Phun with IP's

Spazmatic

Well-Known Member
Joined
Aug 29, 2009
Messages
369
Hi Guys,

Anyhoo, I have recently come across an IP address attempting a brute-force attack on one of my public servers.

196.15.50.12 <-----

Ran a port scan; pretty much everything from 63 onwards is open.

So if anyone has some free time and wants to help find vulnerabilities on the machine, possibly inflict minor damage where possible :p
 

Nod

Honorary Master
Joined
Jul 22, 2005
Messages
10,057
http://www.projecthoneypot.org/ip_196.15.50.12
The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.
 

Spazmatic

Well-Known Member
Joined
Aug 29, 2009
Messages
369
Yeah, I did check that, but it didn't give me much info except the location.
 

s0lar

Executive Member
Joined
Sep 22, 2009
Messages
5,234
A while back I modified a version of SSH to log the attempt and retry the attacker with the same credentials. On occasion I would then log in and kill the bot by hand. Not very ethical and won't try it these days, don't have the minor law on my side anymore :(
 

Spazmatic

Well-Known Member
Joined
Aug 29, 2009
Messages
369
Ok, so I phoned AFRINIC and according to them that IP address should not be in use.

They are investigating and will let me know.
 

Spazmatic

Well-Known Member
Joined
Aug 29, 2009
Messages
369
In the meantime I have blocked the IP on our PIX. But the guy from AFRINIC was very confused, as according to him that IP should not be in use, so they are hopefully going to be able to get somewhere.

What I find quite strange is that when I run port scans, the first scan shows only about 10 ports open, then a little while later over 2000 ports open.
 
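An added example (not code posted by anyone in this thread) for making sense of two scans that disagree this badly: parse nmap's grepable (-oG) output from both runs, list which ports flipped to open, and flag a run where nearly every probed port answers open. That pattern is what a tarpit, or a scan-detecting firewall that SYN-ACKs every probe, produces, and it means the second run's 2000 "open" ports say nothing about real services. The two scan texts below are constructed, the host is a documentation address (192.0.2.10) rather than the IP from the thread, and the 0.9 open-fraction threshold is an assumed rule of thumb.

```python
"""Compare two nmap -oG (grepable) scans of one host and flag a run whose
'open' ports are almost certainly bogus (host or middlebox SYN-ACKs everything).

Added example for the thread; not code from any participant. Scan texts are
constructed, and the 0.9 threshold is an assumption.
"""


def _fake_grepable(host, open_ports, total_scanned):
    """Build grepable-format scan text. Constructed sample data, not real output."""
    ports = ", ".join("%d/open/tcp//unknown///" % p for p in open_ports)
    ignored = total_scanned - len(open_ports)
    return ("# Nmap 5.21 scan initiated (constructed sample)\n"
            "Host: %s ()\tStatus: Up\n"
            "Host: %s ()\tPorts: %s\tIgnored State: closed (%d)\n"
            % (host, host, ports, ignored))


HOST = "192.0.2.10"  # documentation address, stands in for the scanned box
# First scan: ten ordinary mail/web services open out of the top 1000 ports.
SCAN_BEFORE = _fake_grepable(HOST, [22, 25, 80, 110, 143, 443, 465, 587, 993, 995], 1000)
# Second scan a little later: almost every port from 63 upward answers as open.
SCAN_AFTER = _fake_grepable(HOST, sorted({22, 25} | set(range(63, 2049))), 2048)


def parse_grepable(text):
    """Return {host: {"ports": {(port, proto): state}, "ignored": n}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        entry = hosts.setdefault(host, {"ports": {}, "ignored": 0})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for item in field[len("Ports:"):].split(","):
                    parts = item.strip().split("/")  # port/state/proto//service//version/
                    if len(parts) >= 3 and parts[0].isdigit():
                        entry["ports"][(int(parts[0]), parts[2])] = parts[1]
            elif field.startswith("Ignored State:"):
                # "Ignored State: closed (997)" -> 997 probed ports nmap did not list
                entry["ignored"] += int(field.rsplit("(", 1)[1].rstrip(")"))
    return hosts


def open_ports(scan, host):
    """Set of (port, proto) reported open for host."""
    return {k for k, state in scan.get(host, {"ports": {}})["ports"].items() if state == "open"}


def compare_scans(before, after, host):
    """(ports newly open, ports no longer open) between two parsed scans."""
    b, a = open_ports(before, host), open_ports(after, host)
    return sorted(a - b), sorted(b - a)


def looks_like_synack_everything(scan, host, threshold=0.9):
    """True when nearly every probed port reports open: the host or a device in
    front of it is answering SYN-ACK to all probes, so the open list is noise."""
    entry = scan[host]
    probed = len(entry["ports"]) + entry["ignored"]
    return probed > 0 and len(open_ports(scan, host)) / float(probed) >= threshold


if __name__ == "__main__":
    before, after = parse_grepable(SCAN_BEFORE), parse_grepable(SCAN_AFTER)
    newly_open, newly_closed = compare_scans(before, after, HOST)
    print("open in first scan  :", len(open_ports(before, HOST)))
    print("newly open in second:", len(newly_open), "; closed since:", len(newly_closed))
    for label, scan in (("first", before), ("second", after)):
        print("%s scan answers open for nearly everything: %s"
              % (label, looks_like_synack_everything(scan, HOST)))
```

When the second run trips the check, the useful follow-up is not the port list but a verification of a few "open" ports with a real connect and banner grab: a tarpit or SYN-ACK-everything device completes the handshake and then sends nothing, whereas a genuine service usually talks.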

Techrat

Senior Member
Joined
Nov 15, 2009
Messages
990
If so many ports are open, is it not maybe a zombie? Surely if it was a direct attack from a "sensible" attacker they'd actually know how to block their own ports? (maybe it's an idiot)

Not sure, but there's no way to spoof an IP address is there? (don't think so)
 

Techrat

Senior Member
Joined
Nov 15, 2009
Messages
990
So isn't it possible that this IP is being spoofed, as Afrinic are saying it shouldn't be in use?
 

ambo

Expert Member
Joined
Jun 9, 2005
Messages
2,685
So isn't it possible that this IP is being spoofed, as Afrinic are saying it shouldn't be in use?
It isn't just spoofing. They actually have a forged BGP announcement of the entire IP block. Looks like there is some nasty stuff coming from that IP.

This is actually more like IP address hijacking. Except there is not someone that they have 'hijacked' the IPs from since they are not currently in use. Sneaky.

EDIT: On further investigation it appears that it's neither spoofing nor hijacking. The IPs are being legitimately used by a University in Saudi Arabia. Just looks like one of their PCs has caught a virus and is busy spamming merrily.
 