From dittrich@cac.washington.edu Tue Dec 19 16:28:18 2000
Received: from mxu1.u.washington.edu (mxu1.u.washington.edu [140.142.32.8]) by lists.u.washington.edu (8.9.3+UW00.05/8.9.3+UW00.12) with ESMTP id QAA193098; Tue, 19 Dec 2000 16:28:17 -0800
Received: from mxout2.cac.washington.edu (mxout2.cac.washington.edu [140.142.33.4]) by mxu1.u.washington.edu (8.9.3+UW00.02/8.9.3+UW99.09) with ESMTP id QAA18406; Tue, 19 Dec 2000 16:28:16 -0800
Received: from shiva1.cac.washington.edu (shiva1.cac.washington.edu [140.142.100.201]) by mxout2.cac.washington.edu (8.9.3+UW00.02/8.9.3+UW00.01) with ESMTP id QAA19499; Tue, 19 Dec 2000 16:28:16 -0800
Received: from localhost (dittrich@localhost) by shiva1.cac.washington.edu (8.9.3+UW00.02/8.9.3+UW99.09) with ESMTP id QAA09589; Tue, 19 Dec 2000 16:28:15 -0800
Date: Tue, 19 Dec 2000 16:28:15 -0800 (PST)
From: Dave Dittrich
To: Network System Administrators list
cc: LAN Administrators list
Subject: Probes of campus systems from Netherlands
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

As many of you are probably aware by now, the UW Medical Center has been the center of a story of multi-system compromise (i.e., the use of "stepping stones"), with the intruder acknowledged to be coming in from the Netherlands. This morning, probes have been seen again coming from a different customer netblock, but from the same top level network provider "chello.nl".
Today's probes came from:

  e72067.upc-e.chello.nl  213.93.72.67

  inetnum:  213.93.72.0 - 213.93.75.255
  netname:  UPC-DRA-CABLE
  descr:    Chello DHCP
  country:  NL
  admin-c:  ER1204-RIPE
  tech-c:   RO641-RIPE
  tech-c:   BB2539-RIPE
  tech-c:   HMCB1-RIPE
  status:   ASSIGNED PA
  remarks:  Contact abuse@chello.nl concerning criminal
  remarks:  activities like spam, hacks, portscans
  notify:   hostmaster@chello.at
  mnt-by:   CHELLO-MNT
  changed:  hostmaster@chello.at 20001116
  source:   RIPE

One of the systems involved in the UWMC attack this summer was in the ..telekabel.chello.nl domain:

  inetnum:  212.187.63.0 - 212.187.63.255
  netname:  TK-ZLT-CBL-1
  descr:    Zaltbommel Cablemodems 1
  country:  NL
  admin-c:  WD294-RIPE
  tech-c:   HTK1-RIPE
  tech-c:   RO641-RIPE
  tech-c:   BB2539-RIPE
  status:   ASSIGNED PA
  notify:   hostmaster@chello.at
  mnt-by:   TK-MNT
  changed:  sbaumann@chello.at 19991109
  source:   RIPE

(Chello is a broadband provider in Europe, so this is like saying that these two probes/attacks are coming from two local customer sub-networks, who both get their network service from .uswest.net or .home.com.)

It is not known if these are related to the earlier UWMC incident, are copycats, or just independent probes (the UW network is probed daily for vulnerable hosts). Heightened awareness of these issues is warranted, however, since shared networks (and things like IP based access controls like I mentioned this morning on lanadmin) can have cross-organizational security impact if intrusions are successful and sniffers installed.

I would also remind everyone to be proactive about preparing for incident response by understanding the steps in the incident response cycle, and to be aware that preservation of evidence is an important step.
The following documents are referenced to anyone reporting a security incident, but knowing them in advance will make everyone's lives easier:

  http://staff.washington.edu/dittrich/misc/faqs/responding.faq
  http://staff.washington.edu/dittrich/misc/forensics/

If you have evidence of successful intrusions from this site, please report it to security@cac.washington.edu.

--
Dave Dittrich                           Computing & Communications
dittrich@cac.washington.edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

---------- Forwarded message ----------

> Dec 19 08:55:53 XXXXXXX in.ftpd[18223]: refused connect from 213.93.72.67
> Dec 19 08:55:55 XXXXX in.ftpd[21131]: refused connect from 213.93.72.67
> Dec 19 08:55:53 XXXXX in.ftpd[29320]: refused connect from 213.93.72.67
> Dec 19 08:55:55 XXXXX in.ftpd[2806]: refused connect from 213.93.72.67
> Dec 19 08:55:43 XXXXX in.ftpd[28878]: refused connect from 213.93.72.67
> Dec 19 08:55:55 XXXXX in.ftpd[2777]: refused connect from 213.93.72.67
> Dec 19 08:55:55 XXXXX in.ftpd[16211]: refused connect from 213.93.72.67
> Dec 19 08:55:54 XXXXXXX in.ftpd[19211]: refused connect from e72067.upc-e.chello.nl
> Dec 19 08:55:55 XXXXX in.ftpd[9251]: refused connect from 213.93.72.67
> Dec 19 08:55:55 XXXXX in.ftpd[25201]: refused connect from 213.93.72.67
> Dec 19 08:55:54 XXXXX in.ftpd[29420]: refused connect from 213.93.72.67
> Dec 19 08:55:53 XXXXXXX in.ftpd[3604]: refused connect from 213.93.72.67
> Dec 19 08:55:53 XXXXXX in.ftpd[12157]: refused connect from e72067.upc-e.chello.nl
> Dec 19 08:55:55 XXXXX in.ftpd[1897]: refused connect from 213.93.72.67
> Dec 19 08:55:53 XXXXXX in.ftpd[10629]: refused connect from 213.93.72.67
> Dec 19 08:55:53 XXXXXXX in.ftpd[13670]: refused connect from 213.93.72.67
> Dec 19 08:55:53 XXXXXXX in.ftpd[18914]: refused connect from e72067.upc-e.chello.nl
> Dec 19 08:55:54 XXXXXX in.ftpd[13274]: refused connect from 213.93.72.67
> Dec 19 08:55:55 XXXXX in.ftpd[21257]: refused connect from 213.93.72.67
> Dec 19 08:55:55 XXXXXX in.ftpd[24124]: refused connect from 213.93.72.67
> Dec 19 09:08:50 XXXXX in.ftpd[19745]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:11:52 XXXXX2 in.ftpd[8395]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:11:58 XXXXXX ftpd[10589]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:11:58 XXXXX ftpd[28938]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:11:59 XXXXXX ftpd[5604]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:13:30 XXXXXXX ftpd[26961]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:13:30 XXXXXX ftpd[15028]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:13:30 XXXXX ftpd[10492]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:13:30 XXXXX ftpd[30052]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:13:30 XXXXXXX ftpd[20209]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:13:30 XXXXXX ftpd[29197]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:13:30 XXXXXX ftpd[28598]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:17:42 XXXXXXX ftpd[20390]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:17:42 XXXXXX ftpd[28778]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:17:42 XXXXX ftpd[12027]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:18:13 XXXXXXX ftpd[27178]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:23:27 XXXXXXXX ftpd[19515]: refused connect from e72067.upc-e.chello.nl
> Dec 19 09:23:31 XXXXX ftpd[12827]: refused connect from e72067.upc-e.chello.nl
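The forwarded report above is a set of TCP-wrappers "refused connect from" syslog lines in which one source address hits many campus hosts within a few minutes, sometimes logged as an IP and sometimes as its reverse name. The following is an added example, not part of the original message or of any UW tool, showing how an administrator could parse such lines, fold the two spellings of the source together, flag a host sweep (one source refused by several distinct machines inside a short window), and record a SHA-256 digest of the raw excerpt for the evidence-preservation step the message mentions. The sample log text and host names are constructed for the example; the alias table standing in for reverse DNS is an assumption.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same format as the forwarded report
# (host names are invented; the chello.nl source is the one named in the report,
# 192.0.2.44 is a documentation address used as a non-scanning control).
SAMPLE_LOG = """\
Dec 19 08:55:43 hostA in.ftpd[28878]: refused connect from 213.93.72.67
Dec 19 08:55:53 hostB in.ftpd[18223]: refused connect from 213.93.72.67
Dec 19 08:55:53 hostC in.ftpd[12157]: refused connect from e72067.upc-e.chello.nl
Dec 19 08:55:55 hostD in.ftpd[21131]: refused connect from 213.93.72.67
Dec 19 09:11:58 hostE ftpd[10589]: refused connect from e72067.upc-e.chello.nl
Dec 19 09:13:30 hostF ftpd[26961]: refused connect from e72067.upc-e.chello.nl
Dec 19 09:23:31 hostG ftpd[12827]: refused connect from e72067.upc-e.chello.nl
Dec 19 10:02:11 hostA in.ftpd[31001]: refused connect from 192.0.2.44
Dec 19 10:02:12 hostA sshd[31002]: refused connect from 192.0.2.44
"""

# syslog prefix, then the fixed TCP-wrappers refusal text
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<daemon>[\w.]+)\[(?P<pid>\d+)\]: refused connect from (?P<src>\S+)$"
)

# Assumed alias table: the report logs the same source both as an address and as its
# reverse name. A real deployment would use DNS; a static map keeps this example offline.
ALIASES = {"e72067.upc-e.chello.nl": "213.93.72.67"}


def parse_line(line, year=2000):
    """Parse one 'refused connect from' line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "daemon": m["daemon"],
            "src": ALIASES.get(m["src"], m["src"])}


def summarize(log_text):
    """Group parsed refusals by canonical source address, each list sorted by time."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    for recs in by_src.values():
        recs.sort(key=lambda r: r["ts"])
    return dict(by_src)


def is_sweep(recs, min_hosts=3, window=timedelta(minutes=10)):
    """True if any window-long slice of the (time-sorted) records touches >= min_hosts distinct hosts."""
    lo = 0
    for hi in range(len(recs)):
        while recs[hi]["ts"] - recs[lo]["ts"] > window:
            lo += 1
        if len({r["host"] for r in recs[lo:hi + 1]}) >= min_hosts:
            return True
    return False


def flag_sweeps(log_text, **kw):
    """Return {src: (hits, distinct_hosts, first_ts, last_ts)} for sources that look like a sweep."""
    flagged = {}
    for src, recs in summarize(log_text).items():
        if is_sweep(recs, **kw):
            flagged[src] = (len(recs), len({r["host"] for r in recs}),
                            recs[0]["ts"], recs[-1]["ts"])
    return flagged


def evidence_digest(log_text):
    """SHA-256 of the excerpt exactly as received, to record alongside the saved copy."""
    return hashlib.sha256(log_text.encode()).hexdigest()


if __name__ == "__main__":
    for src, (hits, hosts, first, last) in flag_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {hits} refused connects across {hosts} hosts, "
              f"{first:%b %d %H:%M:%S} .. {last:%b %d %H:%M:%S}")
    print("excerpt sha256:", evidence_digest(SAMPLE_LOG))
```

The thresholds (three distinct hosts within ten minutes) are deliberately low so that a sweep like the one reported stands out while a single machine retrying against one host does not; tune them to the size of the network segment being watched. Hash the excerpt before editing or anonymizing host names, since the digest is only useful as evidence if it matches the copy that was actually saved.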