Re: [incident] IIS defacement through FTP, possible DoS

["Jean-Luc" <Jean-Luc () Cavey org>]

Récemment, Iain Craig a écrit  :
> There was a LOT of those, all very fast like a DoS attempt. Other
> usernames I was seeing in a similar DoS fashion from the same time
> and IP were Ogpuser () home com, Kgpuser () home com, and Lgpuser () home com
>
> Anyone know of a kiddie tool that uses these names?
>
> Incidentally, from the WHOIS on that IP:
>
> inetnum:      81.64.0.0 - 81.67.255.255
> netname:      FR-CYBERCABLE-20020103
> descr:        LYONNAISE COMMUNICATIONS
>       PROVIDER Local Registry
> country:      FR
> admin-c:      LC220-RIPE
> tech-c:       LC224-RIPE
> status:       ALLOCATED PA
> mnt-by:       RIPE-NCC-HM-MNT
> mnt-lower:    AS6678-MNT
> mnt-routes:   AS6678-MNT
> changed:      hostmaster () ripe net 20020103
> changed:      hostmaster () ripe net 20020108
> source:       RIPE
>
> That's not the only IP these DoS-ish requests came from; going
> through the others now. Wondering if I'm dealing with two seperate
> incidents here, the defacement and a seperate DoS or DDoS.
>
> Any advice or guidance appreciated.

I've the same provider.

I would suggest that you report the incident to him abuse () cybercable fr or
abuse () noos fr (actualy the same provider)

Jean-Luc Cavey
65, bd Brune
75014 Paris, France
+33 (0) 1 45 43 45 62
+33 (0) 6 15 93 77 96
E-Mail : Jean-Luc () Cavey org
ICQ/UIN : 122785712


================================
La presence de ce texte prouve que ce message
electronique a ete verifie par un logiciel anti-virus
à jour au moment de l'envoi.

The presence of this text proves that this e-mail
has been verified by an up-to-date anti-virus
software at the time of the sending.
================================



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com