Unusual System Events
=-=-=-=-=-=-=-=-=-=-=

Feb 17 23:17:10 greatwall snort: [1:0:0] TCP to 12345 NetBus Backdoor {TCP} 12.82.128.130:1240 -> 12.82.128.197:12345
Feb 17 23:17:31 greatwall last message repeated 3 times

Feb 17 23:17:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=57388 F=0x4000 T=127 SYN (#64)
Feb 17 23:17:13 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=65324 F=0x4000 T=127 SYN (#64)
Feb 17 23:17:19 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=7981 F=0x4000 T=127 SYN (#64)
Feb 17 23:17:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=9005 F=0x4000 T=127 SYN (#64)

Sun Feb 17 23:17:10 2002 12.82.128.130 [2 hops]: Windows 9x or 2000 12.82.128.130:1240 -> 12.82.128.197:12345 (timestamp: 184659971 @1014016630)
Sun Feb 17 23:17:13 2002 12.82.128.130 [2 hops]: Windows 9x or 2000 12.82.128.130:1240 -> 12.82.128.197:12345 (timestamp: 184659971 @1014016633)
Sun Feb 17 23:17:19 2002 12.82.128.130 [2 hops]: Windows 9x or 2000 12.82.128.130:1240 -> 12.82.128.197:12345 (timestamp: 184659971 @1014016639)
Sun Feb 17 23:17:31 2002 12.82.128.130 [2 hops]: Windows 9x or 2000 12.82.128.130:1240 -> 12.82.128.197:12345

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman

Request: 12.82.128.130
connecting to whois.arin.net [192.149.252.34:43] ...

AT&T ITS (NET-ATT)
   200 Laurel Avenue South
   Middletown, NJ 07748
   US

   Netname: ATT
   Netblock: 12.0.0.0 - 12.255.255.255
   Maintainer: ATTW

   Coordinator:
      Kostick, Deirdre  (DK71-ARIN)  help@IP.ATT.NET
      (888)613-6330

   Domain System inverse mapping provided by:

   DBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.106
   DMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.70
   CBRU.BR.NS.ELS-GMS.ATT.NET   199.191.128.105
   CMTU.MT.NS.ELS-GMS.ATT.NET   12.127.16.69
Look at the IP address: it's almost identical to mine.
This is some clown that I see a *lot* of: he's on a dialup very close to me on access.att.net and he's constantly probing for cracked boxes with various cracker tools.
Lately he's looking for boxes cracked by the NetBus trojan.
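As an added example (not part of the original post), a small Python parser for the ipchains "Packet log:" lines above that groups the four denied SYNs by source port and time: same source port 1240 with gaps of 3, 6 and 12 seconds is TCP retransmission of one NetBus connection attempt, so the log records one probe rather than four. The sample input is the page's own log text; the year 2002 is assumed from the p0f timestamps, and the 60-second window is an assumption of this example.

```python
import re
from datetime import datetime

# Sample input: the page's own ipchains and snort lines (syslog omits the year).
SAMPLE_LOG = """\
Feb 17 23:17:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=57388 F=0x4000 T=127 SYN (#64)
Feb 17 23:17:13 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=65324 F=0x4000 T=127 SYN (#64)
Feb 17 23:17:19 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=7981 F=0x4000 T=127 SYN (#64)
Feb 17 23:17:31 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 12.82.128.130:1240 12.82.128.197:12345 L=48 S=0x00 I=9005 F=0x4000 T=127 SYN (#64)
Feb 17 23:17:31 greatwall snort: [1:0:0] TCP to 12345 NetBus Backdoor {TCP} 12.82.128.130:1240 -> 12.82.128.197:12345
"""

# Field layout of an ipchains "Packet log:" line as printed by the 2.2 kernel.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=\d+(?P<syn> SYN)? \(#\d+\)$"
)
BACKDOOR_PORTS = {12345: "NetBus"}  # the port the page's snort rule flags

def parse_ipchains(text, year=2002):
    """Yield one dict per ipchains line; other syslog lines (e.g. snort) are skipped."""
    for m in filter(None, map(IPCHAINS_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        rec["dport"] = int(rec["dport"])
        yield rec

def summarize_probes(text, retransmit_window=60):
    """Group denied TCP SYNs into connection attempts: repeated SYNs from the same
    source port within the window are the peer's retransmissions of one attempt."""
    attempts, latest = [], {}
    for r in parse_ipchains(text):
        if r["verdict"] != "DENY" or r["proto"] != "6" or not r["syn"]:
            continue
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        a = latest.get(key)
        if a and (r["ts"] - a["last"]).total_seconds() <= retransmit_window:
            a["packets"] += 1
            a["last"] = r["ts"]
        else:
            a = {"src": r["src"], "dst": r["dst"], "dport": r["dport"],
                 "service": BACKDOOR_PORTS.get(r["dport"], "unknown"),
                 "first": r["ts"], "last": r["ts"], "packets": 1}
            attempts.append(a)
            latest[key] = a
    return attempts
```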