RE: Walker Wireless attacking other ISPs?
We have noticed this and have taken action to stop these SNMP polls from reaching other ISPs. The polling of address blocks managed by other ISPs was purely accidental and should not happen again.

Walker Wireless is more than willing to investigate incidents like this directly. If anyone has concerns about unusual activity originating from anywhere in the Walker Wireless network please contact our Network Operations Centre on 0800-WWCARE or myself directly.

Thank you,

Richard Watson
Network Infrastructure Engineer
WALKER WIRELESS LIMITED
Tel: +64 (9) 522 3674
Fax: +64 (9) 520 3447
Mob: +6427 286 6681
Email: rwatson(a)walkerwireless.com
0800 NO NETLAG

Get high speed wireless internet and private network connectivity with Walker Wireless. Visit www.walkerwireless.com for information.

The information in this electronic mail and its attachments is legally privileged and confidential. If the reader of this electronic mail and attachments is not the intended recipient, you are hereby notified that any use, dissemination or reproduction of this electronic mail its contents and attachments is prohibited.

This email is personal and may not reflect Walker Wireless', Walker Corporation's subsidiaries or affiliated companies' position.

-----Original Message-----
From: Gordon Smith [mailto:gordons(a)morenet.net.nz]
Sent: Friday, 3 May 2002 4:09 p.m.
To: Nznog
Subject: FW: Walker Wireless attacking other ISPs?

Hi all,

Has anyone else been seeing mail1.walkerwireless.com attempting to break in to their border routers? Picked this up on a routine log audit.

Although we actively block and log this sort of activity, others may not be aware of it.

Of particular concern is the attempted use of the ILMI exploit, detailed at http://www.kb.cert.org/vuls/id/976280 which has no legitimate reason to be seen.

Attacking machine is running Checkpoint FW-1 mail server!

Cheers,

Gordon Smith CCNA
Network Operations Manager
MoreNet Ltd.

Fingerprint: 4093 91BC 0055 46B9 1B1A EDBA 45AD 2381 7B1D E4BE

Log extract (multiple occurrences of this):

04/23/2002 15:38.24 WARN:SNMP last message repeated 2 times
04/23/2002 15:38.14 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "ILMI"
04/23/2002 15:38.14 WARN:SNMP last message repeated 2 times
04/23/2002 15:38.02 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "DHdW7tr5nP"
04/23/2002 15:38.02 WARN:SNMP last message repeated 2 times
04/23/2002 15:37.52 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "P8nD8l1n7"
04/23/2002 15:37.52 WARN:SNMP last message repeated 2 times
04/23/2002 15:37.44 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "wd1h2dt2d"
04/23/2002 15:37.44 WARN:SNMP last message repeated 2 times
04/23/2002 15:37.34 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "private"
04/23/2002 15:37.34 WARN:SNMP last message repeated 2 times
04/23/2002 15:37.24 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "public"
04/23/2002 11:37.42 WARN:SNMP last message repeated 2 times
04/23/2002 11:37.32 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "ILMI"
04/23/2002 11:37.32 WARN:SNMP last message repeated 2 times
04/23/2002 11:37.18 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "DHdW7tr5nP"
04/23/2002 11:37.18 WARN:SNMP last message repeated 2 times
04/23/2002 11:37.10 WARN:SNMP SNMP request received from 210.54.139.178 with unknown community "P8nD8l1n7"

- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
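Added example, not part of the original thread or written by any of its posters: a Python sketch of the kind of log audit described in the message above, counting unknown-community SNMP requests per source and folding in the "last message repeated N times" lines. It assumes the extract is listed newest-first as it is in the post; the sample addresses (documentation ranges), the "monitor" community and the threshold of three distinct communities are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread, newest entry first.
SAMPLE_LOG = """\
04/23/2002 15:38.24 WARN:SNMP last message repeated 2 times
04/23/2002 15:38.14 WARN:SNMP SNMP request received from 192.0.2.10 with unknown community "ILMI"
04/23/2002 15:38.14 WARN:SNMP last message repeated 2 times
04/23/2002 15:37.34 WARN:SNMP SNMP request received from 192.0.2.10 with unknown community "private"
04/23/2002 15:37.34 WARN:SNMP last message repeated 2 times
04/23/2002 15:37.24 WARN:SNMP SNMP request received from 192.0.2.10 with unknown community "public"
04/23/2002 09:10.05 WARN:SNMP SNMP request received from 198.51.100.7 with unknown community "monitor"
"""

REQUEST = re.compile(r'SNMP request received from (\S+) with unknown community "([^"]*)"')
REPEAT = re.compile(r'last message repeated (\d+) times')


def summarize(log_text):
    """Return {source: {community: attempts}}, counting 'repeated N times' lines."""
    attempts = defaultdict(lambda: defaultdict(int))
    last = None  # (source, community) of the most recent request line
    # The extract is newest-first, so walk it in reverse to get time order;
    # a repeat line then refers to the request seen just before it.
    for line in reversed(log_text.splitlines()):
        m = REQUEST.search(line)
        if m:
            last = m.groups()
            attempts[last[0]][last[1]] += 1
            continue
        m = REPEAT.search(line)
        if m and last:
            attempts[last[0]][last[1]] += int(m.group(1))
    return {src: dict(comms) for src, comms in attempts.items()}


def guessing_sources(log_text, min_communities=3):
    """Sources that tried at least min_communities distinct community strings."""
    return sorted(src for src, comms in summarize(log_text).items()
                  if len(comms) >= min_communities)


if __name__ == "__main__":
    for src, comms in summarize(SAMPLE_LOG).items():
        print(src, comms)
    print("flagged:", guessing_sources(SAMPLE_LOG))
```

A source that cycles through several community strings, as in the extract, is separated from one that repeats a single stale string, which is what a misconfigured poller usually looks like.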
Congrats to all parties involved for doing the right thing here.

A reminder that NZNOG is not the place to post issues like this unless you have talked to the network operator in question first (which was done in this case). It would smooth things over if people in future would put a small note like "X has been advised" in the post so that people know.

Also a Congrats to Walker Wireless for coming out so fast with a reply. Good to see that the old days of witch hunting on the list are over.

Dean (The list nazi)