Security Incidents mailing list archives
Re: scan log and subsequent response from the host's ISP
From: ejovi () EJOVI NET (Ejovi Nuwere)
Date: Thu, 6 Jul 2000 11:07:40 -0400
I've known clients who have been hacked by people coming from tin.it; this ISP seems to be a harbor for criminals.

On Mon, 3 Jul 2000, Bradley Woodward wrote:
G'day peoples. These scans are so common, I wouldn't bother posting them, except for the rather disappointing response from the ISP's support department. I've included an edited log file and email response. Only my machine's IP is changed. Everything else is as reported by IPCHAINS. Enjoy.

<snip>

Hello,
TIN.IT does not control the actions carried out by its subscribers, and therefore is not responsible for the content of their messages or for any illegal actions on their part. If you think you have been damaged by this you can refer to the judicial authority.
Best regards
Abuse (D)
TIN.IT S.p.a.
Servizi Customer Care
http://www.tin.it
abuse () tin it

----- Original Message -----
From: Bradley Woodward <bradw () ami com au>
To: <abuse () tin it>
Sent: Friday, June 30, 2000 7:53 AM
Subject: ACTIVE SYSTEM ATTACK from your system

> Hello. I run a small network, and my logs indicate an active attack on my
> system from your domain. I've included the logs here. The logs are
> generated by a program called Logcheck.
>
> I'd appreciate it if you could take any appropriate action, and let me know
> the outcome.
>
> Thanks
>
> Bye!
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.5:23 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.5:25 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.6:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.4:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.5:143 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.4:110 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.5:110 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
> Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:80 1.2.3.5:80 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)
> Jun 30 13:27:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=8754 F=0x4000 T=38 SYN (#32)
> Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=11139 F=0x4000 T=38 SYN (#32)
> Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
> Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
> Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=11143 F=0x4000 T=38 SYN (#32)
> Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=12981 F=0x4000 T=38 SYN (#32)
> Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=12982 F=0x4000 T=38 SYN (#32)
> Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=12983 F=0x4000 T=38 SYN (#32)
> Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=12985 F=0x4000 T=38 SYN (#32)
> Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=14929 F=0x4000 T=38 SYN (#32)
> Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=14930 F=0x4000 T=38 SYN (#32)
> Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=14931 F=0x4000 T=38 SYN (#32)
> Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=14933 F=0x4000 T=38 SYN (#32)
> Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=17991 F=0x4000 T=38 SYN (#32)
> Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=17992 F=0x4000 T=38 SYN (#32)
> Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=17993 F=0x4000 T=38 SYN (#32)
> Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=17995 F=0x4000 T=38 SYN (#32)
> Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18000 F=0x4000 T=38 SYN (#32)
> Jun 30 13:35:20 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18085 F=0x4000 T=38 SYN (#32)
> Jun 30 13:36:14 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20452 F=0x4000 T=38 SYN (#32)
> Jun 30 13:36:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20660 F=0x4000 T=38 SYN (#32)
> Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
> Jun 30 13:22:13 mycomp in.ftpd[17833]: connect from a-pe8-60.tin.it
> Jun 30 13:35:17 mycomp sendmail[17832]: NOQUEUE: Null connection from a-pe8-60.tin.it [212.216.190.187]
> Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
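The ipchains "Packet log:" lines in the quoted report are the only hard evidence in this thread, and they show two different things: a first burst at 13:22 where every packet carries the same IP ID (39426), a source port equal to its destination port and no SYN flag, which a normal TCP stack does not produce, and then ordinary SYN probes (F=0x4000, i.e. DF set) against 1.2.3.6 repeated every two minutes. The following parser is an added example for this page, not code from the original post, from logcheck or from ipchains. It parses that log format, groups packets by source address and flags host sweeps, port scans and the crafted-packet signature. The sample lines are copied from the quoted log, plus one constructed UDP line from a hypothetical second source (10.9.8.7) so the per-source grouping is visible; the thresholds min_hosts and min_ports are assumed values, not anything the post specifies.

```python
"""Parse ipchains "Packet log:" lines and summarise per-source behaviour.

Added example for this thread; not code from the original post, logcheck
or ipchains.  SAMPLE_LOG copies lines from the quoted report and adds one
constructed line from a hypothetical second source (10.9.8.7).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
Jun 30 14:00:00 mycomp kernel: Packet log: input DENY ppp0 PROTO=17 10.9.8.7:53 1.2.3.4:53 L=60 S=0x00 I=1 F=0x0000 T=60 (#40)
"""

# One ipchains packet-log line:
#   chain verdict iface PROTO=n src:sport dst:dport L=len S=0xtos I=ipid
#   F=0xfragword T=ttl [SYN] (#rule)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<flags>(?: SYN)?) "
    r"\(#(?P<rule>\d+)\)$"
)


def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None for
    lines that are not ipchains packet logs (sendmail, ftpd, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    rec["syn"] = rec.pop("flags").strip() == "SYN"
    rec["df"] = bool(rec["frag"] & 0x4000)  # DF bit of the IP fragment word
    return rec


def summarise(lines, min_hosts=2, min_ports=3):
    """Group packets by source and flag scan-like behaviour per source.
    min_hosts / min_ports are assumed thresholds, not from the post."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, pkts in by_src.items():
        hosts = {p["dst"] for p in pkts}
        ports = {p["dport"] for p in pkts}
        ipid_count = defaultdict(int)
        for p in pkts:
            ipid_count[p["ipid"]] += 1
        reused_ipids = {i for i, n in ipid_count.items() if n > 1}
        mirrored = sum(1 for p in pkts if p["sport"] == p["dport"])
        report[src] = {
            "packets": len(pkts),
            "hosts": sorted(hosts),
            "ports": sorted(ports),
            "syn": sum(p["syn"] for p in pkts),
            "horizontal_sweep": len(hosts) >= min_hosts,
            "vertical_scan": len(ports) >= min_ports,
            # A real stack increments the IP ID per packet and uses an
            # ephemeral source port; the same IP ID on several packets with
            # sport == dport means the packets were hand-crafted.
            "crafted_packets": bool(reused_ipids) and mirrored >= 2,
        }
    return report


if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LOG.splitlines()).items():
        print(src, info)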