It looks worse Jared, This appears to be a concerted effort. This type of attack is propogating to new origin IP's by the hour. There seems to be a pattern forming.... DNS server is compromised. (Bind ? Autohack ?) local programs set up to crack local passwords. (Dumps results to FTP directory) local program set up to port probe/asttack other DNS's. (Dumps results to FTP directory) Someone said Linux servers appear to be primary targets.. I suggest maybe Linux servers were more likely to have a vulnerable configuration... Probers running locally,( that I saw), did not *seem* to discriminate. (Conjecture Based on output of parasitic programs) I hate to profer alt.net.conspiracy...... But... the above data was collected both by myself, as well as another NANOG member who may want to remain anonymous... (He didn't post it to the group) CERT does have an alert posted, but I am not sure they know how pervasive this is..... Jared Mauch wrote:
On Mon, Nov 16, 1998 at 06:51:53PM -0500, Adam Rothschild wrote:
Am I forgetting anything?
Yeah.
Calling the providers where the attack is originating from.
Calling your local law enforcement agencies and alerting them to the problem at hand
Calling your local fbi agent and telling them what is going on.
Calling CERT and opening up a case
I'm sure if you get CERT+FBI+Local law agencies calling *ANY* noc, someone is going to notice.
And for fun, call CNN, or some other news agency, and say "xxx hasn't dealt with this after many phone calls, etc..".
If none of those paths provides you with the desired response, unplug your ethernet cable.
- jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net | http://puck.nether.net/~jared/