[Nlnog] Cyberangels?

Sabri Berisha sabri at cluecentral.net
Thu Apr 24 13:54:07 UTC 2003


On Thu, Apr 24, 2003 at 09:28:19AM +0200, Sabri Berisha wrote:

Hi,

> Is there anyone on this list who knows more about this? Is anyone filtering them already?

FYI: I spent some time today monitoring what traffic is going back and forth:

tcpdump: listening on eth2
12:57:18.129334 213.136.0.33 > 217.21.112.1: icmp: echo request
12:57:18.132196 217.21.112.1 > 213.136.0.33: icmp: echo reply
14:33:00.323067 213.136.12.52.36147 > 217.21.112.2.53:  13572[|domain]
14:33:00.325041 217.21.112.2.53 > 213.136.12.52.36147:  13572 NXDomain*[|domain] (DF)
14:55:19.949765 217.21.114.70.0 > 213.136.23.169.3128: S 9240:9240(0) win 512 (DF)
14:55:19.969837 217.21.114.70.0 > 213.136.3.140.3128: S 9265:9265(0) win 512 (DF)
14:55:19.969975 217.21.114.70.0 > 213.136.3.130.3128: S 9263:9263(0) win 512 (DF)
14:55:20.009411 217.21.114.70.0 > 213.136.3.216.3128: S 9300:9300(0) win 512 (DF)
14:55:20.009876 213.136.3.130.3128 > 217.21.114.70.0: R 0:0(0) ack 9264 win 0
14:55:20.029460 217.21.114.70.0 > 213.136.3.4.3128: S 9291:9291(0) win 512 (DF)
14:55:20.029766 217.21.114.70.0 > 213.136.3.61.3128: S 9266:9266(0) win 512 (DF)
14:55:20.064095 213.136.3.216.3128 > 217.21.114.70.0: R 0:0(0) ack 9301 win 0
14:55:20.089912 217.21.114.70.0 > 213.136.3.9.3128: S 9307:9307(0) win 512 (DF)
14:55:20.099920 213.136.3.4.3128 > 217.21.114.70.0: R 9291:9291(0) ack 9292 win 512 (DF)
14:55:20.117217 213.136.3.9.3128 > 217.21.114.70.0: S 432233594:432233594(0) ack 9308 win 8760 <mss 1460> (DF)
14:55:20.119815 217.21.114.70.0 > 213.136.3.9.3128: R 9308:9308(0) win 0
14:55:20.124121 213.136.3.140.3128 > 217.21.114.70.0: R 0:0(0) ack 9266 win 0
14:55:21.002361 213.136.3.61.3128 > 217.21.114.70.0: S 740035615:740035615(0) ack 9267 win 8576 <mss 1460> (DF)
14:55:21.004946 217.21.114.70.0 > 213.136.3.61.3128: R 9267:9267(0) win 0
15:11:27.643169 213.136.12.52.40787 > 217.21.112.2.53:  57752[|domain]
15:11:27.645462 217.21.112.2.53 > 213.136.12.52.40787:  57752 NXDomain* 0/1/0 (109) (DF)
15:11:33.038605 213.136.12.52.54082 > 217.21.112.3.53:  58010[|domain]
15:11:33.040617 217.21.112.3.53 > 213.136.12.52.54082:  58010*[|domain] (DF)
15:12:04.731218 217.21.114.70.0 > 213.136.23.169.80: S 25510:25510(0) win 512 (DF)
15:12:04.731528 217.21.114.70.0 > 213.136.3.130.80: S 25494:25494(0) win 512 (DF)
15:12:04.771182 217.21.114.70.0 > 213.136.3.140.80: S 25551:25551(0) win 512 (DF)
15:12:04.792398 217.21.114.70.0 > 213.136.3.228.80: S 25439:25439(0) win 512 (DF)
15:12:04.811510 217.21.114.70.0 > 213.136.3.61.80: S 25495:25495(0) win 512 (DF)
15:12:04.811511 217.21.114.70.0 > 213.136.3.4.80: S 25511:25511(0) win 512 (DF)
15:12:04.831662 217.21.114.70.0 > 213.136.3.9.80: S 25465:25465(0) win 512 (DF)
15:12:04.832764 217.21.114.70.0 > 213.136.3.216.80: S 25515:25515(0) win 512 (DF)
15:12:04.835750 213.136.3.228.80 > 217.21.114.70.0: R 0:0(0) ack 25440 win 0
15:12:04.848318 213.136.3.61.80 > 217.21.114.70.0: R 0:0(0) ack 25496 win 0
15:12:04.855898 213.136.3.4.80 > 217.21.114.70.0: R 0:0(0) ack 25512 win 0
15:12:04.944980 213.136.3.140.80 > 217.21.114.70.0: R 0:0(0) ack 25552 win 0
15:12:04.973020 213.136.3.216.80 > 217.21.114.70.0: R 0:0(0) ack 25516 win 0
15:32:11.464848 217.21.114.70.0 > 213.136.23.169.8080: S 41768:41768(0) win 512 (DF)
15:32:11.484729 217.21.114.70.0 > 213.136.3.216.8080: S 41711:41711(0) win 512 (DF)
15:32:11.485378 217.21.114.70.0 > 213.136.3.4.8080: S 41695:41695(0) win 512 (DF)
15:32:11.524320 217.21.114.70.0 > 213.136.3.9.8080: S 41769:41769(0) win 512 (DF)
15:32:11.524323 217.21.114.70.0 > 213.136.3.61.8080: S 41746:41746(0) win 512 (DF)
15:32:11.536248 213.136.3.4.8080 > 217.21.114.70.0: R 41695:41695(0) ack 41696 win 512 (DF)
15:32:11.563426 213.136.3.61.8080 > 217.21.114.70.0: R 0:0(0) ack 41747 win 0
15:32:11.606648 213.136.3.216.8080 > 217.21.114.70.0: R 0:0(0) ack 41712 win 0


213.136.3.0/24 is a dial-up range of ours. Apparently they are looking for
open proxies. The source IP resolves to: office-005.client.cyberangels.nl.
I have since put them in the filters.

-- 
Sabri Berisha   "I route, therefore you are"

Per user RBL checking: http://www.cluecentral.net/rblcheck/
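The dump above shows one source sending bare SYNs from source port 0 to many hosts in the same /24 on the usual proxy ports (3128, 80, 8080). As an added example, not part of the post, here is a small Python detector for exactly that pattern in tcpdump output of this format; the threshold, port list and sample lines (constructed in the post's format, with only a subset of the hosts) are assumptions.

```python
import re
from collections import defaultdict

# Matches a bare SYN line as printed by tcpdump in the post, e.g.
# "14:55:19.949765 217.21.114.70.0 > 213.136.23.169.3128: S 9240:9240(0) win 512 (DF)"
# SYN/ACK replies ("S ...(0) ack ...") and RSTs deliberately do not match.
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S \d+:\d+\(0\) win \d+"
)

PROXY_PORTS = {80, 3128, 8080}  # ports probed in the post; assumption for other sites

def find_proxy_scanners(lines, min_targets=3):
    """Map (src_ip, dport) -> sorted list of hosts that received a bare SYN on a
    proxy port, keeping only sources that touched at least min_targets hosts."""
    targets = defaultdict(set)
    for line in lines:
        m = SYN_RE.match(line)
        if not m or int(m["dport"]) not in PROXY_PORTS:
            continue
        targets[(m["src"], int(m["dport"]))].add(m["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

def syn_source_port_zero_count(lines):
    """Count bare SYNs sent from TCP source port 0: no normal OS stack allocates
    port 0, so it marks hand-crafted scanner packets, as seen in the post."""
    return sum(1 for l in lines if (m := SYN_RE.match(l)) and m["sport"] == "0")

# Constructed sample in the post's tcpdump format (a few lines only, not the full dump).
SAMPLE = """\
14:55:19.949765 217.21.114.70.0 > 213.136.23.169.3128: S 9240:9240(0) win 512 (DF)
14:55:19.969837 217.21.114.70.0 > 213.136.3.140.3128: S 9265:9265(0) win 512 (DF)
14:55:19.969975 217.21.114.70.0 > 213.136.3.130.3128: S 9263:9263(0) win 512 (DF)
14:55:20.009876 213.136.3.130.3128 > 217.21.114.70.0: R 0:0(0) ack 9264 win 0
14:55:20.117217 213.136.3.9.3128 > 217.21.114.70.0: S 432233594:432233594(0) ack 9308 win 8760 <mss 1460> (DF)
15:12:04.731218 217.21.114.70.0 > 213.136.23.169.80: S 25510:25510(0) win 512 (DF)
15:12:04.731528 217.21.114.70.0 > 213.136.3.130.80: S 25494:25494(0) win 512 (DF)
12:57:18.129334 213.136.0.33 > 217.21.112.1: icmp: echo request
""".splitlines()

if __name__ == "__main__":
    for (src, port), hosts in find_proxy_scanners(SAMPLE).items():
        print(f"{src} probed {len(hosts)} hosts on tcp/{port}: {', '.join(hosts)}")
    print("bare SYNs from source port 0:", syn_source_port_zero_count(SAMPLE))
```

With the default threshold only the 3128 sweep is reported; lowering min_targets to 2 also surfaces the port 80 sweep in the sample.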