Subject: Re: scan log and subsequent response from the host's ISP
From: Brooke, O'Neil (o'neil.brooke@LMCO.COM)
Date: Thu Jul 06 2000 - 15:29:03 CDT
- Next message: Joe McAlerney: "Re: Snort SMTP expn-root"
- Previous message: Forrester, Mike: "Re: scan log and subsequent response from the host's ISP"
- Maybe in reply to: Bradley Woodward: "scan log and subsequent response from the host's ISP"
- Next in thread: Jason Storm: "Re: scan log and subsequent response from the host's ISP"
- Next in thread: David Jahne: "Re: scan log and subsequent response from the host's ISP"
- Maybe reply: Brooke, O'Neil: "Re: scan log and subsequent response from the host's ISP"
- Reply: Jason Storm: "Re: scan log and subsequent response from the host's ISP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello
This may be a silly question, but, if this provider does not do
anything to stop attacks targeting your machines, wouldn't you be
justified in retaliating? If these people are actively probing your
firewall, eventually they will find a weakness and get through.
"of the content of the messages and the eventual illegal actions from
them. " Either their English is broken and this is not what they meant
or they are resigned to the fact that people will use their network for
illegal purposes and have no intention of doing anything about it.
>-----Original Message-----
>From: Ejovi Nuwere [SMTP:ejovi@EJOVI.NET]
>Sent: Thursday, July 06, 2000 11:08 AM
>To: INCIDENTS@SECURITYFOCUS.COM
>Subject: Re: scan log and subsequent response from the host's ISP
>
>I've known clients who have been hacked by people coming from tin.it, this
>ISP seems to be a harbor for criminals.
>
>On Mon, 3 Jul 2000, Bradley Woodward wrote:
>
>> G'day peoples.
>>
>> These scans are so common, I wouldn't bother posting them, except for the
>> rather disappointing response from the ISP's support department. I've
>> included an edited log file and email response.
>>
>> Only my machine's IP is changed. Everything else is as reported by IPCHAINS.
>>
>> Enjoy.
>>
>> <snip>
>>
>> Hello,
>> TIN.IT does not control the actions completed from its subscribers,
>> therefore is not responsible of the content of the messages and the eventual
>> illegal actions from them. If you think you have been damaged by this fact
>> you can refer to the judicial authority.
>> Best regards
>>
>>
>> _/_/_/_/_/ _/ _/_/ _/ Abuse (D)
>> _/ _/ _/ _/ _/ TIN.IT S.p.a.
>> _/ _/ _/ _/ _/ Servizi Customer Care
>> _/ _/ _/ _/_/ http://www.tin.it
>> abuse@tin.it
>>
>> ----- Original Message -----
>> From: Bradley Woodward <bradw@ami.com.au>
>> To: <abuse@tin.it>
>> Sent: Friday, June 30, 2000 7:53 AM
>> Subject: ACTIVE SYSTEM ATTACK from your system
>>
>>
>> > Hello. I run a small network, and my logs indicate an active attack on my
>> > system from your domain. I've included the logs here. The logs are
>> > generated by a program called Logcheck.
>> >
>> > I'd appreciate it if you could take any appropriate action, and let me know
>> > the outcome.
>> >
>> > Thanks
>> >
>> > Bye!
>> >
>> >
>> >
>> > >Active System Attack Alerts
>> > >=-=-=-=-=-=-=-=-=-=-=-=-=-=
>> > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
>> > >
>> > >Security Violations
>> > >=-=-=-=-=-=-=-=-=-=
>> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
>> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.4:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
>> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.5:23 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
>> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
>> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.5:25 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
>> > >Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.6:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
>> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.4:143 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
>> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.5:143 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
>> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.4:110 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
>> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:110 1.2.3.5:110 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
>> > >Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
>> > >Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:80 1.2.3.5:80 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
>> > >Jun 30 13:22:08 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3307 1.2.3.6:23 L=60 S=0x00 I=63353 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:27:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=8754 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=11139 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=11143 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=12981 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=12982 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=12983 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:31:18 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=12985 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=14929 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=14930 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=14931 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:33:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=14933 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3308 1.2.3.6:143 L=60 S=0x00 I=17991 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=17992 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=17993 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3319 1.2.3.6:1 L=60 S=0x00 I=17995 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:35:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18000 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:35:20 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:4861 1.2.3.6:23 L=60 S=0x00 I=18085 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:36:14 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20452 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:36:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:1734 1.2.3.6:143 L=60 S=0x00 I=20660 F=0x4000 T=38 SYN (#32)
>> > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
>> > >Jun 30 13:22:13 mycomp in.ftpd[17833]: connect from a-pe8-60.tin.it
>> > >Jun 30 13:35:17 mycomp sendmail[17832]: NOQUEUE: Null connection from a-pe8-60.tin.it [212.216.190.187]
>> > >Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
>> >
>>
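The quoted Logcheck report is raw ipchains and sendmail output, and it repeats the same sendmail line in several sections, so before sending an abuse report (or deciding the ISP's reply is inadequate) it helps to reduce it to a few facts per source address. The following is an added example written for this page, not code from the thread, from Logcheck or from ipchains. It parses the two line formats seen above (ipchains "Packet log:" with L=length, S=TOS, I=IP ID, F=fragment word where 0x4000 is DF, T=TTL, and a trailing SYN marker that the kernel prints only for SYN-without-ACK segments; and sendmail's NOQUEUE line for EXPN/VRFY) and summarises them. Assumptions of the example: the year 2000 for the year-less syslog timestamps, a port-scan threshold of five distinct host/port pairs, and a "crafted probe" heuristic based on what the log shows, namely that the first twelve entries have source port equal to destination port, 40-byte header-only packets, one fixed IP ID (39426) and no SYN marker, while the later entries have ephemeral source ports, DF set, TTL 38 and SYN. The heuristic reads that pattern as packets built by a tool rather than by a normal TCP stack; it is an interpretation, not something the thread states. The sample input is a subset of the quoted log, rejoined one entry per line.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime

# ipchains (Linux 2.2) packet-log line.  Field letters follow the kernel's own:
# L=total length, S=TOS, I=IP ID, F=fragment offset/flags word, T=TTL.  The kernel
# appends " SYN" only for a TCP segment with SYN set and ACK clear.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)
# sendmail's NOQUEUE line for an EXPN or VRFY issued on a connection that sent no mail.
SENDMAIL_EXPN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?P<host>\S+) \[(?P<src>[\d.]+)\]: (?P<cmd>expn|vrfy) (?P<arg>\S+)$",
    re.IGNORECASE,
)
Finding = namedtuple("Finding", "kind src detail")

def _ts(text, year):
    # syslog timestamps carry no year; the caller supplies it (2000 for this thread).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def parse(lines, year=2000):
    """Return (packets, expn_events); lines matching neither pattern are ignored."""
    packets, expn = [], []
    for raw in lines:
        line = raw.strip()
        m = IPCHAINS_RE.match(line)
        if m:
            d = m.groupdict()
            packets.append({
                "ts": _ts(d["ts"], year), "chain": d["chain"], "iface": d["iface"],
                "src": d["src"], "dst": d["dst"], "sport": int(d["sport"]),
                "dport": int(d["dport"]), "len": int(d["len"]), "ipid": int(d["ipid"]),
                "df": bool(int(d["frag"], 16) & 0x4000), "ttl": int(d["ttl"]),
                "syn": d["syn"] is not None})
            continue
        m = SENDMAIL_EXPN_RE.match(line)
        if m:
            d = m.groupdict()
            expn.append({"ts": _ts(d["ts"], year), "src": d["src"], "host": d["host"],
                         "cmd": d["cmd"].upper(), "arg": d["arg"]})
    return packets, expn

def analyse(packets, expn, scan_threshold=5):
    """Port-scan, crafted-probe and EXPN/VRFY findings, grouped by source address."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p["src"]].append(p)
    findings = []
    for src, pkts in sorted(by_src.items()):
        pairs = {(p["dst"], p["dport"]) for p in pkts}
        hosts = sorted({p["dst"] for p in pkts})
        ports = sorted({p["dport"] for p in pkts})
        first, last = min(p["ts"] for p in pkts), max(p["ts"] for p in pkts)
        if len(pairs) >= scan_threshold:
            findings.append(Finding("port_scan", src,
                f"{len(pairs)} host/port pairs, hosts {hosts}, ports {ports}, "
                f"{first:%H:%M:%S}-{last:%H:%M:%S}"))
        # Heuristic (an assumption of this example): a real TCP stack uses ephemeral
        # source ports and a changing IP ID, so a run of header-only packets with
        # sport == dport, one fixed IP ID and no SYN marker was built by a tool.
        crafted = [p for p in pkts if p["sport"] == p["dport"] and not p["syn"] and p["len"] == 40]
        ipids = {p["ipid"] for p in crafted}
        if len(crafted) >= 3 and len(ipids) == 1:
            findings.append(Finding("crafted_probe", src,
                f"{len(crafted)} header-only packets, sport==dport, fixed IP ID {ipids.pop()}"))
    # Logcheck prints the same sendmail line in more than one section; report it once.
    seen = set()
    for e in expn:
        key = (e["ts"], e["src"], e["cmd"], e["arg"])
        if key not in seen:
            seen.add(key)
            findings.append(Finding("smtp_" + e["cmd"].lower(), e["src"],
                f"{e['cmd']} {e['arg']} from {e['host']} at {e['ts']:%H:%M:%S}"))
    return findings

# Sample input: a subset of the lines quoted in this thread, rejoined one entry per line.
SAMPLE = """\
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:23 1.2.3.6:23 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:02 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:25 1.2.3.4:25 L=40 S=0x00 I=39426 F=0x0000 T=16 (#32)
Jun 30 13:22:03 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:143 1.2.3.5:143 L=40 S=0x00 I=39426 F=0x0000 T=17 (#32)
Jun 30 13:22:03 mycomp kernel: Packet log: forward DENY eth0 PROTO=6 212.216.190.187:80 1.2.3.4:80 L=40 S=0x00 I=39426 F=0x0000 T=15 (#3)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3311 1.2.3.6:111 L=60 S=0x00 I=11140 F=0x4000 T=38 SYN (#32)
Jun 30 13:29:17 mycomp kernel: Packet log: input DENY ppp0 PROTO=6 212.216.190.187:3312 1.2.3.6:53 L=60 S=0x00 I=11141 F=0x4000 T=38 SYN (#32)
Jun 30 13:35:17 mycomp sendmail[17832]: NOQUEUE: Null connection from a-pe8-60.tin.it [212.216.190.187]
Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
Jun 30 13:35:34 mycomp sendmail[17865]: NOQUEUE: a-pe8-60.tin.it [212.216.190.187]: expn root
"""

def report(text=SAMPLE):
    packets, expn = parse(text.splitlines())
    return analyse(packets, expn)

if __name__ == "__main__":
    print(*report(), sep="\n")
```

Run on the sample it produces one port_scan finding (six host/port pairs across 1.2.3.4-6, ports 23, 25, 53, 80, 111 and 143), one crafted_probe finding for the fixed IP ID 39426, and a single smtp_expn finding despite the duplicated log line. On the sendmail side, the "expn root" entry means the server accepted the EXPN command; setting PrivacyOptions to include noexpn and novrfy (or simply goaway) in sendmail.cf makes sendmail refuse EXPN and VRFY, so the probe learns nothing about local accounts.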