
List:       intrusions
Subject:    Incident report to PacBell regarding suspicious activity from 216
From:       Ernie Pritchard <ernie () cashpoint ! net>
Date:       2002-01-30 17:29:32

A quick Google search shows many other networks reporting versioning from
this host also.

-Ernie


Hello,

The host at 216.103.54.218 continues to perform DNS versions of random IP
addresses on our external network.
I have notified PacBell about this in the past and the abuse department's
response follows.

Your AUP states:
You may not attempt to circumvent user authentication or security of any
host, network or account ("cracking"). This includes, but is not limited to,
accessing data not intended for you, logging into or making use of a server
or account you are not expressly authorized to access, or probing the
security of other networks. Use or distribution of tools designed for
compromising security is prohibited. Examples of these tools include, but
are not limited to, password guessing programs, cracking tools or network
probing tools. 

In my opinion this traffic is an attempt to enumerate details of our
external network which would fall under the description of "network probing
tools".

Thanks!
Ernie Pritchard
Network Administrator




[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/29-15:24:42.469418 216.103.54.218:5736 -> xxx.xxx.xxx.17:53 
UDP TTL:53 TOS:0x0 ID:55171 IpLen:20 DgmLen:58

[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/27-19:51:15.017729 216.103.54.218:4636 -> xxx.xxx.xxx.69:53   
UDP TTL:52 TOS:0x0 ID:51203 IpLen:20 DgmLen:58


Hi Ernie,


The use of Pacific Bell Internet accounts to attempt to gain
unauthorized access to a host, server or network is prohibited by our
Acceptable Use Policy which may be found at the following URL:

http://public.pacbell.net/faq/

I will investigate your complaint and take appropriate action.

On behalf of Pacific Bell Internet, I apologize for any inconvenience
caused by our customer. Please do not hesitate to write again if you
have any questions or if you wish to report other instances of abuse by
Pacific Bell Internet customers.

Sincerely,



----------------------------
Pacific Bell Internet
Policy Department
abuse@pacbell.net
----------------------------



Original Message Follows:
-------------------------



Hello,

Starting on 01-04-02 the host at 216.103.54.218 performed DNS version
queries. Since there is no known legitimate reason for that system to
attempt to connect to any of our hosts in this fashion, this activity is
being considered a reconnaissance scan with the intent to attack
vulnerable systems in the future.


This host has performed DNS version queries on our external hosts
numerous times in the past and with a little investigation it has
versioned many other DNS servers in the past also.

Please take those measures you deem necessary to prevent such an
incident from occurring in the future.

Included at the end of this message are the log file entries from our
firewall (log times are CST, synchronized using NTP).

Thanks,
Ernie Pritchard
Network Administrator



Links to this host versioning other DNS hosts:
http://www.incidents.org/archives/intrusions/msg02086.html
www.physiology.rwth-aachen.de/cgi-bin/firewall
http://www.incidents.org/archives/intrusions/msg02489.html
http://wwwscience.murdoch.edu.au/logpage/months/Jan_2000.html

Logs from this host running DNS versions today:
[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/04-06:21:41.501596 216.103.54.218:7076 -> xxx.xxx.xxx.132:53
UDP TTL:54 TOS:0x0 ID:24945 IpLen:20 DgmLen:58
Len: 38
[Xref => http://www.whitehats.com/info/IDS278]

[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/04-09:48:58.183842 216.103.54.218:6436 -> xxx.xxx.xxx.65:53
UDP TTL:52 TOS:0x0 ID:12190 IpLen:20 DgmLen:58
Len: 38
[Xref => http://www.whitehats.com/info/IDS278]

Logs from this host versioning in the past:


[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 3]
11/23-20:54:22.205781 216.103.54.218:8422 -> xxx.xxx.xxx.164:53
UDP TTL:52 TOS:0x0 ID:38101 IpLen:20 DgmLen:58
Len: 38
[Xref => http://www.whitehats.com/info/IDS278]

[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 3]
12/07-04:24:10.173850 216.103.54.218:6916 -> xxx.xxx.xxx.157:53
UDP TTL:53 TOS:0x0 ID:44172 IpLen:20 DgmLen:58
Len: 38
[Xref => http://www.whitehats.com/info/IDS278]



[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 3]
11/10-19:31:30.714006 216.103.54.218:7320 -> xxx.xxx.xxx.25:53
UDP TTL:54 TOS:0x0 ID:16624 IpLen:20 DgmLen:58
Len: 38
[Xref => http://www.whitehats.com/info/IDS278]
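As an added example that is not part of the original report, the following parser reads Snort alert records in the format quoted above (rule header, classification, packet line, IP header) and summarizes them per source address, which makes the sweep pattern the report describes (one source, many distinct destination hosts, same sid) visible at a glance. The sample alerts are constructed to match the quoted entries, with destinations masked as in the original.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort alert format quoted in the report
# (destination addresses masked as in the original).
SAMPLE_ALERTS = """\
[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/29-15:24:42.469418 216.103.54.218:5736 -> xxx.xxx.xxx.17:53
UDP TTL:53 TOS:0x0 ID:55171 IpLen:20 DgmLen:58

[**] [1:257:1] P-1-DNS named version attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/27-19:51:15.017729 216.103.54.218:4636 -> xxx.xxx.xxx.69:53
UDP TTL:52 TOS:0x0 ID:51203 IpLen:20 DgmLen:58
"""

# One record is four lines: rule header, classification, packet, IP header.
RECORD = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]\s*\n"
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]\s*\n"
    r"(?P<date>\d\d/\d\d)-(?P<time>[\d:.]+) (?P<src>\S+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+)\s*\n"
    r"(?P<proto>\w+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<ipid>\d+)"
)

def parse_alerts(text):
    """Return one dict per alert record found in Snort alert-file text."""
    records = []
    for m in RECORD.finditer(text):
        r = m.groupdict()
        for k in ("gid", "sid", "rev", "prio", "sport", "dport", "ttl", "ipid"):
            r[k] = int(r[k])
        records.append(r)
    return records

def summarize_by_source(records):
    """Per source address: alert count, distinct destinations, TTLs and sids seen.
    Many distinct destinations from one source under the same sid is the
    sweep pattern described in the report; a narrow TTL spread suggests a
    single origin rather than several hosts."""
    out = defaultdict(lambda: {"alerts": 0, "targets": set(), "ttls": set(), "sids": set()})
    for r in records:
        s = out[r["src"]]
        s["alerts"] += 1
        s["targets"].add(r["dst"])
        s["ttls"].add(r["ttl"])
        s["sids"].add(r["sid"])
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize_by_source(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src}: {s['alerts']} alerts, {len(s['targets'])} targets, TTLs {sorted(s['ttls'])}")
```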

