Full Disclosure mailing list archives
Re: Brain dead SSH scans from Italy
From: Vania Martino Toma <b4yt1c0l () alice it>
Date: Fri, 28 Oct 2005 23:42:19 +0200
Etaoin Shrdlu wrote:
Well, I'm stumped. I mean, really stumped. I've had a host scanning my network for the past three days, and it initially looked like one of the automated scans we've all become so familiar with (unfortunately). Naturally, the automatic defense was engaged, and I thought that would be the end of it. Nope. It continues to send SYN packets, and although it's dropped off in attacks to the other machines, it still pounds at the doors of two of them. Those two machines have a couple of things in common: they are both running BIND 9, and are both OpenBSD {mumble}.

I've sent email off to the RIPE contacts for the IP (195.250.227.226), and to the WHOIS contacts for the domain (ocem.com), and to abuse () ocem com as well. Nothing.

If I take off the null routing on either of those machines, it immediately starts hammering at them, with no signs of cessation. I have considered just letting it finish, but I'm more concerned that there's a new variant on this moronic scan that doesn't know when to quit. I suspect that the continuation is because they are DNS servers, since I took the blocking off of one of the other machines also running OpenBSD, and the scanning did not resume (although I had expected it to).

I'm at a loss. If anyone knows Italian (I don't), and can contact one of:

fabiom () uni net
ennio.scheda () ocem com
lucamarino () cassiopea it

or anyone at ocem.com, please, let them know that the machine is compromised, and that they need to take it off line, and clean it up.

TIA and all that.

--
There are two ways, my friend, that you can be rich in life. One is to make a lot of money and the other is to have few needs.
William Sloane Coffin, "Letters to a Young Doubter"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

I'm Italian; if you want, send me the text of the email for:

fabiom () uni net
ennio.scheda () ocem com
lucamarino () cassiopea it

and I will take care of the translation myself.

Regards
Vania