Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167]

[genex69 () HOTMAIL COM (Andy David)]

If you do find any information I would like to know....looking back on my
logs I have found two incidents from @home users.  One
cr360266-a.nvcr1.bc.wave.home.com [24.113.24.115], and the other
cc287257-a.ebnsk1.nh.home.com [24.10.127.9] (at least renamed himself
WOMEN.....i just want to know who to report to in the future.

> From: "Maniac ." <m_a_n_i_a_c_ () HOTMAIL COM>
> Reply-To: "Maniac ." <m_a_n_i_a_c_ () HOTMAIL COM>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167]
> Date: Fri, 7 Jan 2000 17:43:04 GMT
> MIME-Version: 1.0
> X-Originating-IP: [207.229.4.67]
> Received: from [207.126.127.68] by hotmail.com (3.2) with ESMTP id
> MHotMailBA43F4EA00B4D820F3A5CF7E7F44B3570; Mon Jan 10 19:56:27 2000
> Received: from lists.securityfocus.com (lists.securityfocus.com
> [207.126.127.68])by lists.securityfocus.com (Postfix) with ESMTPid
> 3392B1EFD6; Mon, 10 Jan 2000 19:52:55 -0800 (PST)
> Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
> (LISTSERV-TCP/IP release 1.8d) with spool id 2190365 for
> INCIDENTS () LISTS SECURITYFOCUS COM; Mon, 10 Jan 2000 19:52:52 -0800
> Received: from securityfocus.com (securityfocus.com [207.126.127.66]) by
>       lists.securityfocus.com (Postfix) with SMTP id 8600E1FD4D for
>   <incidents () lists securityfocus com>; Fri,  7 Jan 2000 09:43:31 -0800
>      (PST)
> Received: (qmail 11941 invoked by alias); 7 Jan 2000 17:43:31 -0000
> Received: (qmail 11938 invoked from network); 7 Jan 2000 17:43:31 -0000
> Received: from f71.law4.hotmail.com (HELO hotmail.com) (216.33.149.71) by
>        securityfocus.com with SMTP; 7 Jan 2000 17:43:31 -0000
> Received: (qmail 22998 invoked by uid 0); 7 Jan 2000 17:43:04 -0000
> Received: from 207.229.4.67 by www.hotmail.com with HTTP;  Fri, 07 Jan 2000
>          09:43:04 PST
> From owner-incidents () SECURITYFOCUS COM Mon Jan 10 20:05:06 2000
> Approved-By: aleph1 () SECURITYFOCUS COM
> Delivered-To: incidents () lists securityfocus com
> Delivered-To: INCIDENTS () SECURITYFOCUS COM
> Message-ID:  <20000107174304.22997.qmail () hotmail com>
> Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
> X-To:         truth () ICHAOS COM, INCIDENTS () SECURITYFOCUS COM
>
> The attacker seems to know only enough to be a danger and definately
> doesn't
> know enough not to use his @home connection.  Have you contacted @home?
> Good luck if you have.  In the past I have reported attacks from @home
> customers to @home (shaw cable where I am) and recieved no action of any
> sort.
>
> Does anyone have a good contact at @Home that we can report things like
> this
> to?  This user is also using the cr595282-a that @home assigns to users
> when
> they do the install. Definately a lack of knowledge on the attackers part.
> Even if their IP address changes, the cr59# is uniqe and follows his
> workstation.
>
> > The attacker from this IP address is using an RPC scanner to search for
> > versions of amd that has a buffer overflow, and exploiting it. They are
> > then using the exploited systems to scan other subnets and exploit those
> > systems, etc. etc. etc..
> >
> > My system was used as one of these launch points to get in to at least 2
> > other systems, one of which got destroyed.
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com