[30577] in North American Network Operators' Group


Re: Rise in intrusion attempts from *.jp

daemon@ATHENA.MIT.EDU (Jeremy T. Bouse)
Tue Aug 15 00:31:14 2000

Date: Tue, 15 Aug 2000 00:29:10 -0400
From: "Jeremy T. Bouse" <undrgrid@toons.UnderGrid.net>
To: nanog@merit.edu
Message-ID: <20000815002910.A26933@UnderGrid.net>
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.10.10008142043310.13996-100000@mailer.salon.com>; from allspaw@mailer.salon.com on Mon, Aug 14, 2000 at 08:50:02PM -0700




John Allspaw was said to have been seen saying:
> 
> yes, i have seen a large number of port scans on both work networks and
> home network space.  nothing more crazy than your standard sequential port
> scan for open 53, 1, 8, etc.
> 
	What I'm talking about are not so obvious as a sequential port scan,
but rather attempts directed at ports with known exploits against either an
IP range or directed at a particular host. Also, those hosts being directly
targeted are not servers publicly known (i.e. domain name servers, mail
servers, etc.) but those behind-the-scenes machines that help keep things
flowing. Also, even if the ports were open, the sites making the attempts
would have had no reason to make the connections in the first place.

	Granted, the hardest part is getting any action taken. The times I do
find action is taken, it seems 9 out of 10 times it's a server which was
inappropriately configured and thus compromised and used as a staging area for
further attacks. Some of my more enjoyable attempts have been with UUnet, where
I'd get a live body on the phone while it's occurring or shortly thereafter
and I'm told to send the email with the logs. I send the logs, get their lovely
automated message, then 48 hours later a message stating "we couldn't see anyone
on that IP at that time, please check your servers for accurate time". Which I
find humorous given the steps I take to ensure my logs are accurate and untampered.

	To give this more operational purpose: has anyone found, or is anyone aware of,
any good sites with accurate Abuse/Security contact info? I've found a lot of
the companies still have telephone numbers listed with the various NICs that
are answered by a fax machine, or email addresses that bounce. IIRC abuse.net
had one for spam contacts, but I realize some organizations have two separate
departments to handle spam and network threats.

	Respectfully,
	Jeremy T. Bouse
	UnderGrid Network Services, LLC
-- 
,-----------------------------------------------------------------------------,
| Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -   www.UnderGrid.net  |
|       All messages from this address should be at least PGP/GPG signed      |
|        Public PGP/GPG fingerprint and location in headers of message        |
|     If received unsigned (without requesting as such) DO NOT trust it!      |
| undrgrid@UnderGrid.net  -  NIC Whois: JB5713  -  Jeremy.Bouse@UnderGrid.net |
`-----------------------------------------------------------------------------'


