Hi All,
I've been seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu, from 5.135.135.42 to 44.155.6.1 port 80, over my tunnel. Anyone else seeing the same?
I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down.
Regards John EI7IG
John et al;
inetnum:        5.135.134.0 - 5.135.135.255
netname:        OVH
descr:          OVH SAS
descr:          Dedicated servers
descr:          http://www.ovh.com
country:        FR
admin-c:        OK217-RIPE
tech-c:         OTC2-RIPE
status:         ASSIGNED PA
mnt-by:         OVH-MNT
source:         RIPE # Filtered

role:           OVH Technical Contact
address:        OVH SAS
address:        2 rue Kellermann
address:        59100 Roubaix
address:        France
admin-c:        OK217-RIPE
tech-c:         GM84-RIPE
nic-hdl:        OTC2-RIPE
abuse-mailbox:  abuse@ovh.net
mnt-by:         OVH-MNT
source:         RIPE # Filtered

person:         Octave Klaba
address:        OVH SAS
address:        2 rue Kellermann
address:        59100 Roubaix
address:        France
phone:          +33 9 74 53 13 23
nic-hdl:        OK217-RIPE
abuse-mailbox:  abuse@ovh.net
mnt-by:         OVH-MNT
source:         RIPE # Filtered

% Information related to '5.135.0.0/16AS16276'
route:          5.135.0.0/16
descr:          OVH
origin:         AS16276
mnt-by:         OVH-MNT
source:         RIPE # Filtered
It also appears as if Amazon has been compromised like Target and Yahoo were recently. Their servers worldwide have been DoSsing me all weekend.
I saw them too. A whois lookup reveals that it is coming from a hosting provider in France.
I see lots of requests for http (port 80), telnet, sip, ping, etc. all the time. About one every 2-3 seconds.
My guess is they are compromised machines scanning for vulnerable hosts.
-Neil
On Sun, Feb 9, 2014 at 10:10 AM, John Ronan <jpronans@gmail.com> wrote:
(Please trim inclusions from previous messages)
Hi All,
I've been seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu, from 5.135.135.42 to 44.155.6.1 port 80, over my tunnel. Anyone else seeing the same?
I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down.
Regards John EI7IG
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
If you are running your gateway on a Linux box you can just watch tunnel traffic with the following command:
tcpdump -i eth0 ip proto 4
(where "eth0" is your Internet-facing interface).
-Neil
On Sun, Feb 9, 2014 at 11:35 AM, Neil Johnson <neil.johnson@erudicon.com> wrote:
I saw them too. A whois lookup reveals that it is coming from a hosting provider in France.
I see lots of requests for http (port 80), telnet, sip, ping, etc. all the time. About one every 2-3 seconds.
My guess is they are compromised machines scanning for vulnerable hosts.
-Neil
On Sun, Feb 9, 2014 at 10:10 AM, John Ronan <jpronans@gmail.com> wrote:
Hi All,
I've been seeing continuous traffic coming in from amprgw.sysnet.ucsd.edu, from 5.135.135.42 to 44.155.6.1 port 80, over my tunnel. Anyone else seeing the same?
I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down.
Regards John EI7IG
-- Neil Johnson http://erudicon.com
On 09/02/2014 17:10, John Ronan wrote:
I've disabled my tunnel for the moment as I don't have the time at the moment to chase it down.
Just drop traffic from that origin on your gateway/firewall.
73 de Marc, LX1DUC
Hello group:
Need some collective help here on a mail system hacker issue I've been having.
First, the IP address on my system he's coming in on is 44.2.14.1.
This person is dumping thousands of random emails into my system and some of them will match BBS AREA patterns and get forwarded out to my forward partners.
At first, I set up a log book scan script to look for bad logins, and then ban the IP address, but then I found out that since my 44.2.14.1 IP address goes "around" my firewall via UCSD, the block rules literally have zero effect.
I found a common "from" (online...@....) line in his emails, so in my "rewrite" file I used this command "onl*@* | *@* refuse" but that also had zero effect.
Then I tried telling JNOS "stop smtp" and "stop pop3" and that had zero effect.
JNOS's email system uses very old RFC rules, and none of the modern RFC rules, so it's easy for this hacker to login to my JNOS mail server and dump this junk. Luckily most get held, but as stated, a few match forward patterns, so they slip through.
Right now I've completely taken my JNOS off-line until a fix can be found.
Anyone have some suggestions on blocking SMTP and POP3 when my 44.2.14.1 address is live to the global net?
Any advice is appreciated in advance.
Thanks
Bill KG6BAJ
Congrats, you have a spammer. Research the IP he's sourcing as and add it to your IPTables.
On Sun, 2014-02-09 at 11:54 -0800, William Lewis wrote:
Hello group:
Need some collective help here on a mail system hacker issue I've been having.
First, the IP address on my system he's coming in on is 44.2.14.1.
This person is dumping thousands of random emails into my system and some of them will match BBS AREA patterns and get forwarded out to my forward partners.
At first, I set up a log book scan script to look for bad logins, and then ban the IP address, but then I found out that since my 44.2.14.1 IP address goes "around" my firewall via UCSD, the block rules literally have zero effect.
I found a common "from" (online...@....) line in his emails, so in my "rewrite" file I used this command "onl*@* | *@* refuse" but that also had zero effect.
Then I tried telling JNOS "stop smtp" and "stop pop3" and that had zero effect.
JNOS's email system uses very old RFC rules, and none of the modern RFC rules, so it's easy for this hacker to login to my JNOS mail server and dump this junk. Luckily most get held, but as stated, a few match forward patterns, so they slip through.
Right now I've completely taken my JNOS off-line until a fix can be found.
Anyone have some suggestions on blocking SMTP and POP3 when my 44.2.14.1 address is live to the global net?
Any advice is appreciated in advance.
Thanks
Bill KG6BAJ
Hi Bill, sorry to hear about your troubles.
On 2/9/2014 11:54, William Lewis wrote:
At first, I set up a log book scan script to look for bad logins, and then ban the IP address, but then I found out that since my 44.2.14.1 ip address goes "around" my firewall via UCSD, the block rules literally have zero effect.
Don't know if this will help, but this is one major reason that a number of years ago I opted to do all my IPIP routing via the Linux kernel and no longer in *NOS. It has more advanced routing capability, and can filter / NAT / etc. everything going into or out of those tunnels (as well as all other traffic). Then, as others have said, if it's SMTP traffic bound for the BBS and it's not coming from a net-44 address, it *must* hit my Postfix gateway. NOS also is configured with access rules to deny all non-44 SMTP packets in order to help enforce that policy.
Hope you get it nailed down!
73,
Brett
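The two tunnel-side checks the thread describes (Neil's tcpdump of the IPIP traffic, and Brett's policy that only net-44 sources may reach SMTP on the BBS), as an added example that is not from the list or any of its posters: a parser for `tcpdump -n -i eth0 ip proto 4` lines that flags non-44 inner sources hitting SMTP/POP3 through the tunnel and sources probing several ports. The sample capture is constructed, and the outer tunnel endpoints (198.51.100.1, 203.0.113.10) are placeholders, not amprgw's or anyone's real addresses.

```python
import re
import ipaddress
from collections import defaultdict

# tcpdump -n output for IPIP (proto 4): outer tunnel header, then the inner IP header.
IPIP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<outer_src>[\d.]+) > (?P<outer_dst>[\d.]+): "
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
AMPRNET = ipaddress.ip_network("44.0.0.0/8")  # net-44 as discussed on the list
MAIL_PORTS = {25, 110}                         # SMTP and POP3 on the JNOS box

def parse_ipip_line(line):
    """Inner-packet fields of one tcpdump line, or None if it is not an IPIP line."""
    m = IPIP_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def audit(lines, scan_threshold=3):
    """Flag non-44 sources reaching SMTP/POP3 through the tunnel (Brett's policy)
    and sources probing >= scan_threshold distinct dst:port pairs (Neil's scanners)."""
    targets = defaultdict(set)
    violations = []
    for line in lines:
        pkt = parse_ipip_line(line)
        if pkt is None:
            continue
        targets[pkt["src"]].add((pkt["dst"], pkt["dport"]))
        if pkt["dport"] in MAIL_PORTS and ipaddress.ip_address(pkt["src"]) not in AMPRNET:
            violations.append((pkt["src"], pkt["dst"], pkt["dport"]))
    scanners = sorted(s for s, t in targets.items() if len(t) >= scan_threshold)
    return {"mail_policy_violations": violations, "scanners": scanners}

# Constructed sample capture, not from the thread. Outer endpoints are placeholders:
# 198.51.100.1 stands in for amprgw, 203.0.113.10 for the local gateway.
SAMPLE = """\
10:10:01.000001 IP 198.51.100.1 > 203.0.113.10: IP 5.135.135.42.43012 > 44.155.6.1.80: Flags [S], seq 0, win 65535, length 0
10:10:03.000002 IP 198.51.100.1 > 203.0.113.10: IP 5.135.135.42.43013 > 44.155.6.1.23: Flags [S], seq 0, win 65535, length 0
10:10:05.000003 IP 198.51.100.1 > 203.0.113.10: IP 5.135.135.42.43014 > 44.155.6.1.5060: Flags [S], seq 0, win 65535, length 0
10:10:06.000004 IP 198.51.100.1 > 203.0.113.10: IP 203.0.113.77.51000 > 44.2.14.1.25: Flags [S], seq 0, win 65535, length 0
10:10:07.000005 IP 198.51.100.1 > 203.0.113.10: IP 44.131.10.5.51001 > 44.2.14.1.25: Flags [S], seq 0, win 65535, length 0
"""

if __name__ == "__main__":
    print(audit(SAMPLE.splitlines()))
```

Feed it live output with `tcpdump -n -l -i eth0 ip proto 4 | python3 -c '...'` or a saved capture; the mail-policy list is exactly the traffic a kernel-side filter on the tunnel interface would drop before it reaches NOS.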