Subject: Re: scan log and subsequent response from the host's ISP
From: Ejovi Nuwere (ejovi@EJOVI.NET)
Date: Thu Jul 06 2000 - 10:07:40 CDT


I've known clients who have been hacked by people coming from tin.it; this
ISP seems to be a harbor for criminals.

On Mon, 3 Jul 2000, Bradley Woodward wrote:

> G'day peoples.
>
> These scans are so common, I wouldn't bother posting them, except for the
> rather disappointing response from the ISP's support department. I've
> included an edited log file and email response.
>
> Only my machine's IP is changed. Everything else is as reported by IPCHAINS.
>
> Enjoy.
>
> <snip>
>
> Hello,
> TIN.IT does not control the actions carried out by its subscribers,
> therefore it is not responsible for the content of the messages or for any
> illegal actions by them. If you think you have been damaged by this, you
> can refer to the judicial authority.
> Best regards
>
>
> Abuse (D)
> TIN.IT S.p.a.
> Servizi Customer Care
> http://www.tin.it
> abuse@tin.it
>
> ----- Original Message -----
> From: Bradley Woodward <bradw@ami.com.au>
> To: <abuse@tin.it>
> Sent: Friday, June 30, 2000 7:53 AM
> Subject: ACTIVE SYSTEM ATTACK from your system
>
>
> > Hello. I run a small network, and my logs indicate an active attack on my
> > system from your domain. I've included the logs here. The logs are
> > generated by a program called Logcheck.
> >
> > I'd appreciate it if you could take any appropriate action, and let me
> > know the outcome.
> >
> > Thanks
> >
> > Bye!
> >
> >
> >
> > >Active System Attack Alerts
> > >=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
> > >
> > >Security Violations
> > >=-=-=-=-=-=-=-=-=-=
> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.5:23 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.5:25 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.6:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.4:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.5:143 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.4:110 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.5:110 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> > >Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:80 1.2.3.5:80 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
> > >Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:27:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=8754 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=11139 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=11143 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=12981 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=12982 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=12983 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=12985 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=14929 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=14930 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=14931 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=14933 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=17991 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=17992 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=17993 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=17995 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18000 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:35:20 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18085 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:36:14 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20452 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:36:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20660 F=0x4000 T=38 SYN (#32)
> > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
> > >Jun 30 13:22:13 mycomp in.ftpd[17833]: connect from a-pe8-60.tin.it
> > >Jun 30 13:35:17 mycomp sendmail[17832]: NOQUEUE: Null connection from a-pe8-60.tin.it [212.216.190.187]
> > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
> >
>
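Added example, not part of the thread or of Logcheck/ipchains: a small parser for the ipchains `Packet log:` records quoted above, plus a per-source summary of the kind a defender wants before writing to an abuse desk (how many hosts and ports were touched, over what time span, how many SYN probes versus non-SYN packets with source port equal to destination port and a repeated IP ID). The sample lines are constructed from the post's own anonymised addresses, with one invented low-volume source (10.0.0.9) added so the summary has something to leave unflagged; the `min_ports` threshold of 4 is an arbitrary choice, and the "mirrored port" counter is an interpretation of the visible fields, not something the post states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the ipchains "Packet log:" lines quoted in the
# post (1.2.3.x and 212.216.190.187 are the post's own addresses; the final
# 10.0.0.9 line is invented to show a second, low-volume source).
SAMPLE_LOG = """\
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=11139 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
Jun 30 13:40:00 mycomp kernel: Packet log: input DENY ppp0 PROTO=17 10.0.0.9:53 1.2.3.6:1025 L=72 S=0x00 I=4711 F=0x0000 T=60 (#32)
"""

# One ipchains packet-log record (Linux 2.2 kernels):
#   chain verdict iface PROTO=n src:sport dst:dport L=len S=tos I=ipid F=frag T=ttl [SYN] (#rule)
PACKET_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<verdict>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=0x(?P<tos>[0-9a-fA-F]+)\s+I=(?P<ipid>\d+)\s+F=0x(?P<frag>[0-9a-fA-F]+)\s+"
    r"T=(?P<ttl>\d+)(?P<syn>\s+SYN)?\s+\(#(?P<rule>\d+)\)\s*$"
)


def parse_packet_log(line):
    """Parse one ipchains packet-log line; return None for any other syslog line."""
    m = PACKET_LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # good enough for measuring gaps within one log.
        "time": datetime.strptime(d["ts"], "%b %d %H:%M:%S"),
        "chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
        "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]), "length": int(d["length"]),
        "ipid": int(d["ipid"]), "ttl": int(d["ttl"]), "syn": d["syn"] is not None,
        "rule": int(d["rule"]),
    }


def summarize(lines, min_ports=4):
    """Aggregate DENY records per source address and flag any source that
    touched at least `min_ports` distinct destination ports (a crude scan
    heuristic; the threshold is a tuning choice, not a fixed rule)."""
    per_src = defaultdict(lambda: {
        "packets": 0, "dst_hosts": set(), "dst_ports": set(), "syn": 0,
        "mirrored_ports": 0, "ip_ids": set(), "first": None, "last": None,
    })
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["verdict"] != "DENY":
            continue
        s = per_src[rec["src"]]
        s["packets"] += 1
        s["dst_hosts"].add(rec["dst"])
        s["dst_ports"].add(rec["dport"])
        s["ip_ids"].add(rec["ipid"])
        s["syn"] += rec["syn"]
        # A TCP packet without SYN whose source port equals its destination
        # port is not what a normal client connect() produces; count these
        # separately from the ordinary SYN probes.
        if rec["proto"] == 6 and not rec["syn"] and rec["sport"] == rec["dport"]:
            s["mirrored_ports"] += 1
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
    for s in per_src.values():
        s["duration_s"] = (s["last"] - s["first"]).total_seconds()
        s["flagged"] = len(s["dst_ports"]) >= min_ports
    return dict(per_src)


def report(summary):
    """Render one line per source, flagged sources first."""
    out = []
    for src, s in sorted(summary.items(), key=lambda kv: (not kv[1]["flagged"], kv[0])):
        out.append(
            f"{'SCAN? ' if s['flagged'] else '      '}{src}: {s['packets']} denied pkts, "
            f"{len(s['dst_hosts'])} hosts, {len(s['dst_ports'])} ports {sorted(s['dst_ports'])}, "
            f"{s['syn']} SYN, {s['mirrored_ports']} non-SYN sport==dport, "
            f"{len(s['ip_ids'])} distinct IP IDs, over {s['duration_s']:.0f}s"
        )
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against the real `/var/log/messages` by passing `open(path)` to `summarize()`; the sendmail and ftpd lines are skipped by the parser, so only the kernel packet-log records contribute. The "non-SYN sport==dport" and "distinct IP IDs" columns are there because the first block of denials in the post (twelve packets, all IP ID 39426, none with SYN, source port always equal to destination port) does not look like a normal client connecting, and that distinction is worth stating explicitly in an abuse report.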