Date: Thu, 6 Jan 2000 21:49:47 -0800 (PST)
From: Jeff Gray <jwgray@netbox.com>
To: "Chris Cason [work]" <casonc@netplex.aussie.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port scans and site theft from IP inside mr.net
Message-ID: <Pine.BSF.4.03.10001062147360.1931-100000@netbox.com>
In-Reply-To: <002e01bf58c5$18cd90f0$cc0010ac@melbbureau.central.dubsat.com.au>
Chris,

I cannot reach the IP address via HTTP. Pingable, tracerouteable. No information from dig -x. Using lynx I get the message 'no startfile'. Seems to have taken it down as a web server.

Jeff

On Fri, 7 Jan 2000, Chris Cason [work] wrote:

> This is just a heads-up about some activity I've just seen, and also I guess a query as to whether or not you guys have seen this happen before.
>
> I'm the server admin of a graphics site that is reasonably popular (www.irtc.org).
>
> Recently, we had a person write to us complaining that we were port-scanning him and could we please explain why? He included some logs that showed that the port scans were coming from 137.192.77.10.
>
> Now, this is nothing whatsoever like our IP address, so we were kind of scratching our heads wondering why he wrote to -US- to complain, until we noticed that, if we made a HTTP connection to 137.192.77.10, you got an exact duplicate of our site. To make sure it wasn't a mirage, we changed a page on our site, hit the above one, and sure enough the unchanged version was present.
>
> Whoever is operating the site has evidently gone to the trouble of copying a large chunk of our site (I suspect using a reverse-proxy) for some unknown reason. I assume it's a reverse proxy since, now that I have ipfw'd his system off from ours, I still see it hitting my HTTP ports from time to time. I've also seen him pinging us since.
>
> He has now configured his system to deny IP from my server, though I can still ping him from elsewhere. Finally, the web server that was running at 137.192.77.10 port 80 is now either not there at all, or he's configured it not to accept connections from any of the networks that we were previously using to look at what he was doing. I believe it is still there as I am still getting attempted connections from his server to mine on port 80.
>
> Given that he was port-scanning I can only guess that he wanted people to complain to us instead of him, but that doesn't seem to make a lot of sense either (it's kind of a weak cover).
>
> I'm curious to see if anyone else here is able to see his web server anymore, and if so, if they could take a screen-shot including the browser's address bar (as I didn't do so while I had the chance).
>
> Also, if anyone has seen anything like this in the past and can shed any more light on it I'd appreciate knowing.
>
> FWIW, we have complained twice to mr.net (the hosts of this IP) over the past week, and apart from their automated response, have been greeted with nothing but thunderous silence. It appears to me that they have little concern about this sort of activity. In fact I don't even know myself if it's actually illegal (though it's certainly unethical if it's not).
>
> thanks,
>
> -- Chris
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
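Chris's inference above (a reverse proxy, because the remote host keeps fetching from port 80 even after being blocked) can be checked from the origin server's own access log rather than by probing the suspect host. The script below is an added example and is not code from this thread or from the irtc.org site. It assumes Apache "combined" log format, treats www.irtc.org and irtc.org as the site's legitimate hostnames, and runs on constructed log lines using RFC 5737 documentation addresses rather than the address named in the thread. The idea: a reverse proxy fetches each page from the origin on demand and commonly forwards the visitor's Referer header unchanged, so the origin log shows Referer URLs whose host is foreign but whose path is a page the origin itself serves, arriving from the same client IP that the Referer names.

```python
"""Spot a reverse-proxy mirror of a web site from the origin's access log.

Two signals are scored: (a) Referer URLs with a foreign host but a path that
exists on this site, and (b) one client IP fetching many distinct local pages.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format; the addresses are
# RFC 5737 documentation ranges, not hosts from the original mailing-list thread.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2000:10:00:01 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.7"
203.0.113.7 - - [07/Jan/2000:10:00:03 -0800] "GET /stills/index.html HTTP/1.0" 200 4200 "http://www.irtc.org/index.html" "Mozilla/4.7"
192.0.2.44 - - [07/Jan/2000:10:00:05 -0800] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.7"
192.0.2.44 - - [07/Jan/2000:10:00:06 -0800] "GET /stills/index.html HTTP/1.0" 200 4200 "http://192.0.2.44/index.html" "Mozilla/4.7"
192.0.2.44 - - [07/Jan/2000:10:00:09 -0800] "GET /anims/index.html HTTP/1.0" 200 3900 "http://192.0.2.44/index.html" "Mozilla/4.7"
192.0.2.44 - - [07/Jan/2000:10:00:12 -0800] "GET /rules.html HTTP/1.0" 200 8800 "http://192.0.2.44/stills/index.html" "Mozilla/4.7"
198.51.100.9 - - [07/Jan/2000:10:01:00 -0800] "GET /rules.html HTTP/1.0" 200 8800 "http://www.example.net/search?q=irtc" "Mozilla/4.7"
"""

# Hostnames the site is legitimately served under (assumption for this example).
OUR_HOSTS = {"www.irtc.org", "irtc.org"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def find_mirror_suspects(records, our_hosts=OUR_HOSTS):
    """Return {referer_host: summary} for foreign hosts whose Referer paths are our pages."""
    local_paths = {r["path"] for r in records if 200 <= r["status"] < 400}
    suspects = defaultdict(lambda: {"hits": 0, "clients": set(), "paths": set()})
    for r in records:
        ref = r["referer"]
        if ref in ("", "-"):
            continue
        parts = urlsplit(ref)
        host = parts.hostname
        if not host or host.lower() in our_hosts:
            continue
        if parts.path not in local_paths:
            continue  # ordinary inbound link (search engine, forum), not our page tree
        s = suspects[host]
        s["hits"] += 1
        s["clients"].add(r["ip"])
        s["paths"].add(parts.path)
    result = {}
    for host, s in suspects.items():
        result[host] = {
            "hits": s["hits"],
            "clients": sorted(s["clients"]),
            "paths": sorted(s["paths"]),
            # The proxy is the TCP client, while the visitor's browser names the
            # proxy in Referer; when the two coincide the mirror signal is strong.
            "self_referencing": s["clients"] == {host},
        }
    return result


def distinct_paths_per_client(records):
    """Count distinct local paths fetched by each client IP (bulk-fetch signal)."""
    seen = defaultdict(set)
    for r in records:
        seen[r["ip"]].add(r["path"])
    return {ip: len(paths) for ip, paths in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, info in find_mirror_suspects(recs).items():
        print(f"{host}: {info['hits']} hits from {info['clients']}, "
              f"our paths seen in Referer: {info['paths']}, "
              f"self-referencing={info['self_referencing']}")
    print("distinct paths per client:", distinct_paths_per_client(recs))
```

On the constructed sample, 192.0.2.44 is reported as a self-referencing suspect covering two of the site's pages, while the external search-engine link from 198.51.100.9 is ignored because its Referer path is not one the site serves. Run against a real log, the `self_referencing` flag combined with a high distinct-path count for the same client is the pattern to look for; a block such as the ipfw rule Chris mentions stops the proxy from fetching, but the log entries accumulated before the block are the evidence worth keeping for the abuse report.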