nanog mailing list archives
Re: Exodus / Clue problems
From: "Alex P. Rudnev" <alex () Relcom EU net>
Date: Mon, 16 Nov 1998 15:10:56 +0300 (MSK)
Hi. You are discussing nothing. I have traced a few different hackers in the last 2 weeks, and I suspect this was one of the boxes broken by them (or maybe not). If it was a Linux box - I am sure it was broken.

The problem is the fact that not every owner answers the warning messages, and there are some well-known hosts used by hackers without the owners' permission, and the owners do not answer and do not close these hosts.

Keep in mind - there is a _trojan toolkit_ for Linux and SunOS (there are ones for other systems too, but they have a lot of bugs) that hides the hacker's activity totally (try this one for Linux - an excellent package replacing more than 20 different commands); there is a trojaned SSH daemon (and hackers like to install it).

If you saw port scanning or BO scanning or port 139 scanning or any other kind of scanning, you CAN write AT ONCE a warning to the box owner, _the hacker broke your system and abuses it_, and your suspicion will be correct for more than 99% of these addresses. Do not write _please stop scanning_, but write _alarm. YOU are broken_. I have not had ANY exception in the more than 20 or 40 warnings I sent last week.

The worst (as of today) are Canadian scientific networks - no answer, a lot of powerful servers abused for cracking, smurfing etc. Another bad network is NASA -:). It's abused by the hackers and they can't stop this activity. I do not speak about the universities all over the world -:).

On Sun, 15 Nov 1998, Roeland M.J. Meyer wrote:
Date: Sun, 15 Nov 1998 20:37:20 -0800
From: Roeland M.J. Meyer <rmeyer () mhsc com>
To: TTSG <ttsg () ttsg com>
Cc: James McKenzie <mcs () 1ipnet net>, nanog () merit edu, asr () millburn net, ttsg () ttsg com
Subject: Re: Exodus / Clue problems

I was getting ready to do a SAINT run on the IP address to find out (I needed the practice) when the initial ping timed out. <sigh>

At 10:54 PM 11/15/98 -0500, TTSG wrote:

I have received a call from Exodus. The machine (209.67.50.254) has been removed from the network by request of the owner of the box.

Great!, but..............

a) Did they end up obtaining access to another site and will begin there?
b) WAS the origination actually the box as people have claimed, or was it spoofed?
c) There was a report that it had stopped earlier (As seen below from Roeland), is anyone still seeing it?
d) Was the box just YANKED, or did someone actually try to find out if there was someone/something on it and where its origin is?

Tuc/TTSG

James

At 07:22 PM 11/15/98 -0800, Roeland M.J. Meyer wrote:

Somebody musta got them, 'cause they're gone now.

At 06:25 PM 11/15/98 -0600, William S. Duncanson wrote:

Seeing it here, too.

At 18:52 11/15/98 -0500, Daniel Senie wrote:

sigma () pair com wrote:

Let me guess - the IP is 209.67.50.254, and they're trying to login to nameservers as "root", sometimes a dozen times per second?

I'm seeing that IP address trying to telnet into my name servers (don't know if it's as root, since my filters are blocking them). I also see them trying to access IMAP on my servers.

Dan
--
-----------------------------------------------------------------
Daniel Senie dts () senie com
Amaranth Networks Inc. http://www.amaranthnetworks.com

William S. Duncanson caesar () starkreality com
The driving force behind the NC is the belief that the companies who brought us things like Unix, relational databases, and Windows can make an appliance that is inexpensive and easy to use if they choose to do that.
-- Scott Adams

___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer () mhsc com
Internet phone: hawk.mhsc.com
Personal web pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
Who is John Galt? "Atlas Shrugged" - Ayn Rand

James McKenzie
mcs () 1ipnet net
http://www.1ipnet.net
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)