[36874] in North American Network Operators' Group
Re: Information from an FTP violation this weekend.
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Mon Apr 23 12:22:18 2001
Date: Mon, 23 Apr 2001 17:19:24 +0100 (BST)
From: "Stephen J. Wilcox" <steve@opaltelecom.co.uk>
To: "Smith, Rick" <rsmith@atsworld.com>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
In-Reply-To: <88786160BFD1D211B10800A0C9EC744EAB7CA0@CORP>
Message-ID: <Pine.LNX.4.21.0104231718040.7509-100000@staff.opaltelecom.net>
And I thought the Internet was such a friendly, welcoming
environment.. maybe I should remove all my telnet guest logins from my
servers and remove my credit card number from my homepage..
Steve
On Mon, 23 Apr 2001, Smith, Rick wrote:
>
>
> Nanog; fyi.
>
> APNIC / Excite / Home.net -
>
> We have an ftp site running on 209.123.52.40 that is made writable at
> certain periods of time for anonymous users. Some of our customer's systems
> are programmed to send in bug reports, problem programs, etc at these times.
> One of these periods of time was this past Friday (4/20/01) from 6pm EST to
> Saturday afternoon at Noon. In that time period, a couple of hundred megs
> of movies / warez / crap was dropped onto the ftp site, and then the people
> that were (I presume) loading up the site got cut off.
>
> Not only did the violator from 203.164.51.0/24 store illegal information on
> our ftp site, they also deleted everything that existed. Not anyone's fault
> there but our own, and no problem since there were backups, but just fyi
> that this stuff is happening out there from the reported networks.
>
> Here's some information I collected from a .htaccess file in one of the
> directories that these <insert expletive here> left.
>
> <Limit GET>
> order allow,deny
> deny from 141.201.222.
> deny from 24.141.20.
> deny from 24.141.36.
> deny from 65.1.50.
> .
> . Bunch of Denies
> .
> allow from 203.164.51.
> deny from 203.164.3.
> deny from 62.30.0.
> .
> . Bunch of Denies
> .
> allow from all
> </Limit>
>
>
>
> I run Portsentry on my FreeBSD firewall, which caught and denied this:
> 987814775 - 04/20/2001 20:59:35 Host: www.uov.net/209.37.153.6 Port: 515 TCP
> Blocked
>
>
> The swip info for the one allow statement in that htaccess file:
>
> [root]# whois -h whois.arin.net 203.164.51.0
>
> Asia Pacific Network Information Center (APNIC2)
> These addresses have been further assigned to Asia-Pacific users.
> Contact info can be found in the APNIC database,
> at WHOIS.APNIC.NET or http://www.apnic.net/
> Please do not send spam complaints to APNIC.
> AU
>
> Netname: APNIC-CIDR-BLK
> Netblock: 202.0.0.0 - 203.255.255.255
> Maintainer: AP
>
>
> Gee - go figure - a cable modem ween
>
> [root]# whois -h whois.apnic.net 203.164.51.0
>
> % Rights restricted by copyright. See
> http://www.apnic.net/db/dbcopyright.html
>
> inetnum: 203.164.48.0 - 203.164.51.255
> netname: ATHOME-AU-RIVRW-1
> descr: Infrastructure
> country: AU
> admin-c: HH85-AP
> tech-c: AI13-AP
> mnt-by: MAINT-AU-ATHOME
> changed: ipmgmt@excitehome.net 20000911
> source: APNIC
>
> person: Hostmaster Home Network Australia
> address: 100 Harris Street
> address: Pyrmont
> address: NSW 2009
> phone: +61 2 9005 1000
> fax-no: +61 2 9005 1076
> country: AU
> e-mail: hostmaster@homenetwork.com.au
> nic-hdl: HH85-AP
> mnt-by: MAINT-AU-ATHOME
> changed: judithh@corp.home.net 20000830
> source: APNIC
>
> person: ATHome-AU IP Mgmt
> address: 450 Broadway Street
> address: Redwood City, CA 94063
> address: US
> phone: +1-800-872-3595
> country: AU
> e-mail: ipmgmt@excitehome.neet
> nic-hdl: AI13-AP
> mnt-by: MAINT-AU-ATHOME
> changed: judithh@corp.home.net 20000830
> source: APNIC
>
>
>
> Thanks,
> Rick Smith
> Director of Technical Services
> Applied Tactical Systems
> (A division of Vertex Interactive, Inc.)
> <http://www.atsworld.com> --- <http://www.vertexinteractive.com>
> (973) 808 - 1750 x382
>
>
>
--
Stephen J. Wilcox
IP Services Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000
Fax: 0161 222 2008
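
Added example, not part of the original thread: a Python sketch that evaluates the visible lines of the quoted .htaccess under Apache's `order allow,deny` rules, to show which client addresses a recovered file like this one admits. The function names and the reading of a trailing-dot entry as a whole-octet prefix are assumptions of this example, and the elided "Bunch of Denies" runs are left out.

```python
import ipaddress

# Constructed sample: the visible lines of the .htaccess quoted in the post,
# with the elided "Bunch of Denies" runs left out.
HTACCESS = """\
<Limit GET>
order allow,deny
deny from 141.201.222.
deny from 24.141.20.
deny from 24.141.36.
deny from 65.1.50.
allow from 203.164.51.
deny from 203.164.3.
deny from 62.30.0.
allow from all
</Limit>
"""

def parse_rules(text):
    """Return (order, allows, denies) collected from the directive lines."""
    order, allows, denies = None, [], []
    for raw in text.splitlines():
        words = raw.strip().lower().split()
        if len(words) == 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            (allows if words[0] == "allow" else denies).extend(words[2:])
    return order, allows, denies

def matches(spec, ip):
    """'all' matches everything; a partial address matches on whole octets."""
    if spec == "all":
        return True
    return (ip + ".").startswith(spec if spec.endswith(".") else spec + ".")

def get_allowed(text, ip):
    """Apply 'order allow,deny': the client must match an allow and no deny."""
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    order, allows, denies = parse_rules(text)
    if order != "allow,deny":
        raise ValueError("only 'order allow,deny' is modelled here")
    return any(matches(a, ip) for a in allows) and not any(matches(d, ip) for d in denies)

def explicit_allows(text):
    """Allow entries other than 'all': prefixes the file's author named explicitly."""
    return [a for a in parse_rules(text)[1] if a != "all"]
```

With `allow from all` present, every address that no deny line matches is admitted, so the explicit allow entry is informative as a lead but does not by itself change who can fetch the files.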