Security Incidents mailing list archives

RE: Scanning from a "intruder.rs88.net"?


From: "Jason Lewis" <jlewis () jasonlewis net>
Date: Sun, 27 May 2001 02:54:16 -0400

What is running on the machine these logs came from?  Web, DNS, FTP?

Microsoft boxes attempt to connect via NetBIOS or do WINS lookups on servers
they are trying to use services on.  A windows box will try to connect on
port 137 if it is trying to access your web server.  I dump all that traffic
at my border router.

That name is a poor choice for any box in any case.

Jason Lewis
http://www.packetnexus.com
http://www.packetnexus.com/kb/greyarts/
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.



-----Original Message-----
From: Simos Xenitellis [mailto:simos () pc96 ma rhbnc ac uk]
Sent: Saturday, May 26, 2001 6:47 PM
To: INCIDENTS () securityfocus com
Subject: Scanning from a "intruder.rs88.net"?



Dear All,
        Checking my logfiles, I noticed that the IP
208.50.149.200 (intruder.rs88.net) came up several times.
To be precise:
(time is in GMT+0000)

May 20 11:51:26 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137
DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137
DPT=137 LEN=58
May 21 12:39:24 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=38375 PROTO=UDP SPT=137
DPT=137 LEN=58
May 21 12:39:26 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=45287 PROTO=UDP SPT=137
DPT=137 LEN=58
May 22 13:40:34 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=11946 PROTO=UDP SPT=137
DPT=137 LEN=58
May 25 19:29:13 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=30730 PROTO=UDP SPT=137
DPT=137 LEN=58
May 15 04:54:06 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=15511 PROTO=UDP SPT=137
DPT=137 LEN=58
May 15 04:54:09 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=38039 PROTO=UDP SPT=137
DPT=137 LEN=58
May 16 06:32:21 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=65464 PROTO=UDP SPT=137
DPT=137 LEN=58
May 16 06:32:24 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=16057 PROTO=UDP SPT=137
DPT=137 LEN=58
May 19 10:22:44 myhost kernel: IN=eth0 OUT=
MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200
DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=56924 PROTO=UDP SPT=137
DPT=137 LEN=58

I would not be worried about it if www.rs88.net did not have the text of
"permission-based marketing on the Internet, sending personalized messages
from companies to their customers".

I sent them an e-mail to their "abuse" e-mail account but did not receive
an explanation (over a week ago).

simos

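Detection logic for the pattern discussed in both messages, as an added example that is not part of the thread: it parses netfilter LOG lines like those above (a constructed sample modelled on the post, with the year assumed to be 2001 because syslog omits it) and summarises, per source, how often UDP/137 traffic arrives, separating a single name query with its retransmission from a host that keeps coming back on several days.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in the netfilter LOG format from the thread (one packet per line); MAC/DST masked as in the post.
SAMPLE_LOG = """\
May 20 11:51:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=3981 PROTO=UDP SPT=137 DPT=137 LEN=58
May 20 11:51:28 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=10381 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 12:39:24 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=38375 PROTO=UDP SPT=137 DPT=137 LEN=58
May 21 12:39:26 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=208.50.149.200 DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=45287 PROTO=UDP SPT=137 DPT=137 LEN=58
May 22 08:00:00 myhost kernel: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:00:20:da:ec:c6:b9:08:00 SRC=192.0.2.10 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_netfilter(text, year=2001):
    """Yield (timestamp, fields) per LOG line; syslog omits the year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        fields = {}
        for k, v in KV_RE.findall(m.group("kv")):
            fields.setdefault(k, v)  # keep the first LEN= (IP total), ignore the UDP LEN=
        yield ts, fields

def netbios_probes(text, burst_window=5):
    """Summarise inbound UDP/137 per source: packets, query bursts, distinct days."""
    # Packets within burst_window seconds count as one name query plus its retransmission
    # (the 2-3 s pairs in the thread); bursts on several days mean the host keeps coming back.
    by_src = defaultdict(list)
    for ts, f in parse_netfilter(text):
        if f.get("PROTO") == "UDP" and f.get("DPT") == "137":
            by_src[f["SRC"]].append((ts, f.get("SPT")))
    report = {}
    for src, hits in by_src.items():
        hits.sort()
        bursts, last = 0, None
        for ts, _ in hits:
            if last is None or (ts - last).total_seconds() > burst_window:
                bursts += 1
            last = ts
        report[src] = {
            "packets": len(hits), "bursts": bursts, "repeated": bursts > 1,
            "days": len({ts.date() for ts, _ in hits}),
            # SPT=137 is what a stock Windows NetBIOS stack uses; other source ports suggest a scanner
            "from_nbt_stack": all(spt == "137" for _, spt in hits),
        }
    return report
```

Feed it the output of `grep 'DPT=137' /var/log/messages` to get the same per-source summary for a real log; the TCP line in the sample is there only to show that unrelated traffic is ignored.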
