Phun with IP's

Spazmatic

Hi Guys,

Anyhoo, I have recently come across an IP address attempting a brute force attack on one of my public servers.

196.15.50.12 <-----

Ran a port scan, pretty much everything from 63 onwards is open.

So if anyone has some free time and wants to help find vulnerabilities on the machine, possibly inflict minor damage where possible :p
 
http://www.projecthoneypot.org/ip_196.15.50.12
The Project Honey Pot system has detected behavior from the IP address consistent with that of a mail server. Below we've reported some other data associated with this IP. This interrelated data helps map spammers' networks and aids in law enforcement efforts. If you know something about this IP, please leave a comment.
 
A while back I modified a version of SSH to log the attempt and retry the attacker with the same credentials. On occasion I would then login and kill the bot by hand. Not very ethical and won't try it these days, don't have the minor law on my side anymore :(
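
The logging half of that idea done on the defender's side only, as an added example (not the poster's modified SSH): parse sshd "Failed password" lines, flag any source that racks up a threshold of failures inside a short window, and render the block as PIX `shun` lines. The log lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of syslog-style sshd lines (not real log data).
SAMPLE_LOG = """\
Sep  3 10:01:02 srv sshd[2101]: Failed password for root from 196.15.50.12 port 44122 ssh2
Sep  3 10:01:04 srv sshd[2103]: Failed password for invalid user admin from 196.15.50.12 port 44130 ssh2
Sep  3 10:01:05 srv sshd[2105]: Failed password for root from 196.15.50.12 port 44141 ssh2
Sep  3 10:01:07 srv sshd[2107]: Failed password for root from 196.15.50.12 port 44150 ssh2
Sep  3 10:01:09 srv sshd[2109]: Failed password for oracle from 196.15.50.12 port 44161 ssh2
Sep  3 10:02:30 srv sshd[2120]: Failed password for bob from 10.0.0.7 port 51000 ssh2
Sep  3 10:02:31 srv sshd[2122]: Accepted password for bob from 10.0.0.7 port 51000 ssh2
"""

# Matches both "Failed password for root from ..." and the "invalid user" variant.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2009):
    """Yield (timestamp, ip, user) for each failed sshd password attempt."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog lines carry no year, so one is supplied (assumed 2009 here)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def brute_force_sources(log_text, threshold=5, window_s=60):
    """Return {ip: peak failures} for sources reaching `threshold` failures within `window_s`."""
    recent = defaultdict(deque)   # per-source sliding window of failure timestamps
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

def pix_shun_commands(flagged):
    """Render a `shun <ip>` line per flagged source for a Cisco PIX/ASA."""
    return [f"shun {ip}" for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_LOG)
    print(hits)                              # {'196.15.50.12': 5}
    print("\n".join(pix_shun_commands(hits)))
```

Because SSH runs over TCP, a "Failed password" line means the three-way handshake completed, so the address logged is the real peer rather than a blindly spoofed one; that is the check to apply before asking whether a source is forged.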
 
Ok, so I phoned Afrinic and according to them that IP address should not be in use.

They are investigating and will let me know.
 
In the meantime I have blocked the IP on our PIX. But the guy from Afrinic was very confused as according to him that IP should not be in use, so they are hopefully going to be able to get somewhere.

What I find quite strange is when I run port scans, the first scan shows only about 10 ports open, then a little while later over 2000 ports open.
 
If so many ports are open is it not maybe a zombie? Surely if it was a direct attack from a "sensible" attacker they'd actually know how to block their own ports? (maybe it's an idiot)

Not sure, but there's no way to spoof an IP address is there? (don't think so)
 
So isn't it possible that this IP is being spoofed, as Afrinic are saying it shouldn't be in use?
 
So isn't it possible that this IP is being spoofed, as Afrinic are saying it shouldn't be in use?
It isn't just spoofing. They actually have a forged BGP announcement of the entire IP block. Looks like there is some nasty stuff coming from that IP.

This is actually more like IP address hijacking. Except there is not someone that they have 'hijacked' the IPs from since they are not currently in use. Sneaky.

EDIT: On further investigation it appears that it's neither spoofing nor hijacking. The IPs are being legitimately used by a University in Saudi Arabia. Just looks like one of their PCs has caught a virus and is busy spamming merrily.
 