RE: [cobalt-users] Another Exploit?!? (different than before)...
- From: "Sim Ayers" <sim@xxxxxxxxxxxx>
- Date: Tue Dec 11 14:51:15 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Guys,
>
> Seems we were violated last night sometime just before midnight.
> - There are several entries, approx 100 within 8 seconds, in the Secure log
> around the same time as the exploit with this syntax all trying different
> IPs on my network:
> " Dec 11 00:33:26 raq4-1 proftpd[31068]: my.ip.add.res
> (bzq-236-175.red.bezeqint.net[212.179.236.175]) - USER anonymous: no such
> user found from bzq-236-175.red.bezeqint.net [212.179.236.175] to
> my.ip.add.res:21"
>
> Possibly an FTP exploit? I dunno and it's starting to become an issue. If
> there is a separate update that isn't included with the latest .pkg
> releases, could someone point me in the right direction?
>
> Thanks,
> Jordan Sharples
>
Jordan,
I had the same anonymous ftp login error messages so I added the following
to our host.deny file.
Sim
in.telnetd: 163.28.0.0/255.255.0.0
in.proftpd: 163.28.0.0/255.255.0.0
in.telnetd: 212.179.0.0/255.255.0.0
in.proftpd: 212.179.0.0/255.255.0.0
in.telnetd: 61.216.0.0/255.255.0.0
in.proftpd: 61.216.0.0/255.255.0.0
in.telnetd: ALL EXCEPT .com, .net
in.proftpd: ALL EXCEPT .com, .net
in.telnetd: 62.243.185.0/255.255.255.0, 62.161.48.100/255.255.0.0, .microsoft.com
in.proftpd: 62.243.185.0/255.255.255.0, 62.161.48.100/255.255.0.0, .microsoft.com
Just to let ADSL-CUSTOMER-CONNECTION know that their service might be the
root of the hack.
#========================================================================================
inetnum: 212.179.192.0 - 212.179.255.255
netname: ADSL-CUSTOMER-CONNECTION
descr: ADSL-CUSTOMER-CONNECTION
country: IL
admin-c: ES4966-RIPE
tech-c: NP469-RIPE
status: ASSIGNED PA
notify: hostmaster@xxxxxxxxxxx
mnt-by: RIPE-NCC-NONE-MNT
changed: hostmaster@xxxxxxxxxxx 20001109
source: RIPE

route: 212.179.224.0/20
descr: BezeqInt
origin: AS8551
notify: hostmaster@xxxxxxxxxxxx
mnt-by: AS8551-MNT
changed: hostmaster@xxxxxxxxxxxx 20011122
source: RIPE

person: Eran Shchori
address: BEZEQ INTERNATIONAL
address: 40 Hashacham Street
address: Petach-Tikva 49170 Israel
phone: +972 3 9257710
fax-no: +972 3 9257726
e-mail: hostmaster@xxxxxxxxxxxx
nic-hdl: ES4966-RIPE
changed: registrar@xxxxx 20000309
source: RIPE

person: Nati Pinko
address: Bezeq International
address: 40 Hashacham St.
address: Petach Tikvah Israel
phone: +972 3 9257761
e-mail: hostmaster@xxxxxxxxxxx
nic-hdl: NP469-RIPE
changed: registrar@xxxxx 19990902
source: RIPE
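
The net/mask entries in the reply above can be checked against the hosts_access(5) matching rule, under which a client matches when its address ANDed with the mask equals the net. The following is an added example, not part of the original post: the function names are made up for illustration, while the patterns, the logged address 212.179.236.175 and the RIPE inetnum range are copied from this message.

```python
import ipaddress

# Net/mask client patterns copied from the hosts.deny entries in this message.
PATTERNS = [
    "163.28.0.0/255.255.0.0",
    "212.179.0.0/255.255.0.0",
    "61.216.0.0/255.255.0.0",
    "62.243.185.0/255.255.255.0",
    "62.161.48.100/255.255.0.0",
]

def _split(pattern):
    """Return (net, mask) of a 'n.n.n.n/m.m.m.m' pattern as integers."""
    net, mask = pattern.split("/")
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(mask))

def matches(pattern, client_ip):
    """hosts_access(5) rule: match when net == (client address AND mask)."""
    net, mask = _split(pattern)
    return net == (int(ipaddress.IPv4Address(client_ip)) & mask)

def first_match(patterns, client_ip):
    """First pattern that matches client_ip, or None if no pattern does."""
    return next((p for p in patterns if matches(p, client_ip)), None)

def dead_patterns(patterns):
    """Patterns with net bits outside the mask; no address can ever match them."""
    return [p for p in patterns if _split(p)[0] & ~_split(p)[1] & 0xFFFFFFFF]

def whois_cidrs(first, last):
    """CIDR blocks covering an inetnum 'first - last' range from a whois record."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

if __name__ == "__main__":
    print(first_match(PATTERNS, "212.179.236.175"))   # source address in the log line
    print(dead_patterns(PATTERNS))                    # entries that can never match
    print(whois_cidrs("212.179.192.0", "212.179.255.255"))
```

The 62.161.48.100/255.255.0.0 entry has host bits set in its net part, so it matches no client as written, and the 212.179.0.0/255.255.0.0 rule blocks a wider range than the inetnum block shown in the whois record.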