Crack attempt

[Dustin Decker]

> -----Original Message-----
> From: kclug-bounces at kclug.org [mailto:kclug-bounces at kclug.org] On Behalf
> Of Brian Densmore
> Sent: Friday, October 29, 2004 11:45 AM
> To: KCLUG
> Subject: RE: Crack attempt
> 
[snip]
> It could also be a friend of mine playing a joke on me.
> He investigates cattle rustling and such stuff for the USDA
> people. Yeah, cattle rustling is big business in the US,
> it just doesn't make headlines much. I don't put much stock
> in this theory though. He's got better things to do at 3am.
Not much stock... no pun intended I presume?  ;)

> My bet is the ip is spoofed somehow, or one of the USDAs
> networks has been compromised. In any event, I'd recommend
> anyone who has a PC visible to the net to block this address.
> So far it's the only one in that block I've seen. I've got 24
> entries in my blacklist.

Immediately after I replied to your earlier post, I thought to myself, "I
really aught to ask Brian what the traffic looked like."  If it's UDP, I'd
almost wholesale expect it is spoofed.  Same applies to ICMP, but if you're
looking at genuine TCP traffic, with an established three-way-handshake,
it's a different story.  (If you're working solely on the basis of what you
find in syslog and the like, you might not be able to answer the question
either. [Insert soapbox about logging all packets that traverse the border
here.])

It's also entirely possible you're machine is being targeted with USDA
spoofed, in hopes that you and several others targeted in the same fashion
will respond with ICMP unreachable or prohibited messages.  Enough of these,
and USDA will feel the wrath, so to speak.

Hope this helps out... /me wanders off to see if that IP was noteworthy on
any of his sensors.

Dustin