[ale] Backtracking to an IP

John Mills johnmills at speakeasy.net
Wed Sep 8 09:07:08 EDT 2004


Michael -

Thanks. I sent a note. I also read of the identical attack (with a
different range of common user names and very different IP) reported on
the 'freebsd-questions' list.  The respondent there suggested a firewall
block, but if these are compromised systems I guess this could be a "push
it down here and it comes up over there" situation.

Any ideas of the virus involved? (I say 'virus' because we suppose these
are cracked systems, not intentionally run attacks.)

On Wed, 8 Sep 2004, Michael Still wrote:

> On Wed, 8 Sep 2004 07:26:57 -0500 (EST), John Mills
> <johnmills at speakeasy.net> wrote:
> > ALERs -
> > 
> > My box got a suspect series of ssh login attempts under common, but unused
> > account names, all from the same IP address: 64.124.210.23
> > 
> > How can I learn a bit more about the source?
> > 
> http://ws.arin.net/cgi-bin/whois.pl?queryinput=!%20NET-64-124-210-0-1
> 
> Shows that it's an AboveNet IP block reassigned to APS communications.
> Send a msg to the noc at above.net address or abuse at above.net and
> tell them that box might be cracked.

 - John Mills
   john.m.mills at alum.mit.edu
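An added example (not part of the thread) of how the pattern John describes can be picked out of an auth log before reaching for whois: many distinct, unused account names failing from one source address. It assumes OpenSSH's syslog wording ("Invalid user"/"Illegal user" and "Failed password for ..."); the log lines below are constructed, using the address named in the thread and a documentation-range address for the legitimate user.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not from the original post). The first address
# is the one reported in the thread; 192.0.2.44 is a documentation-range address.
SAMPLE_AUTH_LOG = """\
Sep  8 06:12:01 host sshd[2201]: Invalid user test from 64.124.210.23
Sep  8 06:12:01 host sshd[2201]: Failed password for invalid user test from 64.124.210.23 port 40123 ssh2
Sep  8 06:12:04 host sshd[2203]: Invalid user guest from 64.124.210.23
Sep  8 06:12:04 host sshd[2203]: Failed password for invalid user guest from 64.124.210.23 port 40129 ssh2
Sep  8 06:12:07 host sshd[2205]: Invalid user admin from 64.124.210.23
Sep  8 06:12:07 host sshd[2205]: Failed password for invalid user admin from 64.124.210.23 port 40131 ssh2
Sep  8 06:12:10 host sshd[2207]: Invalid user user from 64.124.210.23
Sep  8 06:12:10 host sshd[2207]: Failed password for invalid user user from 64.124.210.23 port 40140 ssh2
Sep  8 06:15:33 host sshd[2310]: Failed password for john from 192.0.2.44 port 51002 ssh2
Sep  8 06:15:40 host sshd[2310]: Accepted publickey for john from 192.0.2.44 port 51002 ssh2
"""

# "Invalid user NAME from IP" (older OpenSSH releases log "Illegal user").
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid|Illegal) user (?P<user>\S+) from (?P<ip>[\d.]+)")
# "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

def summarize_failures(log_text):
    """Return {ip: {"users": set of account names tried, "failures": count}}."""
    summary = defaultdict(lambda: {"users": set(), "failures": 0})
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            summary[m["ip"]]["users"].add(m["user"])
            continue
        m = FAILED_RE.search(line)
        if m:
            summary[m["ip"]]["users"].add(m["user"])
            summary[m["ip"]]["failures"] += 1
    return dict(summary)

def suspect_sources(log_text, min_distinct_users=3):
    """Addresses that failed against several *different* account names: the
    username-sweep pattern, as opposed to one person mistyping a password."""
    return sorted(ip for ip, s in summarize_failures(log_text).items()
                  if len(s["users"]) >= min_distinct_users)

if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_AUTH_LOG)
    for ip in suspect_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {stats[ip]['failures']} failures, users {sorted(stats[ip]['users'])}")
```

The flagged address and the user list it tried are what you would hand to the abuse contact found via the whois lookup above.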
