Fw: Information from an FTP violation this weekend.
Good luck, guys. We had left an incoming open on our FTP server for our Unix guys to upload code on. BTW, this occurred over the Thanks Giving Holiday. Anyway a guy from .ru uploaded the latest version of (sp)Tumbarator 5 which had just been released in Europe, that morning & Mummy. Then the bum put our IP address on all the warez sites and we had so may people hitting our server that we had no bandwidth left back to the Internet and no more ports on our FTP Unix server. It got so bad that we had to deny all of Europe just to take some of the load off us. Then for the next 60 days we handled the US group. Needless to say we logged everything and contacted the software groups involved and made them available. But it was a nightmare for a long time at our office. So I can sympathize with your problems. Respectfully, Morris Allen VidcomNet, Inc. ----- Original Message ----- From: "Stephen J. Wilcox" <steve@opaltelecom.co.uk> To: "Smith, Rick" <rsmith@atsworld.com> Cc: <nanog@merit.edu> Sent: Monday, April 23, 2001 11:19 AM Subject: Re: Information from an FTP violation this weekend.
And I thought the Internet was such a friendly, welcoming environment.. maybe I should remove all my telnet guest logins from my servers and remove my credit card number from my homepage..
Steve
On Mon, 23 Apr 2001, Smith, Rick wrote:
Nanog; fyi.
APNIC / Excite / Home.net -
We have an ftp site running on 209.123.52.40 that is made writable at certain periods of time for anonymous users. Some of our customer's
are programmed to send in bug reports, problem programs, etc at these times. One of these periods of time was this past Friday (4/20/01) from 6pm EST to Saturday afternoon at Noon. In that time period, a couple of hundred megs of movies / warez / crap was dropped onto the ftp site, and then the
systems people
that were (I presume) loading up the site got cut off.
Not only did the violator from 203.164.51.0/24 store illegal information on our ftp site, they also deleted everything that existed. Not anyone's fault there but our own, and no problem since there were backups, but just fyi that this stuff is happening out there from the reported networks.
Here's some information I collected from a .htaccess file in one of the directories that these <insert explative here> left.
<Limit GET> order allow,deny deny from 141.201.222. deny from 24.141.20. deny from 24.141.36. deny from 65.1.50. . . Bunch of Denies . allow from 203.164.51. deny from 203.164.3. deny from 62.30.0. . . Bunch of Denies . allow from all </Limit>
I run Portsentry on my FreeBSD firewall, which caught and denied this: 987814775 - 04/20/2001 20:59:35 Host: www.uov.net/209.37.153.6 Port: 515 TCP Blocked
The swip info for the one allow statement in that htaccess file:
[root]# whois -h whois.arin.net 203.164.51.0
Asia Pacific Network Information Center (APNIC2) These addresses have been further assigned to Asia-Pacific users. Contact info can be found in the APNIC database, at WHOIS.APNIC.NET or http://www.apnic.net/ Please do not send spam complaints to APNIC. AU
Netname: APNIC-CIDR-BLK Netblock: 202.0.0.0 - 203.255.255.255 Maintainer: AP
Gee - go figure - a cable modem ween
[root]# whois -h whois.apnic.net 203.164.51.0
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
inetnum: 203.164.48.0 - 203.164.51.255 netname: ATHOME-AU-RIVRW-1 descr: Infrastructure country: AU admin-c: HH85-AP tech-c: AI13-AP mnt-by: MAINT-AU-ATHOME changed: ipmgmt@excitehome.net 20000911 source: APNIC
person: Hostmaster Home Network Australia address: 100 Harris Street address: Pyrmont address: NSW 2009 phone: +61 2 9005 1000 fax-no: +61 2 9005 1076 country: AU e-mail: hostmaster@homenetwork.com.au nic-hdl: HH85-AP mnt-by: MAINT-AU-ATHOME changed: judithh@corp.home.net 20000830 source: APNIC
person: ATHome-AU IP Mgmt address: 450 Broadway Street address: Redwood City, CA 94063 address: US phone: +1-800-872-3595 country: AU e-mail: ipmgmt@excitehome.neet nic-hdl: AI13-AP mnt-by: MAINT-AU-ATHOME changed: judithh@corp.home.net 20000830 source: APNIC
Thanks, Rick Smith Director of Technical Services Applied Tactical Systems (A division of Vertex Interactive, Inc.) <http://www.atsworld.com> --- <http://www.vertexinteractive.com> (973) 808 - 1750 x382
-- Stephen J. Wilcox IP Services Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008
Just enjoy it! You can grow up any collection of warez on your site simply allowing READ access for the files in _incoming_ directory. Of course, you should loot after your collection - drop warez which are not for you asnd feed those you want to have. -:) ----- Original Message ----- From: "Moe Allen" <moe@vidnet.net> To: "Nanog" <nanog@merit.edu> Sent: Monday, April 23, 2001 11:39 AM Subject: Fw: Information from an FTP violation this weekend.
Good luck, guys. We had left an incoming open on our FTP server for our Unix guys to upload code on. BTW, this occurred over the Thanks Giving Holiday. Anyway a guy from .ru uploaded the latest version of (sp)Tumbarator 5 which had just been released in Europe, that morning & Mummy. Then the bum put our IP address on all the warez sites and we had so may people hitting our server that we had no bandwidth left back to the Internet and no more ports on our FTP Unix server.
participants (2)
-
Alexei Roudnev -
Moe Allen