=0x4000 T=38 SYN > >(#32) > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=12981 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=12982 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=12983 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=12985 F=0x4000 T=38 SYN > >(#32) > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=14929 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=14930 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=14931 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=14933 F=0x4000 T=38 SYN > >(#32) > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=17991 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=17992 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=17993 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=17995 F=0x4000 T=38 SYN > >(#32) > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18000 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:35:20 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18085 F=0x4000 T=38 > >SYN (#32) > >(#32) > >Jun 30 13:36:14 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20452 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:36:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 > >212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20660 F=0x4000 T=38 > >SYN (#32) > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it > >[212.216.190.187]: expn root > >Jun 30 13:22:13 mycomp in.ftpd[17833]: connect from a-pe8-60.tin.it > >Jun 30 13:35:17 mycomp sendmail[17832]: NOQUEUE: Null connection from > >a-pe8-60.tin.it [212.216.190.187] > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it > >[212.216.190.187]: expn root >
-- ** The hedgehog is a proud bird, he does not fly without kick ** Pauel System administrator ICQ UIN 39596913 8990192 Phone (7-84570)-52525 (7-84570)-40658 Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Current thread:
- scan log and subsequent response from the host's ISP Bradley Woodward (Jul 02)
- Fwd: [Fw: Ive been broken into ] JEFF WATSON (Jul 05)
- version.bind from zen.isi.edu Patrick Oonk (Jul 05)
- Re: scan log and subsequent response from the host's ISP Patrick Oonk (Jul 05)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 05)
- Re: scan log and subsequent response from the host's ISP Dan Hollis (Jul 05)
- Re: scan log and subsequent response from the host's ISP Talisker (Jul 10)
- Re: scan log and subsequent response from the host's ISP Pauel Loshkin (Jul 05)
- how to close security holes from nessus vulnerability scan report ? Chew Poh Chang (CAPL) (Jul 06)
- Snort SMTP expn-root Oxenreider, Jeff (Jul 06)
- Re: Snort SMTP expn-root Joe McAlerney (Jul 06)
- Re: Snort SMTP expn-root Bill Pennington (Jul 06)
- Re: Snort SMTP expn-root dyer (Jul 06)
- Simultaneous Attacks Harlan S. Barney, Jr. (Jul 06)
- Re: Simultaneous Attacks Valdis Kletnieks (Jul 07)
- Re: Simultaneous Attacks Ryan Russell (Jul 07)
- Ehm... what? (Re: Simultaneous Attacks) Martin Macok (Jul 11)
- Re: Simultaneous Attacks Richard Bejtlich (Jul 11)