Security Incidents mailing list archives
Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167]
From: genex69 () HOTMAIL COM (Andy David)
Date: Mon, 10 Jan 2000 22:44:18 CST
If you do find any information I would like to know.... Looking back on my logs I have found two incidents from @home users: one cr360266-a.nvcr1.bc.wave.home.com [24.113.24.115], and the other cc287257-a.ebnsk1.nh.home.com [24.10.127.9] (at least renamed himself WOMEN)..... I just want to know who to report to in the future.
From: "Maniac ." <m_a_n_i_a_c_ () HOTMAIL COM>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167]
Date: Fri, 7 Jan 2000 17:43:04 GMT
The attacker seems to know only enough to be a danger and definitely doesn't know enough not to use his @home connection. Have you contacted @home? Good luck if you have.
In the past I have reported attacks from @home customers to @home (Shaw cable where I am) and received no action of any sort. Does anyone have a good contact at @Home that we can report things like this to?
This user is also using the cr595282-a that @home assigns to users when they do the install. Definitely a lack of knowledge on the attacker's part. Even if their IP address changes, the cr59# is unique and follows his workstation.
The attacker from this IP address is using an RPC scanner to search for versions of amd that have a buffer overflow, and exploiting it. They are then using the exploited systems to scan other subnets and exploit those systems, etc. etc. etc. My system was used as one of these launch points to get into at least 2 other systems, one of which got destroyed.
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
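Added example, not part of the original posts: the quoted message notes that the first hostname label (the "cr59#") stays with the workstation when the IP changes, so grouping log sightings by that label instead of by IP gives one record per source to hand to an abuse desk. The log line format, the regular expressions and all sample hostnames and IPs are assumptions constructed for illustration, and the grouping is only as reliable as the reverse-DNS name recorded at log time.

```python
import re
from collections import defaultdict

# Assumed line format: "<ISO timestamp> <reverse-DNS name> [<IP>] <event text>"
LINE_RE = re.compile(r"^(\S+) (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\] (.*)$")
# First label of an @home customer hostname, e.g. "cr595282-a" as quoted in the thread.
LABEL_RE = re.compile(r"^(c[a-z]\d+-[a-z])\.(?:[a-z0-9-]+\.)*home\.com$", re.I)

# Constructed sample data: hostnames and documentation-range IPs are made up.
SAMPLE_LOG = """\
2000-01-05T03:12:44 cr000001-a.town1.on.wave.home.com [192.0.2.10] portmap query
2000-01-06T21:40:02 cc000002-a.town2.nh.home.com [198.51.100.7] connect tcp/111
2000-01-07T02:05:19 cr000001-a.town1.on.wave.home.com [192.0.2.77] portmap query
2000-01-07T02:06:01 dialup-9.isp.example [203.0.113.5] connect tcp/23
malformed line without the expected fields
"""

def group_by_host_label(log_text):
    """Group sightings by the stable hostname label instead of by source IP."""
    seen = defaultdict(lambda: {"ips": set(), "times": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        ts, host, ip, _event = m.groups()
        label = LABEL_RE.match(host)
        if not label:
            continue  # not an @home-style customer hostname
        entry = seen[label.group(1).lower()]
        entry["ips"].add(ip)
        entry["times"].append(ts)
    return {
        k: {"ips": sorted(v["ips"]), "first": min(v["times"]),
            "last": max(v["times"]), "count": len(v["times"])}
        for k, v in seen.items()
    }

if __name__ == "__main__":
    for label, info in group_by_host_label(SAMPLE_LOG).items():
        moved = " (IP changed)" if len(info["ips"]) > 1 else ""
        print(f"{label}: {info['count']} hits, {info['first']} to {info['last']}, "
              f"IPs {', '.join(info['ips'])}{moved}")
```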
Current thread:
- Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Thomas E. Ruth (Jan 06)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Jeffrey Papen (Jan 07)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Thomas E. Ruth (Jan 07)
- <Possible follow-ups>
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Maniac . (Jan 07)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Thomas E. Ruth (Jan 07)
- Cable modem hosts being exploited to spam. TCP ports 224, 253 Aaron Higbee (Jan 07)
- Probe from NS2.SOHONET.COM Jonathan S. Keim (Jan 08)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Missouri FreeNet Administration (Jan 10)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Thomas Molina (Jan 11)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Andrew Kunz (Jan 11)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Thomas E. Ruth (Jan 07)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Andy David (Jan 10)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Maniac . (Jan 11)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Maniac . (Jan 11)
- Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167] Al Huger - Mail Account (Jan 14)