Security Incidents mailing list archives
Re: Interesting reply
From: Aj Effin ReznoR <aj () REZNOR COM>
Date: Mon, 23 Oct 2000 13:36:50 -0700
This discussion has contained a lot of material regarding scanning coming from ISPs, whether the scanning host was hacked or not, how you know if it was a hacked machine, cable modems, etc. However, analyzing the logs that Jason was kind enough to attach, I see a few IPs, each under a differing /16 or /19, all owned by the same company, an Above.net IP and an .edu in Australia (most likely hacked. Why? Almost all connections to Jason's machine were from Sweden, Switzerland, Netherlands. The Australia box and the Above.net IP are the only anomalies here).

From what is briefly obvious on their site, Mirrorimage is a connectivity provider for companies seeking to distribute (streaming) content. This does not seem to be an ISP, and as 3 of the connecting IPs appear to be from mirror-image.com in the US, and one from mirror-image in Stockholm, Sweden, I think we can safely say that either someone has rooted a good portion of their network, or someone internal to them is using their machines to connect to Jason's. None of the machines in their Swedish netblock responded, so at this time I cannot tell if they are an ISP or a similar extension of the US company (or vice versa). The remaining 4 IPs may be ISPs, or may be simple vhosts which are owned and are being used as jump points for these connections.

The theorizing about what to believe from what customers say is good and healthy, because after all, if someone is running a default Red Hat box and isn't aware of how to secure it, do you really think they'll know they've been cracked when you call them? I'd say that's rather unlikely, and the ones saying "sorry, it wasn't me, I was cracked" are probably actually the ones running the scripts.

Everything below this point is just name lookups on the IPs in the logfile, for reference's sake.

-aj.

"Turpin, Jason" wrote:
> Attached are the log files (minus my IPs) showing all of the IPs from the last couple of days hitting port 1024.
Name: bud.cc.swin.edu.au
Address: 136.186.1.113

- 64.14.200.154 is owned by mirror-image.com
- 64.37.200.46 is also owned by mirror-image.com
- 216.35.167.58 is also owned by mirror-image.com

These are all housed under Exodus. mirror-image.com is:

  Swedentrade (MIRROR-IMAGE-DOM)
  49 Dragon Court
  Woburn, MA 01880
  US

and also appears to be associated with mirrorimage.net, using the same address as above, and the same technical contacts.

- 62.26.119.34 is Mirror-Image Internet AB, Stockholm, Sweden.

Odd. Interesting tie-in from a US company with apparent Swedish connections, and connections to your box from machines owned by the same company, yet coming from two different countries (or so it would appear).

- 194.205.125.26 is Internet Services, Ltd (Great Britain)
- 194.213.64.150 is Telenordia AB (Sweden)
- 209.249.97.40 is owned by Above.net
- 212.78.160.237 is COLT Internet (Netherlands)
- 212.23.225.98 is COLT Internet CH networks (Switzerland)

The exception to these attempts most notably is the .au (Australia) box and the Above.net entry. Otherwise, this could be a fairly concerted effort by a single individual, or a small group. Either way, I don't see any
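The analysis above is done by hand: pull the source addresses out of the port-1024 log, map each to its netblock owner, and look for the sources that do not fit the cluster. The following is an added example (not from the original message or its attachment) that automates that triage. The log lines are constructed in a netfilter-style format, and the netblock table is an assumed allocation list built only from the IPs and owners named in the message; the prefix lengths are assumptions, not real whois data, so a practitioner would substitute real lookups.

```python
"""Triage of port-1024 hits by netblock owner and region (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log lines (not the poster's real attachment). The last line
# is a port-80 hit, included to show that it is filtered out.
SAMPLE_LOG = """\
Oct 21 02:11:04 gw kernel: IN=eth0 SRC=64.14.200.154 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 21 02:11:09 gw kernel: IN=eth0 SRC=64.37.200.46 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 21 03:40:51 gw kernel: IN=eth0 SRC=216.35.167.58 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 21 03:41:02 gw kernel: IN=eth0 SRC=62.26.119.34 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 21 05:12:33 gw kernel: IN=eth0 SRC=136.186.1.113 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 21 05:13:00 gw kernel: IN=eth0 SRC=194.205.125.26 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 21 05:13:07 gw kernel: IN=eth0 SRC=194.213.64.150 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 22 01:02:10 gw kernel: IN=eth0 SRC=209.249.97.40 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 22 01:02:15 gw kernel: IN=eth0 SRC=212.78.160.237 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 22 01:02:20 gw kernel: IN=eth0 SRC=212.23.225.98 DST=10.0.0.5 PROTO=TCP DPT=1024
Oct 22 01:02:25 gw kernel: IN=eth0 SRC=212.78.160.237 DST=10.0.0.5 PROTO=TCP DPT=80
"""

# Assumed allocation table: (prefix, owner, region). Owners come from the
# message; the prefix lengths are made up for the example.
NETBLOCKS = [
    ("64.14.0.0/16", "mirror-image.com", "US"),
    ("64.37.0.0/16", "mirror-image.com", "US"),
    ("216.35.0.0/16", "mirror-image.com", "US"),
    ("62.26.0.0/16", "Mirror-Image Internet AB", "EU"),
    ("136.186.0.0/16", "swin.edu.au", "AU"),
    ("194.205.0.0/16", "Internet Services, Ltd", "EU"),
    ("194.213.64.0/19", "Telenordia AB", "EU"),
    ("209.249.0.0/16", "Above.net", "US"),
    ("212.78.160.0/19", "COLT Internet", "EU"),
    ("212.23.224.0/19", "COLT Internet CH", "EU"),
]

LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*DPT=(?P<dpt>\d+)")


def parse_hits(log_text, port=1024):
    """Return the source IPs that hit `port`, in log order (duplicates kept)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            hits.append(m.group("src"))
    return hits


def lookup_owner(ip):
    """Longest-prefix match of `ip` against NETBLOCKS; (None, None) if unmatched."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, owner, region in NETBLOCKS:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner, region)
    return (best[1], best[2]) if best else (None, None)


def group_by_owner(hits):
    """Map owner -> sorted distinct source IPs; several IPs under one owner
    is the 'good portion of their network' signal from the message."""
    groups = defaultdict(set)
    for ip in hits:
        owner, _ = lookup_owner(ip)
        groups[owner or "unknown"].add(ip)
    return {k: sorted(v) for k, v in groups.items()}


def find_outliers(hits):
    """Return distinct sources whose region occurs only once: when the rest
    of the sources cluster in a couple of regions, the lone one is the first
    box to suspect of being a compromised jump point."""
    distinct = sorted(set(hits))
    regions = Counter(lookup_owner(ip)[1] for ip in distinct)
    return [ip for ip in distinct if regions[lookup_owner(ip)[1]] == 1]


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    for owner, ips in sorted(group_by_owner(hits).items()):
        print(f"{owner}: {', '.join(ips)}")
    print("outliers:", find_outliers(hits))
```

With the constructed input, the owner grouping puts three sources under mirror-image.com and the region count flags only the Australian .edu box; the Above.net address lands in the US cluster, so the message's second anomaly is the kind of judgement call the script leaves to the analyst.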