[Nottingham] CyberKit
Martin
martin at ml1.co.uk
Thu Sep 25 15:40:50 BST 2003
James Beckett wrote:
> On Thu, 2003-09-25 at 10:14, Colin Saxton wrote:
>
>>I am being hammered by the following server
>>
>>81.108.3.246
>>
>>with Pings from CyberKit...I think that it may be a worm trying to creep
>>through the system. Have you any idea what is going on? My snort log is
>>filling up like crazy!!
>
>
> It's an address within NTL's Broadband allocation in Nottingham.
> You might try emailing or phoning NTL:
>
> trouble: email : abuse at ntlworld.com
> trouble: telephone : +44 2920 305142

I've only had five recent pings from his/her presumed MSBlaster infection:

Sep 22 20:48:29 ... Shorewall:net2all:DROP:IN=eth0 OUT= MAC=...
SRC=81.108.3.246 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=14197
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=352
Sep 22 23:22:15 ... Shorewall:net2all:DROP:IN=eth0 OUT= MAC=...
SRC=81.108.3.246 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=35546
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1632
Sep 23 00:19:54 ... Shorewall:net2all:DROP:IN=eth0 OUT= MAC=...
SRC=81.108.3.246 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=48475
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=58719
Sep 23 09:48:36 ... Shorewall:net2all:DROP:IN=eth0 OUT= MAC=...
SRC=81.108.3.246 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=24052
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=42591
Sep 24 12:13:21 ... Shorewall:net2all:DROP:IN=eth0 OUT= MAC=...
SRC=81.108.3.246 DST=... LEN=92 TOS=0x00 PREC=0x00 TTL=125 ID=5733
PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=61254

Pretty slow compared to some of the other MSWorm crap.

Martin
--
----------------
Martin Lomas
martin at ml1.co.uk
----------------
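
One way to tally drops like those quoted in the message above, as an added example that is not part of the original post: it parses netfilter LOG lines as written by Shorewall and reports, per source, how many ICMP echo requests were dropped, their lengths and the mean gap between them. The sample lines, hostname, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the netfilter LOG layout that Shorewall writes to syslog.
# Hostname, MAC and addresses (documentation ranges) are made up for this example.
_ECHO = ("{ts} fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01 "
         "SRC={src} DST=198.51.100.5 LEN={ln} TOS=0x00 PREC=0x00 TTL=125 ID=14197 "
         "PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=352")
SAMPLE = "\n".join(
    [_ECHO.format(ts=t, src="192.0.2.10", ln=92) for t in (
        "Sep 22 20:48:29", "Sep 22 23:22:15", "Sep 23 00:19:54",
        "Sep 23 09:48:36", "Sep 24 12:13:21")]
    + [_ECHO.format(ts="Sep 23 10:00:00", src="192.0.2.77", ln=84),
       "Sep 23 10:05:00 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
       "SRC=203.0.113.9 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=4021 DPT=135"])

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s")
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line, year):
    """Return (timestamp, fields) for one LOG entry, or None if it is not one."""
    m = STAMP.match(line)
    if not m or "SRC=" not in line:
        return None
    # syslog omits the year, so the caller supplies it.
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    # ID= occurs twice (IP header, then ICMP); dict() keeps the last, the ICMP one.
    return when, dict(FIELD.findall(line))

def echo_summary(text, year=2003):
    """Per source: count, packet lengths and mean gap of dropped ICMP echo requests."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed and parsed[1].get("PROTO") == "ICMP" and parsed[1].get("TYPE") == "8":
            seen[parsed[1]["SRC"]].append((parsed[0], int(parsed[1]["LEN"])))
    out = {}
    for src, hits in seen.items():
        times = sorted(t for t, _ in hits)
        span = (times[-1] - times[0]).total_seconds()
        out[src] = {"count": len(hits), "lens": {n for _, n in hits},
                    "mean_gap_s": span / (len(hits) - 1) if len(hits) > 1 else None}
    return out

if __name__ == "__main__":
    for src, s in echo_summary(SAMPLE).items():
        print(src, s)
```

A source that sends only fixed-length echo requests at a steady low rate stands out in this summary even when each individual drop looks unremarkable.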