
Thread: 1 kiddiot down - several hundred thousand to go!

  1. #11
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    w00t!

    I got this response back from the net block admin - Just thought I'd post it to let everyone know that this approach works...

    -----Original Message-----
    From: James A. Jokl [mailto:[email protected]]
    Sent: 17 June 2002 06:11
    To: Simon Barnett
    Cc: [email protected]; [email protected]
    Subject: Re: Network attack originating from your network.


    199.111.104.x is owned and operated by the library of virginia.
    www.lva.lib.va.us

    I have copied them on this email.
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.

  2. #12
    Actually, I find this quite mean...

    You just screwed someone's life up, you could have found your own ways to put a scare in that student, instead of getting him completely banned from college.

  3. #13
    Senior Member
    Join Date
    Apr 2002
    Posts
    711
    Originally posted here by Phactorial
    Actually, I find this quite mean...

    You just screwed someone's life up, you could have found your own ways to put a scare in that student, instead of getting him completely banned from college.
    Well, you tell me what you would do if someone came to your house, went to every door and window and shook and rattled the thing to see if they could open it. Would this be some person that you would want to "go talk to" and calmly tell them the error of their ways, or would you like to take out a gun and threaten them with it and "put a scare into them" hoping that they, in turn, don't have a gun... or would you rather call the police and have them possibly come lecture them on the wrongs that they are committing?

    <edit>
    BTW, great post, ntsa... as usual.

    Please note, however, that many of these cmd.exe and system32 robo-searches, rather than being k1dd10ts, could possibly be an IIS worm trying to "make friends" and the like with other servers... to think, from now until basically eternity there'll be these stupid M$ worms roaming the Internet, always eating up a chunk of bandwidth. That is, at least, until free speech and communication has been made illegal. *chuckle*
    </edit>
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  4. #14
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Originally posted here by leadbelly
    so let me get this straight...
    every time my zone alarm/visualzone report alerts me to someone trying to scan my box or something like that i can report them....??
    i would be a busy guy i think..
    hmm I shouldn't do that... ZA picks up many things as 'attacks' it can also be some broadcast or misconfigured routers causing your ZA to react. Only notify an ISP when it's clear that it's an attack (like in the case of NTSA) or when several approaches come from the same IP (or small IP range). that's IMHO.

    About replies from isp net admins, yep they do reply. A while ago I had a scriptkiddie trying stuff against my boxes (unsuccessful) and I did the same as NTSA. I mailed to the IP address block owner abuse address. And they replied with thanks to notify, they gave me the e-mail address of the real owner and I never saw that IP again on my logs. Some ISPs / admins care.

  5. #15
    I am with draziw, he shouldn't be hacking against a private computer in the first place. As for getting banned from college, I think they will prob just ban him from the college computers. Anyway..., who would be dumb enough to hack from a college computer?




    -Sh4d0wX
    If l0vε aint å g4mε,thεn h0w c0mε thεrε arε §0 m4ny p|4yεr$?

  6. #16
    Oh yeh i forgot to ask......,how do you view those type of log files on a WinXp and Win98 systems?




    -Sh4d0wX
    If l0vε aint å g4mε,thεn h0w c0mε thεrε arε §0 m4ny p|4yεr$?

  7. #17
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    I wonder if someone gets banned cause if I read correctly in NTSA post it was a library computer... therefore anyone can use those comps to scan some IP's,
    or the library is infected with the Nimda / codeRed worm.... poor M$ systems

  8. #18
    quote:
    GetAd?PG=HOTBOS?SC=LG? HM=04514b47584b101e551e3b4719110440696909163a45132
    44c125b515f5244194149616d?LOC=I?TF=adframe?PUID=00014C60E6AC87BE?UC=1

    Turn in him!!
    this looks like an attempted buffer-overflow attempt to me

  9. #19
    Junior Member
    Join Date
    Aug 2001
    Posts
    17
    i have a dedicated server in germany and i receive all sorts of hack attempts from all over the world but especially from canada and germany. the problem with reacting like ntsa is that most of the attacks originate from huge isp networks with thousands, nearly millions, of users. a simple email informing the admin does change anything-- they won't even identify the user which scanned.

    here: several attempts a day on my ded:
    [Sat Jun 15 06:18:19 2002] [error] [client 208.245.147.50] Client sent malformed Host header
    [Sat Jun 15 14:09:51 2002] [error] [client 65.94.72.106] Client sent malformed Host header
    [Sat Jun 15 16:19:27 2002] [error] [client 213.67.12.82] Client sent malformed Host header
    [Sat Jun 15 21:04:50 2002] [error] [client 217.162.164.98] Client sent malformed Host header
    [Sun Jun 16 02:30:59 2002] [error] [client 81.72.230.164] File does not exist: /home/httpd/html/scripts/..%5c%5c../winnt/system32/cmd.exe
    [Sun Jun 16 03:56:42 2002] [error] [client 81.72.230.164] File does not exist: /home/httpd/html/scripts/..%5c%5c../winnt/system32/cmd.exe
    [Sun Jun 16 06:22:16 2002] [error] [client 81.72.230.164] File does not exist: /home/httpd/html/scripts/..%5c%5c../winnt/system32/cmd.exe
    [Mon Jun 17 02:36:35 2002] [error] [client 212.84.99.228] Client sent malformed Host header
    [Mon Jun 17 04:22:37 2002] [error] [client 217.52.98.105] Client sent malformed Host header
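
Added example, not part of the original posts: a small triage script for an Apache error log in the format shown in post #19, applying the rule of thumb from post #14 (only report when several probes come from the same IP). The sample lines are constructed with documentation-range addresses, and the `min_hits` threshold and label names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in the same Apache error_log format as the post;
# client addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
[Sat Jun 15 06:18:19 2002] [error] [client 192.0.2.10] Client sent malformed Host header
[Sun Jun 16 02:30:59 2002] [error] [client 203.0.113.7] File does not exist: /home/httpd/html/scripts/..%5c%5c../winnt/system32/cmd.exe
[Sun Jun 16 03:56:42 2002] [error] [client 203.0.113.7] File does not exist: /home/httpd/html/scripts/..%5c%5c../winnt/system32/cmd.exe
[Sun Jun 16 06:22:16 2002] [error] [client 203.0.113.7] File does not exist: /home/httpd/html/scripts/..%5c%5c../winnt/system32/cmd.exe
[Mon Jun 17 02:36:35 2002] [error] [client 198.51.100.23] Client sent malformed Host header
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")

def classify(msg):
    """Label a message; percent-decode first so encoded traversal is caught."""
    decoded = unquote(msg).replace("\\", "/").lower()
    if "cmd.exe" in decoded and "../" in decoded:
        return "iis-traversal-probe"
    if "malformed host header" in decoded:
        return "malformed-host"
    return "other"

def summarize(log_text):
    """Group events per client IP with per-kind counts and first/last timestamps."""
    clients = defaultdict(lambda: {"kinds": defaultdict(int), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        rec = clients[m["ip"]]
        rec["kinds"][classify(m["msg"])] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return clients

def reportable(log_text, min_hits=3):
    """IPs with at least min_hits traversal probes (min_hits is an assumed threshold)."""
    return sorted(ip for ip, rec in summarize(log_text).items()
                  if rec["kinds"]["iis-traversal-probe"] >= min_hits)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in reportable(SAMPLE_LOG):
        print(ip, dict(summary[ip]["kinds"]), summary[ip]["first"], "->", summary[ip]["last"])
```

The first and last timestamps per address are what an abuse contact needs alongside the raw lines, together with the time zone of the logging server.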

  10. #20
    Junior Member
    Join Date
    Aug 2001
    Posts
    17
    @ntsa: referring to germany isps:

    if the attacks you registered from germany were coming from networks like t-online.de, t-dialin.net or anything like t-something you won't even be able to change anything. (same goes for hansenet.de)

    the german telekom has millions of users and clients all over the world. they will not react and respond to your emails and probably not even trace the little hacker......... almost scripts-kiddies-paradise
