Re: Exodus / Clue problems

["Alex P. Rudnev" <alex () Relcom EU net>]

Hi.

You are discussing nothing. I have traced few different hackers last 2 
weeks, and I suspect this was one of the boxes broken by them (or may be, 
not). If it was Linux box - I am sure it was broken.

The problem is the fact not every owner answer ti the warning messages, 
and there is some well known hosts used by hackers withouth owners 
permission, and the owners do not answer and do not close this hosts. 

Keep in mind - there is _troyan toolkit_ for Linux and SunOS (there is 
for another systems too byt they have a lot of bugs) hidden hacker's 
activity totally (try this one for the Linux - excellent package 
replacing mnore than 20 different commands); there is troyaned SSH daemon 
(and hakers like to install it). 

If you saw the port scanning or BO scanning or port 139 scanning or any 
other kind of the scanning, you CAN write AT ONCE a warning to the box 
owner _the hacker broke your system and abuse it_, and your suspection 
will be correct more than 99% of this addresses. Do not write _please 
stop scanning_, but write _alarm. YOU are broken_. I have not ANY 
exception for more than 20 or 40 warning I have sent last week.

The worst (for todays) are Canadian scientific networks - no answer, a 
lot of power servers abused for the cracking, smurfing etc. Other bad 
network is NASA -:). It's abused by the hackers and they can't stop this 
activity.

I do not speak about the universities over the world -:).

On Sun, 15 Nov 1998, Roeland M.J. Meyer wrote:

> Date: Sun, 15 Nov 1998 20:37:20 -0800
> From: Roeland M.J. Meyer <rmeyer () mhsc com>
> To: TTSG <ttsg () ttsg com>
> Cc: James McKenzie <mcs () 1ipnet net>, nanog () merit edu, asr () millburn net,
>     ttsg () ttsg com
> Subject: Re: Exodus / Clue problems
>
> I was getting ready to do a SAINT run on the IP address to find out (I
> needed the practice) when the initial ping timed out. <sigh> 
>
>
> At 10:54 PM 11/15/98 -0500, TTSG wrote:
> > >  I have received a call from Exodus.  The machine (209.67.50.254) has been
> > > removed from the network by request of the owner of the box.
> >     Great!, but..............
> >
> >     a) Did they end up obtaining access to another site and will begin
> >             there?
> >
> >     b) WAS the origination actually the box as people have claimed, or
> >             was it spoofed?
> >
> >     c) There was a report that it had stopped earlier (As seen below
> >             from Roeland), is anyone still seeing it?
> >
> >     d) Was the box just YANKED, or did someone actually try to find 
> >             out if there was someone/something on it and where its
> >             origin is?
> >
> >                     Tuc/TTSG 
> > >    James
> > >
> > > At 07:22 PM 11/15/98 -0800, Roeland M.J. Meyer wrote:
> > > > Sombody musta got them, 'cause their gone now.
> > > >
> > > > At 06:25 PM 11/15/98 -0600, William S. Duncanson wrote:
> > > > > Seeing it here, too.
> > > > >
> > > > > At 18:52 11/15/98 -0500, Daniel Senie wrote:
> > > > > > sigma () pair com wrote:
> > > > > > > Let me guess - the IP is 209.67.50.254, and they're trying to login to
> > > > > > > nameservers as "root", sometimes a dozen times per second?
> > > > > >
> > > > > > I'm seeing that IP address trying to telnet into my name servers (don't
> > > > > > know if it's as root, since my filters are blocking them). I also see
> > > > > > them trying to access IMAP on my servers.
> > > > > >
> > > > > > Dan
> > > > > >
> > > > > > -- 
> > > > > > -----------------------------------------------------------------
> > > > > > Daniel Senie                                        dts () senie com
> > > > > > Amaranth Networks Inc.            http://www.amaranthnetworks.com
> > > > >
> > > > >
> > > > > William S. Duncanson                      caesar () starkreality com
> > > > > The driving force behind the NC is the belief that the companies who
> > > > brought us
> > > > > things like Unix, relational databases, and Windows can make an appliance
> > > > that
> > > > > is inexpensive and easy to use if they choose to do that.  -- Scott
> Adams 
> > > > >
> > > >
> > > > ___________________________________________________ 
> > > > Roeland M.J. Meyer, ISOC (InterNIC RM993) 
> > > > e-mail: <mailto:rmeyer () mhsc com>rmeyer () mhsc com
> > > > Internet phone: hawk.mhsc.com
> > > > Personal web pages: <http://www.mhsc.com/~rmeyer>www.mhsc.com/~rmeyer
> > > > Company web-site: <http://www.mhsc.com/>www.mhsc.com/
> > > > ___________________________________________ 
> > > > Who is John Galt?
> > > > "Atlas Shrugged" - Ayn Rand
> > >
> > >  James McKenzie
> > >  mcs () 1ipnet net
> > >  http://www.1ipnet.net
>
> ___________________________________________________ 
> Roeland M.J. Meyer, ISOC (InterNIC RM993) 
> e-mail: <mailto:rmeyer () mhsc com>rmeyer () mhsc com
> Internet phone: hawk.mhsc.com
> Personal web pages: <http://www.mhsc.com/~rmeyer>www.mhsc.com/~rmeyer
> Company web-site: <http://www.mhsc.com/>www.mhsc.com/
> ___________________________________________ 
>  Who is John Galt?
>  "Atlas Shrugged" - Ayn Rand

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)