Examples of other intentional abuses:


> tracer crossmatch
====================================================
Tracer Starting Engines on all.net by fc.
     Mon Mar 18 10:36:53 EST 1996
Copyright (c), 1985-6 Management Analytics
          All Rights Reserved
====================================================

======>> Start:Crossmatching audit files.

Here's a case - 3 attempted telnets in 2 seconds, then another 10 seconds later and another 9 seconds later.


*** Host storm.stud.unit.no has exceeded detection threshold: host total = 5
*storm.stud.unit.no unknown 1996/03/15 05:13:22 in.telnetd 10445 all twist storm.stud.unit.no to (/bin/cat /etc/telmess)&
*storm.stud.unit.no unknown 1996/03/15 05:13:23 in.telnetd 10443 all twist storm.stud.unit.no to (/bin/cat /etc/telmess)&
*storm.stud.unit.no unknown 1996/03/15 05:13:23 in.telnetd 10444 all twist storm.stud.unit.no to (/bin/cat /etc/telmess)&
*storm.stud.unit.no unknown 1996/03/15 05:13:33 in.telnetd 10476 all twist storm.stud.unit.no to (/bin/cat /etc/telmess)&
*storm.stud.unit.no unknown 1996/03/15 05:13:42 in.telnetd 10487 all twist storm.stud.unit.no to (/bin/cat /etc/telmess)&

That one must have been automated - hardly an innocent victim. It appears to be an attempt to see if our defenses will break down when attempts come in rapid succession.


This superuser got the message 4 times before giving up too.

*** Host bushing.plastic.crosslink.net has exceeded detection threshold: host total = 4
*bushing.plastic.crosslink.net root 1996/03/14 19:05:16 in.telnetd 3847 all twist root@bushing.plastic.crosslink.net to (/bin/cat /etc/telmessage)&
*bushing.plastic.crosslink.net root 1996/03/14 19:05:33 in.telnetd 3876 all twist root@bushing.plastic.crosslink.net to (/bin/cat /etc/telmessage)&
.bushing.plastic.crosslink.net unknown 1996/03/14 19:05:57 in.identd 3931 all connect from bushing.plastic.crosslink.net
.bushing.plastic.crosslink.net unknown 1996/03/14 19:06:07 in.identd 3953 all connect from bushing.plastic.crosslink.net
*bushing.plastic.crosslink.net root 1996/03/14 19:06:23 in.telnetd 3978 all twist root@bushing.plastic.crosslink.net to (/bin/cat /etc/telmessage)&
.bushing.plastic.crosslink.net unknown 1996/03/14 19:06:45 in.identd 4018 all connect from bushing.plastic.crosslink.net
*bushing.plastic.crosslink.net root 1996/03/14 19:06:53 in.telnetd 4030 all twist root@bushing.plastic.crosslink.net to (/bin/cat /etc/telmessage)&
.bushing.plastic.crosslink.net unknown 1996/03/14 19:07:15 in.identd 4078 all connect from bushing.plastic.crosslink.net

Now in this case, we called the university while the attack was going on, but they couldn't track it down.

*** Host pip.shsu.edu has exceeded detection threshold: host total = 10
.pip.shsu.edu root 1996/03/14 18:29:30 in.thttpd 1455 all twist root@pip.shsu.edu to /usr/etc/in.thttpd pip.shsu.edu root
.pip.shsu.edu root 1996/03/14 18:29:30 thttpd 1455 all cat /index.html
.pip.shsu.edu root 1996/03/14 18:29:34 in.thttpd 1457 all twist root@pip.shsu.edu to /usr/etc/in.thttpd pip.shsu.edu root
.pip.shsu.edu root 1996/03/14 18:29:34 thttpd 1457 all cat /index.html
.pip.shsu.edu root 1996/03/14 18:29:45 in.thttpd 1479 all twist root@pip.shsu.edu to /usr/etc/in.thttpd pip.shsu.edu root
.pip.shsu.edu root 1996/03/14 18:29:45 thttpd 1479 all cat /admin/downtime.html
.pip.shsu.edu unknown 1996/03/14 18:30:11 in.thttpd 1510 all twist pip.shsu.edu to /usr/etc/in.thttpd pip.shsu.edu unknown
.pip.shsu.edu unknown 1996/03/14 18:30:11 thttpd 1510 all cat /integ/index.html

First they looked at our Web pages (above), then after being warned off by finger, they tried rlogin and several telnets:

.pip.shsu.edu unknown 1996/03/14 18:31:13 in.fingerd 1585 all connect from pip.shsu.edu
*pip.shsu.edu root 1996/03/14 18:31:19 in.rlogind 1586 all refused connect from root@pip.shsu.edu
*pip.shsu.edu root 1996/03/14 18:32:11 in.telnetd 1650 all twist root@pip.shsu.edu to (/bin/cat /etc/telmessage)&
*pip.shsu.edu root 1996/03/14 18:32:48 in.telnetd 1701 all twist root@pip.shsu.edu to (/bin/cat /etc/telmessage)&
*pip.shsu.edu unknown 1996/03/14 18:33:03 in.telnetd 1734 all twist pip.shsu.edu to (/bin/cat /etc/telmessage)&
*pip.shsu.edu unknown 1996/03/14 18:33:06 in.telnetd 1739 all twist pip.shsu.edu to (/bin/cat /etc/telmessage)&
*pip.shsu.edu stdjxw03 1996/03/14 18:59:50 in.telnetd 3488 all twist stdjxw03@pip.shsu.edu to (/bin/cat /etc/telmessage)&
*pip.shsu.edu unknown 1996/03/15 17:02:07 in.telnetd 29773 all refused connect from pip.shsu.edu
*pip.shsu.edu unknown 1996/03/15 17:02:14 in.telnetd 29777 all refused connect from pip.shsu.edu
*pip.shsu.edu unknown 1996/03/15 17:02:22 in.telnetd 29796 all refused connect from pip.shsu.edu
*pip.shsu.edu unknown 1996/03/15 17:04:05 in.telnetd 29911 all refused connect from pip.shsu.edu
.pip.shsu.edu unknown 1996/03/16 18:17:13 sendmail 12958 all connect from pip.shsu.edu
.pip.shsu.edu unknown 1996/03/16 19:22:42 sendmail 17711 all connect from pip.shsu.edu

We get attempts from another computer at the same site - 5 more times:

*** Host camelot.shsu.edu has exceeded detection threshold: host total = 5
*camelot.shsu.edu unknown 1996/03/14 18:24:56 in.telnetd 1109 all twist camelot.shsu.edu to (/bin/cat /etc/telmessage)&
*camelot.shsu.edu unknown 1996/03/15 17:01:14 in.telnetd 29712 all refused connect from camelot.shsu.edu
*camelot.shsu.edu unknown 1996/03/15 17:01:20 in.telnetd 29719 all refused connect from camelot.shsu.edu
*camelot.shsu.edu unknown 1996/03/15 17:01:29 in.telnetd 29723 all refused connect from camelot.shsu.edu
*camelot.shsu.edu unknown 1996/03/15 17:01:42 in.telnetd 29747 all refused connect from camelot.shsu.edu

Meanwhile other machines at the same site show that people there read about the attack and were informed that logins were not authorized.

*** Network shsu.edu has exceeded detection threshold: net total = 17
.niord.shsu.edu unknown 1996/03/15 10:35:16 sendmail 292 all connect from niord.shsu.edu
.niord.shsu.edu unknown 1996/03/15 11:57:25 in.thttpd 7529 all twist niord.shsu.edu to /usr/etc/in.thttpd niord.shsu.edu unknown
.niord.shsu.edu unknown 1996/03/15 11:57:26 thttpd 7529 all cat /index.html
...
.felix.shsu.edu unknown 1996/03/15 17:38:17 in.thttpd 2327 all twist felix.shsu.edu to /usr/etc/in.thttpd felix.shsu.edu unknown
.felix.shsu.edu unknown 1996/03/15 17:38:20 thttpd 2327 all cat /journal/netsec/audits/intent2.html
*ghost.shsu.edu unknown 1996/03/15 17:44:03 in.telnetd 2731 all refused connect from ghost.shsu.edu
.felix.shsu.edu unknown 1996/03/15 17:46:36 in.thttpd 2913 all twist felix.shsu.edu to /usr/etc/in.thttpd felix.shsu.edu unknown

We also got port scans from that site.


And here's a classic:


*** Network crl.com has exceeded detection threshold: net total = 15
*crl.com unknown 1996/03/14 17:44:37 in.telnetd 28248 all twist crl.com to (/bin/cat /etc/telmessage)&
*crl2.crl.com unknown 1996/03/14 17:44:37 in.telnetd 28249 all twist crl2.crl.com to (/bin/cat /etc/telmessage)&
*crl3.crl.com unknown 1996/03/14 17:44:39 in.telnetd 28250 all twist crl3.crl.com to (/bin/cat /etc/telmessage)&
*crl4.crl.com unknown 1996/03/14 17:44:40 in.telnetd 28259 all twist crl4.crl.com to (/bin/cat /etc/telmessage)&
*crl5.crl.com unknown 1996/03/14 17:44:41 in.telnetd 28269 all twist crl5.crl.com to (/bin/cat /etc/telmessage)&
*crl6.crl.com unknown 1996/03/14 17:44:41 in.telnetd 28271 all twist crl6.crl.com to (/bin/cat /etc/telmessage)&
*crl7.crl.com unknown 1996/03/14 17:44:43 in.telnetd 28275 all twist crl7.crl.com to (/bin/cat /etc/telmessage)&
*crl8.crl.com unknown 1996/03/14 17:44:44 in.telnetd 28285 all twist crl8.crl.com to (/bin/cat /etc/telmessage)&
*crl9.crl.com unknown 1996/03/14 17:44:45 in.telnetd 28291 all twist crl9.crl.com to (/bin/cat /etc/telmessage)&
*crl11.crl.com unknown 1996/03/14 17:44:46 in.telnetd 28304 all twist crl11.crl.com to (/bin/cat /etc/telmessage)&
*crl10.crl.com unknown 1996/03/14 17:44:46 in.telnetd 28298 all twist crl10.crl.com to (/bin/cat /etc/telmessage)&
*crl12.crl.com unknown 1996/03/14 17:44:49 in.telnetd 28310 all twist crl12.crl.com to (/bin/cat /etc/telmessage)&
*crl13.crl.com unknown 1996/03/14 17:44:50 in.telnetd 28321 all twist crl13.crl.com to (/bin/cat /etc/telmessage)&
*crl14.crl.com unknown 1996/03/14 17:44:52 in.telnetd 28322 all twist crl14.crl.com to (/bin/cat /etc/telmessage)&
...
*crl11.crl.com unknown 1996/03/16 17:36:20 in.telnetd 10025 all twist crl11.crl.com to (/bin/cat /etc/telmess)&
...

Hey - I only tried once from each IP address. It's under the threshold of a legitimate attack - isn't it?

In this case, we contacted the site within a few minutes by phone, but they claimed they could find no common thread. I asked them to kick it upstairs but have heard nothing back since. It should be easy to track down the person responsible for this.


This one was part of a series where the systems administrator told us to stop sending "all this crap" about attempted telnets to them. I'd put in the whole list, but you'd run out of disk space. They also did a port scan.

*** Host soda.csua.berkeley.edu has exceeded detection threshold: host total = 25
*soda.csua.berkeley.edu unknown 1996/03/13 15:12:01 in.telnetd 24216 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 15:12:39 in.telnetd 24326 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 15:13:10 in.telnetd 24370 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 15:13:51 in.telnetd 24461 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 15:14:12 sendmail 24511 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 15:14:37 sendmail 24550 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 15:15:05 sendmail 24607 all connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 15:20:03 in.telnetd 25282 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 15:38:50 in.telnetd 28188 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 16:03:54 in.telnetd 1669 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 16:04:26 in.fingerd 1735 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 16:05:01 in.fingerd 1819 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 16:05:11 in.fingerd 1846 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 16:05:17 in.fingerd 1865 all connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 16:06:19 in.telnetd 2006 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 16:28:49 in.fingerd 4364 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 16:29:09 in.fingerd 4396 all connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 16:31:15 in.telnetd 4600 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 16:39:29 in.telnetd 5373 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 16:51:37 in.telnetd 6425 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 16:56:14 in.telnetd 6845 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 16:57:02 sendmail 6915 all connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 17:07:13 in.telnetd 7796 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 17:13:54 sendmail 8370 all connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 17:30:26 in.telnetd 9798 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 17:30:46 in.rlogind 9824 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 17:33:24 in.fingerd 10041 all connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 17:47:44 in.ftpd 11188 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 18:20:54 in.telnetd 13912 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 19:19:54 in.fingerd 20649 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 19:39:35 in.thttpd 23306 all twist soda.CSUA.Berkeley.EDU to /usr/etc/in.thttpd soda.CSUA.Berkeley.EDU unknown
.soda.csua.berkeley.edu unknown 1996/03/13 19:39:35 thttpd 23306 all cat /index.html
.soda.csua.berkeley.edu unknown 1996/03/13 19:39:58 in.thttpd 23339 all twist soda.CSUA.Berkeley.EDU to /usr/etc/in.thttpd soda.CSUA.Berkeley.EDU unknown
.soda.csua.berkeley.edu unknown 1996/03/13 19:39:58 thttpd 23339 all cat /admin/usepolicy.html
...

They had just looked at our use policy; next they were warned yet again by our finger daemon, and yet they telnetted again.

*soda.csua.berkeley.edu unknown 1996/03/13 20:51:07 in.telnetd 29066 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 20:51:32 in.telnetd 29099 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/13 20:55:00 in.telnetd 29388 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/13 22:02:24 in.fingerd 5375 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/14 01:33:04 in.fingerd 20562 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/14 01:37:49 in.thttpd 20973 all twist soda.CSUA.Berkeley.EDU to /usr/etc/in.thttpd soda.CSUA.Berkeley.EDU unknown
.soda.csua.berkeley.edu unknown 1996/03/14 01:37:49 thttpd 20973 all cat /index.html
*soda.csua.berkeley.edu unknown 1996/03/14 03:43:56 in.telnetd 29784 all refused connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/14 17:37:16 in.fingerd 27812 all connect from soda.CSUA.Berkeley.EDU
.soda.csua.berkeley.edu unknown 1996/03/14 17:37:21 in.fingerd 27820 all connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/15 04:05:24 in.ftpd 6656 all refused connect from soda.CSUA.Berkeley.EDU
*soda.csua.berkeley.edu unknown 1996/03/15 04:10:16 in.telnetd 6931 all twist soda.CSUA.Berkeley.EDU to (/bin/cat /etc/telmess)&
*soda.csua.berkeley.edu unknown 1996/03/15 04:12:42 in.telnetd 7089 all twist soda.CSUA.Berkeley.EDU to (/bin/cat /etc/telmess)&
*soda.csua.berkeley.edu unknown 1996/03/15 06:16:42 in.telnetd 13945 all twist soda.CSUA.Berkeley.EDU to (/bin/cat /etc/telmess)&

While this was going on at soda, we also got attempts from uclink...

*** Host uclink.berkeley.edu has exceeded detection threshold: host total = 23
*uclink.berkeley.edu unknown 1996/03/13 16:31:47 in.telnetd 4640 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/13 16:36:47 in.telnetd 5142 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/13 17:21:08 in.telnetd 9003 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/13 17:21:22 in.telnetd 9031 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/13 17:33:00 in.telnetd 10006 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 00:43:44 in.telnetd 17128 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:34:49 in.telnetd 20679 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:35:51 in.telnetd 20772 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:35:55 in.telnetd 20799 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:36:43 in.telnetd 20860 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:37:16 in.telnetd 20921 all refused connect from uclink.Berkeley.EDU
.uclink.berkeley.edu unknown 1996/03/14 01:37:41 in.thttpd 20956 all twist uclink.Berkeley.EDU to /usr/etc/in.thttpd uclink.Berkeley.EDU unknown
*uclink.berkeley.edu unknown 1996/03/14 01:37:47 in.telnetd 20971 all refused connect from uclink.Berkeley.EDU
.uclink.berkeley.edu unknown 1996/03/14 01:38:23 thttpd 20956 all cat /index.html
*uclink.berkeley.edu unknown 1996/03/14 01:38:44 in.telnetd 21075 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:40:15 in.telnetd 21221 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:40:51 in.telnetd 21281 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:41:02 in.telnetd 21295 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 01:44:00 in.telnetd 21545 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 03:53:43 in.telnetd 566 all refused connect from uclink.Berkeley.EDU
.uclink.berkeley.edu unknown 1996/03/14 13:46:14 in.fingerd 12389 all connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/14 13:46:32 in.telnetd 12409 all twist uclink.Berkeley.EDU to (/bin/cat /etc/telmessage)&
*uclink.berkeley.edu unknown 1996/03/14 23:08:03 in.telnetd 20277 all twist uclink.Berkeley.EDU to (/bin/cat /etc/telmess)&
*uclink.berkeley.edu unknown 1996/03/15 04:15:57 in.telnetd 7303 all twist uclink.Berkeley.EDU to (/bin/cat /etc/telmess)&
*uclink.berkeley.edu unknown 1996/03/15 17:45:54 in.telnetd 2862 all refused connect from uclink.Berkeley.EDU
*uclink.berkeley.edu unknown 1996/03/15 22:21:09 in.telnetd 22750 all twist uclink.Berkeley.EDU to (/bin/cat /etc/telmess)&

And at pentell, they read about our site then did a port scan...


*** Host pentell.hip.berkeley.edu has exceeded detection threshold: host total = 4
.pentell.hip.berkeley.edu unknown 1996/03/14 19:00:48 in.fingerd 3571 all connect from pentell.HIP.Berkeley.EDU
.pentell.hip.berkeley.edu unknown 1996/03/14 19:01:43 in.thttpd 3620 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:01:43 thttpd 3620 all cat /index.html
.pentell.hip.berkeley.edu unknown 1996/03/14 19:01:49 in.thttpd 3638 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:01:49 thttpd 3638 all cat /allnet.gif
.pentell.hip.berkeley.edu unknown 1996/03/14 19:02:19 in.thttpd 3666 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:02:19 thttpd 3666 all cat /readonly.html
.pentell.hip.berkeley.edu unknown 1996/03/14 19:03:10 in.thttpd 3718 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:03:11 thttpd 3718 all cat /admin/downtime.html
.pentell.hip.berkeley.edu unknown 1996/03/14 19:03:51 in.thttpd 3769 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:03:51 thttpd 3769 all cat /ips/index.html
.pentell.hip.berkeley.edu unknown 1996/03/14 19:05:09 in.thttpd 3845 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:05:09 thttpd 3845 all cat /ips/audit.html
.pentell.hip.berkeley.edu unknown 1996/03/14 19:05:58 in.thttpd 3932 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:05:58 thttpd 3932 all cat /ips/vts.html
.pentell.hip.berkeley.edu unknown 1996/03/14 19:06:14 in.thttpd 3967 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.thttpd pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:06:14 thttpd 3967 all cat /tests/index.html

Beginning of the port scan:

*pentell.hip.berkeley.edu unknown 1996/03/14 19:07:11 in.ftpd 4067 all refused connect from pentell.HIP.Berkeley.EDU
*pentell.hip.berkeley.edu unknown 1996/03/14 19:07:24 in.readonly 4088 all twist pentell.HIP.Berkeley.EDU to /usr/etc/in.readonly pentell.HIP.Berkeley.EDU unknown
.pentell.hip.berkeley.edu unknown 1996/03/14 19:07:26 thttpd 4088 all ls 
*pentell.hip.berkeley.edu unknown 1996/03/14 19:07:49 in.telnetd 4125 all twist pentell.HIP.Berkeley.EDU to (/bin/cat /etc/telmessage)&
.pentell.hip.berkeley.edu unknown 1996/03/14 19:08:18 in.identd 4170 all connect from pentell.HIP.Berkeley.EDU
.pentell.hip.berkeley.edu unknown 1996/03/14 19:08:26 in.identd 4190 all connect from pentell.HIP.Berkeley.EDU
.pentell.hip.berkeley.edu unknown 1996/03/14 19:16:06 sendmail 4657 all connect from pentell.HIP.Berkeley.EDU
.pentell.hip.berkeley.edu unknown 1996/03/14 19:16:42 sendmail 4699 all connect from pentell.HIP.Berkeley.EDU
*pentell.hip.berkeley.edu unknown 1996/03/14 19:18:41 in.rlogind 4811 all refused connect from pentell.HIP.Berkeley.EDU
.pentell.hip.berkeley.edu unknown 1996/03/14 19:18:44 in.identd 4829 all connect from pentell.HIP.Berkeley.EDU
.pentell.hip.berkeley.edu unknown 1996/03/14 19:18:51 in.identd 4839 all connect from pentell.HIP.Berkeley.EDU

End of the port scan from pentell. Next, several different users try to log in. This is probably the result of an announcement that claimed we provided free network access or some such thing.


*** Host godzilla.eecs.berkeley.edu has exceeded detection threshold: host total = 4
.godzilla.eecs.berkeley.edu danh 1996/03/13 16:40:30 thttpd 5469 all cat /index.html
.godzilla.eecs.berkeley.edu danh 1996/03/13 16:40:30 in.thttpd 5469 all twist danh@godzilla.EECS.Berkeley.EDU to /usr/etc/in.thttpd godzilla.EECS.Berkeley.EDU danh
.godzilla.eecs.berkeley.edu unknown 1996/03/13 16:40:50 in.redirect 5502 all connect from godzilla.EECS.Berkeley.EDU
...
.godzilla.eecs.berkeley.edu danh 1996/03/13 16:44:36 thttpd 5843 all cat /refs/Boorman88.html
*godzilla.eecs.berkeley.edu kenji 1996/03/14 03:43:15 in.telnetd 29717 all refused connect from kenji@godzilla.EECS.Berkeley.EDU
.godzilla.eecs.berkeley.edu unknown 1996/03/14 03:43:48 in.identd 29777 all connect from godzilla.EECS.Berkeley.EDU
.godzilla.eecs.berkeley.edu unknown 1996/03/14 03:45:21 sendmail 29901 all connect from godzilla.EECS.Berkeley.EDU
...
.godzilla.eecs.berkeley.edu danh 1996/03/14 17:48:49 in.thttpd 28690 all twist danh@godzilla.EECS.Berkeley.EDU to /usr/etc/in.thttpd godzilla.EECS.Berkeley.EDU danh
.godzilla.eecs.berkeley.edu danh 1996/03/14 17:48:49 thttpd 28690 all cat /progver.html
*godzilla.eecs.berkeley.edu agee 1996/03/14 18:21:51 in.telnetd 890 all twist agee@godzilla.EECS.Berkeley.EDU to (/bin/cat /etc/telmessage)&
.godzilla.eecs.berkeley.edu unknown 1996/03/14 18:22:27 in.identd 954 all connect from godzilla.EECS.Berkeley.EDU
.godzilla.eecs.berkeley.edu danh 1996/03/17 02:02:20 thttpd 14546 all cat /index.html
.godzilla.eecs.berkeley.edu danh 1996/03/17 02:02:20 in.thttpd 14546 all twist danh@godzilla.EECS.Berkeley.EDU to /usr/etc/in.thttpd godzilla.EECS.Berkeley.EDU danh
.godzilla.eecs.berkeley.edu danh 1996/03/17 02:02:29 thttpd 14563 all cat /products/index.html
.godzilla.eecs.berkeley.edu danh 1996/03/17 02:02:29 in.thttpd 14563 all twist danh@godzilla.EECS.Berkeley.EDU to /usr/etc/in.thttpd godzilla.EECS.Berkeley.EDU danh
.godzilla.eecs.berkeley.edu danh 1996/03/17 02:03:08 in.thttpd 14607 all twist danh@godzilla.EECS.Berkeley.EDU to /usr/etc/in.thttpd godzilla.EECS.Berkeley.EDU danh
.godzilla.eecs.berkeley.edu danh 1996/03/17 02:03:09 thttpd 14607 all cat /products/otp.html
*godzilla.eecs.berkeley.edu unknown 1996/03/17 02:54:13 in.ftpd 17867 all refused connect from godzilla.EECS.Berkeley.EDU
*godzilla.eecs.berkeley.edu manoj 1996/03/17 02:54:27 in.telnetd 17885 all twist manoj@godzilla.EECS.Berkeley.EDU to (/bin/cat /etc/telmess)&
.godzilla.eecs.berkeley.edu unknown 1996/03/17 02:55:00 in.identd 17944 all connect from godzilla.EECS.Berkeley.EDU

There were also a few spurious attempts from other computers. All told, there were 67 attempts from UCB.


*** Network net.berkeley.edu has exceeded detection threshold: net total = 67
*madrone.cs.berkeley.edu unknown 1996/03/13 16:05:54 in.telnetd 1946 all refused connect from madrone.CS.Berkeley.EDU
.madrone.cs.berkeley.edu unknown 1996/03/13 16:29:20 thttpd 4406 all cat /index.html
.madrone.cs.berkeley.edu unknown 1996/03/13 16:29:20 in.thttpd 4406 all twist madrone.CS.Berkeley.EDU to /usr/etc/in.thttpd madrone.CS.Berkeley.EDU unknown
...
.madrone.cs.berkeley.edu unknown 1996/03/13 16:30:56 in.thttpd 4567 all twist madrone.CS.Berkeley.EDU to /usr/etc/in.thttpd madrone.CS.Berkeley.EDU unknown
.uclink4.berkeley.edu unknown 1996/03/13 16:33:10 in.identd 4786 all connect from uclink4.Berkeley.EDU
*othello.sph.berkeley.edu unknown 1996/03/13 16:34:02 in.telnetd 4881 all refused connect from othello.SPH.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/13 16:38:04 in.identd 5268 all connect from uclink4.Berkeley.EDU
.madrone.cs.berkeley.edu unknown 1996/03/13 16:42:02 in.thttpd 5612 all twist madrone.CS.Berkeley.EDU to /usr/etc/in.thttpd madrone.CS.Berkeley.EDU unknown
.madrone.cs.berkeley.edu unknown 1996/03/13 16:42:03 thttpd 5612 all cat /hudsonoh/index.html
.madrone.cs.berkeley.edu unknown 1996/03/13 16:47:45 sendmail 6103 all connect from madrone.CS.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/13 17:22:26 in.identd 9161 all connect from uclink4.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/13 17:22:38 in.identd 9174 all connect from uclink4.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/13 17:33:55 in.identd 10089 all connect from uclink4.Berkeley.EDU
.oceanus.cs.berkeley.edu unknown 1996/03/13 18:10:04 in.fingerd 13020 all connect from oceanus.CS.Berkeley.EDU
*franklin.cs.berkeley.edu 9918 1996/03/13 19:19:08 in.telnetd 20570 all refused connect from 9918@franklin.CS.Berkeley.EDU
.haas.berkeley.edu unknown 1996/03/13 19:23:03 in.identd 20900 all connect from haas.Berkeley.EDU
.millay.cs.berkeley.edu unknown 1996/03/13 21:33:49 in.thttpd 3099 all twist millay.CS.Berkeley.EDU to /usr/etc/in.thttpd millay.CS.Berkeley.EDU unknown
...
.millay.cs.berkeley.edu 25294 1996/03/13 21:57:13 in.thttpd 4961 all twist 25294@millay.CS.Berkeley.EDU to /usr/etc/in.thttpd millay.CS.Berkeley.EDU 25294
.millay.cs.berkeley.edu 25294 1996/03/13 21:57:42 in.thttpd 5001 all twist 25294@millay.CS.Berkeley.EDU to /usr/etc/in.thttpd millay.CS.Berkeley.EDU 25294
.millay.cs.berkeley.edu 25294 1996/03/13 21:57:42 thttpd 5001 all cat /tests/testsuite.html
*scam.xcf.berkeley.edu unknown 1996/03/13 21:57:55 in.telnetd 5023 all refused connect from scam.XCF.Berkeley.EDU
.brunello.cs.berkeley.edu unknown 1996/03/13 22:00:25 thttpd 5220 all cat /index.html
...
.broken.hip.berkeley.edu unknown 1996/03/13 22:07:25 thttpd 5805 all cat /readonly.html
.broken.hip.berkeley.edu unknown 1996/03/13 22:07:25 in.thttpd 5805 all twist broken.HIP.Berkeley.EDU to /usr/etc/in.thttpd broken.HIP.Berkeley.EDU unknown
*noah.cs.berkeley.edu unknown 1996/03/13 22:10:05 in.telnetd 6016 all refused connect from noah.CS.Berkeley.EDU
.scam.xcf.berkeley.edu unknown 1996/03/13 22:10:48 sendmail 6088 all connect from scam.XCF.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/14 00:44:38 in.identd 17200 all connect from uclink4.Berkeley.EDU
...
.chianti.cs.berkeley.edu unknown 1996/03/14 01:42:07 thttpd 21402 all cat /admin/downtime.html
.chianti.cs.berkeley.edu unknown 1996/03/14 01:42:07 in.thttpd 21402 all twist chianti.CS.Berkeley.EDU to /usr/etc/in.thttpd chianti.CS.Berkeley.EDU unknown
.uclink4.berkeley.edu unknown 1996/03/14 01:42:09 in.identd 21413 all connect from uclink4.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/14 01:42:13 in.identd 21426 all connect from uclink4.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/14 01:44:55 in.identd 21634 all connect from uclink4.Berkeley.EDU
*fhe35.reshall.berkeley.edu unknown 1996/03/14 02:23:11 in.telnetd 24265 all refused connect from fhe35.ResHall.Berkeley.EDU
*fhe35.reshall.berkeley.edu unknown 1996/03/14 02:23:38 in.telnetd 24316 all refused connect from fhe35.ResHall.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/14 03:54:42 in.identd 649 all connect from uclink4.Berkeley.EDU
*gwythaint.hip.berkeley.edu unknown 1996/03/14 13:07:14 in.telnetd 9796 all twist gwythaint.HIP.Berkeley.EDU to (/bin/cat /etc/telmessage)&
.gwythaint.hip.berkeley.edu unknown 1996/03/14 13:08:17 in.identd 9877 all connect from gwythaint.HIP.Berkeley.EDU
.uclink4.berkeley.edu unknown 1996/03/14 13:47:55 in.identd 12516 all connect from uclink4.Berkeley.EDU
.cranach.cs.berkeley.edu 25470 1996/03/14 13:51:06 in.thttpd 12718 all twist 25470@cranach.CS.Berkeley.EDU to /usr/etc/in.thttpd cranach.CS.Berkeley.EDU 25470
.cranach.cs.berkeley.edu 25470 1996/03/14 13:51:06 thttpd 12718 all cat /index.html
.beer.csua.berkeley.edu unknown 1996/03/14 14:27:21 in.thttpd 15041 all twist beer.CSUA.Berkeley.EDU to /usr/etc/in.thttpd beer.CSUA.Berkeley.EDU unknown
.beer.csua.berkeley.edu unknown 1996/03/14 14:27:22 thttpd 15041 all cat /admin/downtime.html
*monsoon.berkeley.edu ahm 1996/03/14 18:25:25 in.telnetd 1162 all twist ahm@monsoon.Berkeley.EDU to (/bin/cat /etc/telmessage)&
.monsoon.berkeley.edu unknown 1996/03/14 18:25:55 in.identd 1205 all connect from monsoon.Berkeley.EDU
*alumni.eecs.berkeley.edu vchang 1996/03/14 18:33:32 in.telnetd 1793 all twist vchang@alumni.EECS.Berkeley.EDU to (/bin/cat /etc/telmessage)&
.alumni.eecs.berkeley.edu unknown 1996/03/14 18:34:11 in.identd 1883 all connect from alumni.EECS.Berkeley.EDU
.estienne.cs.berkeley.edu 9800 1996/03/14 19:11:02 in.thttpd 4342 all twist 9800@estienne.CS.Berkeley.EDU to /usr/etc/in.thttpd estienne.CS.Berkeley.EDU 9800
...
.brunello.cs.berkeley.edu unknown 1996/03/15 08:01:48 in.thttpd 19319 all twist brunello.CS.Berkeley.EDU to /usr/etc/in.thttpd brunello.CS.Berkeley.EDU unknown
.brunello.cs.berkeley.edu unknown 1996/03/15 08:01:48 thttpd 19319 all cat /allnet.gif
.estienne.cs.berkeley.edu 9800 1996/03/15 17:23:05 in.thttpd 1293 all twist 9800@estienne.CS.Berkeley.EDU to /usr/etc/in.thttpd estienne.CS.Berkeley.EDU 9800
.estienne.cs.berkeley.edu 9800 1996/03/15 17:23:08 thttpd 1293 all cat /journal/netsec/audits/intent2.html
*sushi.hip.berkeley.edu unknown 1996/03/15 20:50:36 in.telnetd 16627 all twist sushi.HIP.Berkeley.EDU to (/bin/cat /etc/telmess)&
.sushi.hip.berkeley.edu unknown 1996/03/15 20:52:06 sendmail 16726 all connect from sushi.HIP.Berkeley.EDU
...

It continued unabated long after we provided notice. We contacted UCB but they told us to report it to our local police! The Munroe Falls police department doesn't even have a computer, much less know about computer crime, but we have filed a report. This is a necessary step in following up on any crime.

I finally got an administrator from UCB on the phone and by Saturday the 16th the attempts were completely halted. They asked us to update this document to reflect that they did eventually act to mitigate the situation and that they don't condone this sort of behavior.


How's this one?

*** Host 198.133.170.253 has exceeded detection threshold: host total = 31
*198.133.170.253 unknown 1996/03/13 19:56:33 in.telnetd 24601 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:01:45 in.telnetd 25009 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:02:01 in.telnetd 25046 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:03:02 in.telnetd 25138 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:03:57 in.telnetd 25228 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:08:58 in.telnetd 25630 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:13:57 in.telnetd 26141 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:18:57 in.telnetd 26542 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:23:57 in.telnetd 26930 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:28:57 in.telnetd 27317 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:33:57 in.telnetd 27715 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:38:55 in.telnetd 28108 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:43:56 in.telnetd 28499 all refused connect from 198.133.170.253
*198.133.170.253 unknown 1996/03/13 20:48:56 in.telnetd 28890 all refused connect from 198.133.170.253
...
*198.133.170.253 unknown 1996/03/13 22:10:07 in.telnetd 6022 all refused connect from 198.133.170.253

That one was from a system where the root had been compromised and used to attempt one entry every 5 minutes. It took a few tries before the user decided to automate, and it took the admin two hours to respond after we got him on the phone.


Notice didn't stop these people from trying.

The people given notice, just like some others who were not, purposely telnetted into this site to trigger a response. These are not innocents. They are malicious. They know they are doing something they are not supposed to be doing and they continue anyway.

They are given notice, but they continue. They break into sites to cover their tracks. They write programs to carry out their attacks.


Then we have this email from a systems administrator:

Here's the audit trail we returned to them:

Mar 14 23:46:11 all in.thttpd[22685]: twist fully.organic.com to /usr/etc/in.thttpd fully.organic.com unknown
Mar 14 23:46:19 all in.thttpd[22694]: twist fully.organic.com to /usr/etc/in.thttpd fully.organic.com unknown
Mar 14 23:46:46 all in.thttpd[22716]: twist fully.organic.com to /usr/etc/in.thttpd fully.organic.com unknown
Mar 14 23:53:00 all in.telnetd[23097]: twist fully.organic.com to (/bin/cat /etc/telmess)&
Mar 14 23:58:12 all in.thttpd[23456]: twist fully.organic.com to /usr/etc/in.thttpd fully.organic.com unknown

fully.organic.com unknown 1996/03/14 23:46:11 22686 22685 cat /index.html
fully.organic.com unknown 1996/03/14 23:46:19 22695 22694 cat /allnet.gif
fully.organic.com unknown 1996/03/14 23:46:51 22717 22716 cat /journal/netsec/9604.html
fully.organic.com unknown 1996/03/14 23:58:13 23457 23456 cat /readonly.html

This administrator read about the attack on our Web site then intentionally telnetted in to give himself an excuse to complain. He didn't like the fact that we returned the full audit trail to him. I guess he thought we couldn't detect that sort of thing.


This person doesn't seem to care about being notified that s/he is not wanted here.

*** Host dyn1193a.dialin.rad.net.id has exceeded detection threshold: host total = 7
*dyn1193a.dialin.rad.net.id unknown 1996/03/15 20:10:52 in.telnetd 13997 all twist dyn1193a.dialin.rad.net.id to (/bin/cat /etc/telmess)&
*dyn1193a.dialin.rad.net.id unknown 1996/03/15 20:11:12 in.telnetd 14029 all twist dyn1193a.dialin.rad.net.id to (/bin/cat /etc/telmess)&
*dyn1193a.dialin.rad.net.id unknown 1996/03/15 20:16:43 in.telnetd 14403 all twist dyn1193a.dialin.rad.net.id to (/bin/cat /etc/telmess)&
*dyn1193a.dialin.rad.net.id unknown 1996/03/15 20:19:37 in.telnetd 14588 all twist dyn1193a.dialin.rad.net.id to (/bin/cat /etc/telmess)&
*dyn1193a.dialin.rad.net.id unknown 1996/03/15 20:20:02 in.telnetd 14616 all twist dyn1193a.dialin.rad.net.id to (/bin/cat /etc/telmess)&
*dyn1193a.dialin.rad.net.id unknown 1996/03/15 20:21:50 in.telnetd 14734 all twist dyn1193a.dialin.rad.net.id to (/bin/cat /etc/telmess)&
*dyn1193a.dialin.rad.net.id unknown 1996/03/15 20:24:08 in.telnetd 14887 all twist dyn1193a.dialin.rad.net.id to (/bin/cat /etc/telmess)&

And here's an administrator with a poor attitude. After being notified of a total of 21 different attempted telnets from his site, many of them after notice had been served to the individual users, he advised us:

Here are the audit records - and please note that mindspring.com is an ISP and is not necessarily responsible for this activity themselves:

*** Host max1-dyn15.mindspring.com has exceeded detection threshold: host total = 4
*max1-dyn15.mindspring.com unknown 1996/03/13 15:48:26 in.telnetd 29724 all refused connect from max1-dyn15.mindspring.com
*max1-dyn15.mindspring.com unknown 1996/03/13 15:49:52 in.telnetd 29881 all refused connect from max1-dyn15.mindspring.com
*max1-dyn15.mindspring.com unknown 1996/03/13 15:50:18 in.telnetd 29936 all refused connect from max1-dyn15.mindspring.com
*max1-dyn15.mindspring.com unknown 1996/03/13 15:50:39 in.telnetd 29985 all refused connect from max1-dyn15.mindspring.com

*** Host ding.mindspring.com has exceeded detection threshold: host total = 6
*ding.mindspring.com unknown 1996/03/13 11:31:10 in.telnetd 1778 all refused connect from ding.mindspring.com
*ding.mindspring.com unknown 1996/03/13 11:31:19 in.telnetd 1806 all refused connect from ding.mindspring.com
*ding.mindspring.com unknown 1996/03/13 12:29:18 in.telnetd 8045 all refused connect from ding.mindspring.com
*ding.mindspring.com unknown 1996/03/13 12:29:31 in.telnetd 8084 all refused connect from ding.mindspring.com
*ding.mindspring.com unknown 1996/03/13 12:29:36 in.telnetd 8099 all refused connect from ding.mindspring.com
*ding.mindspring.com unknown 1996/03/16 09:54:08 in.telnetd 8754 all twist ding.mindspring.com to (/bin/cat /etc/telmess)&
 ding.mindspring.com unknown 1996/03/16 15:37:52 in.fingerd 2042 all connect from ding.mindspring.com

*** Network mindspring.com has exceeded detection threshold: net total = 21
*max1-dyn21.mindspring.com unknown 1996/03/15 23:04:01 in.telnetd 25648 all twist max1-dyn21.mindspring.com to (/bin/cat /etc/telmess)&
*max1-dyn21.mindspring.com unknown 1996/03/15 23:04:14 in.telnetd 25659 all twist max1-dyn21.mindspring.com to (/bin/cat /etc/telmess)&
*max1-dyn21.mindspring.com unknown 1996/03/15 23:05:53 in.telnetd 25801 all twist max1-dyn21.mindspring.com to (/bin/cat /etc/telmess)&
*max1-dyn34.mindspring.com unknown 1996/03/16 00:19:28 in.telnetd 832 all twist max1-dyn34.mindspring.com to (/bin/cat /etc/telmess)&
*max1-dyn34.mindspring.com unknown 1996/03/16 00:19:42 in.telnetd 873 all twist max1-dyn34.mindspring.com to (/bin/cat /etc/telmess)&
 max1-dyn36.mindspring.com unknown 1996/03/13 17:03:15 in.redirect 7437 all connect from max1-dyn36.mindspring.com
 max1-dyn36.mindspring.com unknown 1996/03/13 17:03:21 in.thttpd 7438 all twist max1-dyn36.mindspring.com to /usr/etc/in.thttpd max1-dyn36.mindspring.com unknown
 max1-dyn36.mindspring.com unknown 1996/03/13 17:03:22 thttpd 7438 all cat /index.html
...

After 5 warnings and viewing our Web site, this user still attempted entry 4 more times.

*max1-dyn6.mindspring.com unknown 1996/03/13 15:31:13 in.telnetd 26914 all refused connect from max1-dyn6.mindspring.com
*max1-dyn6.mindspring.com unknown 1996/03/13 15:40:46 in.telnetd 28570 all refused connect from max1-dyn6.mindspring.com
*max1-dyn6.mindspring.com unknown 1996/03/13 15:40:58 in.telnetd 28643 all refused connect from max1-dyn6.mindspring.com
*max1-dyn39.mindspring.com unknown 1996/03/13 11:37:14 in.telnetd 2493 all refused connect from max1-dyn39.mindspring.com
...
java.mindspring.com unknown 1996/03/16 12:34:26 in.thttpd 19560 all twist java.mindspring.com to /usr/etc/in.thttpd java.mindspring.com unknown
...

***This user actually read about the incident and then attempted entry.

 java.mindspring.com unknown 1996/03/16 12:52:55 in.thttpd 20790 all twist java.mindspring.com to /usr/etc/in.thttpd java.mindspring.com unknown
 java.mindspring.com unknown 1996/03/16 12:52:55 thttpd 20790 all cat /journal/netsec/audits/afternoon.html
*java.mindspring.com unknown 1996/03/16 12:53:15 in.telnetd 20816 all twist java.mindspring.com to (/bin/cat /etc/telmess)&
 borg.mindspring.com unknown 1996/03/13 11:36:28 sendmail 2409 all connect from borg.mindspring.com
 borg.mindspring.com unknown 1996/03/13 11:36:52 sendmail 2459 all connect from borg.mindspring.com
 borg.mindspring.com unknown 1996/03/13 12:13:40 sendmail 6444 all connect from borg.mindspring.com
 borg.mindspring.com unknown 1996/03/13 12:35:23 sendmail 8730 all connect from borg.mindspring.com
 irish.mindspring.com unknown 1996/03/17 10:34:46 in.thttpd 17147 all twist irish.mindspring.com to /usr/etc/in.thttpd irish.mindspring.com unknown
 irish.mindspring.com unknown 1996/03/17 10:35:07 thttpd 17147 all cat /books/iwar/disrupt.html
*blalock.mindspring.com unknown 1996/03/16 01:13:57 in.telnetd 4525 all twist blalock.mindspring.com to (/bin/cat /etc/telmess)&
...

On March 18, we got the following helpful lead on this one:

Date: Mon, 18 Mar 96 17:32:04 EST
To: fc@all.net
Subject: breakin

Hi
  There is an http site being distributed publicly and being spread around.
Yes someone is playing a joke on your site which is kind of sad.  Here is
the site you can take a look at and probably do something about it. I would
be pissed about it too.
		"http://www.shorty.com/[details withheld]"

This might help you solve a part of your problem

It turns out that www.shorty.com resolves to a domain within mindspring that is (essentially) leased for customer use.

% traceroute www.shorty.com
traceroute to widow.mindspring.com (204.180.128.20), 30 hops max, 40 byte packets
...

The site www.shorty.com prohibits Web access from our site, however, we asked another site to get the data for us.

The URL has a link for "hackers" to "hack into" our computer, and when they press on the link, it causes their browser to telnet into our site. The information contained in the page on the attack that exploits Web browsers is also false and misleading, however the page does assert that it is satire.

The administrators at Mindspring are helping us out with this, and Mindspring seems to be a responsible company that got caught in the middle.

Total records = 17539 ignored 16461 and used 1078 (6.14630252579965%)

<<=== End:Done crossmatching audit files.

====================================================
Tracer done - Mon Mar 18 10:44:02 EST 1996
====================================================

A final log entry extracted from our packet filter that stops many of these attacks before they get to the stage of sending email:

3/27-05:45:30-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:45:35-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:45:39-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:45:45-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:45:50-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:45:55-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:45:59-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:46:06-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-05:46:10-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
...
3/27-06:20:31-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:20:36-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:20:41-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:20:46-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:20:51-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:20:56-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:21:06-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:21:11-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
3/27-06:21:17-153 tcp 204.7.229.1/telnet <- 193.124.65.96/4072 44 syn !pass(11)
...

This one traces back to St. Petersburg, Russia.
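Two things the crossmatch above does by hand are worth automating: counting flagged records per host and per network against a detection threshold (the "host total" and "net total" lines), and spotting the machine-regular timing that gave away the every-5-minutes telnet source and the every-5-seconds SYN source in the packet-filter log. The script below is an added example, not the tracer tool or any code from all.net; it parses constructed sample lines in the two formats shown on this page (hostnames and addresses are documentation values, not real hosts), counts only the `*`-marked records toward the threshold (an assumption drawn from the page's examples, where the starred lines are the telnet attempts), groups hosts into a network by their last two DNS labels (or the first three octets of an address, also an assumption), and reports any source whose inter-arrival gaps are nearly constant. The packet-filter format carries no year, so 1996 is assumed.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample records in the two log formats shown on the page
# (example.net / example.com and 192.0.2.x / 198.51.100.x are documentation values).
TRACER_LINES = """\
*host-a.example.net unknown 1996/03/13 20:01:45 in.telnetd 25009 all refused connect from host-a.example.net
*host-a.example.net unknown 1996/03/13 20:06:45 in.telnetd 25046 all refused connect from host-a.example.net
*host-a.example.net unknown 1996/03/13 20:11:45 in.telnetd 25138 all refused connect from host-a.example.net
*host-a.example.net unknown 1996/03/13 20:16:45 in.telnetd 25228 all refused connect from host-a.example.net
*dyn1.isp.example.com unknown 1996/03/15 23:04:01 in.telnetd 25648 all twist dyn1.isp.example.com to (/bin/cat /etc/telmess)&
*dyn1.isp.example.com unknown 1996/03/15 23:04:14 in.telnetd 25659 all twist dyn1.isp.example.com to (/bin/cat /etc/telmess)&
*dyn2.isp.example.com unknown 1996/03/16 00:19:28 in.telnetd 832 all twist dyn2.isp.example.com to (/bin/cat /etc/telmess)&
 dyn3.isp.example.com unknown 1996/03/13 17:03:22 thttpd 7438 all cat /index.html
"""
FILTER_LINES = """\
3/27-05:45:30-153 tcp 192.0.2.1/telnet <- 198.51.100.7/4072 44 syn !pass(11)
3/27-05:45:35-153 tcp 192.0.2.1/telnet <- 198.51.100.7/4072 44 syn !pass(11)
3/27-05:45:40-153 tcp 192.0.2.1/telnet <- 198.51.100.7/4072 44 syn !pass(11)
3/27-05:45:45-153 tcp 192.0.2.1/telnet <- 198.51.100.7/4072 44 syn !pass(11)
3/27-05:45:50-153 tcp 192.0.2.1/telnet <- 198.51.100.7/4072 44 syn !pass(11)
"""

# Leading '*' marks a record the crossmatch counted toward the threshold (assumption).
TRACER_RE = re.compile(
    r"^(?P<mark>[*. ]?)(?P<host>\S+) (?P<user>\S+) (?P<date>\d{4}/\d\d/\d\d) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<service>\S+) (?P<pid>\d+) all (?P<action>.*)$")
FILTER_RE = re.compile(
    r"^(?P<mon>\d+)/(?P<day>\d+)-(?P<time>\d\d:\d\d:\d\d)-\d+ tcp "
    r"(?P<dst>[\d.]+)/(?P<dport>\S+) <- (?P<src>[\d.]+)/(?P<sport>\S+) "
    r"(?P<length>\d+) (?P<flags>\S+) (?P<verdict>\S+)$")

def parse_tracer(text):
    """Parse tracer-style audit records, skipping '...' elisions and summary lines."""
    records = []
    for line in text.splitlines():
        m = TRACER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        records.append({"flagged": m["mark"] == "*", "host": m["host"], "ts": ts,
                        "service": m["service"], "action": m["action"]})
    return records

def parse_filter(text, year=1996):
    """Parse packet-filter lines; the format has no year, so one is assumed."""
    records = []
    for line in text.splitlines():
        m = FILTER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
        records.append({"ts": ts, "src": m["src"], "dst": m["dst"], "dport": m["dport"],
                        "flags": m["flags"], "dropped": m["verdict"].startswith("!pass")})
    return records

def network_of(host):
    """Last two DNS labels for a name, first three octets for a dotted address (assumption)."""
    if re.fullmatch(r"[\d.]+", host):
        return ".".join(host.split(".")[:3])
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def flagged_totals(records, threshold):
    """Host and network totals of flagged records, restricted to those at/above threshold."""
    hosts = Counter(r["host"] for r in records if r["flagged"])
    nets = Counter(network_of(r["host"]) for r in records if r["flagged"])
    return ({h: n for h, n in hosts.items() if n >= threshold},
            {n: c for n, c in nets.items() if c >= threshold})

def interval_stats(timestamps):
    """(mean gap in seconds, coefficient of variation); None below three events."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return (mean, statistics.pstdev(gaps) / mean) if mean else (0.0, 0.0)

def looks_automated(timestamps, max_cv=0.25):
    """Near-constant spacing (CV <= max_cv) is the scripted-retry signature the page describes."""
    stats = interval_stats(timestamps)
    return stats is not None and stats[1] <= max_cv

def automated_sources(records, key):
    """Map each source (by `key`, e.g. 'host' or 'src') with regular timing to its mean gap."""
    by_src = {}
    for r in records:
        by_src.setdefault(r[key], []).append(r["ts"])
    return {s: interval_stats(t)[0] for s, t in by_src.items() if looks_automated(t)}

if __name__ == "__main__":
    tracer = parse_tracer(TRACER_LINES)
    hosts, nets = flagged_totals(tracer, threshold=3)
    print("hosts over threshold:", hosts)
    print("networks over threshold:", nets)
    print("automated hosts:", automated_sources([r for r in tracer if r["flagged"]], "host"))
    filt = parse_filter(FILTER_LINES)
    print("dropped SYNs:", sum(r["dropped"] for r in filt))
    print("automated sources:", automated_sources(filt, "src"))
```

On the constructed input, `host-a.example.net` crosses the threshold on its own and `example.com` crosses it only as a network (three flagged attempts spread over two dial-in hosts, the situation the page shows for mindspring.com), while the 300-second and 5-second gaps come out with zero variance, which is what distinguishes a script from a person retrying by hand. A real deployment would tune `threshold` and `max_cv` against the site's own traffic; a low threshold on a busy dial-in pool will flag the ISP rather than the user.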

Conclusion