Security Incidents mailing list archives
Scanning from a "intruder.rs88.net"?
From: Simos Xenitellis <simos () pc96 ma rhbnc ac uk>
Date: Sat, 26 May 2001 23:46:57 +0100 (BST)
Dear All,
Checking my logfiles, I noticed that the IP
208.50.149.200 (intruder.rs88.net) came up several times.
To be precise:
(time is in GMT+0000)
May 20 11:51:26 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137
DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137
DPT=137 LEN=58
May 21 12:39:24 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=38375 PROTO=UDP SPT=137
DPT=137 LEN=58
May 21 12:39:26 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=45287 PROTO=UDP SPT=137
DPT=137 LEN=58
May 22 13:40:34 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=11946 PROTO=UDP SPT=137
DPT=137 LEN=58
May 25 19:29:13 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=30730 PROTO=UDP SPT=137
DPT=137 LEN=58
May 15 04:54:06 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=15511 PROTO=UDP SPT=137
DPT=137 LEN=58
May 15 04:54:09 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=38039 PROTO=UDP SPT=137
DPT=137 LEN=58
May 16 06:32:21 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=65464 PROTO=UDP SPT=137
DPT=137 LEN=58
May 16 06:32:24 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=16057 PROTO=UDP SPT=137
DPT=137 LEN=58
May 19 10:22:44 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=56924 PROTO=UDP SPT=137
DPT=137 LEN=58
I would not be worried about it if www.rs88.net did not have the text of
"permission-based marketing on the Internet, sending personalized messages
from companies to their customers".
I sent them an e-mail to their "abuse" e-mail account but did not receive
an explanation (over a week ago).
simos
Current thread:
- Scanning from a "intruder.rs88.net"? Simos Xenitellis (May 26)
- RE: Scanning from a "intruder.rs88.net"? Jason Lewis (May 27)
- RE: Scanning from a "intruder.rs88.net"? Simos Xenitellis (May 28)
- RE: Scanning from a "intruder.rs88.net"? James Friesen (May 28)
- Re: Scanning from a "intruder.rs88.net"? Jonathan Bloomquist (May 28)
- RE: Scanning from a "intruder.rs88.net"? Jason Lewis (May 28)
- RE: Scanning from a "intruder.rs88.net"? Simos Xenitellis (May 28)
- RE: Scanning from a "intruder.rs88.net"? Jason Lewis (May 27)