Re: Dumb ISP of the week

[Bryan Andersen <bryan () visi com>]

I saw the same search signature from a USWest (QWest now) server
on Aug 16th.  Yes I notified then and received some responce.
What is interesting is it looked to be one of the machines in
their own labs.

Aug 16 08:16:49 input PROTO=6 them:2873 me.16:23 L=60 S=0x00 I=6303
F=0x4000 T=50
Aug 16 08:16:49 input PROTO=6 them:2876 me.17:23 L=60 S=0x00 I=6324
F=0x4000 T=50
Aug 16 08:16:49 input PROTO=6 them:2878 me.19:23 L=60 S=0x00 I=6327
F=0x4000 T=50
Aug 16 08:16:49 input PROTO=6 them:2907 me.17:143 L=60 S=0x00 I=6425
F=0x4000 T=50
Aug 16 08:16:52 input PROTO=6 them:2873 me.16:23 L=60 S=0x00 I=12419
F=0x4000 T=50
Aug 16 08:16:52 input PROTO=6 them:2878 me.19:23 L=60 S=0x00 I=12432
F=0x4000 T=50
Aug 16 08:16:52 input PROTO=6 them:2907 me.17:143 L=60 S=0x00 I=12537
F=0x4000 T=50
Aug 16 08:16:54 input PROTO=6 them:2371 me.16:143 L=60 S=0x00 I=14739
F=0x4000 T=50
Aug 16 08:16:54 input PROTO=6 them:2382 me.19:143 L=60 S=0x00 I=14757
F=0x4000 T=50
Aug 16 08:16:54 input PROTO=6 them:2415 me.17:23 L=60 S=0x00 I=14846
F=0x4000 T=50
Aug 16 08:16:57 input PROTO=6 them:2371 me.16:143 L=60 S=0x00 I=18076
F=0x4000 T=50
Aug 16 08:16:57 input PROTO=6 them:2382 me.19:143 L=60 S=0x00 I=18095
F=0x4000 T=50


[snip]
> > Oh don't even get me started on Pac Bell.  I've been getting massive
> > telnet and imap scans from one of their IP's (63.203.107.5), which
> > appears
> > to be a Linux box(and probably a rooted one).  Think Pac Bell/SBC has
> > even
> > looked at my email yet?  [keeping in mind the fact that I get my
> > 'enhanced' DSL from PB/SBC as well]
>
> Actually, it's interesting that you note that... over the weekend, I got
> the same scan from the same host, and they e-mailed me back (my own IP
> address masked):
[snip]
> > Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4037 xxx.xxx.xxx.xxx::23 L=60 S=0x00 I=36225 F=0x4000 T=51
> SYN
> > (#50)
> > Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4059 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=36305 F=0x4000 T=51
> SYN
> > (#50)
> > ..
> > Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4154 xxx.xxx.xxx.xxx:23 L=60 S=0x00 I=37749 F=0x4000 T=51
> SYN
> > (#50)
> > Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4170 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=37819 F=0x4000 T=51
> SYN
> > (#50)
> >
> > Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4065 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=36341 F=0x4000 T=51
> SYN
> > (#49)
> > Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4085 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=36422 F=0x4000 T=51
> SYN
> > (#49)
> > ..
> > Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4155 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=37750 F=0x4000 T=51
> SYN
> > (#49)
> > Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> > 63.203.107.5:4172 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=37823 F=0x4000 T=51
> SYN
> > (#49)
[snip]

--
|  Bryan Andersen   |   bryan () visi com   |   http://softail.visi.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|   -Bryan Andersen                                                    |