Exodus / Clue problems

Let me guess - the IP is 209.67.50.254, and they're trying to login to
nameservers as "root", sometimes a dozen times per second?

Hello, filtering.

Kevin

sigma@pair.com wrote:

> Let me guess - the IP is 209.67.50.254, and they're trying to login to
> nameservers as "root", sometimes a dozen times per second?

I'm seeing that IP address trying to telnet into my name servers (don't
know if it's as root, since my filters are blocking them). I also see
them trying to access IMAP on my servers.

Dan

Hrrrm. SWIP/RWHOIS would help, too. :frowning:

Seeing it here, too.

On Sun, Nov 15, 1998 at 06:24:13PM -0500, sigma@pair.com put this into my mailbox:

> Let me guess - the IP is 209.67.50.254, and they're trying to login to
> nameservers as "root", sometimes a dozen times per second?
>
> Hello, filtering.
>
> Kevin

> Sorry to cross post, but is there anyone monitoring this list
> from Exodus with 1/2 a clue who might be able to help me? I called the
> NOC with an in-progress abuse and was told:
>
> 1) We don't know who owns that IP
> 2) We can't get into our own routers
> 3) We don't have a ticket system
> 4) The abuse people have a ticket system, but only if we
> can associate it to a customer (See #1)
> 5) We don't know how often the "abuse@" is checked
> 6) Email us the logs, and thanks for calling.

Careful. Exodus' lawyers might take offense and try to sue your ass for
libel.

This seems pretty par for most ISPs these days, though. They're either
"duh, what's abuse?", and take hours of handholding and e-mails to explain
why 'when one of your customers commits felonies by flooding my machine it's
a BAD thing' - whereupon by the time they realize it's a bad thing the user
is long gone or the attack is untraceable, or their radius logs (if they
keep any) have rotated, or they act like the idiots in Malaysia and Mexico*
and just ignore any abuse reports altogether.

(*) Certain clueless people have taken this to mean that I think all
Malaysians and Mexicans are stupid. I don't. I simply happen to think
that all the ISPs there are seriously lacking in the clue department, because
I've spent the better part of the last six months dealing with quite a
number of them attempting to get them off of their sorry behinds and
to actually delete users who do things like spam, flood, hack, &etc,
without results.

-dalvenjah

Since this is an attack on name servers, I found the following:
http://www.cert.org/summaries/CS-98.04.html. It may or may not be relevant,
but it mentions IMAP, named, and that attacks come from name servers that
have been compromised.

  James

Seeing it here, too.

> Let me guess - the IP is 209.67.50.254, and they're trying to login to
> nameservers as "root", sometimes a dozen times per second?
>
> I'm seeing that IP address trying to telnet into my name servers (don't
> know if it's as root, since my filters are blocking them). I also see
> them trying to access IMAP on my servers.
>
> Dan

--
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com

William S. Duncanson caesar@starkreality.com
The driving force behind the NC is the belief that the companies who
brought us things like Unix, relational databases, and Windows can make
an appliance that is inexpensive and easy to use if they choose to do
that. -- Scott Adams

James McKenzie
mcs@1ipnet.net
http://www.1ipnet.net

Seeing it here, on multiple machines, literally thousands of attempts:

Nov 15 14:05:50 server in.telnetd[4054]: connect from 209.67.50.254
Nov 15 14:05:50 server imapd[4055]: connect from 209.67.50.254

Nov 15 15:05:40 ns in.telnetd[26483]: refused connect from 209.67.50.254
Nov 15 15:05:40 ns in.telnetd[26484]: refused connect from 209.67.50.254

Nov 15 14:17:08 trap imapd[2330]: connect from 209.67.50.254
Nov 15 14:17:09 trap in.telnetd[2328]: refused connect from root@209.67.50.254

-Dan
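The log lines above are in the tcp_wrappers/inetd syslog shape ("connect from" / "refused connect from", optionally with an ident user prefixed as "root@"). What the people in this thread were doing by hand, grepping for the source address and eyeballing the rate, can be done with a few lines of Python. The example below is added here and is not code from the thread or from any of the posters; the sample log block is constructed (hostnames and PIDs are made up, the source address is the one under discussion), and the thresholds in `flag_sources` are assumptions chosen to match the "dozen times per second" / "thousands of attempts" pattern described.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the tcp_wrappers syslog shape quoted in the thread.
# Syslog timestamps carry no year, so events are keyed by HH:MM:SS only.
SAMPLE_LOG = """\
Nov 15 14:05:50 server in.telnetd[4054]: connect from 209.67.50.254
Nov 15 14:05:50 server imapd[4055]: connect from 209.67.50.254
Nov 15 14:05:50 server in.telnetd[4056]: refused connect from root@209.67.50.254
Nov 15 14:05:51 server in.telnetd[4057]: refused connect from 209.67.50.254
Nov 15 14:05:51 server in.telnetd[4058]: refused connect from 209.67.50.254
Nov 15 14:05:51 server in.telnetd[4059]: refused connect from 209.67.50.254
Nov 15 14:06:02 server imapd[4060]: connect from 10.0.0.7
Nov 15 14:06:03 server sshd[4061]: something unrelated
"""

# "<Mon> <day> <time> <host> <daemon>[<pid>]: [refused ]connect from [user@]<ipv4>"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<daemon>[\w.]+)\[\d+\]: "
    r"(?P<verdict>refused connect|connect) from "
    r"(?:(?P<user>\w+)@)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return a dict for a tcp_wrappers connect line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.groupdict()


def summarize(log_text):
    """Aggregate connection attempts per source address."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]

    totals = Counter(e["src"] for e in events)
    refused = Counter(e["src"] for e in events if e["verdict"] == "refused connect")
    services = Counter((e["src"], e["daemon"]) for e in events)

    # Peak attempts in any single second, per source: the "dozen per second" signal.
    per_second = Counter((e["src"], e["time"]) for e in events)
    peak_per_second = {}
    for (src, _), n in per_second.items():
        peak_per_second[src] = max(peak_per_second.get(src, 0), n)

    # Ident-supplied usernames, which is how the "root@" in the thread shows up.
    users = defaultdict(set)
    for e in events:
        if e["user"]:
            users[e["src"]].add(e["user"])

    return {
        "totals": totals,
        "refused": refused,
        "services": services,
        "peak_per_second": peak_per_second,
        "users": dict(users),
    }


def flag_sources(summary, min_total=5, min_rate=3):
    """Sources worth a filter rule: many attempts overall, or a burst in one second.
    The thresholds are assumptions for this example, not values from the thread."""
    flagged = [
        src
        for src, n in summary["totals"].items()
        if n >= min_total or summary["peak_per_second"].get(src, 0) >= min_rate
    ]
    return sorted(flagged)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src in flag_sources(s):
        svcs = {d: n for (a, d), n in s["services"].items() if a == src}
        print(f"{src}: {s['totals'][src]} attempts, {s['refused'][src]} refused, "
              f"peak {s['peak_per_second'][src]}/s, services {svcs}, "
              f"ident users {s['users'].get(src, set())}")
```

On real data, feed the contents of the syslog file (or the output of `grep 'connect from'` across several hosts) into `summarize`; the per-second peak is the figure to compare with the "dozen times per second" Kevin mentions, and the refused count tells you how much a filter such as hosts.deny is already absorbing.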

Not seeing that rate, but yep:
Nov 15 18:10:25 mailhost.cmc.net ipmon[117]: 18:10:24.956040 le0 @35 b
    209.67.50.254,1608 -> mailhost.cmc.net,telnet PR tcp len 20 44 -S

That's funny...

[chuck@ws chuck]$ ping dns4.register.com
PING dns4.register.com (209.67.50.254): 56 data bytes
64 bytes from 209.67.50.254: icmp_seq=0 ttl=47 time=130.2 ms
64 bytes from 209.67.50.254: icmp_seq=1 ttl=47 time=132.8 ms
64 bytes from 209.67.50.254: icmp_seq=2 ttl=47 time=133.6 ms

--- dns4.register.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 130.2/132.2/133.6 ms

and it's Linux 5.1!

[chuck@server chuck]$ whois register-dom
[rs.internic.net]

Registrant:
Forman Interactive Corp (REGISTER-DOM)
   201 Water St.
   Brooklyn, NY 11201
   USA

   Domain Name: REGISTER.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Forman, Internic (PF61) internic@FORMAN.COM
      212-627-4988 (FAX) 212-627-6477
   Billing Contact:
      Forman, Internic (PF61) internic@FORMAN.COM
      212-627-4988 (FAX) 212-627-6477

   Record last updated on 25-Aug-98.
   Record created on 01-Nov-94.
   Database last updated on 15-Nov-98 04:46:26 EST.

   Domain servers in listed order:

   DNS1.REGISTER.COM 209.67.50.220
   DNS2.REGISTER.COM 209.67.50.241

So... either they're bad folks or they got hacked and the bad folks
are using their machine. If they got hacked I'd say that's plenty
interesting...

209.67.50.254 22 ssh Secure Shell - RSA encrypted rsh
                    -> SSH-1.5-1.2.26\n

Cheers!

We're seeing it here too. It appears to have started around 9:10 pm on
one server, and around 9:20 pm on the other.

-Steve

Somebody must've got them, 'cause they're gone now.


I have received a call from Exodus. The machine (209.67.50.254) has been
removed from the network by request of the owner of the box.

   James

Same here...on multiple servers from 21:10 to 21:58 EST.

----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
Network Administrator | nestea'd...whatever it takes
Florida Digital Turnpike | to get the job done.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key________

Btw, did anyone record the password they were trying? If so, send it to
me and I'll compare it with my list of backdoor passwords used by
Russian hackers. Maybe we'll identify this one exactly.

Could be brute-force?

> Let me guess - the IP is 209.67.50.254, and they're trying to login to
> nameservers as "root", sometimes a dozen times per second?

> Sorry to cross post, but is there anyone monitoring this list
> from Exodus with 1/2 a clue who might be able to help me? I called the
> NOC with an in-progress abuse and was told :
>
> 1) We don't know who owns that IP
> 2) We can't get into our own routers
>
> Tuc/TTSG

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
     Atheism is a non-prophet organization. I route, therefore I am.
       Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
               Father of the Network and Head Bottle-Washer
     Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone! http://www.nac.net
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

It's interesting that the people who normally post here from Exodus have
not said a word or offered any help at all.

Naw.. letting the Conspiracy Theory run rampant is more fun.

I would be hard pressed to think that anyone really thought that Exodus was
not doing anything. Just because they aren't posting to NANOG does not mean
that work was/is not being done on the issue. Once Exodus spent the time
assembling and presenting the information to the customer, their job was done.
It is now up to the customer to speak (or not speak) about the issue.

But anyways ..

  Anyone have any information about the other 33842 sites that are being
used to do this? Maybe we can turn this into an operational discussion like

"How ISPs deal with complaints about their customers attacking other sites"

And find out exactly how successful or not successful people were with getting
these other sites secured and the problem stopped.

I'm not saying Exodus wasn't working on it. I would just have liked to hear
some confirmation. A one-line message would have been cool.

And yes, I think a discussion of how ISPs deal with problems like this
is a good idea.