Fw: Information from an FTP violation this weekend.

Moe Allen moe at vidnet.net
Mon Apr 23 18:39:20 UTC 2001


Good luck, guys.  We had left an incoming open on our FTP server for our
Unix guys to upload code on.  BTW, this occurred over the Thanksgiving
holiday.  Anyway, a guy from .ru uploaded the latest version of
(sp)Tumbarator 5, which had just been released in Europe that morning, &
Mummy.  Then the bum put our IP address on all the warez sites and we had so
many people hitting our server that we had no bandwidth left back to the
Internet and no more ports on our FTP Unix server.

It got so bad that we had to deny all of Europe just to take some of the
load off us.  Then for the next 60 days we handled the US group.  Needless
to say we logged everything and contacted the software groups involved and
made them available.  But it was a nightmare for a long time at our office.
So I can sympathize with your problems.
Respectfully,
Morris Allen
VidcomNet, Inc.
----- Original Message -----
From: "Stephen J. Wilcox" <steve at opaltelecom.co.uk>
To: "Smith, Rick" <rsmith at atsworld.com>
Cc: <nanog at merit.edu>
Sent: Monday, April 23, 2001 11:19 AM
Subject: Re: Information from an FTP violation this weekend.


>
> And I thought the Internet was such a friendly, welcoming
> environment.. maybe I should remove all my telnet guest logins from my
> servers and remove my credit card number from my homepage..
>
> Steve
>
>
>
> On Mon, 23 Apr 2001, Smith, Rick wrote:
>
> >
> >
> > Nanog; fyi.
> >
> > APNIC / Excite / Home.net -
> >
> > We have an ftp site running on 209.123.52.40 that is made writable at
> > certain periods of time for anonymous users.  Some of our customer's systems
> > are programmed to send in bug reports, problem programs, etc at these times.
> > One of these periods of time was this past Friday (4/20/01) from 6pm EST to
> > Saturday afternoon at Noon.  In that time period, a couple of hundred megs
> > of movies / warez / crap was dropped onto the ftp site, and then the people
> > that were (I presume) loading up the site got cut off.
> >
> > Not only did the violator from 203.164.51.0/24 store illegal information on
> > our ftp site, they also deleted everything that existed.  Not anyone's fault
> > there but our own, and no problem since there were backups, but just fyi
> > that this stuff is happening out there from the reported networks.
> >
> > Here's some information I collected from a .htaccess file in one of the
> > directories that these <insert expletive here> left.
> >
> > <Limit GET>
> > order allow,deny
> > deny from 141.201.222.
> > deny from 24.141.20.
> > deny from 24.141.36.
> > deny from 65.1.50.
> > .
> > .  Bunch of Denies
> > .
> > allow from  203.164.51.
> > deny from 203.164.3.
> > deny from 62.30.0.
> > .
> > .  Bunch of Denies
> > .
> > allow from all
> > </Limit>
> >
> >
> >
> > I run Portsentry on my FreeBSD firewall, which caught and denied this:
> > 987814775 - 04/20/2001 20:59:35 Host: www.uov.net/209.37.153.6 Port: 515 TCP Blocked
> >
> >
> > The swip info for the one allow statement in that htaccess file:
> >
> > [root]# whois -h whois.arin.net 203.164.51.0
> >
> > Asia Pacific Network Information Center (APNIC2)
> >    These addresses have been further assigned to Asia-Pacific users.
> >    Contact info can be found in the APNIC database,
> >    at WHOIS.APNIC.NET or http://www.apnic.net/
> >    Please do not send spam complaints to APNIC.
> >    AU
> >
> >    Netname: APNIC-CIDR-BLK
> >    Netblock: 202.0.0.0 - 203.255.255.255
> >    Maintainer: AP
> >
> >
> > Gee - go figure - a cable modem ween
> >
> > [root]# whois -h whois.apnic.net 203.164.51.0
> >
> > % Rights restricted by copyright. See
> > http://www.apnic.net/db/dbcopyright.html
> >
> > inetnum:     203.164.48.0 - 203.164.51.255
> > netname:     ATHOME-AU-RIVRW-1
> > descr:       Infrastructure
> > country:     AU
> > admin-c:     HH85-AP
> > tech-c:      AI13-AP
> > mnt-by:      MAINT-AU-ATHOME
> > changed:     ipmgmt at excitehome.net 20000911
> > source:      APNIC
> >
> > person:      Hostmaster Home Network Australia
> > address:     100 Harris Street
> > address:     Pyrmont
> > address:     NSW 2009
> > phone:       +61 2 9005 1000
> > fax-no:      +61 2 9005 1076
> > country:     AU
> > e-mail:      hostmaster at homenetwork.com.au
> > nic-hdl:     HH85-AP
> > mnt-by:      MAINT-AU-ATHOME
> > changed:     judithh at corp.home.net 20000830
> > source:      APNIC
> >
> > person:      ATHome-AU IP Mgmt
> > address:     450 Broadway Street
> > address:     Redwood City, CA 94063
> > address:     US
> > phone:       +1-800-872-3595
> > country:     AU
> > e-mail:      ipmgmt at excitehome.neet
> > nic-hdl:     AI13-AP
> > mnt-by:      MAINT-AU-ATHOME
> > changed:     judithh at corp.home.net 20000830
> > source:      APNIC
> >
> >
> >
> > Thanks,
> > Rick Smith
> > Director of Technical Services
> > Applied Tactical Systems
> > (A division of Vertex Interactive, Inc.)
> > <http://www.atsworld.com> --- <http://www.vertexinteractive.com>
> > (973) 808 - 1750 x382
> >
> >
> >
>
> --
> Stephen J. Wilcox
> IP Services Manager, Opal Telecom
> http://www.opaltelecom.co.uk/
> Tel: 0161 222 2000
> Fax: 0161 222 2008
>
>




