Re: Attack attempts from 195.86.128.45

From: KoRe MeLtDoWn (koremeltdownat_private)
Date: Tue May 06 2003 - 20:44:54 PDT


    Hi Christian,
    I'm sorry to say, and you will most likely hear it from others too, but don't 
    expect a fast response from the ISP (you are less than likely to even get 
    one).
    The next step would be to block that IP off on your firewalls, and update 
    your machine if needed - this person obviously isn't just doing a C class 
    sweep - they are looking hard for a way into either yours only, or a select 
    few networks.
    What security mechanisms are you running currently? Perhaps now might be a 
    wise time to conduct an audit, to find any holes before whoever is looking 
    for them outside of your organisation does...
    After that the best advice would be to stay alert, and monitor your gateway 
    logs closely.
    
    
    Kind regards,
    
    Hamish Stanaway
    
    Absolute Web Hosting / Koreworks Internet Security
    Owner/Operator
    Auckland
    New Zealand
    http://www.webhosting.net.nz/ ][ http://www.koreworks.com/
    
    >From: Christian Stigen Larsen
    >To: incidentsat_private
    >Subject: Attack attempts from 195.86.128.45
    >Date: Tue, 6 May 2003 19:36:34 +0200
    >MIME-Version: 1.0
    >Received: from outgoing3.securityfocus.com ([205.206.231.27]) by mc5-f23.law1.hotmail.com with Microsoft SMTPSVC(5.0.2195.5600); Tue, 6 May 2003 20:23:57 -0700
    >Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing3.securityfocus.com (Postfix) with QMQP id E4D5DA30E6; Tue, 6 May 2003 21:15:27 -0600 (MDT)
    >Received: (qmail 8386 invoked from network); 6 May 2003 17:14:23 -0000
    >X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
    >Mailing-List: contact incidents-helpat_private; run by ezmlm
    >Precedence: bulk
    >List-Id:
    >List-Post:
    >List-Help:
    >List-Unsubscribe:
    >List-Subscribe:
    >Delivered-To: mailing list incidentsat_private
    >Delivered-To: moderator for incidentsat_private
    >Message-ID: <20030506173634.GA19191at_private>
    >User-Agent: Mutt/1.4.1i
    >Return-Path: incidents-return-5513-koremeltdown=hotmail.comat_private
    >X-OriginalArrivalTime: 07 May 2003 03:23:57.0967 (UTC) FILETIME=[189D51F0:01C31448]
    >
    >Hi all,
    >
    >we've gotten a lot of attempted attacks from 195.86.128.45, which maps to 
    >kes.wirehub.nl. I've already notified abuseat_private, but has 
    >anybody else seen attacks from this IP?
    >
    >From our log:
    >
    >05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ
    >05/06/2003 12:35:54.624 Ripper Attack Dropped 195.86.128.45, 3230, WAN 195.119.0.181, 2023, DMZ
    >05/06/2003 12:36:18.736 Sub Seven Attack Dropped 195.86.128.45, 1780, WAN 195.119.0.181, 1243, DMZ
    >05/06/2003 12:43:28.928 Sub Seven Attack Dropped 195.86.128.45, 1627, WAN 195.119.0.181, 6711, DMZ
    >05/06/2003 12:52:30.176 Ini Killer Attack Dropped 195.86.128.45, 4690, WAN 195.119.0.181, 9989, DMZ
    >05/06/2003 12:54:06.592 Striker Attack Dropped 195.86.128.45, 1327, WAN 195.119.0.181, 2565, DMZ
    >05/06/2003 12:59:22.640 Net Spy Attack Dropped 195.86.128.45, 2570, WAN 195.119.0.181, 1024, DMZ
    >05/06/2003 13:25:08.352 Net Spy Attack Dropped 195.86.128.45, 3754, WAN 195.119.0.181, 1024, DMZ
    >05/06/2003 13:32:18.144 Striker Attack Dropped 195.86.128.45, 2661, WAN 195.119.0.181, 2565, DMZ
    >05/06/2003 13:34:10.352 Ini Killer Attack Dropped 195.86.128.45, 2307, WAN 195.119.0.181, 9989, DMZ
    >05/06/2003 13:42:59.320 Sub Seven Attack Dropped 195.86.128.45, 2832, WAN 195.119.0.181, 6711, DMZ
    >05/06/2003 13:48:29.528 Sub Seven Attack Dropped 195.86.128.45, 1863, WAN 195.119.0.181, 1243, DMZ
    >05/06/2003 13:48:41.544 Ripper Attack Dropped 195.86.128.45, 4230, WAN 195.119.0.181, 2023, DMZ
    >05/06/2003 13:52:18.416 Sub Seven Attack Dropped 195.86.128.45, 3498, WAN 195.119.0.181, 6776, DMZ
    >05/06/2003 14:12:09.240 NetBus Attack Dropped 195.86.128.45, 3677, WAN 195.119.0.181, 12345, DMZ
    >05/06/2003 14:36:07.608 Priority Attack Dropped 195.86.128.45, 2045, WAN 195.119.0.181, 16969, DMZ
    >05/06/2003 15:08:06.576 Priority Attack Dropped 195.86.128.45, 3927, WAN 195.119.0.181, 16969, DMZ
    >05/06/2003 15:11:52.048 NetBus Attack Dropped 195.86.128.45, 1756, WAN 195.119.0.181, 12345, DMZ
    >05/06/2003 15:14:22.032 NetBus Attack Dropped 195.86.128.45, 3133, WAN 195.119.0.181, 12345, DMZ
    >05/06/2003 15:17:39.560 Priority Attack Dropped 195.86.128.45, 2129, WAN 195.119.0.181, 16969, DMZ
    >05/06/2003 15:47:12.224 NetBus Attack Dropped 195.86.128.45, 3450, WAN 195.119.0.181, 20034, DMZ
    >05/06/2003 15:51:43.192 NetBus Attack Dropped 195.86.128.45, 4064, WAN 195.119.0.181, 20034, DMZ
    >05/06/2003 16:38:27.816 Back Orifice Attack Dropped 195.86.128.45, 2249, WAN 195.119.0.181, 31337, DMZ
    >[...]
    >
    >Plus numerous portscans.
    >
    >What should I do next, besides wait for a reply?
    >
    >--
    >Christian Stigen Larsen -- http://sublevel3.org/~csl/ -- mob: +47 98 22 02 
    >15
    >
    >---------------------------------------------------------------------------- 
    >Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
    >world's premier event for IT and network security experts. The two-day 
    >Training features 6 hand-on courses on May 12-13 taught by professionals. 
    >The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
    >sales pitches. Deadline for the best rates is April 25. Register today to 
    >ensure your place. http://www.securityfocus.com/BlackHat-incidents 
    >----------------------------------------------------------------------------
    >
    
    
    
    
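As an added example (not code from either poster), the following Python parses gateway log lines in the format shown in the quoted message and applies the reasoning of the reply: one source hitting many distinct trojan-associated ports on a single host, spread over hours, is a targeted probe rather than a C class sweep. A subset of the posted log lines is used as input, plus one constructed line from an unrelated source for contrast. The log format, the thresholds and the iptables rule at the end are assumptions; the original poster's gateway is never identified.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the "Attack Dropped" lines as posted in the quoted message.
POSTED_LOG = [
    "05/06/2003 12:29:53.048 Sub Seven Attack Dropped 195.86.128.45, 4341, WAN 195.119.0.181, 6776, DMZ",
    "05/06/2003 12:35:54.624 Ripper Attack Dropped 195.86.128.45, 3230, WAN 195.119.0.181, 2023, DMZ",
    "05/06/2003 12:36:18.736 Sub Seven Attack Dropped 195.86.128.45, 1780, WAN 195.119.0.181, 1243, DMZ",
    "05/06/2003 12:52:30.176 Ini Killer Attack Dropped 195.86.128.45, 4690, WAN 195.119.0.181, 9989, DMZ",
    "05/06/2003 12:54:06.592 Striker Attack Dropped 195.86.128.45, 1327, WAN 195.119.0.181, 2565, DMZ",
    "05/06/2003 12:59:22.640 Net Spy Attack Dropped 195.86.128.45, 2570, WAN 195.119.0.181, 1024, DMZ",
    "05/06/2003 14:12:09.240 NetBus Attack Dropped 195.86.128.45, 3677, WAN 195.119.0.181, 12345, DMZ",
    "05/06/2003 14:36:07.608 Priority Attack Dropped 195.86.128.45, 2045, WAN 195.119.0.181, 16969, DMZ",
    "05/06/2003 15:47:12.224 NetBus Attack Dropped 195.86.128.45, 3450, WAN 195.119.0.181, 20034, DMZ",
    "05/06/2003 16:38:27.816 Back Orifice Attack Dropped 195.86.128.45, 2249, WAN 195.119.0.181, 31337, DMZ",
]
# Constructed noise line (not from the post): a single probe from another source,
# which a detector tuned for the targeted pattern should not flag.
NOISE_LOG = [
    "05/06/2003 16:40:00.000 NetBus Attack Dropped 10.9.8.7, 4000, WAN 195.119.0.181, 12345, DMZ",
]

# Assumed layout: "<date> <time> <signature> Attack Dropped <src>, <sport>, <zone> <dst>, <dport>, <zone>"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<signature>.+?) Attack Dropped "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), (?P<sport>\d+), (?P<szone>\w+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}), (?P<dport>\d+), (?P<dzone>\w+)$"
)


def parse_line(line):
    """Parse one gateway log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S.%f")
    return {
        "ts": ts,
        "signature": m["signature"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def parse_log(lines):
    """Parse all lines, silently dropping any that do not match the expected layout."""
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def summarize(events):
    """Per (src, dst) pair: distinct destination ports, signatures, event count, first/last seen."""
    acc = defaultdict(lambda: {"ports": set(), "signatures": set(), "count": 0, "first": None, "last": None})
    for ev in events:
        s = acc[(ev["src"], ev["dst"])]
        s["ports"].add(ev["dport"])
        s["signatures"].add(ev["signature"])
        s["count"] += 1
        if s["first"] is None or ev["ts"] < s["first"]:
            s["first"] = ev["ts"]
        if s["last"] is None or ev["ts"] > s["last"]:
            s["last"] = ev["ts"]
    return dict(acc)


def flag_targeted_probes(events, min_ports=5, min_span_seconds=600):
    """Return (src, dst, ports, span_seconds) for sources that hit at least min_ports distinct
    ports on ONE host over at least min_span_seconds. Many ports, one target, hours of
    patience is the pattern the reply calls a targeted probe rather than a C class sweep.
    Thresholds are assumptions and should be tuned to the site's own traffic."""
    flagged = []
    for (src, dst), s in summarize(events).items():
        span = (s["last"] - s["first"]).total_seconds()
        if len(s["ports"]) >= min_ports and span >= min_span_seconds:
            flagged.append((src, dst, sorted(s["ports"]), span))
    return sorted(flagged)


def block_rule(src):
    """Suggested host firewall rule for the reply's 'block that IP' step (iptables assumed)."""
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    evs = parse_log(POSTED_LOG + NOISE_LOG)
    for src, dst, ports, span in flag_targeted_probes(evs):
        print(f"{src} -> {dst}: {len(ports)} distinct ports over {span / 3600:.1f} h: {ports}")
        print("  " + block_rule(src))
```

Only the source address and distinct destination ports drive the verdict; the signature names the gateway attaches (Sub Seven, NetBus, Back Orifice) are port-based guesses and are kept only for reporting.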


