202.8.85.112, also known as ppp-202.85.112.revip.proen.co.th, has been trying to force a login to one of my FTP boxes for the last few hours. I'm assuming malware is to blame, judging from the pattern of traffic. I closed the door a few minutes ago (and in doing so stopped one of my own pending transfers), so Mr Fuckwit's infected p.o.s. machine in Thailand can no longer come knocking. I've mailed Proen Internet, but I'm not expecting a positive response - after all, ISPs aren't usually proactive in stopping malware. They don't care how the bandwidth is being used, as long as someone is paying for it.
In situations like this it is tempting to go looking for whatever backdoor the machine has installed and to attack it back, but I really can't be bothered going to all that effort for one little s'kiddie's 0wn3d box. Besides, I have better things to do.
If you've stumbled on this page while searching for this IP address, the email address you want to contact is ABUSE@PROEN.CO.TH. The IP is serving up a webpage of some sort on the URL http://www.ssko.moph.go.th/, very, very slowly, but I can't make head nor tail of it. It's running PHPNuke and ThaiNuke too, apropos of nothing at all. The IP has also shown up in the defacements archive at zone-h.org - so there's a history of solid security there then. Assholes.
posted @ Sunday, October 15, 2006 7:07 PM