Firewall Wizards mailing list archives

RE: Scans Observed by Officer Friendly


From: Bill_Royds () pch gc ca
Date: Sat, 22 May 1999 20:11:33 -0400

You should send a message to the ISP that hosts this address. Do a whois on the IP
number at whois.arin.net


%whois -h whois.arin.net =216.75.8.81

Trying 216.75.8 at ARIN
Web America Networks (NETBLK-WANS-BLK1)
   17250 Dallas Parkway
   Dallas, TX 75248
   US

   Netname: WANS-BLK1
   Netblock: 216.75.0.0 - 216.75.63.255
   Maintainer: WANS

   Coordinator:
      Hostmaster  (HO-ORG-ARIN)  hostmaster () WANS NET
      972-738-6000

   Domain System inverse mapping provided by:

   NS1.WANS.NET   216.75.0.4
   NS2.WANS.NET   216.75.0.3
   NS3.WANS.NET   216.75.0.1
   NS4.WANS.NET   216.75.0.2

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

   Record last updated on 03-Dec-98.
   Database last updated on 21-May-99 16:15:32 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and nic.mil for NIPRNET Information.




It indicates that it is from Texas as well, perhaps Austin again.





"Jason Ostrom" <jason_ostrom () ins com> on 05/22/99 01:39:22 AM

Please respond to "Jason Ostrom" <jason_ostrom () ins com>

To:   "R. DuFresne" <dufresne () sysinfo com>, "Aaron Lewter"
      <aaron () pcwizards-fl com>
cc:   owner-firewall-wizards () nfr net (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  RE: Scans Observed by Officer Friendly




Yes, I observed a Back Orifice scan as well, which my Officer Friendly
reported.  I have pasted below the port scan.  Any recommendations on course
of action to take?

Fri May 21 22:17:47    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:17:48    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:18:15    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:19:10    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:19:19    BO TYPE_SYSLISTPASSWORDS attempted by 216.75.8.81

Thanks in advance
-jason

-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]On Behalf Of R. DuFresne
Sent: Thursday, May 20, 1999 8:54 AM
To: Aaron Lewter
Cc: owner-firewall-wizards () nfr net
Subject: RE: Scans Observed by Officer Friendly



It's a shame things have gotten to be the way they are now.  I suspect
that if you had something on your system to log all the trash that was
tossed your way that you would have seen that far more ports were being
probed and prodded, at least until they found the ones you have open for
fake replies.  Of course, I tend to feel that by running something like
'Officer Friendly', one is inviting more than mere probes and encouraging
folks to 'stick around' longer.  Kinda like leaving the garage door open
with tons of neat stuff inside to 'fiddle' with, if there was nothing
there, most move on to probe someplace else.  Though it's hard to find the
info, I've found what hits home fastest is when a raw newbie probes and I
get an e-mail address, that I not only e-mail the abuse@ folks, but also
include their e-mail address in the complaint.  Damned little runts start
to crap bricks, and I've logged all sorts of apologies and 'mistakes' <as
they have claimed>.  As I've said in the past, it's discouraging.  I one
time a short while ago succeeded in getting 7 accounts and a website taken
down, the admins in question were great in letting me know what was up,
and who was responsible for damages.  We let the damages slide though,
perhaps a BIG mistake, for less than a month later all accounts had moved
to new sites and the web site is back up again also.  Not to mention that
the client I was connected with at the same time canceled our arrangement
cause they felt they had been 'exposed' by the complaints lodged on both
our behalf.

Thanks,

Ron DuFresne


On Wed, 19 May 1999, Aaron Lewter wrote:

It is not just Austin, I was hit from 24.93.78.181 which resolves to
clt78-181.carolina.rr.com. Some PFY tried to open my hard drive for his
amusement.

I'm just glad I have BOF to do the fake replies for me and log it, or else I
might have been in for a long strange trip.

So I guess my question is, are we supposed to stand for this and report them
to whoevercares () domain com or welcome the new playmate?

Aaron Lewter
Director of Technical Services
MS Computers Inc.
954-424-8004

-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]
On Behalf Of R. DuFresne
Sent:   Tuesday, May 18, 1999 9:11 AM
To:     Darren Reed
Cc:     rgrimsha () mailbox syr edu; firewall-wizards () nfr net
Subject:     Re: Scans Observed by Officer Friendly

On Tue, 18 May 1999, Darren Reed wrote:

In some email I received from Randy Grimshaw, sie wrote:

Where would the address 24.93.46.49 be coming from?

24.* are typically cable-internet blocks of IP addresses.


Name:    cs9346-49.austin.rr.com
Address:  24.93.46.49


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
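
The lookup-and-report step suggested at the top of this message, as an added example that is not part of the original thread: it groups the pasted alert lines by source address, checks each source against the netblock in the whois record, and builds the evidence summary for a complaint to the hosting ISP. The log line layout is inferred from the five lines quoted in the thread, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Log lines and whois fields copied from the thread; the line layout
# (timestamp, event, "attempted by", address) is assumed from those lines.
LOG = """\
Fri May 21 22:17:47    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:17:48    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:18:15    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:19:10    BO PING sweep attempted by 216.75.8.81
Fri May 21 22:19:19    BO TYPE_SYSLISTPASSWORDS attempted by 216.75.8.81
"""
WHOIS = "   Netname: WANS-BLK1\n   Netblock: 216.75.0.0 - 216.75.63.255\n"
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8})\s+(BO .+?) attempted by (\S+)$")

def parse_log(text):
    """Group events by source address: {ip: [(timestamp, event), ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an alert line
        ts, event, src = m.groups()
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed address, nothing to look up
        events[src].append((ts, event))
    return dict(events)

def whois_netblock(text):
    """Return (netname, first, last) from an ARIN-style record."""
    name = re.search(r"Netname:\s*(\S+)", text).group(1)
    lo, hi = re.search(r"Netblock:\s*(\S+)\s*-\s*(\S+)", text).groups()
    return name, ipaddress.ip_address(lo), ipaddress.ip_address(hi)

def build_report(log_text, whois_text):
    """Summarise events whose source lies inside the whois netblock."""
    name, lo, hi = whois_netblock(whois_text)
    out = []
    for src, evs in parse_log(log_text).items():
        if not lo <= ipaddress.ip_address(src) <= hi:
            continue  # record does not cover this source; query it separately
        out.append(f"Source {src} in {name} ({lo} - {hi}): {len(evs)} events")
        out += [f"  {ts}  {ev}" for ts, ev in evs]
    return "\n".join(out)

if __name__ == "__main__":
    print(build_report(LOG, WHOIS))
```

The timestamps in these alert lines carry no year or time zone, so a complaint built from them should state both alongside the summary.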




