Thread: Sagonet - Failing miserably with network security Someone needs to handle this.

2006-10-30 16:54:23

Not that this is his real name, or business, but a whois on the IP
yields:

[whois.arin.net]
Sago Networks SAGO-20030401 (NET-65-110-32-0-1)
                                  65.110.32.0 - 65.110.63.255
Anton Tenev SAGO-65-110-62-120 (NET-65-110-62-120-1)
                                  65.110.62.120 - 65.110.62.129



-----Original Message-----
From: owner-nanogmerit.edu [mailto:owner-nanogmerit.edu] On Behalf Of
Chris Jester
Sent: Sunday, October 29, 2006 11:29 AM
To: nanognanog.org
Cc: abusesagonet.com
Subject: Sagonet - Failing miserably with network security Someone needs
to handle this.


65.110.62.120

Sagonet,

We have a serious hacker here who is ACTIVELY engaged in logins on our
network (have him in a honeypot at the moment). He is running exploits
from your network and also I have been hearing from others that you have
been notified of this a few times yet have done nothing about it.  Can
we get someone to handle this immediately please?

This hacker has rooted at least 35 servers on a friend's network
(friendly competitor) and now he's scanning ours...

This is what was said by my friend after contacting you guys about this:
"Good... They will not listen... I have provided them logs, screen
shots, etc..."

Additionally, I would LOVE to know what is on that server... this guy is
not to be taken lightly, he is VERY methodical and patient. He's
probably owning your network too.

[rootmail /home]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:21                  0.0.0.0                     LISTEN
tcp        0      0 :::38300                    ::                          LISTEN
tcp        0      0 ::ffff:66.11.112.15:38300   ::ffff:65.110.62.120:59979  ESTABLISHED
 ESTABLISHED



2006-10-30 20:39:42
Customer has been nuked.

--
Jordan Medlen
Sago Networks

On Oct 30, 2006, at 11:54 AM, Lasher, Donn wrote:

>
> Not that this is his real name, or business, but a whois on the IP
> yields:
>
> [whois.arin.net]
> Sago Networks SAGO-20030401 (NET-65-110-32-0-1)
>                                   65.110.32.0 - 65.110.63.255
> Anton Tenev SAGO-65-110-62-120 (NET-65-110-62-120-1)
>                                   65.110.62.120 - 65.110.62.129
>
>
> -----Original Message-----
> From: owner-nanogmerit.edu [mailto:owner-nanogmerit.edu] On Behalf Of
> Chris Jester
> Sent: Sunday, October 29, 2006 11:29 AM
> To: nanognanog.org
> Cc: abusesagonet.com
> Subject: Sagonet - Failing miserably with network security Someone needs
> to handle this.
>
>
> 65.110.62.120
>
> Sagonet,
>
> We have a serious hacker here who is ACTIVELY engaged in logins on our
> network (have him in a honeypot at the moment). He is running exploits
> from your network and also I have been hearing from others that you have
> been notified of this a few times yet have done nothing about it.  Can
> we get someone to handle this immediately please?
>
> This hacker has rooted at least 35 servers on a friend's network
> (friendly competitor) and now he's scanning ours...
>
> This is what was said by my friend after contacting you guys about this:
> "Good... They will not listen... I have provided them logs, screen
> shots, etc..."
>
> Additionally, I would LOVE to know what is on that server... this guy is
> not to be taken lightly, he is VERY methodical and patient. He's
> probably owning your network too.
>
> [rootmail /home]# netstat -an
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address               Foreign Address             State
> tcp        0      0 0.0.0.0:21                  0.0.0.0                     LISTEN
> tcp        0      0 :::38300                    ::                          LISTEN
> tcp        0      0 ::ffff:66.11.112.15:38300   ::ffff:65.110.62.120:59979  ESTABLISHED
>  ESTABLISHED
>

2006-10-30 21:19:03
On Mon, 30 Oct 2006, Jordan Medlen wrote:
> 
> Customer has been nuked.

This is the time to mention that unlike a couple of years ago, Sagonet is
very responsive to C&C reports, and deals with them very efficiently and
quickly.

Sagonet is a pleasure to work with on botnet abuse issues.

	Gadi.

> 
> --
> Jordan Medlen
> Sago Networks
