*SHORT* summary of some of the attacks against us for June 2006

Just too many scans and not enough time to keep the list up all the time, so some of the more interesting/annoying scans/attacks, or 1 day samples, are here.

year - time EASTERN source_ip[:port] (dns name, if any) attack/scan/notes

2006/06/06-12:20:06 132.235.156.63 scanned port 135 445 in BR
2006/06/06-06:06:35 132.235.197.38 scanned port 137 over 109 ips in BR
2006/06/06-18:59:10 132.235.28.127 scanned port 135
2006/06/06-06:00:02 132.235.36.14 scanned port 123 137 138 in BR
2006/06/06-08:06:35 132.235.8.198 scanned port 137 over 111 ips in BR
2006/06/06-23:40:27 220.135.213.167 (220-135-213-167.HINET-IP.hinet.net.) brute force ftp logins for Administrator
2006/06/06-05:59:09 132.235.45.165 scanned port 445
2006/06/07-14:06:04 210.52.216.195 () brute force login attempt via ssh
2006/06/07-06:00:20 132.235.156.63 () scanned port 445
2006/06/07-06:06:37 132.235.197.38 () scanned port 137
2006/06/07-06:00:02 132.235.36.14 scanned port 123 445 137
2006/06/07-08:46:57.63 132.235.59.191 () scanned port 139 445
2006/06/07-06:01:05 132.235.8.198 scanned port 137
2006/06/08-08:15:21 80.177.3.243 (jsdi.demon.co.uk.) attack web servers, get malware from 72.18.195.161 (file lnikon)
2006/06/12-05:23:12 125.246.51.194 () brute force user name attack via ssh
2006/06/12-05:40:13 211.169.132.162 () brute force user name attack via ssh
2006/06/12-05:23:15 211.239.158.166 () brute force user name attack via ssh
2006/06/21-07:38:50 - talk about port scanning - from 06:00:00 thru 07:18:30.
2006/06/21-07:38:50 - 204.16.208.66 scanned port 1026 over 654 ips
2006/06/21-07:38:50 - 204.16.208.66 scanned port 1027 over 441 ips
2006/06/21-07:38:50 - 204.16.208.75 scanned port 1026 over 579 ips
2006/06/21-07:38:50 - 204.16.208.75 scanned port 1027 over 503 ips
2006/06/21-07:38:50 - 204.16.208.101 scanned port 1026 over 75 ips
2006/06/21-07:38:50 - 204.16.208.101 scanned port 1027 over 78 ips
2006/06/21-07:38:50 - 204.16.208.102 scanned port 1026 over 121 ips
2006/06/21-07:38:50 - 204.16.208.102 scanned port 1027 over 118 ips
2006/06/21-07:38:50 - 204.16.208.105 scanned port 1026 over 109 ips
2006/06/21-07:38:50 - 204.16.208.105 scanned port 1027 over 99 ips
2006/06/21-07:38:50 - 204.16.208.106 scanned port 1026 over 105 ips
2006/06/21-07:38:50 - 204.16.208.106 scanned port 1027 over 103 ips
2006/06/21-07:38:50 - 204.16.208.113 scanned port 1026 over 115 ips
2006/06/21-07:38:50 - 204.16.208.113 scanned port 1027 over 117 ips
2006/06/21-07:38:50 - 204.16.208.116 scanned port 1026 over 160 ips
2006/06/21-07:38:50 - 204.16.208.116 scanned port 1027 over 140 ips
2006/06/21-07:38:50 - with the message to windows of:
2006/06/21-07:38:50 - SYSTEM
2006/06/21-07:38:50 - ALERT
2006/06/21-07:38:50 - Microsoft Windows has encounted an Internal Error
2006/06/21-07:38:50 - Your windows registry is corrupted.
2006/06/21-07:38:50 - Microsoft recommends a complete system scan.
2006/06/21-07:38:50 - Microsoft recommends
2006/06/21-07:38:50 - http://www.msreg.com
2006/06/21-07:38:50 - To repair now for a free download
2006/06/23-01:00:52 - Msg from abusedept@fastcolocation.net concerning port scans from 204.16.208.*
2006/06/23-01:00:52 - We have completed our investigation and have blocked the offending ip
2006/06/23-01:00:52 - from our network due to TOS/AUP violation. It may take up to 72 hours
2006/06/23-01:00:52 - for this process to be completed.
2006/06/26-06:01:48 - thru 07:55:16 - 2242 - connections from 204.16.208.* to ports 1026, 1027...
2006/06/26-06:01:48 - still waiting for 72 hours...
2006/06/27-06:09:20 - thru 2006/06/28-05:49:55 - 30600 - connections from 204.16.208.* to ports 1026, 1027... on subnets 1-3,14-19,201
2006/06/27-06:09:20 - (204.16.208. 59,66,74,75,101,103,105,106,111,113,116)
2006/06/27-06:09:20 - thru 2006/06/28-05:49:54 - 1783 - connections from 204.16.208.* to ports 1026, 1027... on subnet 4
2006/06/27-06:09:20 - (204.16.208. 59, 66, 74, 75 )
2006/06/27-06:09:20 - STILL waiting for 72 hours...
2006/06/28-08:09:20 - STILL!!! waiting for 72 hours... (since their email was on Friday, maybe they mean 4 work days?)
2006/06/28-22:49:04. 209.96.247.46 (ppp46.ts1.Gloucester.visi.net.) scanned our entire net for port 111.
2006/06/29-08:09:20 - STILL!!! 204.16.208. whatever with the popups. waiting for 72 hours...
2006/06/30-08:09:20 - STILL!!! 204.16.208. whatever with the popups. Emailed them again.