Security Incidents mailing list archives

Re: Positive response from provider re: incident report


From: Mark Challender <MarkC () MTBAKER WEDNET EDU>
Date: Fri, 9 Feb 2001 09:05:15 -0800

During this last summer, one of my NT machines was used for warez loading
(nearly 2GB of storage).

I tracked down about 40 users and reported them to their ISPs.  In almost
all cases I received the same type of notice that accounts had been closed.

Report scans and intrusions.  Lots of people like us do care about these
things.

Some may be asking what the problem was with my NT box....... incorrect
permission on the FTP server from the builder with write left on for
anonymous.  I should have checked it, darn.

After closing the hole, the attempts were fast and furious, so I denied FTP
at the router.... and just dropped the packets right there.

-----Original Message-----
From: Sean Brown [mailto:srbrown () APPGEO COM]
Sent: Thursday, February 08, 2001 1:20 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Positive response from provider re: incident report


It's nice to occasionally get a response like the one below.  After five
months, I'm surprised they even bothered to get back to me.  Let's hope
this teaches them a lesson and they never do it again...yeah, right ;-)

--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator   Applied Geographics, Inc.   Boston, MA

-------- Original Message --------
Subject: MailID: 1254775 RE: Netabuse / Network scan detect
Date: Thu, 8 Feb 2001 14:22:43 -0700 (MST)
From: "Bellsouth.Net ABUSE" <abuse () bellsouth net>
To: srbrown () nyx net


Thank you for taking your time to contact BellSouth Internet Service.  We
appreciate the opportunity to address your concerns because it is our goal
to provide the highest quality Internet service available.

In accordance with BellSouth Internet Service's Acceptable Use Policy, this
customer's BellSouth Internet Service account is no longer active.

Again, thank you for your time and for this opportunity to help you
resolve this issue.

Amie
abuse () bellsouth net

----------Original Message----------

Greetings,
On Oct 28 10:21:40 GMT-4 we detected a scan of TCP port 21 (FTP)
in part of our network.  This scan appears to have originated from
208.61.44.215 (adsl-61-44-215.mia.bellsouth.net).

Log Entries:
============
Oct 28 10:21:40 zion snort[23136]: spp_portscan: PORTSCAN DETECTED from 208.61.44.215 (STEALTH)
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.100:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.101:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.102:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.104:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.103:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.106:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.105:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.107:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.110:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.120:21
Oct 28 10:21:41 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> x.y.z.125:21
Oct 28 10:21:54 zion snort[23136]: spp_portscan: portscan status from 208.61.44.215: 11 connections across 11 hosts: TCP(11), UDP(0) STEALTH
Oct 28 10:21:58 zion snort[23136]: spp_portscan: End of portscan from 208.61.44.215: TOTAL time(1s) hosts(11) TCP(11) UDP(0) STEALTH
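The report above was assembled by hand from Snort syslog output: pick out the per-packet SYN FIN alerts for one source, count how many distinct hosts it swept, and paste the matching log lines with the local network masked. The script below does that mechanically. It is an added example written for this archive page, not a tool either poster used. The log lines in it are constructed in the Snort 1.x syslog format quoted above (with the 192.0.2.0/24 documentation range standing in for the masked x.y.z.0/24, plus one benign single-host line to show what is not flagged); the year, the five-host threshold and the 60-second window are assumptions, since syslog timestamps carry no year and the thread states no thresholds.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the Snort 1.x syslog alerts quoted in the
# report. 192.0.2.0/24 stands in for the poster's masked x.y.z.0/24; the
# 198.51.100.7 line is a single benign connection that must NOT be flagged.
SAMPLE_LOG = """\
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> 192.0.2.100:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> 192.0.2.101:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> 192.0.2.102:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> 192.0.2.104:21
Oct 28 10:21:40 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> 192.0.2.103:21
Oct 28 10:21:41 zion snort[23136]: IDS198 - SCAN-SYN FIN: 208.61.44.215:21 -> 192.0.2.125:21
Oct 28 10:21:54 zion snort[23136]: spp_portscan: portscan status from 208.61.44.215: 6 connections across 6 hosts: TCP(6), UDP(0) STEALTH
Oct 28 10:30:02 zion snort[23136]: IDS198 - SCAN-SYN FIN: 198.51.100.7:21 -> 192.0.2.100:21
"""

# One per-packet alert line: syslog timestamp, sensor, "snort[pid]:", rule id,
# signature name, then src:port -> dst:port. spp_portscan summary lines do
# not match and are skipped on purpose (they are derived, not evidence).
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<sensor>\S+) snort\[\d+\]: "
    r"(?P<sid>IDS\d+) - (?P<sig>[^:]+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_alerts(text, year=2000):
    """Return one dict per per-packet alert in the log text.

    syslog timestamps have no year, so the caller supplies one (assumed)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        alerts.append({
            "ts": ts, "sid": m["sid"], "sig": m["sig"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return alerts


def max_hosts_in_window(items, window_seconds):
    """Largest number of distinct destinations one source hit inside any
    window_seconds-long sliding window (items must be sorted by time)."""
    best = 0
    for i, start in enumerate(items):
        seen = set()
        for a in items[i:]:
            if (a["ts"] - start["ts"]).total_seconds() > window_seconds:
                break
            seen.add(a["dst"])
        best = max(best, len(seen))
    return best


def summarize_sources(alerts, min_hosts=5, window_seconds=60):
    """Group alerts by source address and flag a source as a sweep when it
    reached at least min_hosts distinct hosts within window_seconds."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    summaries = {}
    for src, items in by_src.items():
        items.sort(key=lambda a: a["ts"])
        summaries[src] = {
            "hosts": sorted({a["dst"] for a in items}),
            "ports": sorted({a["dport"] for a in items}),
            "sigs": sorted({f'{a["sid"]} - {a["sig"]}' for a in items}),
            "first": items[0]["ts"], "last": items[-1]["ts"],
            "count": len(items),
            "is_sweep": max_hosts_in_window(items, window_seconds) >= min_hosts,
        }
    return summaries


def _service(port):
    try:
        return socket.getservbyport(port, "tcp").upper()
    except OSError:  # no /etc/services entry on this host
        return str(port)


def format_abuse_report(src, summaries, raw_log, mask_net=None):
    """Build an abuse@ report like the one in the thread: a one-paragraph
    summary, then every raw log line naming the source, with the local
    network prefix (e.g. "192.0.2") masked as "x.y.z" if mask_net is given."""
    s = summaries[src]
    ports = ", ".join(f"{p} ({_service(p)})" for p in s["ports"])
    out = [
        "Greetings,",
        f"On {s['first']:%b %d %H:%M:%S} we detected a scan of TCP port {ports} "
        f"against {len(s['hosts'])} hosts in part of our network.",
        f"This scan appears to have originated from {src}.",
        "", "Log Entries:", "============",
    ]
    src_re = re.compile(rf"(?<![\d.]){re.escape(src)}(?![\d.])")
    for line in raw_log.splitlines():
        if src_re.search(line):
            out.append(line.replace(mask_net, "x.y.z") if mask_net else line)
    return "\n".join(out)


if __name__ == "__main__":
    summaries = summarize_sources(parse_alerts(SAMPLE_LOG))
    for src, s in summaries.items():
        if s["is_sweep"]:
            print(format_abuse_report(src, summaries, SAMPLE_LOG, mask_net="192.0.2"))
```

The sweep test is deliberately on distinct destination hosts per window rather than on packet count, because a single host retrying FTP would rack up alerts without being a scan; the preprocessor's own "portscan status" lines are kept out of the detection and used only as supporting evidence in the pasted log. Masking the local prefix before sending keeps the report useful to the provider (timestamps, source, rule name) without disclosing the reporter's address layout.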


