Security Incidents mailing list archives

Re: Interesting reply


From: Aj Effin ReznoR <aj () REZNOR COM>
Date: Mon, 23 Oct 2000 13:36:50 -0700

This discussion has contained a lot of material regarding scanning coming from
ISPs, whether the scanning host was hacked or not, how you know if it was a hacked
machine, cable modems, etc.

However, analyzing the logs that Jason was kind enough to attach, I see a few
IPs, each under a differing /16 or /19, all owned by the same company, an
Above.net IP and an .edu in Australia (most likely hacked.  Why?  Almost all
connections to Jason's machine were from Sweden, Switzerland, Netherlands.
The Australia box and the Above.net IP are the only anomalies here).

From what is briefly obvious on their site, Mirrorimage is a connectivity
provider for companies seeking to distribute (streaming) content.  This does
not seem to be an ISP, and as 3 of the connecting IPs appear to be from
mirror-image.com in the US, and one from mirror-image in Stockholm, Sweden, I
think we can safely say that either someone has rooted a good portion of their
network, or someone internal to them is using their machines to connect to
Jason's.  None of the machines in their Swedish netblock responded, so at this
time I cannot tell if they are an ISP or a similar extension of the US company
(or vice versa).

The remaining 4 IPs may be ISPs, or may be simple vhosts which are owned and
are being used as jump points for these connections.

The theorizing about what to believe from what customers say is good and
healthy, because after all, if someone is running a default Redhat box and
isn't aware of how to secure it, do you really think they'll know they've been
cracked when you call them?  I'd say that's rather unlikely, and the ones
saying "sorry, it wasn't me, I was cracked" are probably actually the ones
running the scripts.

Everything below this point is just name lookups on the IPs in the logfile,
for reference's sake.

-aj.



"Turpin, Jason" wrote:

> Attached are the log files (minus my IPs) showing all of the IPs from the
> last couple of days hitting port 1024.



Name:    bud.cc.swin.edu.au
Address:  136.186.1.113
-
64.14.200.154 is owned by mirror-image.com
64.37.200.46 is also owned by mirror-image.com
216.35.167.58 is also owned by mirror-image.com

These are all housed under Exodus.

mirror-image.com is:
  Swedentrade (MIRROR-IMAGE-DOM)
     49 Dragon Court
     Woburn, MA 01880
     US

and also appears to be associated with mirrorimage.net, using same address as
above, and same technical contacts.

62.26.119.34 is Mirror-Image Internet AB, Stockholm, Sweden.

Odd.  Interesting tie-in from a US company with apparent Swedish connections,
and connections to your box from machines owned by the same company, yet
coming from two different countries (or so it would appear).
-
194.205.125.26 is Internet Services, Ltd (Great Britain)
-
194.213.64.150 is Telenordia AB (Sweden)
-
209.249.97.40 is owned by Above.net
-
212.78.160.237 is COLT Internet (Netherlands)
-
212.23.225.98 is COLT Internet CH networks (Switzerland)
-

The most notable exceptions to these attempts are the .au (Australia) box and
the Above.net entry.  Otherwise, this could be a fairly concerted effort by a
single individual, or a small group.  Either way, I don't see any
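The triage Aj walks through above (look up each source address, group the hits by network owner and by country, then see which sources don't fit any cluster) as an added Python example; this is not code from the post or from anyone on the list. The log lines are constructed and their format is hypothetical, the source addresses and the owner/country pairs are transcribed from the lookups above, and the OWNERS table stands in for the WHOIS queries you would actually run. The four Mirror-Image addresses are keyed to one organisation because the post treats the US and Stockholm entities as the same company.

```python
"""Group connection-log sources by network owner and country.

Added example, not from the original post. The log format is hypothetical
("<timestamp> <src_ip> -> <dst_port>"), the timestamps are made up, and
OWNERS is a hand-typed stand-in for WHOIS/RDAP output.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: sources are the addresses from the post, one
# extra hit to port 80 is included to exercise the port filter.
SAMPLE_LOG = """\
2000-10-21T03:11:02 64.14.200.154 -> 1024
2000-10-21T03:11:05 64.37.200.46 -> 1024
2000-10-21T03:12:40 216.35.167.58 -> 1024
2000-10-21T04:02:13 62.26.119.34 -> 1024
2000-10-21T04:30:51 194.205.125.26 -> 1024
2000-10-21T05:12:09 194.213.64.150 -> 1024
2000-10-21T05:40:22 209.249.97.40 -> 1024
2000-10-21T06:01:47 212.78.160.237 -> 1024
2000-10-21T06:15:30 212.23.225.98 -> 1024
2000-10-21T07:22:18 136.186.1.113 -> 1024
2000-10-21T07:22:19 136.186.1.113 -> 1024
2000-10-21T07:30:00 194.213.64.150 -> 80
"""

# (organisation, country) per source, transcribed from the post's lookups.
OWNERS = {
    "64.14.200.154": ("Mirror-Image", "US"),
    "64.37.200.46": ("Mirror-Image", "US"),
    "216.35.167.58": ("Mirror-Image", "US"),
    "62.26.119.34": ("Mirror-Image", "SE"),
    "194.205.125.26": ("Internet Services Ltd", "GB"),
    "194.213.64.150": ("Telenordia AB", "SE"),
    "209.249.97.40": ("Above.net", "US"),
    "212.78.160.237": ("COLT Internet", "NL"),
    "212.23.225.98": ("COLT Internet CH", "CH"),
    "136.186.1.113": ("swin.edu.au", "AU"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>(?:\d{1,3}\.){3}\d{1,3})\s+->\s+(?P<port>\d+)$"
)


def parse_log(text):
    """Return (timestamp, src_ip, dst_port) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["src"], int(m["port"])))
    return events


def triage(events, owners, port=1024):
    """Cluster the sources that hit `port` by owner and by country.

    Returns per-source hit counts, the sources under each organisation and
    country, and the sources whose organisation appears only once (the ones
    an analyst would look at separately from the main cluster).
    """
    hits = Counter()
    by_org = defaultdict(set)
    by_country = defaultdict(set)
    for _, src, dst_port in events:
        if dst_port != port:
            continue
        hits[src] += 1
        org, country = owners.get(src, ("UNKNOWN", "??"))
        by_org[org].add(src)
        by_country[country].add(src)
    singles = sorted(
        src for srcs in by_org.values() if len(srcs) == 1 for src in srcs
    )
    return {
        "hits": dict(hits),
        "by_org": {org: sorted(s) for org, s in by_org.items()},
        "by_country": {cc: sorted(s) for cc, s in by_country.items()},
        "single_org_sources": singles,
    }


def print_report(result):
    """Human-readable summary of a triage() result."""
    for org, srcs in sorted(result["by_org"].items(), key=lambda kv: -len(kv[1])):
        print(f"{org:22s} {len(srcs)} source(s): {', '.join(srcs)}")
    print("by country:", {cc: len(s) for cc, s in sorted(result["by_country"].items())})
    print("single-organisation sources:", ", ".join(result["single_org_sources"]))


if __name__ == "__main__":
    print_report(triage(parse_log(SAMPLE_LOG), OWNERS))
```

The clustering only makes a judgement call easier, it does not make it: on this data the Mirror-Image block stands out as the one multi-source organisation, while the remaining six sources each sit alone under their owner, and deciding which of those are jump points, open proxies or compromised hosts still needs the follow-up the post describes.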