Exodus / Clue problems

I have received a call from Exodus. The machine (209.67.50.254) has been
removed from the network by request of the owner of the box.

  Great!, but..............

  a) Did they end up obtaining access to another site and will begin
    there?

  b) WAS the origination actually the box as people have claimed, or
    was it spoofed?

  c) There was a report that it had stopped earlier (As seen below
    from Roeland), is anyone still seeing it?

  d) Was the box just YANKED, or did someone actually try to find
    out if there was someone/something on it and where its
    origin is?

      Tuc/TTSG

The owner did not allow any further action to the box except to have it
removed from the network. So until the owner sends someone in to clean up
we won't know anything more.

James


>Somebody musta got them, 'cause they're gone now.
>
>>Seeing it here, too.
>>
>>>>
>>>> Let me guess - the IP is 209.67.50.254, and they're trying to login to
>>>> nameservers as "root", sometimes a dozen times per second?
>>>
>>>I'm seeing that IP address trying to telnet into my name servers (don't
>>>know if it's as root, since my filters are blocking them). I also see
>>>them trying to access IMAP on my servers.
>>>
>>>Dan
>>>
>>>--
>>>-----------------------------------------------------------------
>>>Daniel Senie dts@senie.com
>>>Amaranth Networks Inc. http://www.amaranthnetworks.com
>>
>>
>>William S. Duncanson caesar@starkreality.com
>>The driving force behind the NC is the belief that the companies who brought us
>>things like Unix, relational databases, and Windows can make an appliance that
>>is inexpensive and easy to use if they choose to do that. -- Scott Adams

>>
>
>___________________________________________________
>Roeland M.J. Meyer, ISOC (InterNIC RM993)
>e-mail: <mailto:rmeyer@mhsc.com>rmeyer@mhsc.com
>Internet phone: hawk.mhsc.com
>Personal web pages: <http://www.mhsc.com/~rmeyer>
>Company web-site: <http://www.mhsc.com/>
>___________________________________________
> Who is John Galt?
> "Atlas Shrugged" - Ayn Rand
>
>

James McKenzie
mcs@1ipnet.net
http://www.1ipnet.net
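The pattern Dan and Roeland describe (one source hammering telnet on nameservers a dozen times a second, plus IMAP probes) is easy to pull out of tcp_wrappers-style syslog with a per-source, per-service rate check. The script below is an added example and is not code from anyone in this thread: the log lines are constructed for the example (only the 209.67.50.254 address comes from the thread), and the service list, the five-per-second threshold and the hosts.deny output are assumptions, not anything the posters said they ran.

```python
import re
from collections import defaultdict

ATTACKER = "209.67.50.254"  # the address reported in the thread

# Constructed tcp_wrappers-style syslog lines (made up for this example, not
# logs from anyone in the thread): a burst of a dozen telnet attempts in one
# second, three more the next second, two IMAP attempts, one ordinary
# connection from an unrelated host, and one line the parser must ignore.
SAMPLE_LOG = (
    [f"Mar  3 02:14:05 ns1 in.telnetd[{1200 + i}]: refused connect from {ATTACKER}"
     for i in range(12)]
    + [f"Mar  3 02:14:06 ns1 in.telnetd[{1212 + i}]: refused connect from {ATTACKER}"
       for i in range(3)]
    + [f"Mar  3 02:14:06 ns1 imapd[1220]: refused connect from {ATTACKER}",
       f"Mar  3 02:14:07 ns1 imapd[1221]: refused connect from {ATTACKER}",
       "Mar  3 02:14:09 ns1 in.telnetd[1230]: connect from 10.1.2.3",
       "Mar  3 02:14:10 ns1 named[88]: unrelated line that must be ignored"]
)

# "Mon DD HH:MM:SS host service[pid]: (refused )connect from A.B.C.D"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hh>\d\d):(?P<mm>\d\d):(?P<ss>\d\d) "
    r"(?P<host>\S+) (?P<svc>[\w.]+)\[\d+\]: "
    r"(?P<verdict>refused connect|connect) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_events(lines):
    """Turn tcp_wrappers connect/refused lines into (src, service, second, refused)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # anything that is not a wrapper connect line is skipped
        d = m.groupdict()
        second = int(d["hh"]) * 3600 + int(d["mm"]) * 60 + int(d["ss"])
        events.append((d["src"], d["svc"], second, d["verdict"] == "refused connect"))
    return events


def summarize(events):
    """Per (source, service): total attempts, peak attempts in one second, distinct seconds."""
    per_second = defaultdict(lambda: defaultdict(int))
    for src, svc, second, _refused in events:
        per_second[(src, svc)][second] += 1
    return {
        key: {
            "total": sum(counts.values()),
            "peak_per_second": max(counts.values()),
            "seconds_active": len(counts),
        }
        for key, counts in per_second.items()
    }


# Assumed list of login-type services worth alerting on; extend for your site.
LOGIN_SERVICES = ("in.telnetd", "imapd", "in.rlogind", "sshd")


def flag_bruteforce(summary, peak_threshold=5):
    """Sources hitting a login-type service at least peak_threshold times in one second."""
    return sorted(
        (src, svc, stats["total"], stats["peak_per_second"])
        for (src, svc), stats in summary.items()
        if svc in LOGIN_SERVICES and stats["peak_per_second"] >= peak_threshold
    )


def hosts_deny_lines(flagged):
    """tcp_wrappers /etc/hosts.deny entries, one per flagged source address."""
    return sorted({f"ALL: {src}" for src, _svc, _total, _peak in flagged})


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for src, svc, total, peak in flag_bruteforce(summary):
        print(f"{src} -> {svc}: {total} attempts, peak {peak}/s")
    print("\n".join(hosts_deny_lines(flag_bruteforce(summary))))
```

The peak-per-second figure is what separates a human mistyping a password from a script: the IMAP probes from the same source stay below the threshold and are reported only through the summary, while the telnet burst is flagged and turned into a deny entry.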

I seriously doubt it was spoofed as mentioned before because the attacker
was going after _TCP_ ports on a wide spectrum of machine types. Unless
he recently found a bug in every OS that allows IP blind spoofing (ISN
generation bugs?), it just about had to be the real address.

I was getting ready to do a SAINT run on the IP address to find out (I
needed the practice) when the initial ping timed out. <sigh>
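The argument above (a blind-spoofed TCP connection only completes if the attacker can guess the server's initial sequence number, which is hopeless against a mix of stacks that pick ISNs differently) can be shown with a small simulation. This is an added example, not something the poster wrote or ran: the two generator classes and the 64000 increment are constructed stand-ins for "predictable" and "random" ISN generation, and no packets are sent; the handshake is modelled as a single guess that must equal the server's ISN exactly.

```python
import random

# Constructed illustrative increment for the predictable generator: a fixed
# bump per accepted connection is what lets the attacker's guess succeed.
STEP = 64000


class SequentialISN:
    """ISN generator that advances by a constant for every connection."""

    def __init__(self, start):
        self._next = start & 0xFFFFFFFF

    def next(self):
        isn = self._next
        self._next = (self._next + STEP) & 0xFFFFFFFF
        return isn


class RandomISN:
    """ISN generator that draws a fresh 32-bit value for every connection."""

    def __init__(self, seed):
        self._rng = random.Random(seed)  # seeded only so the example is repeatable

    def next(self):
        return self._rng.getrandbits(32)


def blind_spoof_attempt(generator):
    """One blind-spoof attempt against a server whose ISNs come from `generator`.

    The attacker first opens a legitimate connection from its own address and
    reads the server's ISN from the SYN/ACK.  It then sends a SYN with a forged
    source; the SYN/ACK for that one goes to the victim, so the attacker never
    sees the ISN the server chose and must send an ACK carrying a guess.  The
    handshake completes only if the guess equals the real ISN.
    """
    observed = generator.next()      # ISN seen on the attacker's probe connection
    actual = generator.next()        # ISN assigned to the forged SYN (never seen)
    guess = (observed + STEP) & 0xFFFFFFFF
    return guess == actual


def blind_spoof_success_rate(generator, trials):
    """Fraction of `trials` blind-spoof attempts that complete the handshake."""
    hits = sum(1 for _ in range(trials) if blind_spoof_attempt(generator))
    return hits / trials


def count_spoofable(generators, trials=200):
    """How many of a mixed set of stacks fall to the fixed-increment guess."""
    return sum(1 for g in generators if blind_spoof_success_rate(g, trials) > 0.5)


if __name__ == "__main__":
    print("sequential:", blind_spoof_success_rate(SequentialISN(12345), 1000))
    print("random:    ", blind_spoof_success_rate(RandomISN(7), 1000))
    mixed = [SequentialISN(1), RandomISN(2), RandomISN(3), SequentialISN(4)]
    print("spoofable stacks in mixed set:", count_spoofable(mixed), "of", len(mixed))
```

Against the fixed-increment stack every attempt succeeds; against the random one a single guess has a 2^-32 chance, which is why a sweep of TCP ports across many different machine types is far more plausibly coming from the address on the wire than from a spoofer.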

Hi.

You are discussing nothing. I have traced a few different hackers in the last 2
weeks, and I suspect this was one of the boxes broken by them (or maybe
not). If it was a Linux box, I am sure it was broken.

The problem is the fact that not every owner answers the warning messages,
and there are some well-known hosts used by hackers without the owners'
permission, and the owners do not answer and do not close these hosts.

Keep in mind - there is a _trojan toolkit_ for Linux and SunOS (there are
ones for other systems too, but they have a lot of bugs) hiding the hacker's
activity totally (try this one for Linux - an excellent package
replacing more than 20 different commands); there is a trojaned SSH daemon
(and hackers like to install it).

If you saw port scanning or BO scanning or port 139 scanning or any
other kind of scanning, you CAN write AT ONCE a warning to the box
owner _the hacker broke your system and abuses it_, and your suspicion
will be correct for more than 99% of these addresses. Do not write _please
stop scanning_, but write _alarm. YOU are broken_. I have not had ANY
exception for the more than 20 or 40 warnings I have sent in the last week.

The worst (for today) are Canadian scientific networks - no answer, a
lot of powerful servers abused for cracking, smurfing etc. Another bad
network is NASA -:). It's abused by the hackers and they can't stop this
activity.

I do not speak about the universities around the world -:).