Hi guys,
I found these logs on my mail server about a possible fraud attempt and phishing.
Is this normal?
Found ip-based phishing fraud from 10.2.0.0
Found ip-based phishing fraud from 255.255.255.255
Found ip-based phishing fraud from 10.1.0.0
Found ip-based phishing fraud from 255.255.255.255
Sent: Wednesday, February 08, 2006 6:01 PM
Subject: Fwd: 16 new messages in 8 topics - digest
---------- Forwarded message ----------
From: comp.dcom.sys.cisco group <noreply@googlegroups.com>
Date: Feb 8, 2006 5:03 PM
Subject: 16 new messages in 8 topics - digest
To: "comp.dcom.sys.cisco digest subscribers" <comp.dcom.sys.cisco@googlegroups.com>
comp.dcom.sys.cisco
http://groups.google.com/group/comp.dcom.sys.cisco
comp.dcom.sys.cisco@googlegroups.com
Today's topics:
* getting in - 4 messages, 2 authors
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/f48de60251014965
* memory - 4 messages, 2 authors
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/235ec15b218debea
* Which switch? - 1 messages, 1 author
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/a6263c2a6cf2f5ab
* Definitive max flash/DRAM for a 2621 non-XM - 1 messages, 1 author
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/f7c8f2baa300293e
* C3750 Layer 3 Switching and VLANs - 1 messages, 1 author
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/d9a76f870e6b9fd0
* PIX to PIX VPN problem - 3 messages, 2 authors
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/d8ca3eca037301b1
* AP1200 wds server hanging - 1 messages, 1 author
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/ebddeedf52725a9
* IOS for 1401. - 1 messages, 1 author
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/f0db579a12642f33
==============================================================================
TOPIC: getting in
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/f48de60251014965
==============================================================================
== 1 of 4 ==
Date: Wed, Feb 8 2006 4:16am
From: roberson@hushmail.com (Walter Roberson)
In article <1139371420.774575.279580@f14g2000cwb.googlegroups.com>,
<fatlobsterman@yahoo.com> wrote:
[PIX 515E]
>thanks for replying so quickly. I don't even know how to do that. I
>have it hooked to my PC but I heard that I have to match IP addresses
>and telnet which is way beyond my knowledge. Is it a big deal to do all
>of this?
Take the serial cable you got with the PIX 515E. Connect it to
a serial port on your PC. Plug the RJ45 end into the "console" connection
on the 515E. If you don't know which one that is, look at the
diagram at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/hig63/515.htm#wp1037358
Then on your PC, fire up Hyperterm and set it to use the appropriate
COM port at 9600 8 N 1. Now press return in the Hyperterm window.
Alternately, follow the instructions in chapter 3 of the Quick Start
Guide at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63qsg/515quick.pdf
== 2 of 4 ==
Date: Tues, Feb 7 2006 8:35pm
From: fatlobsterman@yahoo.com
Are you referring to using the PC terminal adapter with the RJ45 into the
console like in figure 4-7?
== 3 of 4 ==
Date: Tues, Feb 7 2006 8:56pm
From: fatlobsterman@yahoo.com
I think I may be in if that is the way that you were referring to. I
used COM3 with the other info you gave me and HyperTerminal says
connected but show version does nothing - what else can I do?
== 4 of 4 ==
Date: Wed, Feb 8 2006 6:15am
From: roberson@hushmail.com (Walter Roberson)
In article <1139374576.472587.175160@o13g2000cwo.googlegroups.com>,
<fatlobsterman@yahoo.com> wrote:
[PIX 515E]
>I think I may be in if that is the way that you were referring to.
I don't use googlegroups for actively reading postings (only
when I am researching old postings), so your previous postings
are not visible on my screen. It would therefore be appreciated
if you would follow the Usenet convention of quoting enough of
the previous conversation to establish the context of your
remarks.
For example if you go back and re-read your message in isolation,
you will see that there is no reference present as to what kind
of device you are using -- that's why I stuck the "[PIX 515E]" in,
to give back that necessary context.
>I used COM3 with the other info you gave me and HyperTerminal says
>connected but show version does nothing - what else can I do?
You haven't provided any information about what kind of
PC you are using or how it is set up, so I will have to make
wild guesses here.
In most PCs that I have seen, COM3 is either not connected at all,
or is a modem port; the standard serial ports that are connected
are COM1 and COM2. On most laptops that I have seen, the standard
serial ports are COM1 and COM3 with COM2 not present, and COM3
usually being a modem port. So, lacking further information, I
would -suspect- that you have used the wrong COM port number and
that if you are talking to anything, you are talking to a modem.
==============================================================================
TOPIC: memory
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/235ec15b218debea
==============================================================================
== 1 of 4 ==
Date: Tues, Feb 7 2006 8:18pm
From: fatlobsterman@yahoo.com
I have 2 pix- one is a 515e-UR and the other is 515e-FO. I don't even
know how to get into the pix. I have it hooked up to my PC but I am
clueless when it comes to these. Is there a place where I can go or
could you possibly help me get it to get that information. I was told
that I have to set up the same ips and telnet but again, I'm clueless
when it comes to this but I do know my way around PCs very well just to
give you an idea of my knowledge.
thanks
== 2 of 4 ==
Date: Tues, Feb 7 2006 8:54pm
From: fatlobsterman@yahoo.com
I think that I am logged in b/c HyperTerminal is saying I'm connected- I
used the serial to RJ45 to the console on the back- I used COM3 is
that alright? maybe it is since I am connected but I tried show
version in the HyperTerminal window and nothing happens
== 3 of 4 ==
Date: Tues, Feb 7 2006 8:54pm
From: fatlobsterman@yahoo.com
I think that I am logged in b/c HyperTerminal is saying I'm connected- I
used the serial to RJ45 to the console on the back- I used COM3 is
that alright? maybe it is since I am connected but I tried show
version in the HyperTerminal window and nothing happens
== 4 of 4 ==
Date: Tues, Feb 7 2006 10:07pm
From: "J"
Honestly I don't know if I could walk you through this. Connecting to
the console could be an all day speaking event for some people. Do you have
the right cable, a serial port or USB adapter, and DB9 adapter if
applicable? What COM port are you on. Are you using the 9600 8N1
settings? Do you know the password for the device? Do you have the
necessary file to attempt password recovery? There are too many
unknowns for me to be of any real assistance. I googled for "cisco
console howto" and found a few useful hits.
http://www.google.com/search?hl=en&q=cisco+console+howto&btnG=Google+Search
Setting up a Pix is certainly not a trivial matter. I recommend
finding a person qualified to take on the task. I could write a book
on nothing but Pix basics and still not cover everything you should
know. Someone else may be able to provide better input than I. Best
of luck.
J
==============================================================================
TOPIC: Which switch?
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/a6263c2a6cf2f5ab
==============================================================================
== 1 of 1 ==
Date: Tues, Feb 7 2006 8:28pm
From: "www.BradReese.Com"
Andrew,
The 2005 Cisco Product Guide has a good matrix:
http://www.bradreese.com/2005-cisco-guide.htm
Found at Cisco Product Guides:
http://www.bradreese.com/refurbished-cisco-product-guide.htm
Sincerely,
Brad Reese
BradReese.Com Cisco Engineers
http://www.BradReese.Com
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
International: 828-277-7272
==============================================================================
TOPIC: Definitive max flash/DRAM for a 2621 non-XM
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/f7c8f2baa300293e
==============================================================================
== 1 of 1 ==
Date: Tues, Feb 7 2006 8:44pm
From: "J"
I thought for sure the 2621 I had was an XM but apparently it's not.
I'm not sure how I missed it but I did. I need to be able to run a
PPPoE client on this guy. Unfortunately it looks like that feature is
only found in the advanced enterprise services code which requires 96MB
DRAM and 32MB flash for 12.3. This 2621 is running 64/16. I've
researched the max resources for the 2621 on both Google and Cisco's
website and have gotten mixed results. What's the definitive maximum
flash and DRAM for this router?
Does anyone else have any ideas for running a PPPoE client on this
router rather than running c2600-adventerprisek9-mz.123-4.xd1?
Thanks
J
==============================================================================
TOPIC: C3750 Layer 3 Switching and VLANs
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/d9a76f870e6b9fd0
==============================================================================
== 1 of 1 ==
Date: Tues, Feb 7 2006 8:45pm
From: "NETADMIN"
Hi Lutz..
>>Hi Lutz - thanks a million for the reply - I was looking into VACLs and
>>all sorts - didn't think it was as easy as that! I am just wondering if
>>you could also provide an example on configuring the L3 part of the
>>switch?
This was posted by ryanfinne...@hotmail.com, not by me.
Thanks,
NETADMIN
==============================================================================
TOPIC: PIX to PIX VPN problem
http://groups.google.com/group/comp.dcom.sys.cisco/browse_thread/thread/d8ca3eca037301b1
==============================================================================
== 1 of 3 ==
Date: Wed, Feb 8 2006 5:00am
From: John Scholvin
In article <BVaGf.581257$ki.478851@pd7tw2no>,
Walter Roberson <roberson@hushmail.com> wrote:
>No, when you are ssh'd in and you use 'debug' commands, the output goes
>to your ssh session. You might possibly need to adjust the
>"logging monitor" level but I don't think so.
Weird...this never worked for me. I tried turning on all kinds of debug and
saw none of it in my ssh session. But I did manage to use "logging console"
to see some debug output on the console port, so I made progress on my problem.
I'll have to come back to this after I solve the more pressing crisis...
Thanks,
john
--
John Scholvin -- john@scholvin.com -- an E7b5#9 man in an F major world
== 2 of 3 ==
Date: Wed, Feb 8 2006 5:29am
From: John Scholvin
In article <ds8duj$1bu$1@chessie.cirr.com>,
John Scholvin <john@scholvin.com.REMOVETHIS> wrote:
>
>I am trying to establish a VPN tunnel between 2 PIX 506E's. This is, for
>now, as straightforward a setup as there could be:
>
>private LAN 1 --- PIX 1 ----- internet ----- PIX 2 ----- private LAN 2
>
>The problem is that the pixen don't seem to even want to get to phase 1
>negotiations. "show isakmp sa" returns 0 associations on both sides.
OK, I worked around the weird debug problem I had (thanks for the tips!) and
now I have the two pixes connected through isakmp phase II. But they still
won't pass traffic.
Here's is my theory. One of the pixes handles incoming VPN client connections
in addition to the "dedicated" connection to the other pix. Looking at the output
from "show ipsec sa" on that dual-purpose pix, I see something funny right at the
top:
interface: outside
Crypto map tag: CRYPTO_MAP, local addr. ee.ee.ee.ee
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer: cc.cc.cc.cc:500
dynamic allocated peer ip: 0.0.0.0
(ee.ee.ee.ee and cc.cc.cc.cc are the public IPs of the pixes)
That dynamically allocated peer doesn't make sense to me. The other pix
doesn't have that line in the output. I'm guessing I have somehow
butchered the config of the crypto map and it's confusing this peer with the
VPN clients. The config of this pix is below, hopefully someone here can spot
the problem.
Summary:
* one pix is in Evanston (public=ee.ee.ee.ee), one in Chicago (cc.cc.cc.cc)
* the pix in Evanston also handles incoming VPN client connections
* the Evanston private lans are 10.1.0.0/16 and 192.168.0.0/24; and Chicago's is 10.2.0.0/16
Thanks in advance if anyone can spot the problem here.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ** encrypted
passwd ** encrypted
hostname pix-evn
domain-name **
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 700
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
name ee.ee.ee.ee vpn-evn
object-group icmp-type icmp_traffic
icmp-object echo-reply
icmp-object source-quench
icmp-object unreachable
icmp-object time-exceeded
access-list PERMIT_IN permit icmp any any object-group icmp_traffic
access-list PERMIT_IN permit tcp any host ee.ee.ee.ee eq ssh
access-list PERMIT_IN permit tcp any host ee.ee.ee.ee eq www
access-list PERMIT_IN permit tcp any host ee.ee.ee.ee eq https
access-list PERMIT_IN permit udp any host ee.ee.ee.ee eq isakmp
access-list PERMIT_IN permit ah any host ee.ee.ee.ee
access-list PERMIT_IN permit esp any host ee.ee.ee.ee
access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0
access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list CHICAGO permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
no pager
logging on
logging trap notifications
logging host inside 192.168.0.200
no logging message 106023
no logging message 305005
no logging message 304001
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside ee.ee.ee.ee 255.255.255.248
ip address inside 10.1.1.1 255.0.0.0
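The alerts at the top of this mail and the mangled config in the last post are the same thing: MailScanner's "numerical links" heuristic fires on every bare IP address in a forwarded Cisco config, including RFC 1918 networks and netmasks that could never be a phishing destination. Below is an added Python example, not code from this thread, from MailScanner or from Cisco, that strips the wrapper, labels the addresses in the log lines, and then runs three consistency checks over the recovered pix-evn access-lists and interface addresses. The sample log and config lines are constructed from the post (ee.ee.ee.ee stays as the poster's placeholder); the check names, the local LAN list and the helper names are the example's own assumptions.

```python
"""Triage MailScanner "numerical links" alerts and recover a PIX config from them.

Added example for this thread, not code from the original post, MailScanner or
Cisco. Sample log and config lines are constructed from the mangled text in the
post; ee.ee.ee.ee is the poster's placeholder for a public address.
"""
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# MailScanner rewrote every dotted-quad token it saw into
#   MailScanner has detected a possible fraud attempt from "X" claiming to be
#   MailScanner warning: numerical links are often malicious: X
# Removing the wrapper leaves the second X (which still carries any /mask or
# :port that followed it); \s+ tolerates the line wraps inside the wrapper.
_WRAPPER = re.compile(
    r'MailScanner\s+has\s+detected\s+a\s+possible\s+fraud\s+attempt\s+from\s+"[^"]*"\s+'
    r"claiming\s+to\s+be\s+MailScanner\s+warning:\s+numerical\s+links\s+are\s+often\s+"
    r"malicious:\s+")
_RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
_IF_RE = re.compile(r"ip address (\S+) (\S+) (\S+)$")


def unmangle(text):
    """Strip MailScanner's phishing wrapper, restoring the original tokens."""
    return _WRAPPER.sub("", text)


def classify_flagged(log_text):
    """Label each address in 'Found ip-based phishing fraud from X' log lines:
    a private address or a netmask cannot be a phishing destination."""
    out = []
    for m in re.finditer(r"Found ip-based phishing fraud from (\d+\.\d+\.\d+\.\d+)", log_text):
        ip = IPv4Address(m.group(1))
        if ip == IPv4Address("255.255.255.255"):
            label = "limited broadcast (a netmask, not a host)"
        elif any(ip in net for net in _RFC1918):
            label = "RFC 1918 private (not Internet-routable)"
        else:
            label = "not RFC 1918: inspect"
        out.append((str(ip), label))
    return out


def parse_config(config):
    """Collect 'access-list N permit ip SRC SMASK DST DMASK' entries per ACL and
    'ip address IF ADDR MASK' interfaces; placeholder addresses are skipped."""
    acls, ifaces = {}, {}
    for raw in config.splitlines():
        acl, itf = _ACL_RE.match(raw.strip()), _IF_RE.match(raw.strip())
        if acl:
            name, src, smask, dst, dmask = acl.groups()
            acls.setdefault(name, []).append(
                (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
        elif itf:
            try:
                ifaces[itf.group(1)] = IPv4Interface(f"{itf.group(2)}/{itf.group(3)}")
            except ValueError:  # ee.ee.ee.ee is a placeholder, not an address
                pass
    return acls, ifaces


def check_vpn(acls, ifaces, crypto_acl, nonat_acl, local_lans):
    """Three consistency checks a PIX site-to-site tunnel depends on."""
    crypto, nonat = acls.get(crypto_acl, []), acls.get(nonat_acl, [])
    return {
        # 1. every flow the crypto map encrypts must also be exempt from NAT
        "crypto_flows_without_nonat": [f for f in crypto if f not in nonat],
        # 2. a local LAN absent from the crypto ACL is never sent over the tunnel
        "lans_not_in_crypto_acl": [lan for lan in local_lans
                                   if not any(lan.subnet_of(src) for src, _ in crypto)],
        # 3. a remote network inside a connected interface subnet is treated as
        #    local instead of being routed out to the peer
        "remote_inside_connected": [(name, dst) for _, dst in crypto
                                    for name, itf in ifaces.items()
                                    if dst.subnet_of(itf.network)],
    }


def _mangle(line):
    """Constructed: wrap each dotted token of a clean line the way MailScanner did."""
    wrap = ('MailScanner has detected a possible fraud attempt from "%s" claiming to be '
            "MailScanner warning: numerical links are often malicious: %s")
    return " ".join(wrap % (w, w) if "." in w else w for w in line.split())


SAMPLE_LOG = """Found ip-based phishing fraud from 10.2.0.0
Found ip-based phishing fraud from 255.255.255.255
Found ip-based phishing fraud from 10.1.0.0
"""
# The access-list and interface lines of the posted pix-evn config as delivered,
# mangled; the first wrapper is split across lines as several were in the post.
SAMPLE_CONFIG = "\n".join(_mangle(s) for s in [
    "access-list NONAT permit ip 192.168.0.0 255.255.255.0 10.1.250.0 255.255.255.0",
    "access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.1.250.0 255.255.255.0",
    "access-list NONAT permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
    "access-list CHICAGO permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
    "ip address outside ee.ee.ee.ee 255.255.255.248",
    "ip address inside 10.1.1.1 255.0.0.0",
]).replace("are often", "are\noften", 1)


def run():
    """Triage the alerts, recover the config and run the tunnel checks."""
    acls, ifaces = parse_config(unmangle(SAMPLE_CONFIG))
    report = check_vpn(acls, ifaces, "CHICAGO", "NONAT",
                       [IPv4Network("10.1.0.0/16"), IPv4Network("192.168.0.0/24")])
    report["flagged"] = classify_flagged(SAMPLE_LOG)
    return report


if __name__ == "__main__":
    print(run())
```

Against the posted lines, `run()` reports no crypto flow missing a NAT exemption, 192.168.0.0/24 absent from the CHICAGO ACL (that LAN is never sent over the site-to-site tunnel), and 10.2.0.0/16 falling inside the 10.0.0.0/8 that the inside interface's 255.0.0.0 mask makes directly connected. The posted config is truncated and neither finding is claimed here to be the cause of the problem, but both are worth verifying before digging further into the crypto map. The MailScanner alerts themselves are the filter's heuristic firing on RFC 1918 addresses and netmasks in a forwarded config, not evidence of phishing.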