- date: Wed Sep 8 09:07:08 2004
- from: johnmills at speakeasy.net (John Mills)
- in-reply-to: msg00230.html
- subject: [ale] Backtracking to an IP

Thanks. I sent a note. I also read of the identical attack (with a
different range of common user names and very different IP) reported on
the 'freebsd-questions' list. Respondent there suggested a firewall
block, but if these are compromised systems I guess this could be a "push
it down here and it comes up over there" situation.

Any ideas of the virus involved? (I say 'virus' because we suppose these
are cracked systems, not intentionally run attacks.)

On Wed, 8 Sep 2004, Michael Still wrote:
> On Wed, 8 Sep 2004 07:26:57 -0500 (EST), John Mills
> <johnmills at speakeasy.net> wrote:
> > ALERs -
> >
> > My box got a suspect series of ssh login attempts under common, but unused
> > account names, all from the same IP address: 64.124.210.23
> >
> > How can I learn a bit more about the source?
> >
> http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-64-124-210-0-1
>
> Shows that it's an AboveNet IP block reassigned to APS communications.
> Send a msg to the noc at above.net address or abuse at above.net and
> tell them that box might be cracked.
- John Mills
john.m.mills at alum.mit.edu
</pre>
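Added example, not part of the original message: one way to turn the kind of sshd log entries described above into the per-source summary (attempt count, account names tried, time window) that a note to a netblock's abuse contact would carry. The log lines, the host name `box` and the second address are constructed; the script assumes OpenSSH's syslog format "Failed password for illegal/invalid user NAME from IP port N" and IPv4 sources only.

```python
import re
from collections import defaultdict

# Constructed sample in classic syslog format (not taken from the thread).
SAMPLE_LOG = """\
Sep  8 07:01:12 box sshd[5101]: Illegal user test from 64.124.210.23
Sep  8 07:01:12 box sshd[5101]: Failed password for illegal user test from 64.124.210.23 port 40112 ssh2
Sep  8 07:01:15 box sshd[5103]: Failed password for illegal user guest from 64.124.210.23 port 40115 ssh2
Sep  8 07:01:19 box sshd[5105]: Failed password for illegal user admin from 64.124.210.23 port 40121 ssh2
Sep  8 07:03:40 box sshd[5110]: Accepted password for alice from 192.0.2.7 port 51515 ssh2
Sep  8 07:09:02 box sshd[5120]: Failed password for invalid user oracle from 192.0.2.99 port 33001 ssh2
"""

# Older OpenSSH logs "illegal user", newer releases log "invalid user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?P<unknown>(?:illegal|invalid) user )?(?P<user>\S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text, min_attempts=3):
    """Group failed logins for nonexistent accounts by source IP."""
    per_ip = defaultdict(
        lambda: {"attempts": 0, "users": set(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or not m.group("unknown"):
            continue  # skip successes and failures against real accounts
        rec = per_ip[m.group("ip")]
        rec["attempts"] += 1
        rec["users"].add(m.group("user"))
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
    # A single mistyped login is not worth reporting; keep repeated sources.
    return {ip: r for ip, r in per_ip.items() if r["attempts"] >= min_attempts}

def abuse_report(log_text):
    """One line per source, ready to paste into a note to the abuse contact."""
    return [
        f"{ip}: {r['attempts']} failed ssh logins for nonexistent accounts "
        f"({', '.join(sorted(r['users']))}) between {r['first']} and {r['last']}"
        for ip, r in sorted(summarize(log_text).items())
    ]

if __name__ == "__main__":
    print("\n".join(abuse_report(SAMPLE_LOG)))
```

Include the host's time zone alongside the summary, since syslog timestamps in this format carry neither zone nor year.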
</body>
</html>