Merit Network

Discussion Communities: Merit Network Email List Archives

Network Security

RE: Abuse notification ( IP = 198.111.249.2 )

  • From: Mohler, Dave
  • Date: Thu Dec 27 15:16:51 2001

Paul,

Thanks for writing. There appears to be a new round of Nimda and similar
stuff going around and we are certainly under attack. 198.111.249.2 is an
infected server that was breached via IIS. All patches and security devices
have been applied yet all of our systems offering IIS have been breached. We
are working as quickly as we can to stamp this thing out.

-----Original Message-----
From: Paul Pilipshen [mailto:paul.pilipshen@ncc.edu]
Sent: Thursday, December 27, 2001 09:36
To: mohler@mcnamee.com; tom.taylor@ncc.edu
Subject: Abuse notification ( IP = 198.111.249.2 )


Dear ISP,

I have recently been the victim of a hack attempt by an individual who
appears to make use of your services. Please investigate these intrusions.
I have included all available information below. If you require any
additional information please do not hesitate to contact me.

Paul Pilipshen
Academic Computer Services
Nassau Community College

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:45.609118 198.111.249.2:1039 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:41557 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9D14FF8B  Ack: 0xE6E940E6  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:45.706568 198.111.249.2:1050 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:48981 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9D1B18C0  Ack: 0xE6EC1B58  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-FRONTPAGE /_vti_bin/ access [**]
12/27-05:52:45.806818 198.111.249.2:1062 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:54613 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9D22D24B  Ack: 0xE6EDC376  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:45.894464 198.111.249.2:1068 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:61013 IpLen:20 DgmLen:157 DF
***AP*** Seq: 0x9D26D383  Ack: 0xE6EF6DA6  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:45.983348 198.111.249.2:1080 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:1878 IpLen:20 DgmLen:185 DF
***AP*** Seq: 0x9D2E1413  Ack: 0xE6F161DB  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.124170 198.111.249.2:1094 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:10326 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9D353EB1  Ack: 0xE6F36581  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.264005 198.111.249.2:1111 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:18006 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9D401A0E  Ack: 0xE6F73CB9  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.362960 198.111.249.2:1133 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:27990 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9D4DADEC  Ack: 0xE6F8A3A7  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.481802 198.111.249.2:1142 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:36438 IpLen:20 DgmLen:137 DF
***AP*** Seq: 0x9D52C4F7  Ack: 0xE6FB52E4  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.593929 198.111.249.2:1160 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:46678 IpLen:20 DgmLen:138 DF
***AP*** Seq: 0x9D5DAE1E  Ack: 0xE6FE3ED3  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.691850 198.111.249.2:1170 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:54614 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9D658C18  Ack: 0xE6FFF7C2  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.801044 198.111.249.2:1177 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:63574 IpLen:20 DgmLen:140 DF
***AP*** Seq: 0x9D6A90F3  Ack: 0xE7026B0E  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.906641 198.111.249.2:1188 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:4695 IpLen:20 DgmLen:136 DF
***AP*** Seq: 0x9D72D83D  Ack: 0xE7043E59  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS CodeRed v2 root.exe access [**]
12/27-05:52:45.280322 198.111.249.2:4984 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:20053 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x9D019D6F  Ack: 0xE6E2741D  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] WEB-IIS cmd.exe access [**]
12/27-05:52:45.502015 198.111.249.2:4998 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:34645 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0x9D0CA873  Ack: 0xE6E773DF  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
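The alerts above are in Snort's "full" alert format. As an added example (not part of either message in this thread), the following Python parses that format into records and summarizes, per source IP, how many alerts fired, which signatures, and over what time span; the burst of distinct IIS signatures from one host within a second is what distinguishes a worm-infected machine from a hand-driven probe. The sample log is constructed from the report's own records (TCP detail lines and separators shortened), and the year is supplied by the caller because Snort timestamps carry none; times are sorted, so out-of-order records such as the CodeRed entry at the end of the report are handled.

```python
import re
from datetime import datetime
# Constructed sample in Snort's "full" alert format, modelled on the records
# in the abuse report above; TCP detail lines and separators are shortened.
SAMPLE = """[**] WEB-IIS CodeRed v2 root.exe access [**]
12/27-05:52:45.280322 198.111.249.2:4984 -> 198.38.8.203:80
TCP TTL:114 TOS:0x0 ID:20053 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x9D019D6F  Ack: 0xE6E2741D  Win: 0x2238  TcpLen: 20
=+=+=+=+=+=+
[**] WEB-IIS cmd.exe access [**]
12/27-05:52:45.609118 198.111.249.2:1039 -> 198.38.8.203:80
=+=+=+=+=+=+
[**] WEB-FRONTPAGE /_vti_bin/ access [**]
12/27-05:52:45.806818 198.111.249.2:1062 -> 198.38.8.203:80
=+=+=+=+=+=+
[**] WEB-IIS cmd.exe access [**]
12/27-05:52:46.124170 198.111.249.2:1094 -> 198.38.8.203:80
=+=+=+=+=+=+
"""

HEADER = re.compile(r"^\[\*\*\] (?P<sig>.+?) \[\*\*\]$", re.M)
FLOW = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+):\d+"
                  r" -> (?P<dst>[\d.]+):(?P<dport>\d+)$", re.M)

def parse_alerts(text, year=2001):
    """Split the log on its =+=+ separator lines and return one dict per
    record. Snort timestamps carry no year, so the caller supplies it."""
    records = []
    for block in re.split(r"^=\+[=+]*$", text, flags=re.M):
        h, f = HEADER.search(block), FLOW.search(block)
        if not (h and f):
            continue  # trailing whitespace or a truncated record
        ts = datetime.strptime(f"{year}/{f['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        records.append({"sig": h["sig"], "ts": ts, "src": f["src"],
                        "dst": f["dst"], "dport": int(f["dport"])})
    return records

def summarize_sources(records):
    """Per source IP: alert count, distinct signatures and burst span in
    seconds (several IIS signatures inside a second = automated scan)."""
    by_src = {}
    for r in records:
        by_src.setdefault(r["src"], []).append(r)
    summary = {}
    for src, rs in by_src.items():
        times = sorted(r["ts"] for r in rs)  # records may be out of order
        summary[src] = {"alerts": len(rs), "span_s": (times[-1] - times[0]).total_seconds(),
                        "signatures": sorted({r["sig"] for r in rs})}
    return summary
```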