[olug] Attacked by Romanian Script Kiddies

Charles Bird cbird at mail.datar8.com
Tue Oct 24 23:29:45 UTC 2006


Well, I see ssh brute attempts every day, about 2 times, and all the other
"normal" activity.
This Romanian thing is two days now; leases of the IPs are about 24 hours.
It's an attack on a couple of ports in particular that I am running some
services on. This isn't fitting the normal "FingerPrint" that I am used to
seeing. It's only the one IP they are going for, with port scans and then
garbage being sent; most is dropped now.
I need to figure out a way to get a serial interface to the ICBMs at
Offutt (if there are any) and with GEOIP target the script kiddies. (Note to
intel agencies, I am just kidding.)
If it continues then it might be honeypot time. :)


> How long has this been happening? Because grandfather's computer just got
> hit by something and I was wondering if that had anything to do with the
> Romanian Script Kiddies.
>
> Kbw
>
> -----Original Message-----
> From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of
> Rob
> Townley
> Sent: Tuesday, October 24, 2006 2:38 PM
> To: Omaha Linux User Group
> Subject: Re: [olug] Attacked by Romanian Script Kiddies
>
> Ripe.net is the equivalent of Arin.net, but for Europe, the Middle
> East and Central Asia.
> The American Registry for Internet Numbers covers Africa as well.
> Since we already know this is a European IP, a query at ripe.net with
> the 2nd IP returned plenty of direct contact info including email
> addresses and phone numbers. abuse at rdsnet.ro is probably what you are
> looking for. If this does not work, I know one or two ISPs in Romania
> that we could contact.
>
> http://ripe.net/fcgi-bin/whois?form_type=simple&full_query_string=&searchtext=86.125.202.56&submit.x=6&submit.y=2&submit=Search
>
> % This is the RIPE Whois query server #2.
> % The objects are in RPSL format.
> %
> % Note: the default output of the RIPE Whois server
> % is changed. Your tools may need to be adjusted. See
> % http://www.ripe.net/db/news/abuse-proposal-20050331.html
> % for more details.
> %
> % Rights restricted by copyright.
> % See http://www.ripe.net/db/copyright.html
>
> % Note: This output has been filtered.
> %       To receive output for a database update, use the "-B" flag
>
> % Information related to '86.125.192.0 - 86.125.255.255'
>
> inetnum:         86.125.192.0 - 86.125.255.255
> netname:         RO-RDSNET-AR-ARAD-CABLELINK
> descr:           Cablelink access in Arad
> country:         RO
> admin-c:         RDS-RIPE
> tech-c:          RDS-RIPE
> status:          ASSIGNED PA "status:" definitions
> mnt-by:          AS8708-MNT
> mnt-lower:       AS8708-MNT
> mnt-routes:      AS8708-MNT
> source:          RIPE # Filtered
>
> role:            Romania Data Systems NOC
> address:         71-75 Dr. Staicovici
> address:         Bucharest / ROMANIA
> phone:           +40 21 30 10 888
> fax-no:          +40 21 30 10 892
> e-mail:          contact-tech at rdsnet.ro
> admin-c:         CN19-RIPE
> tech-c:          CN19-RIPE
> tech-c:          GEPU1-RIPE
> nic-hdl:         RDS-RIPE
> mnt-by:          AS8708-MNT
> remarks:         +-----------------------------------------------------------+
> remarks:         | ABUSE CONTACT: abuse at rdsnet.ro IN CASE OF HACK ATTACKS,  |
> remarks:         | ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.    |
> remarks:         +-----------------------------------------------------------+
> source:          RIPE # Filtered
>
> % Information related to '86.120.0.0/13AS8708'
>
> route:           86.120.0.0/13
> descr:           RDSNET
> origin:          AS8708
> mnt-by:          AS8708-MNT
> source:          RIPE # Filtered
>
>
> On 10/24/06, Charles Bird <cbird at mail.datar8.com> wrote:
>> I have a lot of packets coming through going to a particular host. From
>> Romania.
>> 86.123.164.172
>> 86.125.202.56
>> are the main ones, sending garbage and SYN.
>> This happened yesterday from Romanian IPs as well; the IPs were added to
>> iptables, I just drop 'em.
>> I am assuming these are dynamic IPs and the lease expired and the attack
>> carried on.
>> What can I do to turn in these a**h*les?
>> What should I provide to abuse at whatever their ISP is?
>> No one is gonna compromise my uptime. arg
>>
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> http://lists.olug.org/mailman/listinfo/olug
>>
>
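Rob's point above is that the RIPE reply already contains the abuse address, it just has to be dug out of the RPSL objects. The following is an added example, not code from anyone in this thread: it parses a constructed, abridged copy of the quoted whois output, finds the inetnum object that covers a given attacker IP, follows its admin-c/tech-c handle to the role object, and returns the abuse address from that object's abuse-mailbox field or, as in the 2006 output shown here, from its remarks. It also shows that the other IP Charles listed (86.123.164.172) falls outside this inetnum and needs its own lookup.

```python
import ipaddress
import re
# Constructed sample, abridged from the RPSL reply quoted above ("@" restored).
SAMPLE_WHOIS = """\
% This is the RIPE Whois query server #2.
inetnum:         86.125.192.0 - 86.125.255.255
admin-c:         RDS-RIPE
tech-c:          RDS-RIPE

role:            Romania Data Systems NOC
e-mail:          contact-tech@rdsnet.ro
nic-hdl:         RDS-RIPE
remarks:         | ABUSE CONTACT: abuse@rdsnet.ro IN CASE OF HACK ATTACKS, |
"""
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
def parse_rpsl(text):
    """Split RPSL output into objects, each a list of (key, value) pairs."""
    objects, current = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last object
        if line.startswith("%"):
            continue  # server comment, not part of any object
        if line.strip():
            key, _, value = line.partition(":")
            current.append((key.strip(), value.strip()))
        elif current:  # blank line ends an object
            objects.append(current)
            current = []
    return objects

def find_abuse_contact(text, ip):
    """(inetnum, abuse address) for the range covering ip; address is None if the
    contact object names none, result is None if no inetnum covers ip."""
    addr = ipaddress.ip_address(ip)
    objects = parse_rpsl(text)
    by_handle = {dict(o)["nic-hdl"]: o for o in objects if "nic-hdl" in dict(o)}
    for obj in objects:
        fields = dict(obj)
        if "inetnum" not in fields:
            continue
        lo, _, hi = (s.strip() for s in fields["inetnum"].partition("-"))
        if not ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            continue
        for handle in (v for k, v in obj if k in ("admin-c", "tech-c")):
            for key, value in by_handle.get(handle, []):
                # abuse-mailbox: is the dedicated field; older objects bury it in remarks
                if key == "abuse-mailbox" or (key == "remarks" and "abuse" in value.lower()):
                    if (match := EMAIL.search(value)):
                        return fields["inetnum"], match.group(0)
        return fields["inetnum"], None
    return None
```

Feed it the full output of a `whois -h whois.ripe.net <ip>` query instead of the sample and the same two functions apply.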