Subject: scan log and subsequent response from the host's ISP
From: Bradley Woodward (bradw AMI.COM.AU)
Date: Sun Jul 02 2000 - 21:18:15 CDT
G'day peoples.
These scans are so common, I wouldn't bother posting them, except for the
rather disappointing response from the ISP's support department. I've
included an edited log file and email response.
Only my machine's IP is changed. Everything else is as reported by IPCHAINS.
Enjoy.
<snip>
Hello,
TIN.IT does not control the actions completed from its subscribers,
therefore is not responsible of the content of the messages and the eventual
illegal actions from them. If you think you have been damaged by this fact
you can refer to the judicial authority.
Best regards
_/_/_/_/_/ _/ _/_/ _/ Abuse (D)
_/ _/ _/ _/ _/ TIN.IT S.p.a.
_/ _/ _/ _/ _/ Servizi Customer Care
_/ _/ _/ _/_/ http://www.tin.it
abuse tin.it
----- Original Message -----
From: Bradley Woodward <bradw ami.com.au>
To: <abuse tin.it>
Sent: Friday, June 30, 2000 7:53 AM
Subject: ACTIVE SYSTEM ATTACK from your system
> Hello. I run a small network, and my logs indicate an active attack on my
> system from your domain. I've included the logs here. The logs are
> generated by a program called Logcheck.
>
> I'd appreciate it if you could take any appropriate action, and let me know
> the outcome.
>
> Thanks
>
> Bye!
>
>
>
> >Active System Attack Alerts
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
> >
> >Security Violations
> >=-=-=-=-=-=-=-=-=-=
> >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.5:23 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.5:25 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.6:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.4:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.5:143 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.4:110 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.5:110 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> >Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
> >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:80 1.2.3.5:80 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> >Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:27:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=8754 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=11139 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=11143 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=12981 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=12982 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=12983 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=12985 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=14929 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=14930 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=14931 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=14933 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=17991 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=17992 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=17993 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=17995 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18000 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:35:20 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18085 F=0x4000 T=38 SYN (#32)
> >(#32)
> >Jun 30 13:36:14 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20452 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:36:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20660 F=0x4000 T=38 SYN (#32)
> >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
> >Jun 30 13:22:13 mycomp in.ftpd[17833]: connect from a-pe8-60.tin.it
> >Jun 30 13:35:17 mycomp sendmail[17832]: NOQUEUE: Null connection from a-pe8-60.tin.it [212.216.190.187]
> >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
>
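
Added example, not part of the original post: a small Python parser for the ipchains "Packet log:" entries quoted above that groups denied packets by source and summarises which hosts and ports each source touched. The sample lines are entries from the log above with the mail wrapping undone plus one constructed line from 192.0.2.10; the `min_ports` threshold and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Field order follows the ipchains "Packet log:" entries quoted in the post.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)")
INT_FIELDS = ("proto", "sport", "dport", "length", "ipid", "ttl", "rule")

def parse_line(line):
    """Return the fields of one entry as a dict, or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in INT_FIELDS})
    rec["syn"] = rec["syn"] is not None
    return rec

def summarize(lines, min_ports=3):
    """Group denied packets by source; min_ports is an assumed scan threshold."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["target"] in ("DENY", "REJECT"):
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        ports = sorted({r["dport"] for r in recs})
        report[src] = {
            "hosts": sorted({r["dst"] for r in recs}),
            "ports": ports,
            "mirrored": sum(r["sport"] == r["dport"] for r in recs),  # src port == dst port
            "syn": sum(r["syn"] for r in recs),  # entries logged with the SYN marker
            "is_scan": len(ports) >= min_ports,
        }
    return report

# First five entries are taken from the log above (unwrapped); the last one is constructed.
SAMPLE = [
    "Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)",
    "Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)",
    "Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)",
    "Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)",
    "Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)",
    "Jun 30 13:40:00 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:4000 1.2.3.4:25 L=60 S=0x00 I=5 F=0x4000 T=50 SYN (#32)",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

On the sample, the `mirrored` count picks out the first burst in the log, where every packet has its source port equal to its destination port and shares one IP ID, while `syn` counts the later entries logged with SYN from ephemeral ports.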