Security Incidents mailing list archives

Re: Attack attempts from 195.86.128.45

From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Wed, 07 May 2003 03:44:54 +0000

Hi Christian,

Im sorry to say; and you will most likely hear it from others too; but don'texpect a fast respose from the ISP (your are lessthan likely to even getone).The next step would be to block that ip off on your firewalls, and updateyour machine if needed - this person obviously isnt just doing a C classsweep - they are looking hard for a way into either yours only, or a selectfew networks.What security mechanisms are you runnign currently? Perhaps now might be awise time to conduct an audit, to find any holes before whoever is lookingfor them outside of your organisation does...After that the best advice would be to stay alert, and monitor your gatewaylogs closely.



Kind regards,

Hamish Stanaway

Absolute Web Hosting / Koreworks Internet Security
Owner/Operator
Auckland
New Zealand
http://www.webhosting.net.nz/ ][ http://www.koreworks.com/

From: Christian Stigen Larsen To: incidents () securityfocus com Subject:Attack attempts from 195.86.128.45 Date: Tue, 6 May 2003 19:36:34 +0200MIME-Version: 1.0 Received: from outgoing3.securityfocus.com([205.206.231.27]) by mc5-f23.law1.hotmail.com with MicrosoftSMTPSVC(5.0.2195.5600); Tue, 6 May 2003 20:23:57 -0700 Received: fromlists.securityfocus.com (lists.securityfocus.com [205.206.231.19])byoutgoing3.securityfocus.com (Postfix) with QMQPid E4D5DA30E6; Tue, 6 May2003 21:15:27 -0600 (MDT) Received: (qmail 8386 invoked from network); 6May 2003 17:14:23 -0000 X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidPMailing-List: contact incidents-help () securityfocus com; run by ezmlmPrecedence: bulk List-Id: List-Post: List-Help: List-Unsubscribe:List-Subscribe: Delivered-To: mailing list incidents () securityfocus comDelivered-To: moderator for incidents () securityfocus com Message-ID:<20030506173634.GA19191 () sublevel3 org> User-Agent: Mutt/1.4.1i Return-Path:incidents-return-5513-koremeltdown=hotmail.com () securityfocus comX-OriginalArrivalTime: 07 May 2003 03:23:57.0967 (UTC)FILETIME=[189D51F0:01C31448]
Hi all,
we've gotten a lot of attempted attacks from 195.86.128.45, which maps tokes.wirehub.nl. I've already notified abuse () nl easynet net, but haveanybode else seen attacks from this ip ?
From our log:
05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN195.119.0.181, 6776, DMZ 05/06/2003 12:35:54.624 Ripper Attack Dropped195.86.128.45, 3230, WAN 195.119.0.181, 2023, DMZ 05/06/2003 12:36:18.736Sub Seven Attack Dropped 195.86.128.45, 1780, WAN 195.119.0.181, 1243, DMZ05/06/2003 12:43:28.928 Sub Seven Attack Dropped 195.86.128.45, 1627, WAN195.119.0.181, 6711, DMZ 05/06/2003 12:52:30.176 Ini Killer Attack Dropped195.86.128.45, 4690, WAN 195.119.0.181, 9989, DMZ 05/06/2003 12:54:06.592Striker Attack Dropped 195.86.128.45, 1327, WAN 195.119.0.181, 2565, DMZ05/06/2003 12:59:22.640 Net Spy Attack Dropped 195.86.128.45, 2570, WAN195.119.0.181, 1024, DMZ 05/06/2003 13:25:08.352 Net Spy Attack Dropped195.86.128.45, 3754, WAN 195.119.0.181, 1024, DMZ 05/06/2003 13:32:18.144Striker Attack Dropped 195.86.128.45, 2661, WAN 195.119.0.181, 2565, DMZ05/06/2003 13:34:10.352 Ini Killer Attack Dropped 195.86.128.45, 2307, WAN195.119.0.181, 9989, DMZ 05/06/2003 13:42:59.320 Sub Seven Attack Dropped195.86.128.45, 2832, WAN 195.119.0.181, 6711, DMZ 05/06/2003 13:48:29.528Sub Seven Attack Dropped 195.86.128.45, 1863, WAN 195.119.0.181, 1243, DMZ05/06/2003 13:48:41.544 Ripper Attack Dropped 195.86.128.45, 4230, WAN195.119.0.181, 2023, DMZ 05/06/2003 13:52:18.416 Sub Seven Attack Dropped195.86.128.45, 3498, WAN 195.119.0.181, 6776, DMZ 05/06/2003 14:12:09.240NetBus Attack Dropped 195.86.128.45, 3677, WAN 195.119.0.181, 12345, DMZ05/06/2003 14:36:07.608 Priority Attack Dropped 195.86.128.45, 2045, WAN195.119.0.181, 16969, DMZ 05/06/2003 15:08:06.576 Priority Attack Dropped195.86.128.45, 3927, WAN 195.119.0.181, 16969, DMZ 05/06/2003 15:11:52.048NetBus Attack Dropped 195.86.128.45, 1756, WAN 195.119.0.181, 12345, DMZ05/06/2003 15:14:22.032 NetBus Attack Dropped 195.86.128.45, 3133, WAN195.119.0.181, 12345, DMZ 05/06/2003 15:17:39.560 Priority Attack Dropped195.86.128.45, 2129, WAN 195.119.0.181, 16969, DMZ 05/06/2003 15:47:12.224NetBus Attack Dropped 195.86.128.45, 3450, WAN 195.119.0.181, 20034, DMZ05/06/2003 15:51:43.192 NetBus Attack Dropped 195.86.128.45, 4064, WAN195.119.0.181, 20034, DMZ 05/06/2003 16:38:27.816 Back Orifice AttackDropped 195.86.128.45, 2249, WAN 195.119.0.181, 31337, DMZ [...]
Plus numerous portscans.

