dabystru
05-02-2001, 02:35 PM
Hello,
I have a RaQ 4 with RackShack and got the e-mail below. I have 3 IP addresses on my RaQ but none of them is 216.40.212.18. I forwarded this to Rackshack (whom I believe this address belongs), but why was I contacted at all?
And what should I do about such activity if anything?
------------------------------ cut------------------------------
We recently monitored a scan of at least 26000 addresses in our domain.
The scan came from 216.40.212.18 and involved attempted connections to
multiple ports:
portmap (~26000 addresses scanned)
39168 (~10 addresses scanned)
The maximum scan rate was 1134 connections per second and I've included
a partial connection log below.
This activity is consistent with an attacker looking for known security
holes. This appears to be an *intentional abuse* of our systems. You're
listed as the contact(s) for the domain including 216.40.212.18. Please
investigate this activity and/or forward this message to the
appropriate people. I've also CCed CP-Abuse@LBL.GOV in case this is
part of a bigger picture.
> ---[times are Pacific Daylight Time (GMT-7)]---
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.1/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.6/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.2.95/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.3/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.51/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.94/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.96/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.97/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.1.11/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.226/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.2.25/portmap
> ---- [connections deleted] ----
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.217/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.226/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.219/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.224/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.228/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.225/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.152/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.227/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.156/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.212/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.5.138/portmap
Incident Response
Computer Protection Program
Lawrence Berkeley National Laboratory
------------------------------ cut------------------------------
I have a RaQ 4 with RackShack and got the e-mail below. I have 3 IP addresses on my RaQ but none of them is 216.40.212.18. I forwarded this to Rackshack (whom I believe this address belongs), but why was I contacted at all?
And what should I do about such activity if anything?
------------------------------ cut------------------------------
We recently monitored a scan of at least 26000 addresses in our domain.
The scan came from 216.40.212.18 and involved attempted connections to
multiple ports:
portmap (~26000 addresses scanned)
39168 (~10 addresses scanned)
The maximum scan rate was 1134 connections per second and I've included
a partial connection log below.
This activity is consistent with an attacker looking for known security
holes. This appears to be an *intentional abuse* of our systems. You're
listed as the contact(s) for the domain including 216.40.212.18. Please
investigate this activity and/or forward this message to the
appropriate people. I've also CCed CP-Abuse@LBL.GOV in case this is
part of a bigger picture.
> ---[times are Pacific Daylight Time (GMT-7)]---
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.1/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.6/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.2.95/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.3/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.51/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.94/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.96/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.2.97/portmap
> Apr 30 02:52:20 216.40.212.18 > 128.3.1.11/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.1.226/portmap
> Apr 30 02:52:17 216.40.212.18 > 128.3.2.25/portmap
> ---- [connections deleted] ----
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.217/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.226/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.219/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.224/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.228/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.225/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.152/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.227/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.156/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.3.212/portmap
> Apr 30 02:52:26 216.40.212.18 > 128.3.5.138/portmap
Incident Response
Computer Protection Program
Lawrence Berkeley National Laboratory
------------------------------ cut------------------------------