North American Network Operators Group

Re: Information from an FTP violation this weekend.
And I thought the Internet was such a friendly, welcoming environment..
maybe I should remove all my telnet guest logins from my servers and remove
my credit card number from my homepage..

Steve

On Mon, 23 Apr 2001, Smith, Rick wrote:

>
>
> Nanog; fyi.
>
> APNIC / Excite / Home.net -
>
> We have an ftp site running on 209.123.52.40 that is made writable at
> certain periods of time for anonymous users. Some of our customer's systems
> are programmed to send in bug reports, problem programs, etc at these times.
> One of these periods of time was this past Friday (4/20/01) from 6pm EST to
> Saturday afternoon at Noon. In that time period, a couple of hundred megs
> of movies / warez / crap was dropped onto the ftp site, and then the people
> that were (I presume) loading up the site got cut off.
>
> Not only did the violator from 203.164.51.0/24 store illegal information on
> our ftp site, they also deleted everything that existed. Not anyone's fault
> there but our own, and no problem since there were backups, but just fyi
> that this stuff is happening out there from the reported networks.
>
> Here's some information I collected from a .htaccess file in one of the
> directories that these <insert expletive here> left.
>
> <Limit GET>
> order allow,deny
> deny from 141.201.222.
> deny from 24.141.20.
> deny from 24.141.36.
> deny from 65.1.50.
> .
> . Bunch of Denies
> .
> allow from 203.164.51.
> deny from 203.164.3.
> deny from 62.30.0.
> .
> . Bunch of Denies
> .
> allow from all
> </Limit>
>
>
>
> I run Portsentry on my FreeBSD firewall, which caught and denied this:
> 987814775 - 04/20/2001 20:59:35 Host: www.uov.net/209.37.153.6 Port: 515 TCP
> Blocked
>
>
> The swip info for the one allow statement in that htaccess file:
>
> [root]# whois -h whois.arin.net 203.164.51.0
>
> Asia Pacific Network Information Center (APNIC2)
> These addresses have been further assigned to Asia-Pacific users.
> Contact info can be found in the APNIC database,
> at WHOIS.APNIC.NET or http://www.apnic.net/
> Please do not send spam complaints to APNIC.
> AU
>
> Netname: APNIC-CIDR-BLK
> Netblock: 202.0.0.0 - 203.255.255.255
> Maintainer: AP
>
>
> Gee - go figure - a cable modem ween
>
> [root]# whois -h whois.apnic.net 203.164.51.0
>
> % Rights restricted by copyright. See
> http://www.apnic.net/db/dbcopyright.html
>
> inetnum: 203.164.48.0 - 203.164.51.255
> netname: ATHOME-AU-RIVRW-1
> descr: Infrastructure
> country: AU
> admin-c: HH85-AP
> tech-c: AI13-AP
> mnt-by: MAINT-AU-ATHOME
> changed: [email protected] 20000911
> source: APNIC
>
> person: Hostmaster Home Network Australia
> address: 100 Harris Street
> address: Pyrmont
> address: NSW 2009
> phone: +61 2 9005 1000
> fax-no: +61 2 9005 1076
> country: AU
> e-mail: [email protected]
> nic-hdl: HH85-AP
> mnt-by: MAINT-AU-ATHOME
> changed: [email protected] 20000830
> source: APNIC
>
> person: ATHome-AU IP Mgmt
> address: 450 Broadway Street
> address: Redwood City, CA 94063
> address: US
> phone: +1-800-872-3595
> country: AU
> e-mail: [email protected]
> nic-hdl: AI13-AP
> mnt-by: MAINT-AU-ATHOME
> changed: [email protected] 20000830
> source: APNIC
>
>
>
> Thanks,
> Rick Smith
> Director of Technical Services
> Applied Tactical Systems
> (A division of Vertex Interactive, Inc.)
> <http://www.atsworld.com> --- <http://www.vertexinteractive.com>
> (973) 808 - 1750 x382
>
>
>

--
Stephen J. Wilcox
IP Services Manager, Opal Telecom
http://www.opaltelecom.co.uk/
Tel: 0161 222 2000
Fax: 0161 222 2008
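
Added example, not part of the original messages: a small Python model of how Apache evaluates `order allow,deny`, applied to the rules visible in the quoted .htaccess, to show which client addresses those lines admit when triaging a file like this. The elided "Bunch of Denies" are omitted, the client addresses are constructed, and only partial-IP and `all` specs are handled.

```python
import ipaddress

# Rules visible in the quoted .htaccess (the elided "Bunch of Denies" are left out).
RULES = [
    ("deny", "141.201.222."), ("deny", "24.141.20."), ("deny", "24.141.36."),
    ("deny", "65.1.50."), ("allow", "203.164.51."), ("deny", "203.164.3."),
    ("deny", "62.30.0."), ("allow", "all"),
]

def to_network(spec):
    """Legacy partial-IP syntax: 'a.b.c.' or 'a.b.c' means a.b.c.0/24, and so on."""
    octets = [o for o in spec.split(".") if o]
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"unsupported spec: {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")

def matches(spec, client):
    if spec == "all":
        return True
    return ipaddress.ip_address(client) in to_network(spec)

def evaluate(rules, client, order="allow,deny"):
    """Return True if the client is admitted.

    allow,deny: default deny; must match an Allow and no Deny.
    deny,allow: default allow; a Deny match is overridden by an Allow match.
    File order of the individual lines is irrelevant in both modes.
    """
    allowed = any(matches(s, client) for kind, s in rules if kind == "allow")
    denied = any(matches(s, client) for kind, s in rules if kind == "deny")
    if order == "allow,deny":
        return allowed and not denied
    if order == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unsupported order: {order!r}")

def effective_allows(rules):
    """Allow specs that change the outcome, i.e. are not shadowed by 'allow from all'."""
    specs = [s for kind, s in rules if kind == "allow"]
    return specs if "all" not in specs else ["all"]

if __name__ == "__main__":
    # Constructed client addresses, one per case of interest.
    for ip in ("203.164.51.7", "203.164.3.9", "24.141.20.1", "198.51.100.5"):
        print(ip, "admitted" if evaluate(RULES, ip) else "denied")
    print("effective allow specs:", effective_allows(RULES))
```

With `allow from all` present, every client outside the listed deny prefixes is admitted, so the `allow from 203.164.51.` line does not change the result for these rules.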