[Dshield] Mytob?

Tony Earnshaw tonye at billy.demon.nl
Mon Jun 13 12:54:32 GMT 2005


Hi list,

First a mea culpa: I don't contribute to the dshield list in the way the
original intention was: running the app and sending in reports; I can't
- my home setup is dialup (static IP) and my live sites leave no chance
for this (site policy).

Nevertheless: home site's Red Hat RHAS3 Linux with iptables hung onto a
ppp static IP number. I run Fireparse which gives me a tabular view of
what's happened the day before of nasties. Every morning I read the
report of what's happened the day before, what people have tried on my
node.

I'm based in the Netherlands, a European Union founder member for the
rednecks that didn't know. "We are civilized" (TM). My ISP's among the
best, most professional, in Europe.

Most days for the past months I've been getting 20-30 nasties a day
trying out things. They're mostly Microsoft Windows port (udp and TCP)
attempts though various other things including domain and high ports.

This morning I find *500+* attempts to connect to microsoft-ds (445
TCP), far and away the most from APNIC addresses, each with bands of IPs
within the same /16 network. I wasn't on line that much, and for only
short periods at a time (a couple of minutes, to 15 minutes).

- Anyone else with the same experience?
- Why almost all from APNIC networks (only 2 from my own 212.238.0.0/16
network, as I said, my ISP's pretty good at weeding out lusers)? People
here are just as stupid at hitting on attachments as those on the other
side of the world.

Thanks,

--Tonni

-- 
mail: tonye at billy.demon.nl
http://www.billy.demon.nl
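
Added example, not part of the original post and not Fireparse's code: one way to reproduce the tally described above, counting 445/TCP attempts per source /16 from iptables LOG lines. The log lines are constructed and use documentation address ranges; the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format written by the netfilter LOG target.
# The "DROP" prefix and all addresses are assumptions, not data from the post.
SAMPLE_LOG = """\
Jun 12 21:03:11 host kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 TTL=112 ID=4711 DF PROTO=TCP SPT=3345 DPT=445 WINDOW=64240 SYN URGP=0
Jun 12 21:03:14 host kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=192.0.2.1 LEN=48 TTL=112 ID=4712 DF PROTO=TCP SPT=3345 DPT=445 WINDOW=64240 SYN URGP=0
Jun 12 21:04:02 host kernel: DROP IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=192.0.2.1 LEN=48 TTL=110 ID=991 DF PROTO=TCP SPT=1188 DPT=445 WINDOW=16384 SYN URGP=0
Jun 12 21:09:40 host kernel: DROP IN=ppp0 OUT= MAC= SRC=198.51.100.20 DST=192.0.2.1 LEN=48 TTL=105 ID=302 DF PROTO=TCP SPT=2201 DPT=445 WINDOW=65535 SYN URGP=0
Jun 12 21:10:05 host kernel: DROP IN=ppp0 OUT= MAC= SRC=198.51.100.21 DST=192.0.2.1 LEN=48 TTL=105 ID=303 DF PROTO=TCP SPT=2202 DPT=135 WINDOW=65535 SYN URGP=0
Jun 12 21:11:30 host kernel: DROP IN=ppp0 OUT= MAC= SRC=198.51.100.22 DST=192.0.2.1 LEN=56 TTL=105 ID=304 PROTO=UDP SPT=1026 DPT=445 LEN=36
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one LOG line, or None if there is no SRC."""
    fields = dict(FIELD.findall(line))
    return fields if "SRC" in fields else None


def hits_by_slash16(log_text, proto="TCP", dport="445"):
    """Return [(source /16, packets, distinct sources)], busiest network first."""
    packets = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("PROTO") != proto or fields.get("DPT") != dport:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except ValueError:
            continue  # truncated or mangled log line
        if src.version != 4:
            continue  # the /16 grouping here is IPv4 only
        net = str(ipaddress.ip_network(f"{src}/16", strict=False))
        packets[net] += 1
        sources[net].add(src)
    return sorted(((n, c, len(sources[n])) for n, c in packets.items()),
                  key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for net, count, distinct in hits_by_slash16(SAMPLE_LOG):
        print(f"{net:<18} {count:>5} packets  {distinct:>4} sources")
```

Comparing the packet count with the distinct-source count per /16 separates one host retrying from many hosts in the same block scanning.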




