RE: [cobalt-security] Should I be worried?
- From: "Simon Wilson" <simon@xxxxxxxxxxxxx>
- Date: Wed, 27 Jun 2001 09:44:04 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi
We also get heavily probed by Wanadoo. Is there nothing we can do about it?
Simon
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Michael Stauber
Sent: 26 June 2001 18:05
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Should I be worried?
Hi Johan,
> Where do these people find our servers? From the Cobalt lists, or perhaps
> by trying address blocks assigned to well-known RaQ ISPs?
Correct. They just hit one of the big fish and know they have an entire
class C net full with vulnerable Cobalt machines.
If the attacker's FTP-tool reports back that it found a proftpd version less
than 1.2.2rc1-C2, then they know you've been lazy on the patches and they
know you can be exploited in a couple of ways.
Let's see ... if you haven't got the FTPd update, then you also have the old
2.2.14 kernel, the old qdpopper, perhaps even the old bind-version.
I have 32 IP addresses from two different class C nets on my RaQ3. I get hit
by systematic FTP-probes usually 2-3 times per week:
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jun 25 22:51:03 admin proftpd[12773]: 206.239.85.115 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:03 admin proftpd[12774]: 206.239.85.119 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:03 admin proftpd[12775]: 206.239.85.117 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:03 admin proftpd[12776]: 206.239.85.121 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:03 admin proftpd[12777]: 206.239.85.120 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:03 admin proftpd[12778]: 206.239.85.128 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:05 admin proftpd[12779]: 206.239.85.113 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:05 admin proftpd[12780]: 206.239.85.114 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:06 admin proftpd[12781]: 206.239.85.116 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:51:11 admin proftpd[12782]: 206.239.85.118 (210.123.52.157[210.123.52.157]) - FTP session opened.
Jun 25 22:56:03 admin proftpd[12777]: 206.239.85.120 (210.123.52.157[210.123.52.157]) - FTP login timed out, disconnected
> Here is a list of IPs that tried to gain access during the last week:
>
> - (213-193-168-86.adsl.easynet.be[213.193.168.86])
> - (cr343120-a.slnt1.on.wave.home.com[24.114.67.151])
> - (p3EE2471D.dip.t-dialin.net[62.226.71.29])
> - (a194-109-224-201.adsl.xs4all.nl[194.109.224.201])
> - (ABayonne-101-1-2-41.abo.wanadoo.fr[217.128.82.41])
> - (61.76.195.24[61.76.195.24])
> - (cx337781-a.alsv1.occa.home.com[24.15.142.186])
> - (u011.d017166210.ctt.ne.jp[210.166.17.11])
Hmm ... interesting. Quite a few fellow Europeans there. T-Online,
Access4all, Wanadoo and Easynet. I get a ton of probes from Wanadoo these
days. Already thought of blocking them altogether. ;o)
--
Mit freundlichen Grüßen / Best regards
Michael Stauber
Stauber Multimedia Design ____ Phone: +49-6471-923812
Hauptstrasse 31 ______ D-56244 Goddert ______ Germany
SMD.NET ___ SOLARSPEED.NET ___ FORUMWORLD.COM
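
An added example, not part of the original message: one way to flag the pattern in the log excerpt above, where a single remote address opens FTP sessions against many of the server's local addresses within seconds. The log lines are constructed using documentation address ranges, the function names, threshold and window are assumptions, and each log entry is expected on one line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the proftpd syslog format quoted above (documentation IPs).
SAMPLE_LOG = """\
Jun 25 22:51:03 admin proftpd[101]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - FTP session opened.
Jun 25 22:51:03 admin proftpd[102]: 192.0.2.11 (203.0.113.7[203.0.113.7]) - FTP session opened.
Jun 25 22:51:05 admin proftpd[103]: 192.0.2.12 (203.0.113.7[203.0.113.7]) - FTP session opened.
Jun 25 22:51:11 admin proftpd[104]: 192.0.2.13 (203.0.113.7[203.0.113.7]) - FTP session opened.
Jun 25 22:56:03 admin proftpd[103]: 192.0.2.12 (203.0.113.7[203.0.113.7]) - FTP login timed out, disconnected
Jun 25 23:10:00 admin proftpd[105]: 192.0.2.10 (host.example.net[198.51.100.20]) - FTP session opened.
Jun 26 09:30:00 admin proftpd[106]: 192.0.2.11 (host.example.net[198.51.100.20]) - FTP session opened.
"""

# Local (virtual-host) address first, then (remote-host[remote-ip]).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sproftpd\[\d+\]:\s"
    r"(?P<local>[\d.]+)\s\((?P<host>[^\[\]]*)\[(?P<remote>[\d.]+)\]\)\s-\s"
    r"FTP session opened\.")

def parse_sessions(text, year=2001):
    """Yield (timestamp, local_ip, remote_ip) per 'FTP session opened' line.
    Syslog timestamps carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["local"], m["remote"]

def find_sweeps(text, min_targets=3, window=timedelta(seconds=60)):
    """Return {remote_ip: sorted local IPs} for remotes that opened sessions to
    at least min_targets distinct local addresses inside one time window."""
    by_remote = defaultdict(list)
    for ts, local, remote in parse_sessions(text):
        by_remote[remote].append((ts, local))
    sweeps = {}
    for remote, events in by_remote.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            hit = {loc for ts, loc in events[i:] if ts - start <= window}
            if len(hit) > len(best):
                best = hit
        if len(best) >= min_targets:
            sweeps[remote] = sorted(best)
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```
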