Security Incidents mailing list archives
Re: Scanning from a "intruder.rs88.net"?
From: "Matthew Jonkman" <jonkman () jonkmans com>
Date: Sun, 27 May 2001 12:53:29 -0500
I've got the identical alerts coming for nearly 2 weeks now sequentially through my subnets. My abuse reports have been ignored equally.

Matt

----- Original Message -----
From: "Simos Xenitellis" <simos () pc96 ma rhbnc ac uk>
To: <INCIDENTS () securityfocus com>
Sent: Saturday, May 26, 2001 5:46 PM
Subject: Scanning from a "intruder.rs88.net"?

Dear All,

Checking my logfiles, I noticed that the IP 208.50.149.200 (intruder.rs88.net) came up several times. To be precise: (time is in GMT+0000)

May 20 11:51:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 12:39:24 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=38375 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 12:39:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=45287 PROTO=UDP SPT=137 DPT=137 LEN=58
May 22 13:40:34 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=11946 PROTO=UDP SPT=137 DPT=137 LEN=58
May 25 19:29:13 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=30730 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 04:54:06 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=15511 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 04:54:09 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=38039 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:21 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=65464 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:24 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=16057 PROTO=UDP SPT=137 DPT=137 LEN=58
May 19 10:22:44 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=56924 PROTO=UDP SPT=137 DPT=137 LEN=58

I would not be worried about it if www.rs88.net did not have the text of "permission-based marketing on the Internet, sending personalized messages from companies to their customers". I sent them an e-mail to their "abuse" e-mail account but did not receive an explanation (over a week ago).

simos
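
Added example, not part of either poster's message: one way to pull this pattern out of netfilter LOG output is to group UDP port 137 hits by source and flag sources seen on several distinct days. The function names, the 3-day threshold and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG format quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
May 15 04:54:06 myhost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=78 TTL=110 ID=15511 PROTO=UDP SPT=137 DPT=137 LEN=58
May 15 04:54:09 myhost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=78 TTL=110 ID=38039 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:21 myhost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=78 TTL=109 ID=65464 PROTO=UDP SPT=137 DPT=137 LEN=58
May 16 06:32:24 myhost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=78 TTL=109 ID=16057 PROTO=UDP SPT=137 DPT=137 LEN=58
May 17 09:10:02 myhost kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TTL=120 ID=100 PROTO=UDP SPT=137 DPT=137 LEN=58
May 17 09:10:05 myhost kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TTL=120 ID=101 PROTO=UDP SPT=137 DPT=137 LEN=58
May 19 10:22:44 myhost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=109 ID=7 PROTO=TCP SPT=40000 DPT=80
May 20 11:51:26 myhost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=78 TTL=109 ID=3981 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=78 TTL=109 ID=10381 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

STAMP_RE = re.compile(r"^(\w{3}\s+\d+) \d\d:\d\d:\d\d ")  # syslog "Mon DD HH:MM:SS"
FIELD_RE = re.compile(r"(\w+)=(\S*)")                      # KEY=value, value may be empty


def parse_line(line):
    """Return the KEY=value fields of one kernel LOG line plus DAY, or None."""
    stamp = STAMP_RE.match(line)
    if not stamp or "kernel:" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-level one
    fields["DAY"] = stamp.group(1)
    return fields


def recurring_probes(log_text, dport="137", min_days=3):
    """Map each source seen on >= min_days distinct days to (days, packets)."""
    days, hits = defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("PROTO") != "UDP" or f.get("DPT") != dport:
            continue
        days[f["SRC"]].add(f["DAY"])
        hits[f["SRC"]] += 1
    return {s: (len(d), hits[s]) for s, d in days.items() if len(d) >= min_days}
```

Syslog timestamps carry no year, so a log that spans more than twelve months needs the year added before days are counted.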