Information from an FTP violation this weekend.
Jade E. Deane
jade.deane at HelloNetwork.com
Mon Apr 23 20:47:39 UTC 2001
Hello, my toaster is connected at 192.168.5.44 and it was hax0red. My
social security number is 275-53-4678, and my favorite color is blue.
How pointless is this mail-list?
/paxil
> On Mon, 23 Apr 2001, Smith, Rick wrote:
>
> >
> >
> > Nanog; fyi.
> >
> > APNIC / Excite / Home.net -
> >
> > We have an ftp site running on 209.123.52.40 that is made writable at
> > certain periods of time for anonymous users. Some of our customer's systems
> > are programmed to send in bug reports, problem programs, etc at these times.
> > One of these periods of time was this past Friday (4/20/01) from 6pm EST to
> > Saturday afternoon at Noon. In that time period, a couple of hundred megs
> > of movies / warez / crap was dropped onto the ftp site, and then the people
> > that were (I presume) loading up the site got cut off.
> >
> > Not only did the violator from 203.164.51.0/24 store illegal information on
> > our ftp site, they also deleted everything that existed. Not anyone's fault
> > there but our own, and no problem since there were backups, but just fyi
> > that this stuff is happening out there from the reported networks.
> >
> > Here's some information I collected from a .htaccess file in one of the
> > directories that these <insert expletive here> left.
> >
> > <Limit GET>
> > order allow,deny
> > deny from 141.201.222.
> > deny from 24.141.20.
> > deny from 24.141.36.
> > deny from 65.1.50.
> > .
> > . Bunch of Denies
> > .
> > allow from 203.164.51.
> > deny from 203.164.3.
> > deny from 62.30.0.
> > .
> > . Bunch of Denies
> > .
> > allow from all
> > </Limit>
> >
> >
> >
> > I run Portsentry on my FreeBSD firewall, which caught and denied this:
> > 987814775 - 04/20/2001 20:59:35 Host: www.uov.net/209.37.153.6 Port: 515 TCP Blocked
> >
> >
> > The swip info for the one allow statement in that htaccess file:
> >
> > [root]# whois -h whois.arin.net 203.164.51.0
> >
> > Asia Pacific Network Information Center (APNIC2)
> > These addresses have been further assigned to Asia-Pacific users.
> > Contact info can be found in the APNIC database,
> > at WHOIS.APNIC.NET or http://www.apnic.net/
> > Please do not send spam complaints to APNIC.
> > AU
> >
> > Netname: APNIC-CIDR-BLK
> > Netblock: 202.0.0.0 - 203.255.255.255
> > Maintainer: AP
> >
> >
> > Gee - go figure - a cable modem ween
> >
> > [root]# whois -h whois.apnic.net 203.164.51.0
> >
> > % Rights restricted by copyright. See
> > http://www.apnic.net/db/dbcopyright.html
> >
> > inetnum: 203.164.48.0 - 203.164.51.255
> > netname: ATHOME-AU-RIVRW-1
> > descr: Infrastructure
> > country: AU
> > admin-c: HH85-AP
> > tech-c: AI13-AP
> > mnt-by: MAINT-AU-ATHOME
> > changed: ipmgmt at excitehome.net 20000911
> > source: APNIC
> >
> > person: Hostmaster Home Network Australia
> > address: 100 Harris Street
> > address: Pyrmont
> > address: NSW 2009
> > phone: +61 2 9005 1000
> > fax-no: +61 2 9005 1076
> > country: AU
> > e-mail: hostmaster at homenetwork.com.au
> > nic-hdl: HH85-AP
> > mnt-by: MAINT-AU-ATHOME
> > changed: judithh at corp.home.net 20000830
> > source: APNIC
> >
> > person: ATHome-AU IP Mgmt
> > address: 450 Broadway Street
> > address: Redwood City, CA 94063
> > address: US
> > phone: +1-800-872-3595
> > country: AU
> > e-mail: ipmgmt at excitehome.neet
> > nic-hdl: AI13-AP
> > mnt-by: MAINT-AU-ATHOME
> > changed: judithh at corp.home.net 20000830
> > source: APNIC
> >
> >
> >
> > Thanks,
> > Rick Smith
> > Director of Technical Services
> > Applied Tactical Systems
> > (A division of Vertex Interactive, Inc.)
> > <http://www.atsworld.com> --- <http://www.vertexinteractive.com>
> > (973) 808 - 1750 x382
> >
> >
> >
>
> --
> Stephen J. Wilcox
> IP Services Manager, Opal Telecom
> http://www.opaltelecom.co.uk/
> Tel: 0161 222 2000
> Fax: 0161 222 2008
>
>
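Added example, not part of the original posts and not code from any of the posters: a small evaluator for the Apache `Order` / `Allow from` / `Deny from` lines visible in the quoted .htaccess, to check which client addresses that file would let through. The function names and the sample client addresses are constructed for illustration, and the elided "Bunch of Denies" entries are omitted.

```python
import ipaddress

# Directives visible in the quoted .htaccess; the elided "Bunch of Denies"
# runs are left out because their contents are not on the page.
HTACCESS = """\
order allow,deny
deny from 141.201.222.
deny from 24.141.20.
deny from 24.141.36.
deny from 65.1.50.
allow from 203.164.51.
deny from 203.164.3.
deny from 62.30.0.
allow from all
"""

def to_network(spec):
    """Map 'all' or a partial address such as '24.141.20.' to a network."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    octets = [o for o in spec.split(".") if o]
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))

def parse(text):
    """Return (order, allow_networks, deny_networks) from directive lines."""
    order, allow, deny = None, [], []
    for line in text.splitlines():
        words = [w.lower() for w in line.split()]
        if len(words) == 2 and words[0] == "order":
            order = words[1]
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            target = allow if words[0] == "allow" else deny
            target.extend(to_network(w) for w in words[2:])
    return order, allow, deny

def permitted(addr, order, allow, deny):
    """Apply Apache's Order semantics to one client address."""
    ip = ipaddress.ip_address(addr)
    allowed = any(ip in net for net in allow)
    denied = any(ip in net for net in deny)
    if order == "allow,deny":   # default deny; a matching Deny always wins
        return allowed and not denied
    if order == "deny,allow":   # default allow; a matching Allow always wins
        return allowed or not denied
    raise ValueError("unsupported Order value: %r" % order)

if __name__ == "__main__":
    order, allow, deny = parse(HTACCESS)
    for client in ("203.164.51.7", "24.141.20.9", "198.51.100.1"):  # constructed
        print(client, permitted(client, order, allow, deny))
```

Under `order allow,deny` a matching deny always wins and `allow from all` matches every client, so on the visible lines the file refuses the listed networks and serves everyone else.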