Yeah, just looked them up myself. I'm getting the info. from several other
higher ed. admins to let others know to look out for it and I thought I'd
pass it on here. I thought I was on the securityfocus lists, but I must not
be on incidents...


Gavin

----------
>From: Chuck Mead <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Re: port 98 linuxconf exploit?
>Date: Thu, Nov 18, 1999, 4:46 PM
>

> On Thu, 18 Nov 1999, Gavin Durman said:
>
> GD>Don't know if I've missed it, but there's an awful lot of "heads up" e-mail
> GD>coming to me about scans of port 98 from 170.1.173.82, 216.59.27.31 and
> GD>216.0.149.200 ( and I think there's more, but these were the most common).
> GD>Is this a "stealthy" way of detecting LINUX boxes running linuxconf for an
> GD>exploit? Or is it just to see if that system is running LINUX? Thanks.
>
> This is being discussed on [EMAIL PROTECTED] and has been reported
> to Cert. Here's some info about the hosts you've reported. These should be
> reported to the folks who own the ip space! I would do it but I haven't been
> scanned and do not have the logs... not my issue! :-)
>
> [root@server /etc]# host 170.1.173.82
> Host not found.
> [root@server /etc]# getip 170.1.173.82
> [whois.arin.net]
> Columbia Health Care (NET-COLUMBIAHEALTH)
>    708 W. Magazine Street
>    Louisville, KY 40201-7434
>
>    Netname: COLUMBIAHEALTH
>    Netnumber: 170.1.0.0
>
>    Coordinator:
>       Service Administration, Domain Name  (DNS1048-ARIN)  [EMAIL PROTECTED]
>       Voice 415-988-2900  Fax 415-988-2906
>
>    Domain System inverse mapping provided by:
>
>    NS.BRAINSTORM.NET            205.164.112.2
>    LAMBDA.LAMBDATEL.COM         192.83.199.1
>    NS2.BRAINSTORM.NET           205.164.112.3
>
>    Record last updated on 03-Sep-1996.
>    Database last updated on 17-Nov-1999 15:58:47 EDT.
>
> [root@server /etc]# host 216.59.27.31
> 31.27.59.216.IN-ADDR.ARPA domain name pointer 216-59-27-31.usa.flashcom.net
> [root@server /etc]# getip 216.59.27.31
> [whois.arin.net]
> Flashcom, Inc. (NETBLK-NETBLK-FLASHCOM-1)
>    5312 Bolsa Ave.
>    Huntington Beach, CA 92649
>    US
>
>    Netname: NETBLK-FLASHCOM-1
>    Netblock: 216.59.0.0 - 216.59.127.255
>    Maintainer: FLCM
>
>    Coordinator:
>       Benton, Curtis  (CB373-ARIN)  [EMAIL PROTECTED]
>       (714) 891-7891
>
>    Domain System inverse mapping provided by:
>
>    NS1.FLASHCOM.COM             209.185.207.135
>    NS2.FLASHCOM.COM             216.32.32.182
>    NS3.FLASHCOM.COM             209.0.225.243
>
>    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
>
>    Record last updated on 13-Oct-1999.
>    Database last updated on 17-Nov-1999 15:58:47 EDT.
> [root@server /etc]# getip 216.0.149.200
> [whois.arin.net]
> DIGEX, Inc. (NETBLK-DIGEX-BLK16)
>    6800 Virginia Manor Road
>    Beltsville, MD 20705
>    US
>
>    Netname: DIGEX-BLK16
>    Netblock: 216.0.0.0 - 216.5.255.255
>    Maintainer: DIGX
>
>    Coordinator:
>       Hostmaster Role Account  (DIGEX2-ARIN)  [EMAIL PROTECTED]
>       301.847.5000
> Fax- 301.847.6296
>
>    Domain System inverse mapping provided by:
>
>    NS.DIGEX.NET                 164.109.1.3
>    NS2.DIGEX.NET                164.109.10.23
>
>    *Rwhois information on assignments from this block available from
>    *  rwhois.digex.net 4321
>
>    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
>
>    Record last updated on 17-May-1999.
>    Database last updated on 17-Nov-1999 15:58:47 EDT.
>
>
> --
> Chuck Mead, CTO, MoonGroup Consulting, Inc. <http://moongroup.com>
> Mail problems? Send "s-u-b-s-c-r-i-b-e mailhelp" (no quotes and no
> hyphens) in the body of a message to [EMAIL PROTECTED]
> Public key available at: wwwkeys.us.pgp.net
>
>
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
> 

