Re: Dumb ISP of the week

[Scott Bishop <scott () walkerbolt com>]

On Mon, 21 Aug 2000, UnixGeek wrote:
> Date:         Mon, 21 Aug 2000 14:24:44 -0700
> To: INCIDENTS () SECURITYFOCUS COM
> From: UnixGeek <ed () XWING CENTIGRAM COM>
> Reply-To: UnixGeek <ed () XWING CENTIGRAM COM>
> Subject:      Re: Dumb ISP of the week
>
> Oh don't even get me started on Pac Bell.  I've been getting massive
> telnet and imap scans from one of their IP's (63.203.107.5), which
> appears
> to be a Linux box(and probably a rooted one).  Think Pac Bell/SBC has
> even
> looked at my email yet?  [keeping in mind the fact that I get my
> 'enhanced' DSL from PB/SBC as well]

Actually, it's interesting that you note that... over the weekend, I got
the same scan from the same host, and they e-mailed me back (my own IP
address masked):

Date: Mon, 21 Aug 2000 11:07:22 -0500
To: scott () walkerbolt com
From: Dave Barger <dbarger () swbell net>
Reply-to: dbarger () swbell net
Subject: Re: Small scan from your network

Hello,

We have identified this intruder, and the offender is being delt with.
Thank you for the information.

Regards,

--
Dave Barger
Sr. Network Engineer
IP Management
SBC Internet Services
dbarger () swbell net
214-495-2098

Scott Bishop wrote:
> Hello there,
>
> Over this past weekend, two of our machines received two scans from the
IP
> address 63.203.107.5, which whois.arin.net identifies as being under your
> control.  They were looking for open telnet and imap2 ports.  None of our
> employees use Procomm Paging, and have no reason to be accessing our
> systems from outside the office anyway.  The log entries are as follows:
>
> Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4037 xxx.xxx.xxx.xxx::23 L=60 S=0x00 I=36225 F=0x4000 T=51
SYN
> (#50)
> Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4059 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=36305 F=0x4000 T=51
SYN
> (#50)
> ..
> Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4154 xxx.xxx.xxx.xxx:23 L=60 S=0x00 I=37749 F=0x4000 T=51
SYN
> (#50)
> Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4170 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=37819 F=0x4000 T=51
SYN
> (#50)
>
> Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4065 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=36341 F=0x4000 T=51
SYN
> (#49)
> Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4085 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=36422 F=0x4000 T=51
SYN
> (#49)
> ..
> Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4155 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=37750 F=0x4000 T=51
SYN
> (#49)
> Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6
> 63.203.107.5:4172 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=37823 F=0x4000 T=51
SYN
> (#49)
>
> Again, no one from your company should be accessing our machines.  The
only
> reason I can think of for these connection attempts is an unauthorized
> access of our network.  If these connections are in error, I understand.
> If not, please take steps to make sure these scans do not occur again.
> Thank you in advance.
>
> --
> --Scott Bishop
> WALKER BOLT Manufacturing Co.
> (Notice: The opinions presented are not necessarily those of my employer,
> nor of any other sane individual for that matter.)

I guess it all depends on who you contact... in any event, it appears it's
being taken care of now.

--
--Scott Bishop
WALKER BOLT Manufacturing Co.
(Notice: The opinions presented are not necessarily those of my employer,
nor of any other sane individual for that matter.)