North American Network Operators Group


Re: Rise in intrusion attempts from *.jp

  • From: Jeremy T. Bouse
  • Date: Tue Aug 15 00:32:44 2000

John Allspaw was said to have been seen saying:
> 
> yes, i have seen a large number of port scans on both work networks and
> home network space.  nothing more crazy than your standard sequential port
> scan for open 53, 1, 8, etc.
> 
	What I'm talking about are not so obvious as a sequential port scan,
but rather attempts directed at ports with known exploits against either an
IP range or directed at a particular host. Also those hosts being directly
targeted are not servers publicly known (i.e. - Domain name servers, mail
servers, etc.) but those behind-the-scenes machines that help keep things
flowing. Also the fact that even if the ports were open the sites making
the attempts would have had no reason to make the connections in the first
place.

	Granted the hardest part is getting any action taken. The times I do
find action is taken it seems 9 out of 10 times it's a server which was
inappropriately configured and thus compromised and used as a staging area for
further attacks. Some of my more enjoyable attempts have been with UUnet whom
I'd get a live body on the phone while it's occurring or shortly thereafter
and I'm told to send the email with the logs. I send the logs, get their lovely
automated message, then 48 hours later a message stating "we couldn't see anyone
on that IP at that time, please check your servers for accurate time". Which I
find humorous at the steps I take to ensure my logs are accurate and untampered.

	To give this more operational purpose. Has anyone found or is anyone aware of
any good sites with accurate Abuse/Security contact info? I've found a lot of
the companies still have telephone numbers listed with the various NICs that
are answered by a fax machine or email addresses that bounce. IIRC abuse.net
had one for spam contacts but I realize some organizations have two separate
departments to handle spam and network threats.

	Respectfully,
	Jeremy T. Bouse
	UnderGrid Network Services, LLC
-- 
,-----------------------------------------------------------------------------,
| Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -   www.UnderGrid.net  |
|       All messages from this address should be at least PGP/GPG signed      |
|        Public PGP/GPG fingerprint and location in headers of message        |
|     If received unsigned (without requesting as such) DO NOT trust it!      |
| [email protected]  -  NIC Whois: JB5713  -  [email protected] |
`-----------------------------------------------------------------------------'

Attachment: pgp00010.pgp
Description: PGP signature