SYSMGR

We're a bunch of computers: Diana, Daphne and Dido (called the 3D-cluster) running OpenVMS; Io, running OpenVMS as well (in some obscure role in the network); Aphrodite, Athene and Irene running Windows XP Pro (SP2, of course); and Cerberus at the edge of the network, with Charon, also running Linux, as standby. SYSMGR takes care of us.

Thursday, December 1

01-dec-2005

Mail bomb?
Good to have RBLs installed. Today's log showed:

1-DEC-2005 09:31:07.06 CLNTINRBL 211.191.67.126

and 152 more, every 3 seconds or so, with some quiet time in between, until:

1-DEC-2005 13:52:34.77 CLNTINRBL 211.191.67.126

This address is Korean, but the English translation shown is:

KRNIC is not an ISP but a National Internet Registry similar to APNIC.The followings is organization information that is using the IPv4 address.

IPv4 Address : 211.191.67.0-211.191.67.255
Network Name : SHINBIRO-INFRA
Connect ISP Name : SHINBIRO
Connect Date : 20020605
Registration Date : 20031019
Publishes : Y

[ Organization Information ]
Organization ID : ORG2324
Org Name : ONSE Telecom
Address : Gumi-dong, Seongnam Si Bundang-gu, GYEONGGI-DO
Detail address : 192-2
Zip Code : 463-500

[ Technical Contact Information ]
Name : IP Manager
Org Name : ONSE Telecom
Address : Gumi-dong, Seongnam Si Bundang-gu, GYEONGGI-DO
Detail address : 192-2
Zip Code : 463-500
Phone : +82-31-738-6421
E-Mail : onse-ip@matrix.shinbiro.com

They can be contacted:

[ ISP Network Abuse Contact Information ]
Name : Network abuse
Phone : +82-31-738-6417
E-Mail : abuse@shinbiro.com

so that will be attempted.

Other mail trouble
Mail does arrive, but it is not shown in the webmail client, nor will a message show up when logging in. As found, the mail is retrieved by Aphrodite (which is up and running), but Outlook has not started... The messages are in the Wastebasket folder, so who picks them up and doesn't leave them there? Perhaps CommunigatePro on Io?

FTP Log not complete
Something has gone wrong in transferring the FTP logging to the web, so extracting data off-site is not possible. The latest attempts to push things onto the system have been logged, but the log that is accessible using the web doesn't show them. The information will be updated later this week.

More break-in attempts found
I scanned the audit journal and found more interesting break-in attempts. Somehow, these don't show up in operator.log, which is what I really would like, so I will have to look in the system manager's guide to find out how that can be done.

I extracted from 01-Jan-2005 and edited it somewhat, since some entries are either local (of no interest) or already known. What is left are the FTP, TELNET and HTTP attempts that I had not yet seen:

Auditable event: Network login failure (FTP)
Event time: 2-JAN-2005 02:41:11.90
Remote node fullname: 61-218-176-6.HINET-IP.hinet.net
Status: %LOGIN-F-NOEXTAUTH, external authentication service disabled or unavailable

Auditable event: Network login failure (FTP)
Event time: 3-APR-2005 08:17:08.78
Remote node fullname: relay.studenten.net
Status: %LOGIN-F-NOEXTAUTH, external authentication service disabled or unavailable

Auditable event: Network login failure (FTP)
Event time: 16-APR-2005 22:06:07.90
Username: anonymous@ft
Remote node fullname: toronto-HSE-ppp4325250.sympatico.ca
Status: %LOGIN-F-NOSUCHUSER, no such user

Auditable event: Remote interactive login failure (TELNET)
Event time: 7-JUN-2005 14:43:45.76
Username:
Remote node fullname: 12.160.197.66
Status: %LOGIN-F-CMDINPUT, error reading command input


(This address is owned by:

AT&T WorldNet Services ATT (NET-12-0-0-0-1)
12.0.0.0 - 12.255.255.255
STARWOOD HOTELS STARWOOD32-197-64 (NET-12-160-197-64-1)
12.160.197.64 - 12.160.197.127
# ARIN WHOIS database, last updated 2005-12-01 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database

This is where I stayed at that time, so this is me, from the US (VMS Bootcamp).)

Auditable event: Network login failure (FTP)
Event time: 25-JUL-2005 12:03:54.37
Remote node fullname: wf100.internetdsl.tpnet.pl
Status: %LOGIN-F-NOEXTAUTH, external authentication service disabled or unavailable

Auditable event: Remote interactive login failure (TELNET)
Event time: 9-SEP-2005 17:20:34.41
Username: SYSTEM
Remote node fullname: 62.59.190.14
Status: %LOGIN-F-INVPWD, invalid password

Who is 62.59.190.14:

inetnum: 62.59.190.0 - 62.59.190.127
netname: VERSATEL-DIAL-PRETIUM-ROTTERDAM-1
descr: Versatel Pretium customer
country: NL
admin-c: VT1029-RIPE
tech-c: VT1029-RIPE
status: ASSIGNED PA
mnt-by: AS13127-MNT
source: RIPE # Filtered

role: VT HOSTMASTER
address: Hullenbergweg 101
address: 1101 CL Amsterdam ZuidOost
address: The Netherlands
remarks: trouble: For ZON related abuse issues please contact abuse@zonnet.nl
remarks: trouble: For all abuse issues please contact abuse@versatel.net

Ok, abuse should be signalled. So I will - but it is a bit late, perhaps...

Auditable event: Remote interactive login failure (TELNET)
Event time: 11-SEP-2005 21:16:51.38
Username: <login>
Remote node fullname: xxxxxx.grootersnet.nl.ccc.bbb.aaa.in-addr.arpa
Status: %LOGIN-F-CMDINPUT, error reading command input

Auditable event: Remote interactive login failure (TELNET)
Event time: 11-SEP-2005 21:16:58.13
Username: <login>
Remote node fullname: yyyyyy.grootersnet.nl.ccc.bbb.aaa.in-addr.arpa
Status: %LOGIN-F-CMDINPUT, error reading command input

These two are very, very weird. Both xxxxxx.grootersnet.nl and yyyyyy.grootersnet.nl are DNS entries at my ISP so I can access my desk and mail via the web, using my normal IP address; these are virtual webs in Apache, and aaa.bbb.ccc.0 is my intranet address, where these are known as "xxxxxx" and "yyyyyy". So there are no real nodes with these names.
(Obviously, for security reasons, I have changed the names.)


Auditable event: Network login failure (FTP)
Event time: 16-OCT-2005 02:55:17.88
Username: test
Remote node fullname: sipco92.sipco.fr
Status: %LOGIN-F-NOSUCHUSER, no such user

Repeated a number of times, every 200 milliseconds or so:

Event time: 16-OCT-2005 02:55:18.12
Event time: 16-OCT-2005 02:55:18.38
Event time: 16-OCT-2005 02:55:18.61
Event time: 16-OCT-2005 02:55:19.13
Event time: 16-OCT-2005 02:55:19.39
Event time: 16-OCT-2005 02:55:19.70
Event time: 16-OCT-2005 02:55:19.94
Event time: 16-OCT-2005 02:55:20.20
Event time: 16-OCT-2005 02:55:20.44
Event time: 16-OCT-2005 02:55:20.71
Event time: 16-OCT-2005 02:55:20.95
Event time: 16-OCT-2005 02:55:21.19
Event time: 16-OCT-2005 02:55:21.43
Event time: 16-OCT-2005 02:55:21.68
Event time: 16-OCT-2005 02:55:21.92

Remember this one? See the log of 16-Oct-2005.

The last one - that wasn't noticed (because these audits don't show up in operator.log yet):

Auditable event: Network login failure (FTP)
Event time: 17-NOV-2005 05:18:43.54
Username: test
Remote node fullname: dslb-084-057-128-227.pools.arcor-ip.net
Status: %LOGIN-F-NOSUCHUSER, no such user

repeated a number of times, again, every 200 milliseconds:

Event time: 17-NOV-2005 05:18:43.87
Event time: 17-NOV-2005 05:18:44.09
Event time: 17-NOV-2005 05:18:44.29
Event time: 17-NOV-2005 05:18:44.50
Event time: 17-NOV-2005 05:18:44.71
Event time: 17-NOV-2005 05:18:44.91
Event time: 17-NOV-2005 05:18:45.13
Event time: 17-NOV-2005 05:18:45.33
Event time: 17-NOV-2005 05:18:45.52
Event time: 17-NOV-2005 05:18:45.71
Event time: 17-NOV-2005 05:18:45.89
Event time: 17-NOV-2005 05:18:46.21
Event time: 17-NOV-2005 05:18:46.40
Event time: 17-NOV-2005 05:18:46.59
Event time: 17-NOV-2005 05:18:46.79


and since the FTP_RUN log hasn't been updated, I cannot look into it.
Trying to get the system down?
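As an added example (my own code, not from the SYSMGR post and not anything OpenVMS itself provides), here is a small Python script that does mechanically what the post does by eye: it parses the two log shapes quoted above, the multi-line "Auditable event:" records from the audit journal and the one-line "<time> CLNTINRBL <ip>" entries, and reports any source that repeats within a short window, which is what the 200 ms FTP bursts and the 3-second RBL rejects look like. The sample records are constructed from the times the post lists (plus two of its single failures); the thresholds, the regexes and the function names are assumptions of this example.

```python
"""Flag login-failure and RBL-reject bursts in OpenVMS-style log extracts.

Added example, not code from the SYSMGR post: parses the text records the
post quotes and reports sources that hit repeatedly inside a short window.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

TIME_FORMAT = "%d-%b-%Y %H:%M:%S.%f"              # e.g. 16-OCT-2005 02:55:17.88
STATUS_RE = re.compile(r"(%[A-Z]+-[A-Z]-[A-Z]+)")  # the %FACILITY-S-IDENT token
RBL_RE = re.compile(r"^(\d{1,2}-[A-Z]{3}-\d{4} [\d:.]+)\s+CLNTINRBL\s+(\S+)")


def parse_audit(text):
    """Turn blank-line separated 'Key: value' audit records into event dicts."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")   # first colon only; times contain colons
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "event time" not in fields:
            continue
        status = fields.get("status", "")
        match = STATUS_RE.search(status)
        events.append({
            "event": fields.get("auditable event", ""),
            "time": datetime.strptime(fields["event time"], TIME_FORMAT),
            "username": fields.get("username", ""),
            "remote": fields.get("remote node fullname", "?"),
            "status": match.group(1) if match else status,
        })
    return events


def audit_hits(events):
    """(source, time) pairs keyed on the remote node, for find_bursts()."""
    return [(ev["remote"], ev["time"]) for ev in events]


def parse_rbl(text):
    """(source, time) pairs from '<time> CLNTINRBL <ip>' lines; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        match = RBL_RE.match(line.strip())
        if match:
            hits.append((match.group(2), datetime.strptime(match.group(1), TIME_FORMAT)))
    return hits


def find_bursts(hits, min_count=5, window_seconds=2.0):
    """Sources with at least min_count hits inside any span of window_seconds."""
    by_source = defaultdict(list)
    for source, when in hits:
        by_source[source].append(when)
    bursts = []
    for source, times in by_source.items():
        times.sort()
        for i in range(len(times) - min_count + 1):   # empty range if too few hits
            if (times[i + min_count - 1] - times[i]).total_seconds() <= window_seconds:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                bursts.append({"source": source, "count": len(times),
                               "first": times[0], "last": times[-1],
                               "mean_interval": sum(gaps) / len(gaps) if gaps else 0.0})
                break
    return bursts


def count_by_status(events):
    """How many failures of each %LOGIN-F-... kind were seen."""
    return Counter(ev["status"] for ev in events)


# Constructed sample: the 16 times the post lists for 16-OCT-2005, rendered as
# full records, bracketed by two of the post's single failures.
_BURST_TIMES = ["02:55:17.88", "02:55:18.12", "02:55:18.38", "02:55:18.61",
                "02:55:19.13", "02:55:19.39", "02:55:19.70", "02:55:19.94",
                "02:55:20.20", "02:55:20.44", "02:55:20.71", "02:55:20.95",
                "02:55:21.19", "02:55:21.43", "02:55:21.68", "02:55:21.92"]
_BURST_RECORD = ("Auditable event: Network login failure (FTP)\n"
                 "Event time: 16-OCT-2005 {t}\nUsername: test\n"
                 "Remote node fullname: sipco92.sipco.fr\n"
                 "Status: %LOGIN-F-NOSUCHUSER, no such user")
SAMPLE_AUDIT = "\n\n".join(
    ["Auditable event: Network login failure (FTP)\n"
     "Event time: 3-APR-2005 08:17:08.78\n"
     "Remote node fullname: relay.studenten.net\n"
     "Status: %LOGIN-F-NOEXTAUTH, external authentication service disabled or unavailable"]
    + [_BURST_RECORD.format(t=t) for t in _BURST_TIMES]
    + ["Auditable event: Remote interactive login failure (TELNET)\n"
       "Event time: 9-SEP-2005 17:20:34.41\nUsername: SYSTEM\n"
       "Remote node fullname: 62.59.190.14\n"
       "Status: %LOGIN-F-INVPWD, invalid password"])
# Constructed sample: six RBL rejects three seconds apart, as in the post's first log.
SAMPLE_RBL = "\n".join(
    "1-DEC-2005 09:31:%05.2f CLNTINRBL 211.191.67.126" % (7.06 + 3 * i) for i in range(6))

if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT)
    print("failures by status:", dict(count_by_status(events)))
    for b in find_bursts(audit_hits(events)):
        print(f"{b['source']}: {b['count']} failures, {b['mean_interval']:.2f} s apart")
    for b in find_bursts(parse_rbl(SAMPLE_RBL), min_count=5, window_seconds=15):
        print(f"{b['source']}: {b['count']} RBL rejects, {b['mean_interval']:.1f} s apart")
```

The window and count are the knobs: 5 hits in 2 seconds catches the 200 ms FTP bursts, while the RBL rejects at 3-second spacing need a wider window (15 seconds in the usage above). Anything that trips the rule is worth a look at the remote node name and the status code together, since a burst of %LOGIN-F-NOSUCHUSER from one host is the user-name guessing the post describes, whereas the single %LOGIN-F-NOEXTAUTH entries are just probes that never got as far as a password.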
