From owner-freebsd-security Thu Jan 6 21:52: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from netbox.com (home.netbox.com [206.24.105.130])
	by hub.freebsd.org (Postfix) with ESMTP id E3EFC14BDC
	for ; Thu, 6 Jan 2000 21:51:57 -0800 (PST)
	(envelope-from jwgray@netbox.com)
Received: from localhost (jwgray@localhost)
	by netbox.com (8.8.8/8.8.7) with ESMTP id VAA02090;
	Thu, 6 Jan 2000 21:49:47 -0800 (PST)
	(envelope-from jwgray@netbox.com)
Date: Thu, 6 Jan 2000 21:49:47 -0800 (PST)
From: Jeff Gray
To: "Chris Cason [work]"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Port scans and site theft from IP inside mr.net
In-Reply-To: <002e01bf58c5$18cd90f0$cc0010ac@melbbureau.central.dubsat.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Chris,

I cannot reach the IP address via http.
Pingable, tracerouteable.
No information from dig -x.
Using lynx I get the message 'no startfile'.
Seems to have taken it down as a web server.

Jeff

On Fri, 7 Jan 2000, Chris Cason [work] wrote:

> This is just a heads-up about some activity I've just seen, and
> also I guess a query as to whether or not you guys have seen this
> happen before.
>
> I'm the server admin of a graphics site that is reasonably popular
> (www.irtc.org).
>
> Recently, we had a person write to us complaining that we were
> port-scanning him and could we please explain why? He included some logs
> that showed that the port scans were coming from 137.192.77.10.
>
> Now, this is nothing whatsoever like our IP address, so we were kind
> of scratching our heads wondering why he wrote to -US- to complain,
> until we noticed that, if we made a HTTP connection to 137.192.77.10,
> you got an exact duplicate of our site. To make sure it wasn't a
> mirage, we changed a page on our site, hit the above one, and sure
> enough the unchanged version was present.
>
> Whoever is operating the site has evidently gone to the trouble of
> copying a large chunk of our site (I suspect using a reverse-proxy)
> for some unknown reason. I assume it's a reverse proxy since, now
> that I have ipfw'd his system off from ours, I still see it hitting
> my HTTP ports from time to time. I've also seen him pinging us since.
>
> He has now configured his system to deny IP from my server, though
> I can still ping him from elsewhere. Finally, the web server that
> was running at 137.192.77.10 port 80 is now either not there at all,
> or he's configured it not to accept connections from any of the
> networks that we were previously using to look at what he was doing.
> I believe it is still there as I am still getting attempted connections
> from his server to mine on port 80.
>
> Given that he was port-scanning I can only guess that he wanted people
> to complain to us instead of him, but that doesn't seem to make a lot
> of sense either (it's kind of a weak cover).
>
> I'm curious to see if anyone else here is able to see his web server
> anymore, and if so, if they could take a screen-shot including the
> browser's address bar (as I didn't do so while I had the chance).
>
> Also, if anyone has seen anything like this in the past and can shed
> any more light on it I'd appreciate knowing.
>
> FWIW, we have complained twice to mr.net (the hosts of this ip) over
> the past week, and apart from their automated response, have been
> greeted with nothing but thunderous silence. It appears to me that
> they have little concern about this sort of activity. In fact I don't
> even know myself if it's actually illegal (though it's certainly
> unethical if it's not).
>
> thanks,
>
> -- Chris
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
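Chris's inference that the copy is a reverse proxy rests on two observations: the duplicate at 137.192.77.10 served a stale version of a page he had changed, and his origin server kept receiving HTTP requests from that address even after it was blocked with ipfw. From the origin's side, the first thing a server admin can do offline is search the access log for a client that pulls most of the site's distinct URLs without ever sending a Referer, which is how a proxy fetching pages on someone else's behalf looks, as opposed to a browser following links. The script below is an added example for this thread, not code posted by any of the participants. It assumes Apache-style "combined" log lines, which are constructed here (137.192.77.10 is the address named in the thread; the other addresses, paths and timestamps are made up), assumed flagging thresholds, and the classic ipfw one-host deny rule form for the block.

```python
"""Look for a client that behaves like a site mirror or reverse proxy in
web server access logs, and emit the ipfw rule that would shut it out.

Added example for this thread, not code posted by anyone in it.  The log
lines are constructed; 137.192.77.10 is the address named in the thread,
the other addresses, paths and times are made up.  The thresholds are
assumptions, and a flag is a heuristic worth a closer look, not proof."""
import re
from collections import defaultdict

# NCSA "combined" log format as written by Apache (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two ordinary visitors following links, and one client
# that fetches every page of the site without ever sending a Referer.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jan/2000:09:00:01 -0800] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.5"',
    '10.0.0.5 - - [07/Jan/2000:09:00:03 -0800] "GET /images/logo.gif HTTP/1.0" 200 2048 "http://www.example.org/" "Mozilla/4.5"',
    '137.192.77.10 - - [07/Jan/2000:09:00:04 -0800] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [07/Jan/2000:09:01:10 -0800] "GET /gallery/index.html HTTP/1.0" 200 8000 "http://www.example.org/" "Mozilla/4.5"',
    '137.192.77.10 - - [07/Jan/2000:09:01:12 -0800] "GET /gallery/index.html HTTP/1.0" 200 8000 "-" "Mozilla/4.0"',
    '137.192.77.10 - - [07/Jan/2000:09:01:13 -0800] "GET /images/logo.gif HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [07/Jan/2000:09:02:00 -0800] "GET /gallery/rules.html HTTP/1.0" 200 3000 "http://www.example.org/gallery/index.html" "Mozilla/4.5"',
    '137.192.77.10 - - [07/Jan/2000:09:02:02 -0800] "GET /gallery/rules.html HTTP/1.0" 200 3000 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [07/Jan/2000:09:03:00 -0800] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.5"',
]


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            records.append(m.groupdict())
    return records


def client_profiles(records):
    """Per client IP: request count, distinct paths fetched, Referer-less count."""
    profiles = defaultdict(lambda: {"total": 0, "paths": set(), "no_referer": 0})
    for r in records:
        p = profiles[r["ip"]]
        p["total"] += 1
        p["paths"].add(r["path"])
        if r["referer"] == "-":
            p["no_referer"] += 1
    return profiles


def suspected_mirrors(records, min_coverage=0.75, min_no_referer=0.9):
    """Flag clients that fetched at least min_coverage of the site's distinct
    URLs while sending no Referer on at least min_no_referer of requests.
    A browser following links sends a Referer on sub-requests; a proxy or
    mirror pulling pages for its own visitors typically sends none."""
    site_paths = {r["path"] for r in records}
    flagged = {}
    for ip, p in client_profiles(records).items():
        coverage = len(p["paths"]) / len(site_paths)
        no_ref = p["no_referer"] / p["total"]
        if coverage >= min_coverage and no_ref >= min_no_referer:
            flagged[ip] = {"coverage": round(coverage, 2),
                           "no_referer_ratio": round(no_ref, 2),
                           "requests": p["total"]}
    return flagged


def ipfw_deny_rule(ip, rule_number=1000):
    """Classic FreeBSD ipfw rule blocking all IP traffic from one host
    (assumed form: 'ipfw add <n> deny ip from <host> to any')."""
    return f"ipfw add {rule_number} deny ip from {ip} to any"


if __name__ == "__main__":
    hits = suspected_mirrors(parse_log(SAMPLE_LOG))
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
        print("  block with:", ipfw_deny_rule(ip))
```

Run against a real log with `parse_log(open("/var/log/httpd-access.log"))`; the thresholds should be tuned to the site, since a legitimate crawler or a visitor with Referer disabled can also trip the heuristic, so the flag is a prompt to check the origin's log for a stale-copy pattern or to fetch the suspect host from a third network, as Jeff did with lynx above, before blocking.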