[Box-Admins] Fwd: 85.10.195.197 [Fwd: [REF#: 1257]: To whom it may concern]

Ken Causey ken at kencausey.com
Tue Feb 3 18:13:42 UTC 2009


From the statement 'I found these suspicious looking connections...' I
would expect to see a bit more detail.  I can only assume 'these' is
meant to refer to the one line

box2!~box at box2.squeakfoundation.org [85.10.195.197] - DIEMEN.NL.EU

Is DIEMEN.NL.EU meant to be the IRC server to which the connection was
made?

As I understand it the connection happened at Mon, 02 Feb 2009 19:44:05
+0000 but I'm curious about the length of the connection and any other
detail that might help us identify the activity or person.

As far as I can tell I was the only one on the server at the time and
I don't remember doing anything that would have resulted in an IRC
connection of any kind.  In fact I'm not aware of any IRC software
installed on the server.

Ken 

On Tue, 2009-02-03 at 09:42 +0100, Marcus Denker wrote:
> >
> 
> Hi,
> 
> There is a complaint from undernet about our server.
> 
> >
> > -------- Original Message --------
> > Subject: [REF#: 1257]: To whom it may concern
> > Date: Mon, 02 Feb 2009 19:59:03 +0000
> > From: deathy at undernet.org
> > Reply-To: deathy at undernet.org
> > To: abuse at hetzner.de
> >
> > Security coordinators,
> >
> > I found these suspicious looking connections on the Undernet IRC Chat
> > Network connecting from a netblock you control. The originating ip(s)
> > and undernet server(s) each one was connected to is listed below. The
> > destination port they were using is most likely port 6667. Other possible
> > ports are included between 6000-9999 (a full list of our servers can
> > be found at www.undernet.org/servers.php ).
> >
> > box2!~box at box2.squeakfoundation.org [85.10.195.197] - DIEMEN.NL.EU
> >
> >
> > Please check for a compromise, possible hidden process running and an
> > altered process listing.
> > Run the updates for your system to close possible exploit holes, and
> > send any unusual programs found to info at cyberabuse.org for investigation.
> >
> > We strive to eliminate these abusive connections from our network, but
> > simply banning them can only be a temporary solution.  We hope to
> > work with authorities to achieve our aim of reducing abuse on our
> > network, as well as the general internet community.
> >
> > If you are not familiar with it, IRC is a text based chat communication
> > medium, details at:
> >
> > http://www.irc.org/
> >
> > and our webpage:
> >
> > www.undernet.org
> >
> > Time of capture for the affected IP(s) is: Mon, 02 Feb 2009 19:44:05 +0000
> >
> > We have assigned an internal reference number 1257
> > to this report and it is included in the subject line of
> > this e-mail message.  We would appreciate your including
> > it in the subject line of future correspondence about this
> > report. We would really appreciate your cooperation in looking into
> > this matter.
> >
> > Please take into account that most bots used these days are
> > either GTbots (used on Windows and which can be found by
> > searching for a file named mirc.ini which is normally
> > required to run these bots) or emechs (used on linux/unix which
> > can be generally found easily by doing a:
> > find . -exec grep -l "undernet.org" {} + )
> >
> > Thank you for your cooperation.
> >
> > Regards,
> >
> > Caesar Stoica
> > --------------
> > Undernet Irc Operator
> > www.undernet.org
> >
> >
> 
> --
> Marcus Denker  --  denker at iam.unibe.ch
> http://www.iam.unibe.ch/~denker
> 
> 
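
The report asks for a check for hidden processes and an altered process listing, and the reply asks what on the server could have opened the connection. As an added example (not part of the original messages), this Python script reads the kernel's /proc/net/tcp table directly, lists established connections to remote ports 6000-9999, and maps each socket inode to the PIDs holding it. The sample table, the 192.0.2.x peer addresses, and all function names are constructed for illustration.

```python
import glob, os, socket, struct

IRC_PORTS = range(6000, 10000)  # 6000-9999, the port range named in the report

# Constructed sample in /proc/net/tcp layout (not data from the incident).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: C5C30A55:0016 0B0200C0:D431 01 00000000:00000000 02:000A0000 00000000     0        0 1002 2
   2: C5C30A55:A3F2 0A0200C0:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1
   3: C5C30A55:A410 0A0200C0:1A0B 06 00000000:00000000 03:00000100 00000000     0        0 0 3
"""

def decode(hex_endpoint):
    """Turn 'C5C30A55:A3F2' into ('85.10.195.197', 41970)."""
    addr, port = hex_endpoint.split(":")
    # The IPv4 address is printed byte-reversed on little-endian hosts such as x86.
    ip = socket.inet_ntoa(struct.pack("<I", int(addr, 16)))
    return ip, int(port, 16)

def irc_connections(table):
    """Return established connections whose remote port is in IRC_PORTS."""
    hits = []
    for line in table.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "01":           # st 01 = ESTABLISHED
            continue
        local, remote = decode(f[1]), decode(f[2])
        if remote[1] in IRC_PORTS:
            hits.append({"local": local, "remote": remote,
                         "uid": int(f[7]), "inode": int(f[9])})
    return hits

def owning_pids(inode):
    """PIDs holding the socket inode, read from /proc/<pid>/fd, not from ps or netstat."""
    target, pids = f"socket:[{inode}]", set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:
            continue                              # process exited or access denied
    return sorted(pids)

if __name__ == "__main__":
    live = "/proc/net/tcp"
    table = open(live).read() if os.path.exists(live) else SAMPLE
    for hit in irc_connections(table):
        print(hit, owning_pids(hit["inode"]))
```

Run as root so every process's fd directory is readable. Reading /proc directly sidesteps replaced ps or netstat binaries but not a kernel-level rootkit, and this version covers IPv4 only (/proc/net/tcp6 uses a wider address field).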