Security Incidents mailing list archives
Re: Dumb ISP of the week
From: Scott Bishop <scott () walkerbolt com>
Date: Tue, 22 Aug 2000 09:25:37 CDT
On Mon, 21 Aug 2000, UnixGeek wrote:
Date: Mon, 21 Aug 2000 14:24:44 -0700
To: INCIDENTS () SECURITYFOCUS COM
From: UnixGeek <ed () XWING CENTIGRAM COM>
Reply-To: UnixGeek <ed () XWING CENTIGRAM COM>
Subject: Re: Dumb ISP of the week

Oh don't even get me started on Pac Bell. I've been getting massive telnet and imap scans from one of their IP's (63.203.107.5), which appears to be a Linux box (and probably a rooted one). Think Pac Bell/SBC has even looked at my email yet?

[keeping in mind the fact that I get my 'enhanced' DSL from PB/SBC as well]

Actually, it's interesting that you note that... over the weekend, I got the same scan from the same host, and they e-mailed me back (my own IP address masked):

Date: Mon, 21 Aug 2000 11:07:22 -0500
To: scott () walkerbolt com
From: Dave Barger <dbarger () swbell net>
Reply-to: dbarger () swbell net
Subject: Re: Small scan from your network

Hello,

We have identified this intruder, and the offender is being dealt with. Thank you for the information.

Regards,
--
Dave Barger
Sr. Network Engineer
IP Management
SBC Internet Services
dbarger () swbell net
214-495-2098

Scott Bishop wrote:

Hello there,

Over this past weekend, two of our machines received two scans from the IP address 63.203.107.5, which whois.arin.net identifies as being under your control. They were looking for open telnet and imap2 ports. None of our employees use Procomm Paging, and have no reason to be accessing our systems from outside the office anyway. The log entries are as follows:

Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4037 xxx.xxx.xxx.xxx::23 L=60 S=0x00 I=36225 F=0x4000 T=51 SYN (#50)
Aug 20 09:16:52 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4059 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=36305 F=0x4000 T=51 SYN (#50)
..
Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4154 xxx.xxx.xxx.xxx:23 L=60 S=0x00 I=37749 F=0x4000 T=51 SYN (#50)
Aug 21 05:25:53 firewall kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4170 xxx.xxx.xxx.xxx:143 L=60 S=0x00 I=37819 F=0x4000 T=51 SYN (#50)

Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4065 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=36341 F=0x4000 T=51 SYN (#49)
Aug 20 09:12:53 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4085 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=36422 F=0x4000 T=51 SYN (#49)
..
Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4155 yyy.yyy.yyy.yyy:23 L=60 S=0x00 I=37750 F=0x4000 T=51 SYN (#49)
Aug 21 05:21:58 klorel kernel: Packet log: input REJECT eth0 PROTO=6 63.203.107.5:4172 yyy.yyy.yyy.yyy:143 L=60 S=0x00 I=37823 F=0x4000 T=51 SYN (#49)

Again, no one from your company should be accessing our machines. The only reason I can think of for these connection attempts is an unauthorized access of our network. If these connections are in error, I understand. If not, please take steps to make sure these scans do not occur again.

Thank you in advance.

--
--Scott Bishop
WALKER BOLT Manufacturing Co.
(Notice: The opinions presented are not necessarily those of my employer, nor of any other sane individual for that matter.)

I guess it all depends on who you contact... in any event, it appears it's being taken care of now.

--
--Scott Bishop
WALKER BOLT Manufacturing Co.
(Notice: The opinions presented are not necessarily those of my employer, nor of any other sane individual for that matter.)
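
Added example, not part of the original message or thread: a short Python parser for ipchains "Packet log" lines like those quoted above, which groups blocked TCP SYNs by source address and keeps the sources that probed more than one target, the kind of summary that goes into an abuse report. The function names, the min_hosts threshold and the sample addresses (documentation ranges) are assumptions made for this example.

```python
import re
from collections import defaultdict

# ipchains layout: chain ACTION iface PROTO=n src:sport dst:dport ... [SYN] (#rule)
# dst also accepts masked forms (xxx.xxx.xxx.xxx, doubled colon) as posted in the message.
LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\w.]+):{1,2}(?P<dport>\d+)"
    r".*?(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)

def parse(line):
    """Fields of one ipchains packet-log line, or None for any other line."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(dport=int(rec["dport"]), syn=rec["syn"] is not None)
    return rec

def summarize(lines, min_hosts=2):
    """Blocked TCP SYNs grouped by source; keep sources that probed >= min_hosts targets."""
    seen = defaultdict(lambda: {"ports": set(), "dsts": set(), "packets": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "6" or not rec["syn"]:
            continue  # not a TCP connection attempt
        if rec["action"] not in ("REJECT", "DENY"):
            continue  # count only what the firewall blocked
        s = seen[rec["src"]]
        s["ports"].add(rec["dport"])
        s["dsts"].add(rec["dst"])
        s["packets"] += 1
    return {src: {"ports": sorted(s["ports"]), "hosts": len(s["dsts"]), "packets": s["packets"]}
            for src, s in seen.items() if len(s["dsts"]) >= min_hosts}

# Constructed sample lines in the same format (not the poster's logs).
SAMPLE = """\
Aug 20 09:16:52 fw1 kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.9:4037 192.0.2.10:23 L=60 S=0x00 I=36225 F=0x4000 T=51 SYN (#50)
Aug 20 09:16:52 fw1 kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.9:4059 192.0.2.10:143 L=60 S=0x00 I=36305 F=0x4000 T=51 SYN (#50)
Aug 20 09:12:53 fw2 kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.9:4065 192.0.2.20:23 L=60 S=0x00 I=36341 F=0x4000 T=51 SYN (#49)
Aug 20 09:12:53 fw2 kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.9:4085 192.0.2.20:143 L=60 S=0x00 I=36422 F=0x4000 T=51 SYN (#49)
Aug 20 10:01:07 fw1 kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:1201 192.0.2.10:80 L=60 S=0x00 I=1201 F=0x4000 T=60 SYN (#50)
Aug 20 10:02:11 fw1 kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.9:4090 192.0.2.10:23 L=40 S=0x00 I=36500 F=0x4000 T=51 (#50)
""".splitlines()

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

With masked destinations, as in the posted logs, each mask string counts as one target, so the two machines in the message would still be told apart by their xxx and yyy placeholders.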