Information from an FTP violation this weekend.

Smith, Rick rsmith at atsworld.com
Mon Apr 23 16:10:00 UTC 2001


Nanog; fyi.

APNIC / Excite / Home.net -

We have an ftp site running on 209.123.52.40 that is made writable at
certain periods of time for anonymous users.  Some of our customer's systems
are programmed to send in bug reports, problem programs, etc at these times.
One of these periods of time was this past Friday (4/20/01) from 6pm EST to
Saturday afternoon at Noon.  In that time period, a couple of hundred megs
of movies / warez / crap was dropped onto the ftp site, and then the people
that were (I presume) loading up the site got cut off.

Not only did the violator from 203.164.51.0/24 store illegal information on
our ftp site, they also deleted everything that existed.  Not anyone's fault
there but our own, and no problem since there were backups, but just fyi
that this stuff is happening out there from the reported networks.

Here's some information I collected from a .htaccess file in one of the
directories that these <insert explative here> left.

<Limit GET> 
order allow,deny 
deny from 141.201.222.
deny from 24.141.20.
deny from 24.141.36.
deny from 65.1.50.
.
.  Bunch of Denies
.
allow from  203.164.51.
deny from 203.164.3.
deny from 62.30.0.
.
.  Bunch of Denies
.
allow from all 
</Limit> 



I run Portsentry on my FreeBSD firewall, which caught and denied this:
987814775 - 04/20/2001 20:59:35 Host: www.uov.net/209.37.153.6 Port: 515 TCP
Blocked


The swip info for the one allow statement in that htaccess file:

[root]# whois -h whois.arin.net 203.164.51.0

Asia Pacific Network Information Center (APNIC2)
   These addresses have been further assigned to Asia-Pacific users.
   Contact info can be found in the APNIC database,
   at WHOIS.APNIC.NET or http://www.apnic.net/
   Please do not send spam complaints to APNIC.
   AU

   Netname: APNIC-CIDR-BLK
   Netblock: 202.0.0.0 - 203.255.255.255
   Maintainer: AP


Gee - go figure - a cable modem ween

[root]# whois -h whois.apnic.net 203.164.51.0

% Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html

inetnum:     203.164.48.0 - 203.164.51.255
netname:     ATHOME-AU-RIVRW-1
descr:       Infrastructure
country:     AU
admin-c:     HH85-AP
tech-c:      AI13-AP
mnt-by:      MAINT-AU-ATHOME
changed:     ipmgmt at excitehome.net 20000911
source:      APNIC

person:      Hostmaster Home Network Australia
address:     100 Harris Street
address:     Pyrmont
address:     NSW 2009
phone:       +61 2 9005 1000
fax-no:      +61 2 9005 1076
country:     AU
e-mail:      hostmaster at homenetwork.com.au
nic-hdl:     HH85-AP
mnt-by:      MAINT-AU-ATHOME
changed:     judithh at corp.home.net 20000830
source:      APNIC

person:      ATHome-AU IP Mgmt
address:     450 Broadway Street
address:     Redwood City, CA 94063
address:     US
phone:       +1-800-872-3595
country:     AU
e-mail:      ipmgmt at excitehome.neet
nic-hdl:     AI13-AP
mnt-by:      MAINT-AU-ATHOME
changed:     judithh at corp.home.net 20000830
source:      APNIC



Thanks,
Rick Smith
Director of Technical Services 
Applied Tactical Systems 
(A division of Vertex Interactive, Inc.) 
<http://www.atsworld.com> --- <http://www.vertexinteractive.com> 
(973) 808 - 1750 x382 





More information about the NANOG mailing list