
Re: [Full-disclosure] Brain dead SSH scans from Italy

Subject: Re: [Full-disclosure] Brain dead SSH scans from Italy
Date: Fri, 28 Oct 2005 23:42:19 +0200
Etaoin Shrdlu wrote:

Well, I'm stumped. I mean, really stumped.

I've had a host scanning my network for the past three days, and it
initially looked like one of the automated scans we've all become so
familiar with (unfortunately). Naturally, the automatic defense was
engaged, and I thought that would be the end of it. Nope.

It continues to send SYN packets, and although it's dropped off in attacks
to the other machines, it still pounds at the doors of two of them. Those
two machines have a couple of things in common: they are both running BIND
9, and are both OpenBSD {mumble}.

I've sent email off to the RIPE contacts for the IP (195.250.227.226), and
to the WHOIS contacts for the domain (ocem.com), and to abuse@ocem.com as
well. Nothing. If I take off the null routing on either of those machines,
it immediately starts hammering at them, with no signs of cessation. I have
considered just letting it finish, but I'm more concerned that there's a
new variant on this moronic scan that doesn't know when to quit. I suspect
that the continuation is because they are DNS servers, since I took the
blocking off of one of the other machines also running OpenBSD, and the
scanning did not resume (although I had expected it to).

I'm at a loss. If anyone knows Italian (I don't), and can contact one of:

fabiom@uni.net
ennio.scheda@ocem.com
lucamarino@cassiopea.it

or anyone at ocem.com, please, let them know that the machine is
compromised, and that they need to take it off line, and clean it up.

TIA and all that.

--
There are two ways, my friend, that you can be rich in life.
One is to make a lot of money and the other is to have few needs.

William Sloane Coffin, "Letters to a Young Doubter"
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


I'm Italian, if you want, send to me the text of the email for:

fabiom@uni.net
ennio.scheda@ocem.com
lucamarino@cassiopea.it

and I will take care myself of the translation.
Regards

Vania


