Hi,
Sorry to cross post, but is there anyone monitoring this list from Exodus with 1/2 a clue who might be able to help me? I called the NOC with an in-progress abuse and was told:
1) We don't know who owns that IP
2) We can't get into our own routers
3) We don't have a ticket system
4) The abuse people have a ticket system, but only if we can associate it to a customer (See #1)
5) We don't know how often the "abuse@" is checked
6) Email us the logs, and thanks for calling.
AAAAAAAAARRRRRRRRRRGGGGGGGGGGGHHHHHHHHHHHHH!!!!!!!!!!!!!!!
Tuc/TTSG
Let me guess - the IP is 209.67.50.254, and they're trying to login to nameservers as "root", sometimes a dozen times per second?
Hello, filtering.
Kevin
sigma@pair.com wrote:
Let me guess - the IP is 209.67.50.254, and they're trying to login to nameservers as "root", sometimes a dozen times per second?
I'm seeing that IP address trying to telnet into my name servers (don't know if it's as root, since my filters are blocking them). I also see them trying to access IMAP on my servers.
Dan
-- 
-----------------------------------------------------------------
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranthnetworks.com
Seeing it here, too. At 18:52 11/15/98 -0500, Daniel Senie wrote:
William S. Duncanson caesar@starkreality.com
The driving force behind the NC is the belief that the companies who brought us things like Unix, relational databases, and Windows can make an appliance that is inexpensive and easy to use if they choose to do that. -- Scott Adams
Since this is an attack on name servers, I found the following: http://www.cert.org/summaries/CS-98.04.html It may or may not be relevant, but it mentions IMAP, named, and that attacks come from name servers that have been compromised.
James
At 06:25 PM 11/15/98 -0600, William S. Duncanson wrote:
James McKenzie mcs@1ipnet.net http://www.1ipnet.net
On Sun, 15 Nov 1998, William S. Duncanson wrote:
Seeing it here, on multiple machines, literally thousands of attempts:
Nov 15 14:05:50 server in.telnetd[4054]: connect from 209.67.50.254
Nov 15 14:05:50 server imapd[4055]: connect from 209.67.50.254
Nov 15 15:05:40 ns in.telnetd[26483]: refused connect from 209.67.50.254
Nov 15 15:05:40 ns in.telnetd[26484]: refused connect from 209.67.50.254
Nov 15 14:17:08 trap imapd[2330]: connect from 209.67.50.254
Nov 15 14:17:09 trap in.telnetd[2328]: refused connect from root@209.67.50.254
-Dan
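The tcp_wrappers lines Dan posted, parsed and aggregated per source address, as an added example that is not part of any post in this thread: it flags a source that hits several services on several hosts, tries "root", or bursts at the dozen-per-second rate Kevin mentioned. The sample lines are constructed in the shape of Dan's log; hostnames, PIDs and the second source address are made up.

```python
"""Aggregate tcp_wrappers 'connect from' syslog lines per source and flag scanners."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the lines quoted in the thread (not real log data).
SAMPLE_LOG = """\
Nov 15 14:05:50 server in.telnetd[4054]: connect from 209.67.50.254
Nov 15 14:05:50 server imapd[4055]: connect from 209.67.50.254
Nov 15 14:05:51 server in.telnetd[4058]: refused connect from 209.67.50.254
Nov 15 14:17:08 trap imapd[2330]: connect from 209.67.50.254
Nov 15 14:17:09 trap in.telnetd[2328]: refused connect from root@209.67.50.254
Nov 15 15:05:40 ns in.telnetd[26483]: refused connect from 209.67.50.254
Nov 15 15:05:40 ns in.telnetd[26484]: refused connect from 209.67.50.254
Nov 15 15:06:00 ns sshd[26500]: connect from 192.0.2.10
"""

# syslog timestamp, host, daemon[pid]: [refused ]connect from [user@]a.b.c.d
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<refused>refused )?connect from "
    r"(?:(?P<user>\S+)@)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line, year=1998):
    """Parse one tcp_wrappers-style line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog lines carry no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "host": m["host"],
        "daemon": m["daemon"],
        "refused": m["refused"] is not None,
        "user": m["user"],          # only present when the wrapper did an ident lookup
        "src": m["src"],
    }


def peak_rate(timestamps):
    """Largest number of events sharing one second (syslog has 1 s resolution)."""
    counts = defaultdict(int)
    for ts in timestamps:
        counts[ts] += 1
    return max(counts.values(), default=0)


def summarize(log_text):
    """Aggregate connect events per source address across all hosts in the log."""
    per_src = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_src.setdefault(ev["src"], {
            "events": 0, "refused": 0, "hosts": set(), "daemons": set(),
            "users": set(), "timestamps": [],
        })
        s["events"] += 1
        s["refused"] += int(ev["refused"])
        s["hosts"].add(ev["host"])
        s["daemons"].add(ev["daemon"])
        if ev["user"]:
            s["users"].add(ev["user"])
        s["timestamps"].append(ev["ts"])
    for s in per_src.values():
        s["peak_per_second"] = peak_rate(s["timestamps"])
    return per_src


def flag_scanners(per_src, min_hosts=2, min_daemons=2, burst=5):
    """Return {src: [reasons]} for sources matching the pattern seen in the thread."""
    flagged = {}
    for src, s in per_src.items():
        reasons = []
        if len(s["hosts"]) >= min_hosts and len(s["daemons"]) >= min_daemons:
            reasons.append(f"{len(s['daemons'])} services on {len(s['hosts'])} hosts")
        if "root" in s["users"]:
            reasons.append("login attempt as root")
        if s["peak_per_second"] >= burst:
            reasons.append(f"{s['peak_per_second']} connects in one second")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_scanners(summarize(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

Feed it the concatenated wrapper logs from every host you run (the thread's "multiple machines" view is what makes the cross-host count meaningful); single-host logs only show one piece of the pattern.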
We're seeing it here too. It appears to have started around 9:10 pm on one server, and around 9:20 pm on the other. -Steve On Sun, 15 Nov 1998, William S. Duncanson wrote:
-- Steve Gibbard WWNet System Administration +1 734 513-7707 x 2009 http://www.wwnet.net
Btw, did anyone fix the password they have been trying? If so, send it to me and I'll compare it with my list of backdoored passwords used by Russian hackers. Maybe we'll identify this one exactly.
On Sun, 15 Nov 1998, Steve Gibbard wrote:
Date: Sun, 15 Nov 1998 21:56:23 -0500 (EST) From: Steve Gibbard <scg@wwnet.net> To: nanog@merit.edu Subject: Re: Exodus / Clue problems
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
Somebody musta got them, 'cause they're gone now.
At 06:25 PM 11/15/98 -0600, William S. Duncanson wrote:
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail: rmeyer@mhsc.com
Internet phone: hawk.mhsc.com
Personal web pages: http://www.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com/
___________________________________________
Who is John Galt? "Atlas Shrugged" - Ayn Rand
I have received a call from Exodus. The machine (209.67.50.254) has been removed from the network by request of the owner of the box. James At 07:22 PM 11/15/98 -0800, Roeland M.J. Meyer wrote:
I have received a call from Exodus. The machine (209.67.50.254) has been removed from the network by request of the owner of the box.
Great!, but..............
a) Did they end up obtaining access to another site and will begin there?
b) WAS the origination actually the box as people have claimed, or was it spoofed?
c) There was a report that it had stopped earlier (As seen below from Roeland), is anyone still seeing it?
d) Was the box just YANKED, or did someone actually try to find out if there was someone/something on it and where its origin is?
Tuc/TTSG
The owner did not allow any further action to the box except to have it removed from the network. So until the owner sends someone in to clean up we won't know anything more.
James
At 10:54 PM 11/15/98 -0500, TTSG wrote:
The owner did not allow any further action to the box except to have it removed from the network. So until the owner sends someone in to clean up we won't know anything more.
8-( Did Exodus at least try to do some sniffing of traffic or captures at the router or SOMETHING? Or will we never know anything more about this?
Tuc/TTSG
On Sun, 15 Nov 1998, TTSG wrote:
8-( Did Exodus at least try to do some sniffing of traffic or captures at the router or SOMETHING? Or will we never know anything more about this?
Was this issue escalated to their senior security people in CA? (If not, I would venture to say no. If so, please consult your magic 8 ball for the answer. 8-)
The owner did not allow any further action to the box except to have it removed from the network. So until the owner sends someone in to clean up we won't know anything more.
8-( Did Exodus at least try to do some sniffing of traffic or captures at the router or SOMETHING? Or will we never know anything more about this?
The way to deal with owners like this is to have a good contact with FBI folks that investigate this stuff. Believe it or not, FBI is quite efficient in obtaining evidence ;) Alex
The way to deal with owners like this is to have a good contact with FBI folks that investigate this stuff. Believe it or not, FBI is quite efficient in obtaining evidence ;)
My big carrot stick (I'm a veggie, so I don't eat beef) is that if the person was connected to the box (And it wasn't just a script running) we could have done more tracing. If they weren't, we could at least try to find out how/what they were doing and see if there is a new advisory that should be published. Now we have to deal with AFTER the fact, instead of IN-PROGRESS.
Tuc/TTSG
On Mon, 16 Nov 1998, TTSG wrote:
My big carrot stick (I'm a veggie, so I don't eat beef) is that if the person was connected to the box (And it wasn't just a script running) we could have done more tracing.
"We"?

If they were aware that illegal activity was taking place on that machine and left it on the network for any reason, they would have been prosecutable as accessories for any attacks or violations that took place while an 'analysis' was being done.

Yes, it would have been interesting to take a look. But it would have been business suicide for them to do so.

--matt@snark.net---------------------------------------------<darwin><
Matt Ghali MG406/GM023JP Currently somewhere between Asia and the US
"Sub-optimal is a state of mind." -Dave Rand, <dlr@bungi.com>
On Mon, 16 Nov 1998, TTSG wrote:
My big carrot stick (I'm a veggie, so I don't eat beef) is that if the person was connected to the box (And it wasn't just a script running) we could have done more tracing.
"We"?
Royal "we"...........
If they were aware that illegal activity was taking place on that machine and left it on the network for any reason, they would have been prosecutable as accessories for any attacks or violations that took place while an 'analysis' was being done.
Yes, that's a tough call during any attack. First inclination is always to dump them, disconnect, and re-format the machine from scratch, totally losing any trails or ideas how to prevent or find the original person.
Yes, it would have been interesting to take a look. But it would have been business suicide for them to do so.
PLEASE, I don't want to get into a fight about this............(In other words, I'm saying something that might be construed as starting it..) but in the time it took them to identify that it was occurring, and to find the contact, there are 1/2 a dozen things that could have been done.
Tuc/TTSG
On Mon, 16 Nov 1998, TTSG wrote:
My big carrot stick (I'm a veggie, so I don't eat beef) is that if the person was connected to the box (And it wasn't just a script running) we could have done more tracing.
Who knows if they actually maintained a connection to the box, but from my view it would have had to have been a totally automated (or nearly so) setup, given the volume of the attempts and the number of sites hit. Domains selected for the hit would appear to be automated as well, perhaps on something like domains with a user on this list. This is about the only quality my systems share with most of those in here. (Small Alaskan ISP with fewer customers than some of you have employees, and even my primary DNS got hit (though not MX))
On Sun, 15 Nov 1998, TTSG wrote:
removed from the network by request of the owner of the box.
b) WAS the origination actually the box as people have claimed, or was it spoofed?
I seriously doubt it was spoofed, as mentioned before, because the attacker was going after _TCP_ ports on a wide spectrum of machine types. Unless he recently found a bug in every OS that allows IP blind spoofing (ISN generation bugs?), it just about had to be the real address.
-- 
Jeff Carneal - Sys Admin - Apex Internet
jeff@apex.net http://www.apex.net (502) 442-5363
The opinions expressed above aren't really mine. They belong to someone else who also refuses to take responsibility for them.
I was getting ready to do a SAINT run on the IP address to find out (I needed the practice) when the initial ping timed out. <sigh> At 10:54 PM 11/15/98 -0500, TTSG wrote:
Hi. You are discussing nothing. I have traced a few different hackers in the last 2 weeks, and I suspect this was one of the boxes broken by them (or maybe not). If it was a Linux box, I am sure it was broken. The problem is the fact that not every owner answers the warning messages, and there are some well known hosts used by hackers without the owners' permission, and the owners do not answer and do not close these hosts.

Keep in mind: there is a _trojan toolkit_ for Linux and SunOS (there are for other systems too, but they have a lot of bugs) hiding the hacker's activity totally (try this one for Linux - an excellent package replacing more than 20 different commands); there is a trojaned SSH daemon (and hackers like to install it).

If you saw the port scanning or BO scanning or port 139 scanning or any other kind of scanning, you CAN write AT ONCE a warning to the box owner _the hacker broke your system and abuses it_, and your suspicion will be correct for more than 99% of these addresses. Do not write _please stop scanning_, but write _alarm. YOU are broken_. I have not had ANY exception for the more than 20 or 40 warnings I have sent last week.

The worst (for today) are Canadian scientific networks - no answer, a lot of powerful servers abused for cracking, smurfing etc. Other bad network is NASA -:). It's abused by the hackers and they can't stop this activity. I do not speak about the universities over the world -:).

On Sun, 15 Nov 1998, Roeland M.J. Meyer wrote:
Date: Sun, 15 Nov 1998 20:37:20 -0800 From: Roeland M.J. Meyer <rmeyer@mhsc.com> To: TTSG <ttsg@ttsg.com> Cc: James McKenzie <mcs@1ipnet.net>, nanog@merit.edu, asr@millburn.net, ttsg@ttsg.com Subject: Re: Exodus / Clue problems
On Sun, 15 Nov 1998, Daniel Senie wrote:
Same here...on multiple servers from 21:10 to 21:58 EST.
----don't waste your cpu, crack rc5...www.distributed.net team enzo---
Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
Network Administrator | nestea'd...whatever it takes
Florida Digital Turnpike | to get the job done.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key________
Hi all, No reply from the page out....... Not sure if I'm sending the right number. Sometimes my cell doesn't call pagers properly. (I know SKYTEL can't) Did anyone see attempts from d121097.ppp121.cyberway.com.sg earlier today? (While we are at it........) Tuc/TTSG
On Sun, Nov 15, 1998 at 06:24:13PM -0500, sigma@pair.com put this into my mailbox:
Careful. Exodus' lawyers might take offense and try to sue your ass for libel.

This seems pretty par for most ISPs these days, though. They're either "duh, what's abuse?", and take hours of handholding and e-mails to explain why 'when one of your customers commits felonies by flooding my machine it's a BAD thing' - whereupon by the time they realize it's a bad thing the user is long gone or the attack is untraceable, or their radius logs (if they keep any) have rotated, or they act like the idiots in Malaysia and Mexico* and just ignore any abuse reports altogether.

(*) Certain clueless people have taken this to mean that I think all Malaysians and Mexicans are stupid. I don't. I simply happen to think that all the ISPs there are seriously lacking in the clue department, because I've spent the better part of the last six months dealing with quite a number of them attempting to get them off of their sorry behinds and to actually delete users who do things like spam, flood, hack, &etc, without results.

-dalvenjah
-- 
Dalvenjah FoxFire (aka Sven Nielsen), Founder, the DALnet IRC Network
e-mail: dalvenjah@dal.net WWW: http://www.dal.net/~dalvenjah/ whois: SN90
Try DALnet! http://www.dal.net/
"If her breath were as terrible as her terminations, there were no living near her; she would infect to the North Star!"
On Sun, Nov 15, 1998 at 06:24:13PM -0500, sigma@pair.com wrote:
Let me guess - the IP is 209.67.50.254, and they're trying to login to nameservers as "root", sometimes a dozen times per second?
Not seeing that rate, but yep:

Nov 15 18:10:25 mailhost.cmc.net ipmon[117]: 18:10:24.956040 le0 @35 b 209.67.50.254,1608 -> mailhost.cmc.net,telnet PR tcp len 20 44 -S

--
Brian Moore               | "The Zen nature of a spammer resembles
Sysadmin, C/Perl Hacker   |  a cockroach, except that the cockroach
Usenet Vandal             |  is higher up on the evolutionary chain."
Netscum, Bane of Elves.   |      Peter Olson, Delphi Postmaster
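The ipmon line above is IP Filter's syslog output: syslog stamp, host, ipmon's own microsecond timestamp, interface, rule (@35), action (b = blocked), src,sport -> dst,dport, protocol, header/total length and TCP flags. As an added example (not from this thread or from IP Filter), here is a small parser for that format plus a sliding-window check that flags a source whose blocked telnet attempts reach the "dozen per second" pace the thread describes; the log lines are constructed from the one quoted line, and the threshold values are assumptions.

```python
import re
from collections import defaultdict

# Shape of one ipmon line, as quoted in the thread:
# <syslog ts> <host> ipmon[pid]: <ts> <iface> @<rule> <action> <src>,<sport> -> <dst>,<dport> PR <proto> len <hlen> <len> [flags]
IPMON_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) \d\d:\d\d:\d\d (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>\S) "
    r"(?P<src>[^,\s]+),(?P<sport>\S+) -> (?P<dst>[^,\s]+),(?P<dport>\S+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<length>\d+)(?: (?P<flags>\S+))?$"
)

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # seconds since midnight from ipmon's own timestamp (day rollover ignored here)
    h, mi, s = rec["ts"].split(":")
    rec["seconds"] = int(h) * 3600 + int(mi) * 60 + float(s)
    return rec

def flag_bursts(lines, service="telnet", min_hits=10, window=1.0):
    """Map src -> total blocked hits on `service`, for sources that had
    at least `min_hits` blocked hits inside some `window`-second span.
    Thresholds are assumed defaults, not values from the thread."""
    times = defaultdict(list)
    for line in lines:
        rec = parse_ipmon(line)
        if rec and rec["action"] == "b" and rec["dport"] == service:
            times[rec["src"]].append(rec["seconds"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):          # sliding window over sorted timestamps
            while ts[hi] - ts[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_hits:
                flagged[src] = len(ts)
                break
    return flagged

# Constructed sample: the quoted line, eleven synthetic follow-ups 80 ms apart
# from the same source, and one unrelated single attempt (192.0.2.7 is a test-net address).
SAMPLE = ["Nov 15 18:10:25 mailhost.cmc.net ipmon[117]: 18:10:24.956040 le0 @35 b "
          "209.67.50.254,1608 -> mailhost.cmc.net,telnet PR tcp len 20 44 -S"]
SAMPLE += [f"Nov 15 18:10:25 mailhost.cmc.net ipmon[117]: 18:10:25.{i * 80000:06d} le0 @35 b "
           f"209.67.50.254,{1609 + i} -> mailhost.cmc.net,telnet PR tcp len 20 44 -S" for i in range(11)]
SAMPLE.append("Nov 15 18:10:26 mailhost.cmc.net ipmon[117]: 18:10:26.100000 le0 @35 b "
              "192.0.2.7,40001 -> mailhost.cmc.net,telnet PR tcp len 20 44 -S")
```

Running `flag_bursts(SAMPLE)` on the constructed sample flags only 209.67.50.254 (12 blocked telnet hits within one second); the single attempt from 192.0.2.7 stays below the threshold.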
On Sun, Nov 15, 1998 at 06:24:13PM -0500, sigma@pair.com wrote:
Let me guess - the IP is 209.67.50.254, and they're trying to login to nameservers as "root", sometimes a dozen times per second?
Not seeing that rate, but yep: Nov 15 18:10:25 mailhost.cmc.net ipmon[117]: 18:10:24.956040 le0 @35 b 209.67.50.254,1608 -> mailhost.cmc.net,telnet PR tcp len 20 44 -S
Possible to do some TCPDUMPs????? Can you decode the packets and see if there is any source routing or something funny occurring?

Tuc/TTSG
On Sun, 15 Nov 1998 sigma@pair.com wrote:
Let me guess - the IP is 209.67.50.254, and they're trying to login to nameservers as "root", sometimes a dozen times per second?
Hello, filtering.
Kevin
Sorry to cross post, but is there anyone monitoring this list from Exodus with 1/2 a clue who might be able to help me? I called the NOC with an in-progress abuse and was told :
1) We don't know who owns that IP
That's funny...

[chuck@ws chuck]$ ping dns4.register.com
PING dns4.register.com (209.67.50.254): 56 data bytes
64 bytes from 209.67.50.254: icmp_seq=0 ttl=47 time=130.2 ms
64 bytes from 209.67.50.254: icmp_seq=1 ttl=47 time=132.8 ms
64 bytes from 209.67.50.254: icmp_seq=2 ttl=47 time=133.6 ms

--- dns4.register.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 130.2/132.2/133.6 ms

and it's Linux 5.1!

[chuck@server chuck]$ whois register-dom
[rs.internic.net]
Registrant:
Forman Interactive Corp (REGISTER-DOM)
   201 Water St.
   Brooklyn, NY 11201
   USA

   Domain Name: REGISTER.COM

   Administrative Contact, Technical Contact, Zone Contact:
      Forman, Internic  (PF61)  internic@FORMAN.COM
      212-627-4988 (FAX) 212-627-6477
   Billing Contact:
      Forman, Internic  (PF61)  internic@FORMAN.COM
      212-627-4988 (FAX) 212-627-6477

   Record last updated on 25-Aug-98.
   Record created on 01-Nov-94.
   Database last updated on 15-Nov-98 04:46:26 EST.

   Domain servers in listed order:

   DNS1.REGISTER.COM            209.67.50.220
   DNS2.REGISTER.COM            209.67.50.241

So... either they're bad folks or they got hacked and the bad folks are using their machine. If they got hacked I'd say that's plenty interesting...

209.67.50.254   22   ssh   Secure Shell - RSA encrypted rsh   -> SSH-1.5-1.2.26\n

Cheers!

--
Chuck Mead, CEO - Moongroup Consulting, Inc. <chuck@moongroup.com>
http://www.moongroup.com/  http://www.moongroup.com/unix/
There's no such thing as a free lunch. -- Milton Friedman
Could be brute-force? On Sun, 15 Nov 1998 sigma@pair.com wrote:
Let me guess - the IP is 209.67.50.254, and they're trying to login to nameservers as "root", sometimes a dozen times per second?
Sorry to cross post, but is there anyone monitoring this list from Exodus with 1/2 a clue who might be able to help me? I called the NOC with an in-progress abuse and was told :
1) We don't know who owns that IP 2) We can't get into our own routers
Tuc/TTSG
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Atheism is a non-prophet organization.           I route, therefore I am.
Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
Father of the Network and Head Bottle-Washer
Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone!  http://www.nac.net
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
On Mon, Nov 16, 1998 at 07:55:05AM -0500, alex@nac.net wrote:
Could be brute-force?
On Sun, 15 Nov 1998 sigma@pair.com wrote:
Sorry to cross post, but is there anyone monitoring this list from Exodus with 1/2 a clue who might be able to help me? I called the NOC with an in-progress abuse and was told :
1) We don't know who owns that IP 2) We can't get into our own routers
It's interesting that the people who normally post here from Exodus have not said a word or offered any help at all.

--
Steve Sobol [sjsobol@nacs.net]
Part-time Support Droid [support@nacs.net]
NACS Spaminator [abuse@nacs.net]
Spotted on a bumper sticker: "Possum. The other white meat."
On Sun, 15 Nov 1998, TTSG wrote:
Sorry to cross post, but is there anyone monitoring this list from Exodus with 1/2 a clue who might be able to help me? I called the
If you find such a person, could you please let me know? I could use one myself. 8-)

The best advice I have for you is to escalate your problem till you're blue in the face. Then, stop, and escalate it some more.

(Adam reaches for the PalmPilot...)

Which NOC (or, was it an "NCC") did you deal with? If New Yorsey, you may want to speak with Carmen Nicholosi (212-220-5472). If DC, give Doug Anderson <danderson@exodus.net> a call at 703-926-1282. If elsewhere, ask for their Data Center Manager or NCC Supervisor...

You may also want to voice your concerns to Bert Dollahite (head Quality dude), Robert Sanford (head Operations dude), or Louis Muggeo (head Customer Support and Services dude).

If I can be of any further assistance, feel free to contact me off-list.

Thanks,
-asr