What should I do next, besides wait for a reply?

--
Christian Stigen Larsen -- http://sublevel3.org/~csl/ -- mob: +47 98 22 0215
----------------------------------------------------------------------------Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, theworld's premier event for IT and network security experts. The two-dayTraining features 6 hand-on courses on May 12-13 taught by professionals.The two-day Briefings on May 14-15 features 24 top speakers with no vendorsales pitches. Deadline for the best rates is April 25. Register today toensure your place. http://www.securityfocus.com/BlackHat-incidents----------------------------------------------------------------------------


_________________________________________________________________

Protect your PC - get McAfee.com VirusScan Onlinehttp://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963



----------------------------------------------------------------------------

Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, theworld's premier event for IT and network security experts. The two-dayTraining features 6 hand-on courses on May 12-13 taught by professionals.The two-day Briefings on May 14-15 features 24 top speakers with no vendorsales pitches. Deadline for the best rates is April 25. Register today toensure your place. http://www.securityfocus.com/BlackHat-incidents----------------------------------------------------------------------------

Current thread:

Attack attempts from 195.86.128.45 Christian Stigen Larsen (May 06)
- <Possible follow-ups>
- Re: Attack attempts from 195.86.128.45 KoRe MeLtDoWn (May 06)
  - Re: Attack attempts from 195.86.128.45 Jacco Tunnissen (May 07)
    - Re: Attack attempts from 195.86.128.45 abuse (May 07)
    - Re: Attack attempts from 195.86.128.45 Rune Kristian Viken (May 13)
    - Re: Attack attempts from 195.86.128.45 Fred van Engen (May 13)
- RE: Attack attempts from 195.86.128.45 C.W.L. Hoogenboezem (May 07)
- RE: Attack attempts from 195.86.128.45 NESTING, DAVID M (SBCSI) (May 07)
- Re: Attack attempts from 195.86.128.45 Neil Dickey (May 07)
  - Re: Attack attempts from 195.86.128.45 Valdis . Kletnieks (May 08)
- RE: Re: Attack attempts from 195.86.128.45 Levinson, Karl (May 07)
  - Re: Re: Attack attempts from 195.86.128.45 Benjamin Krueger (May 08)

(Thread continues...)