[Box-Admins] Re: Fwd: 85.10.195.197 [Fwd: [REF#: 1257]: To whom it may concern]

Rita Freudenberg rita at isg.cs.uni-magdeburg.de
Tue Feb 3 08:56:16 UTC 2009


Marcus Denker wrote:
>>
>
> Hi,
>
> There is a complaint from undernet about our server.
I received that, too, but I really have no idea what action is required 
in such a case. For the future, will it be ok just to forward this 
message to squeakfoundation?

Best Regards,
Rita
>
>>
>> -------- Original Message --------
>> Subject: [REF#: 1257]: To whom it may concern
>> Date: Mon, 02 Feb 2009 19:59:03 +0000
>> From: deathy at undernet.org
>> Reply-To: deathy at undernet.org
>> To: abuse at hetzner.de
>>
>> Security coordinators,
>>
>> I found these suspicious looking connections on the Undernet IRC Chat
>> Network connecting from a netblock you control. The originating ip(s)
>> and undernet server(s) each one was connected to is listed below. The
>> destination port they were using is most likely port 6667. Other possible
>> ports are included between 6000-9999 (a full list of our servers can
>> be found at www.undernet.org/servers.php ).
>>
>> box2!~box at box2.squeakfoundation.org [85.10.195.197] - DIEMEN.NL.EU
>>
>>
>> Please check for a compromise, possible hidden process running and an
>> altered process listing.
>> Run the updates for your system to close possible exploit holes, and
>> send any unusual programs found to info at cyberabuse.org for investigation.
>>
>> We strive to eliminate these abusive connections from our network, but
>> simply banning them can only be a temporary solution.  We hope to
>> work with authorities to achieve our aim of reducing abuse on our
>> network, as well as the general internet community.
>>
>> If you are not familiar with it, IRC is a text based chat communication
>> medium, details at:
>>
>> http://www.irc.org/
>>
>> and our webpage:
>>
>> www.undernet.org
>>
>> Time of capture for the affected IP(s) is: Mon, 02 Feb 2009 19:44:05 +0000
>>
>> We have assigned an internal reference number 1257
>> to this report and it is included in the subject line of
>> this e-mail message.  We would appreciate your including
>> it in the subject line of future correspondence about this
>> report. We would really appreciate your cooperation in looking into
>> this matter.
>>
>> Please take into account that most bots used these days are
>> either GTbots (used on Windows and which can be found by
>> searching for a file named mirc.ini which is normally
>> required to run these bots) or emechs (used on linux/unix which
>> can be generally found easily by doing a:
>> find . -exec grep -l "undernet.org" {} + )
>>
>> Thank you for your cooperation.
>>
>> Regards,
>>
>> Caesar Stoica
>> --------------
>> Undernet Irc Operator
>> www.undernet.org
>>
>>
>
> -- 
> Marcus Denker  --  denker at iam.unibe.ch
> http://www.iam.unibe.ch/~denker
>


-- 
Rita Freudenberg
FIN-ISG
Otto-von-Guericke-Universität Magdeburg
http://isgwww.cs.uni-magdeburg.de/isg/rita.html
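
An added triage example, not part of the original thread or of any Squeak Foundation tooling: it lists established outbound connections to the 6000-9999 port range named in the report and maps each socket to its owning process by walking /proc directly instead of trusting ps. The function names, the sample table and the 192.0.2.10 address are constructed for illustration, and the address decoding assumes a little-endian Linux host.

```python
import os, socket, struct

IRC_PORTS = range(6000, 10000)   # 6000-9999, the range named in the report
ESTABLISHED = "01"               # TCP state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from box2);
# 192.0.2.10 is a documentation address standing in for an IRC server.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: C5C30A55:0016 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 0
   1: C5C30A55:B2A4 0A0200C0:1A0B 01 00000000:00000000 00:00000000 00000000  1001        0 22222 1 0 0
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 33333 1 0 0
"""

def decode(endpoint):
    """'C5C30A55:1A0B' -> ('85.10.195.197', 6667); assumes a little-endian host."""
    addr, port = endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def irc_connections(table):
    """Established connections whose remote port is in the reported range."""
    hits = []
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != ESTABLISHED:
            continue
        remote = decode(f[2])
        if remote[1] in IRC_PORTS:
            hits.append({"local": decode(f[1]), "remote": remote,
                         "uid": int(f[7]), "inode": f[9]})
    return hits

def socket_owners(inode, proc="/proc"):
    """Find PIDs holding the socket by walking /proc/<pid>/fd, not via ps.
    A kernel-level rootkit can hide these too; an empty result for a live
    connection is itself a finding. Run as root to see every process."""
    target, found = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            fds = os.path.join(proc, pid, "fd")
            if any(os.readlink(os.path.join(fds, fd)) == target for fd in os.listdir(fds)):
                found.append((int(pid), os.readlink(os.path.join(proc, pid, "exe"))))
        except OSError:                          # process exited or access denied
            continue
    return found

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:            # IPv4 only; /proc/net/tcp6 is separate
        for hit in irc_connections(fh.read()):
            print(hit, socket_owners(hit["inode"]))
```

Comparing the PIDs this returns against the output of ps on the same host is one way to check for the altered process listing the report mentions.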


