On 2001-05-16 11:02:29 +0200, Thomas Roessler wrote:

>The same characteristic also applies to the logs at
>http://members.iinet.net.au/~paulhng/lrp/kernlog.txt which David
>posted, and which are 10 days old. (!)

Asking google for a randomly selected common IP address from the list, I found <http://my.maceast.com/homevision-u-l/ace-l/linux-router-l/%2330765452>, where Nicolas Riendeau reports a similar scan which happened on April 13, 2001.

Taking his log file entries ("MrShield") into account, the table of attackers' IP addresses looks like this now:

    140.239.176.162  keith  sobolev  tifa  mrshield
    165.121.70.75    keith
    194.205.125.26   keith  sobolev  tifa  mrshield
    194.213.64.150   keith  sobolev  tifa  mrshield
    202.139.133.129  keith  sobolev  tifa  mrshield
    203.194.166.182  keith  sobolev  tifa  mrshield
    203.208.128.70   keith  sobolev  tifa  mrshield
    207.55.138.206   keith  sobolev  tifa
    208.184.162.71   keith  sobolev  tifa  mrshield
    209.249.97.40    keith  sobolev  tifa  mrshield
    212.23.225.98    keith  sobolev  tifa  mrshield
    212.78.160.237   keith           tifa  mrshield
    212.78.164.193          sobolev
    216.220.39.42    keith  sobolev  tifa  mrshield
    216.33.35.214    keith  sobolev  tifa  mrshield
    216.34.68.2      keith  sobolev  tifa  mrshield
    216.35.167.58    keith  sobolev  tifa
    62.23.80.2       keith  sobolev  tifa  mrshield
    62.26.119.34     keith  sobolev  tifa  mrshield
    63.209.147.246   keith  sobolev  tifa  mrshield
    64.14.200.154    keith  sobolev  tifa
    64.37.200.46     keith  sobolev  tifa  mrshield
    64.56.174.186    keith  sobolev  tifa  mrshield
    64.78.235.14     keith  sobolev  tifa

Maybe what we are seeing here are mostly decoy addresses used by some tool with an extremely bad RNG?

-- 
Thomas Roessler                        http://log.does-not-exist.org/
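
The cross-reporter comparison made in the message above can be reproduced from raw firewall logs. The following is an added example, not part of the original post: it builds the same kind of presence table and compares each pair's overlap with what independent, uniformly random source addresses would give. The `SRC=` log field, the site names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

SRC = re.compile(r"\bSRC=(\S+)")  # assumed log field; adapt to your firewall

# Constructed sample logs using documentation address ranges.
SAMPLE_LOGS = {
    "site_a": ["DENY SRC=192.0.2.10 DST=198.51.100.1",
               "DENY SRC=192.0.2.11 DST=198.51.100.1",
               "DENY SRC=203.0.113.7 DST=198.51.100.1"],
    "site_b": ["DENY SRC=192.0.2.10 DST=198.51.100.9",
               "DENY SRC=192.0.2.11 DST=198.51.100.9",
               "DENY SRC=not-an-ip DST=198.51.100.9"],
    "site_c": ["DENY SRC=192.0.2.10 DST=198.51.100.20",
               "DENY SRC=203.0.113.7 DST=198.51.100.20"],
}

def sources(lines):
    """Return the set of valid IPv4 source addresses in one site's log."""
    found = set()
    for line in lines:
        for raw in SRC.findall(line):
            try:
                found.add(ipaddress.IPv4Address(raw))
            except ValueError:
                continue  # malformed field, skip it
    return found

def presence_table(logs):
    """Map each source address to the sorted list of sites that logged it."""
    table = {}
    for site, lines in logs.items():
        for ip in sources(lines):
            table.setdefault(ip, []).append(site)
    return {ip: sorted(sites) for ip, sites in sorted(table.items())}

def pairwise_overlap(logs, space=2**32):
    """Shared sources per site pair, next to the count expected if each
    site's sources were independent uniform draws from the IPv4 space."""
    sets = {site: sources(lines) for site, lines in logs.items()}
    return {(a, b): (len(sets[a] & sets[b]), len(sets[a]) * len(sets[b]) / space)
            for a, b in combinations(sorted(sets), 2)}

if __name__ == "__main__":
    for ip, sites in presence_table(SAMPLE_LOGS).items():
        print(f"{str(ip):<16} {' '.join(sites)}")
    for pair, (shared, expected) in pairwise_overlap(SAMPLE_LOGS).items():
        print(pair, f"shared={shared} expected_if_random={expected:.2e}")
```

A shared count far above the random expectation means the sources were not drawn independently per target, which is consistent with a fixed or poorly randomized address list.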
This archive was generated by hypermail 2b30 : Wed May 16 2001 - 17:36:56 PDT