Security Incidents mailing list archives
Re: Positive response from provider re: incident report
From: Mark Challender <MarkC () MTBAKER WEDNET EDU>
Date: Fri, 9 Feb 2001 09:05:15 -0800
During this last summer, one of my NT machines was used for warez loading (nearly 2GB of storage). I tracked down about 40 users and reported them to their ISPs. In almost all cases I received the same type of notice that accounts had been closed.

Report scans and intrusions. Lots of people like us do care about these things.

Some may be asking what the problem was with my NT box....... incorrect permission on the FTP server from the builder with write left on for anonymous. I should have checked it, darn. After closing the hole, the attempts were fast and furious, so I denied FTP at the router.... and just dropped the packets right there.

-----Original Message-----
From: Sean Brown [mailto:srbrown () APPGEO COM]
Sent: Thursday, February 08, 2001 1:20 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Positive response from provider re: incident report

It's nice to occasionally get a response like the one below. After five months, I'm surprised they even bothered to get back to me. Let's hope this teaches them a lesson and they never do it again...yeah, right ;-)

--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator
Applied Geographics, Inc.
Boston, MA

-------- Original Message --------
Subject: MailID: 1254775 RE: Netabuse / Network scan detect
Date: Thu, 8 Feb 2001 14:22:43 -0700 (MST)
From: "Bellsouth.Net ABUSE" <abuse () bellsouth net>
To: srbrown () nyx net

Thank you for taking your time to contact BellSouth Internet Service. We appreciate the opportunity to address your concerns because it is our goal to provide the highest quality Internet service available.

In accordance with BellSouth Internet Service's Acceptable Use Policy, this customer's BellSouth Internet Service account is no longer active.

Again, thank you for your time and for this opportunity to help you resolve this issue.

Amie
abuse () bellsouth net

----------Original Message----------

Greetings,

On Oct 28 10:21:40 GMT-4 we detected a scan of TCP port 21 (FTP) in part of our network. This scan appears to have originated from 208.61.44.215 (adsl-61-44-215.mia.bellsouth.net).

Log Entries:
============
Oct 28 10:21:40 zion snort[23136]: spp_portscan: PORTSCAN DETECTED from 208.61.44.215 (STEALTH)
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.100:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.101:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.102:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.104:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.103:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.106:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.105:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.107:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.110:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.120:21
Oct 28 10:21:41 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.125:21
Oct 28 10:21:54 zion snort[23136]: spp_portscan: portscan status from 208.61.44.215: 11 connections across 11 hosts: TCP(11), UDP(0) STEALTH
Oct 28 10:21:58 zion snort[23136]: spp_portscan: End of portscan from 208.61.44.215: TOTAL time(1s) hosts(11) TCP(11) UDP(0) STEALTH