Security Incidents mailing list archives
dos's from simflex.com
From: Jason Storm <sec () ORGONE NEGATION NET>
Date: Wed, 25 Oct 2000 20:09:40 -0700
Last night we had our primary nameserver dropped by a user on a simflex.com ip. No valid phone number at ARIN, so we emailed the contact. Our complaint was responded to today with a "we don't know who was on that ip but please tell us if it happens again" response. Well, it happened again, from the exact same ip:

20:00:57.613366 208.33.12.203 > 206.16.67.10: (frag 38760:552@5520+)
20:00:57.620674 208.33.12.203 > 206.16.67.10: (frag 38760:552@6072+)
20:00:57.627898 208.33.12.203 > 206.16.67.10: ip-proto-254 552 (frag 39016:552@0+)
20:00:57.635366 208.33.12.203 > 206.16.67.10: (frag 39016:552@552+)
20:00:57.642603 208.33.12.203 > 206.16.67.10: (frag 39016:552@1104+)
20:00:57.649813 208.33.12.203 > 206.16.67.10: (frag 39016:552@1656+)
20:00:57.684226 208.33.12.203 > 206.16.67.10: (frag 39272:552@552+)

About 40 minutes worth of this. Has anyone else seen trouble from this subnet? If the upstream can't figure out who owns a static ip, I feel fairly sure that the person whose box sits on it has been hitting other sites. The cat's away as it were, and the mouse is definitely up to no good.

Jason Storm
Negation Industries
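A triage sketch for the capture above, added as an example and not part of the original post: it parses the old tcpdump fragment notation, groups fragments by IP ID, and reports per source how many datagrams could not be reassembled from the captured lines. The function names are this example's own; the capture lines are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Lines copied from the post above. Old tcpdump fragment notation:
# (frag <ip-id>:<bytes>@<offset>), trailing "+" = More Fragments bit set.
CAPTURE = """\
20:00:57.613366 208.33.12.203 > 206.16.67.10: (frag 38760:552@5520+)
20:00:57.620674 208.33.12.203 > 206.16.67.10: (frag 38760:552@6072+)
20:00:57.627898 208.33.12.203 > 206.16.67.10: ip-proto-254 552 (frag 39016:552@0+)
20:00:57.635366 208.33.12.203 > 206.16.67.10: (frag 39016:552@552+)
20:00:57.642603 208.33.12.203 > 206.16.67.10: (frag 39016:552@1104+)
20:00:57.649813 208.33.12.203 > 206.16.67.10: (frag 39016:552@1656+)
20:00:57.684226 208.33.12.203 > 206.16.67.10: (frag 39272:552@552+)
"""

FRAG = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<info>.*?)\s*"
                  r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<mf>\+?)\)$")

def group_fragments(text):
    """Map (src, dst, ip_id) -> list of (offset, size, more_fragments, info)."""
    trains = defaultdict(list)
    for line in text.splitlines():
        m = FRAG.match(line.strip())
        if m:  # lines that are not fragments are ignored
            trains[(m["src"], m["dst"], int(m["id"]))].append(
                (int(m["off"]), int(m["size"]), m["mf"] == "+", m["info"]))
    return trains

def reassemblable(frags):
    """True if fragments cover 0..end without a gap and the last has MF clear."""
    end = 0
    for off, size, _, _ in sorted(frags):
        if off > end:
            return False  # hole before this fragment
        end = max(end, off + size)
    return not max(frags)[2]  # highest-offset fragment must be the final one

def summarize(text):
    """Per source: datagrams seen, how many cannot be reassembled, protocols."""
    out = defaultdict(lambda: {"datagrams": 0, "incomplete": 0, "protos": set()})
    for (src, _, _), frags in group_fragments(text).items():
        row = out[src]
        row["datagrams"] += 1
        row["incomplete"] += not reassemblable(frags)
        row["protos"].update(i.split()[0] for _, _, _, i in frags if i)
    return dict(out)

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

"Incomplete" here is relative to the lines fed in, so on a short excerpt like this one a datagram whose remaining fragments fall outside the excerpt is also counted.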