Over the past couple of days, at least two of our servers have been inundated with rather amateurish attempts to login as various privileged users. We're talking at least hundreds of attempts, mostly from 62.104.92 and 62.104.82. A whois shows the /16 (which I finally null routed the whole thing) belongs to:

role: Network Management
address: freenet Cityline GmbH
address: Network Managment Center
address: Juri Gagarin Ring 88
address: 99084 Erfurt
address: Germany
phone: +49 361 594 2961
remarks: ****************************************************
remarks: * please report spam/abuse mailto:abuse@pppool.de *
remarks: * reports to other addresses will not be processed *
remarks: ****************************************************

I sent the abuse email 2 days ago and got no response. After 2 more days of this, I finally just tried to call that number, and it's bogus (or at least not working). Does anyone have a clue who this is and/or how to actually get ahold of someone there (preferably one who speaks or reads/writes English)?

TIA,
James Smallacombe
PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
=========================================================================
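An added example, not part of the original post: one way to summarise failed logins per source prefix, both to size a null route (/24 versus /16) and to attach counts to an abuse report. It assumes OpenSSH-style syslog lines, which the post does not specify; the log lines, host octets and thresholds are constructed, and only the two /24 prefixes come from the post.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample in OpenSSH syslog format (assumed service; not from the post).
SAMPLE_LOG = """\
Mar 23 02:11:07 srv1 sshd[411]: Failed password for root from 62.104.92.17 port 4021 ssh2
Mar 23 02:11:09 srv1 sshd[411]: Failed password for invalid user admin from 62.104.92.17 port 4022 ssh2
Mar 23 02:11:15 srv1 sshd[415]: Failed password for root from 62.104.92.201 port 4100 ssh2
Mar 23 03:40:01 srv1 sshd[502]: Failed password for root from 62.104.82.5 port 3310 ssh2
Mar 23 03:40:04 srv1 sshd[502]: Failed password for invalid user test from 62.104.82.5 port 3311 ssh2
Mar 23 03:40:09 srv1 sshd[507]: Failed password for invalid user admin from 62.104.82.44 port 3399 ssh2
Mar 23 03:41:12 srv1 sshd[511]: Failed password for root from 62.104.82.44 port 3400 ssh2
Mar 23 08:02:30 srv1 sshd[640]: Failed password for alice from 192.0.2.10 port 5121 ssh2
Mar 23 08:02:41 srv1 sshd[640]: Accepted password for alice from 192.0.2.10 port 5121 ssh2
"""

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def failures_by_prefix(log_text, prefixlen=24):
    """Map each source network to a Counter of {account name: failed attempts}."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        user, ip = m.groups()
        try:
            net = ip_network(f"{ip}/{prefixlen}", strict=False)
        except ValueError:  # malformed address in the log line; skip it
            continue
        stats[net][user] += 1
    return stats

def noisy_prefixes(log_text, prefixlen=24, min_attempts=3, min_users=2):
    """Prefixes with repeated failures spread over several account names.

    A single user mistyping a password (one address, one account) stays
    below both thresholds and is not reported.
    """
    rows = []
    for net, users in failures_by_prefix(log_text, prefixlen).items():
        total = sum(users.values())
        if total >= min_attempts and len(users) >= min_users:
            rows.append((str(net), total, sorted(users)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for plen in (24, 16):
        for net, total, users in noisy_prefixes(SAMPLE_LOG, plen):
            print(f"/{plen}: {net} failures={total} accounts={','.join(users)}")
```
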
On Wed, 24 Mar 2004 up@3.am wrote:
> over the past couple of days, at least two of our servers have been inundated with rather amateurish attempts to login as various privileged users.
I would check out the other roles referenced in the AS5430 object and failing that perhaps someone at Telia or Level3 can help.

Regards,
J.
--
Jess Kitchen ^ burstfire.net[works] _25492$ | www.burstfire.net.uk
> I sent the abuse email 2 days ago and got no response. After 2 more days of this, I finally just tried to call that number, and it's bogus (or at least not working). Does anyone have a clue who this is and/or how to actually get ahold of someone there (preferably one who speaks or reads/writes English)?
Try and reach them at peering@mcbone.net or try and contact their admin Jens Rosenboom at jens.rosenboom@freenet-ag.de. I know it's not the regular channel, but we peer with them at DE-CIX and had similar problems a while back with IPs from their range scanning and trying out SNMP communities on our boxes. They responded on an e-mail sent to their peering address and we haven't had any further scans since, although your complaint seems to disrepute them further.

Cheers,
--
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10-7507008
fax: +31(0)10-7507005
http://www.we-dare.nl
----- Original Message -----
From: "Erik Haagsman" <erik@we-dare.net>
To: <up@3.am>
Cc: <nanog@merit.edu>
Sent: Wednesday, March 24, 2004 10:55 AM
Subject: Re: Problems with .de abuse
>> I sent the abuse email 2 days ago and got no response. After 2 more days of this, I finally just tried to call that number, and it's bogus (or at least not working). Does anyone have a clue who this is and/or how to actually get ahold of someone there (preferably one who speaks or reads/writes English)?
> Try and reach them at peering@mcbone.net or try and contact their admin Jens Rosenboom at jens.rosenboom@freenet-ag.de. I know it's not the regular channel, but we peer with them at DE-CIX and had similar problems a while back with IPs from their range scanning and trying out SNMP communities on our boxes. They responded on an e-mail sent to their peering address and we haven't had any further scans since, although your complaint seems to disrepute them further.
slightly OT, but it is a sad day when operators stop being responsible neighbours and start responding to abuse reports only when their {willy,peering} is on the line.

paul
On Wed, 2004-03-24 at 16:57, Paul G wrote:
> slightly OT, but it is a sad day when operators stop being responsible neighbours and start responding to abuse reports only when their {willy,peering} is on the line.
It is...and persistently trying a host of SNMP community strings on a neighbour's router interfaces doesn't make it any better :-)

--
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10-7507008
fax: +31(0)10-7507005
http://www.we-dare.nl
On Wed, 24 Mar 2004 17:58:27 +0100, Erik Haagsman said:
> It is...and persistently trying a host of SNMP community strings on a neighbour's router interfaces doesn't make it any better :-)
Trying once is one thing. Being persistent about it when it didn't work the first time deserves a smack with a clue-by-four. ;) "If at first you don't succeed, give up. There's no sense in making a fool of yourself" :)
On Wed, 24 Mar 2004 Valdis.Kletnieks@vt.edu wrote:
> On Wed, 24 Mar 2004 17:58:27 +0100, Erik Haagsman said:
>> It is...and persistently trying a host of SNMP community strings on a neighbour's router interfaces doesn't make it any better :-)
> Trying once is one thing. Being persistent about it when it didn't work the first time deserves a smack with a clue-by-four. ;)
sometimes this is OVW going on a discovery rampage, quite a few folks forget to set the scope before telling it to discover :(
On Mar 24, 2004, at 12:18 PM, Christopher L. Morrow wrote:
> On Wed, 24 Mar 2004 Valdis.Kletnieks@vt.edu wrote:
>> On Wed, 24 Mar 2004 17:58:27 +0100, Erik Haagsman said:
>>> It is...and persistently trying a host of SNMP community strings on a neighbour's router interfaces doesn't make it any better :-)
>> Trying once is one thing. Being persistent about it when it didn't work the first time deserves a smack with a clue-by-four. ;)
> sometimes this is OVW going on a discovery rampage, quite a few folks forget to set the scope before telling it to discover :(
Seems that most OV installations would have one SNMP string. Alternatively, if you log all these strings, look up the source IP, you now have a really good view into the routers for that AS. :)

--
TTFN,
patrick
participants (7)
- Christopher L. Morrow
- Erik Haagsman
- Jess Kitchen
- Patrick W.Gilmore
- Paul G
- up@3.am
- Valdis.Kletnieks@vt.edu