Security Incidents mailing list archives
Re: large scale distributed scan from Israel
From: Pavel Lozhkin <pauel () BALAKOVO RU>
Date: Wed, 2 Aug 2000 20:31:14 +0400
It is not about Israel, but please look at this:

=== Cut here ===
Your message
  To: staff () iunet it; ccson () teleglobe com; yuriy () teleglobe net; ipasha () teleglobe net; abuse () teleglobe net; abuse () iol it; abuse () libero it
  Subject: !! SECOND MAIL. ABUSE from iol.it and libero.it NOT ANSWERED TO ME ONCE, BUT ATTACKS CONTINUE !!
  Sent: Wed, 21 Jun 2000 06:35:15 +0200
was not read
== End cut here ==

It is the ordinary reaction from .it admins, as far as I know, to any complaints. This point was considered here at least two or three weeks ago...... Perhaps I said it in vain about ALL .it admins, but these incidents are repeating often.

mixter () 2XS CO IL wrote:

> Have you tried contacting the admin of that address block directly before notifying your local CERT? IMHO, that's the best general practice, and you have the best chances of a fast reply... Contact for Israel addresses can best be gotten from the ripe.net database.
>
> 212.179.0.0/17 is listed as ISDN Net Ltd. and is a large dialup pool, if I'm not mistaken. Probably someone is trying to get away with scanning/intruding by hopping to a new dynamic address frequently.
>
> 62.0.55.* should be a small business hosted by Netvision, a large ISP.
>
> On Tue, 1 Aug 2000, Russell Fulton wrote:
>
> > Hi,
> >
> > This is a slightly edited (and truncated -- I've deleted most of the logs) report I have just sent off to AusCERT about this incident. AusCERT are trying to contact people in Israel...
> >
> > Summary of my analysis to date:
> >
> > Duration:  24th Jul 2000 at 19:11 (UTC) to present.
> > Frequency: 50 - 100 probes an hour from several different IP addresses.
> >
> > The two addresses in 62.0.55/16 seem to be active intermittently over at least 4 days -- my slow scan detector picked this up. The other source addresses are active for quite short periods.
> >
> > Either these people have *a lot* (hundreds) of systems at their disposal, or possibly they have compromised one system which can 'see' traffic for a large chunk of Israel's IP traffic, and they are scanning using IP addresses that they know are not active and snooping the responses. Either scenario is cause for concern.
> >
> > Typically each source IP seems to be 'active' for about half an hour and probes a dozen or so addresses in our /16 network (130.216) with the same last octet, e.g. pulling 212.179.30.13 from the log we get:
> >
> > 31 Jul 00 15:52:10 s tcp 212.179.30.13.23226 -> 130.216.4.18.110 5 0 0 0 s
> > 31 Jul 00 15:54:47 tcp 212.179.30.13.20184 <| 130.216.196.18.143 1 1 0 0 sR
> > 31 Jul 00 15:58:28 s tcp 212.179.30.13.20600 -> 130.216.20.18.143 5 0 0 0 s
> > 31 Jul 00 15:59:37 s tcp 212.179.30.13.20728 -> 130.216.148.18.110 5 0 0 0 s
> > 31 Jul 00 16:01:36 s tcp 212.179.30.13.20950 -> 130.216.52.18.110 5 0 0 0 s
> > 31 Jul 00 16:02:57 s tcp 212.179.30.13.21101 -> 130.216.116.18.110 5 0 0 0 s
> > 31 Jul 00 16:04:09 s tcp 212.179.30.13.21234 -> 130.216.12.18.143 5 0 0 0 s
> > 31 Jul 00 16:09:52 s tcp 212.179.30.13.21864 -> 130.216.28.18.143 5 0 0 0 s
> > 31 Jul 00 16:12:24 s tcp 212.179.30.13.22140 -> 130.216.60.18.143 5 0 0 0 s
> > 31 Jul 00 16:13:48 s tcp 212.179.30.13.22294 -> 130.216.124.18.143 5 0 0 0 s
> > 31 Jul 00 16:19:33 tcp 212.179.30.13.22917 <| 130.216.162.18.143 1 1 0 0 sR
> > 31 Jul 00 16:18:30 s tcp 212.179.30.13.22804 -> 130.216.34.18.143 2 0 0 0 s
> >
> > There seem to be two scans running probing different third octets.
> >
> > Cheers, Russell.
> >
> > Russell Fulton, The University of Auckland, New Zealand
>
> -------------------------------------------------
> Personally expressed opinions do not necessarily represent the opinions of 2XS Limited.
> -------------------------------------------------
> Mixter 2xs LTD.
> Tel: 972-9-9519980 Fax: 972-9-9519982
> Mail: mixter () 2xs co il
> Web: http://www.2xs.co.il
> -------------------------------------------------

--
** The hedgehog is a proud bird, he does not fly without kick **
Pauel
System administrator
ICQ UIN 39596913 8990192
Phone (7-84570)-52525 (7-84570)-40658
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
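The pattern Russell describes (each source active for roughly half an hour, touching a dozen or so hosts spread across the /16 that all share one last octet, on ports 110 and 143, with only a couple of RST replies) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from any of its posters. It parses flow records in the same layout as the log quoted above (the one-letter flag after the timestamp is treated as optional), summarises every source that touched the monitored /16, flags sources that sweep many /24s for a single host octet on a few ports, and then correlates flagged sources that share the same host octet and port set, which is the "distributed" case the report worries about. The twelve 212.179.30.13 records are the ones quoted in the thread; the 62.0.55.7 and 203.0.113.5 lines are constructed test data (a hypothetical second source in the 62.0.55.* block and a benign web connection), and the thresholds in flag_slow_scans are assumptions to be tuned against real traffic.

```python
"""Added example: triage of a slow, distributed port sweep from flow records.

Not code from the thread or its posters.  Record layout follows the log quoted
above: date time [flag] proto src.sport dir dst.dport spkts dpkts sbytes dbytes
state, the one-letter flag after the time being optional.  Assumed: monitored
block 130.216.0.0/16; the 62.0.55.7 and 203.0.113.5 records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Twelve 212.179.30.13 records quoted in the thread, then three constructed
# records from a hypothetical second source in 62.0.55.* on the same pattern,
# then one constructed ordinary web connection that must not be flagged.
SAMPLE_LOG = """\
31 Jul 00 15:52:10 s tcp 212.179.30.13.23226 -> 130.216.4.18.110 5 0 0 0 s
31 Jul 00 15:54:47 tcp 212.179.30.13.20184 <| 130.216.196.18.143 1 1 0 0 sR
31 Jul 00 15:58:28 s tcp 212.179.30.13.20600 -> 130.216.20.18.143 5 0 0 0 s
31 Jul 00 15:59:37 s tcp 212.179.30.13.20728 -> 130.216.148.18.110 5 0 0 0 s
31 Jul 00 16:01:36 s tcp 212.179.30.13.20950 -> 130.216.52.18.110 5 0 0 0 s
31 Jul 00 16:02:57 s tcp 212.179.30.13.21101 -> 130.216.116.18.110 5 0 0 0 s
31 Jul 00 16:04:09 s tcp 212.179.30.13.21234 -> 130.216.12.18.143 5 0 0 0 s
31 Jul 00 16:09:52 s tcp 212.179.30.13.21864 -> 130.216.28.18.143 5 0 0 0 s
31 Jul 00 16:12:24 s tcp 212.179.30.13.22140 -> 130.216.60.18.143 5 0 0 0 s
31 Jul 00 16:13:48 s tcp 212.179.30.13.22294 -> 130.216.124.18.143 5 0 0 0 s
31 Jul 00 16:19:33 tcp 212.179.30.13.22917 <| 130.216.162.18.143 1 1 0 0 sR
31 Jul 00 16:18:30 s tcp 212.179.30.13.22804 -> 130.216.34.18.143 2 0 0 0 s
31 Jul 00 16:40:02 s tcp 62.0.55.7.1501 -> 130.216.8.18.110 5 0 0 0 s
31 Jul 00 16:47:11 s tcp 62.0.55.7.1533 -> 130.216.72.18.143 5 0 0 0 s
31 Jul 00 16:55:40 s tcp 62.0.55.7.1602 -> 130.216.200.18.110 5 0 0 0 s
31 Jul 00 16:03:15 s tcp 203.0.113.5.34201 -> 130.216.10.80.80 12 10 1460 9000 sSE
"""

RECORD = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?:[A-Za-z]\s+)?(?P<proto>[a-z]+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+(?P<dir>\S+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+)\s+(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+"
    r"(?P<sbytes>\d+)\s+(?P<dbytes>\d+)\s+(?P<state>\S+)$"
)


def parse_records(text):
    """Parse one record per line; fail loudly on anything that does not fit."""
    records = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RECORD.match(line)
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        records.append({
            "ts": datetime.strptime(m["ts"], "%d %b %y %H:%M:%S"),
            "src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
            "dport": int(m["dport"]), "dpkts": int(m["dpkts"]), "state": m["state"],
        })
    return records


def summarize_sources(records, monitored="130.216.0.0/16"):
    """Per source: active window, the /24s and host octets it touched, the
    ports, and how many probes drew any reply at all (dpkts > 0)."""
    net = ip_network(monitored)
    by_src = defaultdict(list)
    for r in records:
        if r["dst"] in net:
            by_src[str(r["src"])].append(r)
    out = {}
    for src, rs in by_src.items():
        times = [r["ts"] for r in rs]
        out[src] = {
            "flows": len(rs), "first": min(times), "last": max(times),
            "active_minutes": (max(times) - min(times)).total_seconds() / 60,
            "third_octets": sorted({r["dst"].packed[2] for r in rs}),
            "last_octets": sorted({r["dst"].packed[3] for r in rs}),
            "ports": sorted({r["dport"] for r in rs}),
            "answered": sum(r["dpkts"] > 0 for r in rs),
        }
    return out


def flag_slow_scans(summaries, min_third_octets=3, max_ports=3):
    """Sweep candidate: many /24s inside the /16, one host octet, few ports.
    The thresholds are assumptions; tune them against your own baseline."""
    return sorted(src for src, s in summaries.items()
                  if len(s["third_octets"]) >= min_third_octets
                  and len(s["last_octets"]) == 1
                  and len(s["ports"]) <= max_ports)


def correlate_sources(summaries, flagged):
    """Group flagged sources by (host octet, port set); more than one source
    on the same key is the distributed case the report describes."""
    groups = defaultdict(list)
    for src in flagged:
        s = summaries[src]
        groups[(s["last_octets"][0], tuple(s["ports"]))].append(src)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    summaries = summarize_sources(parse_records(SAMPLE_LOG))
    flagged = flag_slow_scans(summaries)
    for src in flagged:
        s = summaries[src]
        print(f"{src}: {s['flows']} flows over {s['active_minutes']:.1f} min, "
              f"/24s {s['third_octets']}, host .{s['last_octets'][0]}, "
              f"ports {s['ports']}, answered {s['answered']}")
    print("shared pattern:", correlate_sources(summaries, flagged))
```

On the sample data the quoted source shows 12 flows over about 27 minutes across 12 different /24s, always host .18 on ports 110/143, with only 2 probes answered (the two `sR` records, i.e. RSTs from closed ports; the rest drew nothing back, which is what a filtered host looks like). The constructed 62.0.55.7 source lands on the same (18, {110, 143}) key, so both are reported together, while the single web connection is ignored. The per-source summary is what you would attach to an abuse report, and the correlation key is what to feed back into the slow-scan detector so new addresses on the same pattern are caught on their first probe rather than after half an hour.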
Current thread:
- large scale distributed scan from Israel Russell Fulton (Aug 01)
- Re: large scale distributed scan from Israel mixter (Aug 02)
- Re: large scale distributed scan from Israel Pavel Lozhkin (Aug 03)
- Re: large scale distributed scan from Israel mixter (Aug 02)