who is trying to access my computer?
marks_linux
2004-09-21, 07:37 AM CDT
Sorry if this is a dumb question, but my firewall log is slowly filling up with attempts to connect using UDP from the following:
Search results for: 193.193.92.13
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net:43
Is this genuine or something I should worry about (or not, cos at least my firewall is blocking it)?
Mark
ilja
2004-09-21, 07:44 AM CDT
> Sorry if this is a dumb question, but my firewall log is slowly filling up with attempts to connect using UDP from the following:
> Search results for: 193.193.92.13
whois 193.193.92.13
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Whois secondary server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
inetnum: 193.193.88.0 - 193.193.95.255
netname: TCIG-2
descr: The Tarnow Center of Economic Information
descr: state and selfgovernment administration,
descr: universities, and other educational institutions, hospitals
descr: state and private owned enterprises.
descr: Main Internet gateway in Tarnow state
country: PL
admin-c: RAG1-RIPE
tech-c: OGON-RIPE
rev-srv: infos.tcig.tarnow.pl
rev-srv: info.cyf-kr.edu.pl
status: ASSIGNED PA
notify: Jerzy.Pawlus@cyf-kr.edu.pl
mnt-by: AS8323-MNT
changed: bogdan@stream.pl 20011207
changed: ripe-dbm@ripe.net 20040429
source: RIPE
route: 193.193.64.0/19
descr: CYFRONET
origin: AS8323
mnt-by: AS8323-MNT
changed: szary@nask.pl 19970627
changed: Jerzy.Pawlus@cyf-kr.edu.pl 19990624
source: RIPE
person: Roza Alicja Graczyk
address: The Tarnow Center of Economic Information
address: ul Pilsudzkiego 8
address: 33-100 Tarnow
address: Poland
phone: +48 14 6211101
e-mail: roza@tcig.tarnow.pl
nic-hdl: RAG1-RIPE
changed: bogdan@stream.pl 20011207
source: RIPE
person: Pawel Ogonowski
address: Domena A
address: ul. Kolberga 12
address: 33-100 Tarnow
address: Poland
phone: +48 12 6211101
e-mail: cyborg@da.pl
nic-hdl: OGON-RIPE
changed: bogdan@stream.pl 20011207
source: RIPE
It seems to be a Polish university somewhere in Tarnow, or even some other computer from Tarnow.
If it goes on, you can write an abuse e-mail to one of the guys above and notify them. Save the logs as evidence.
spie34
2004-09-27, 02:51 AM CDT
Drop all packets coming from 193.193.88.0 - 193.193.95.255; would that work for you? I have done that in the past when I see in my logs the same IP is continually hitting me. I usually just drop the IP itself first, then if others come from it I go to like the 193.193.88.xxx, then keep going from there. I figure that in the meantime, if I actually need to access something from in those IP ranges, I can unblock them.
Hope this helps
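The escalating block described in the post above, as an added example that is not part of the original thread: it converts a whois `inetnum` range into CIDR blocks and prints `iptables` DROP rules for the single host, its /24, and the whole assigned range. The function names are hypothetical, the `INPUT` chain is an assumption about the firewall layout, and the conversion goes beyond the post by also handling ranges that do not align to a single block.

```shell
#!/bin/sh
# Added example: rules are printed for review, not applied.

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Smallest list of CIDR blocks covering exactly START..END.
range_to_cidrs() (
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        size=1
        bits=32
        # Double the block while it stays aligned and inside the range.
        while [ "$bits" -gt 0 ] &&
              [ $(( start % (size * 2) )) -eq 0 ] &&
              [ $(( start + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 ))
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$start")/$bits"
        start=$(( start + size ))
    done
)

# Print one DROP rule per CIDR block for the INPUT chain (assumed chain name).
drop_rules() {
    range_to_cidrs "$1" "$2" | while read -r cidr; do
        echo "iptables -I INPUT -s $cidr -j DROP"
    done
}

# Escalation from the post: single host, then its /24, then the whole inetnum.
drop_rules 193.193.92.13 193.193.92.13
drop_rules 193.193.92.0 193.193.92.255
drop_rules 193.193.88.0 193.193.95.255
```

To unblock a range later, as the post suggests, the same rule with `-D` in place of `-I` deletes it.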
radu5er
2004-09-27, 07:11 AM CDT
Thanks for the advice spie34.
And thanks for a good question marks_linux...I always enjoy reading and learning from these posts. I just installed firestarter and am getting lots of hits here too.
ilja: I wonder if the e-mails do any good or if it just lets the perpetrator know how much they are annoying someone? Probably worth a try anyway.
Thanks to all
ilja
2004-09-27, 10:09 AM CDT
Why an email?
At least in Europe, breaking into other people's computers is a crime. And also to try it is a crime. And it is no fun at all, especially if someone earns money with the computer or has secrets on it. So a *serious* provider might/should close the account of someone who does things like this. Or at least write to him/her and say that he wasn't unnoticed and that next time there might be more consequences.
AwPhuch
2004-09-27, 11:31 AM CDT
> Sorry if this is a dumb question, but my firewall log is slowly filling up with attempts to connect using UDP from the following:
> Search results for: 193.193.92.13
> OrgName: RIPE Network Coordination Centre
> OrgID: RIPE
> Address: Singel 258
> Address: 1016 AB
> City: Amsterdam
> StateProv:
> PostalCode:
> Country: NL
> ReferralServer: whois://whois.ripe.net:43
> Is this genuine or something I should worry about (or not, cos at least my firewall is blocking it)?
> Mark
Try running snort,
Also there are a few other addons that might help
Distributed Intrusion Detection System (http://www.dshield.org/)
MyNetWatchman (http://www.mynetwatchman.com/)
Or you could just run another older computer as a dedicated firewall and the other newer systems as your services machines SmoothWall Express (http://www.smoothwall.org/) <---which has snort running and a few other easy addon MODS to increase network security by leaps and bounds
Hope this helps
Brian
AwPhuch
radu5er
2004-09-28, 02:33 AM CDT
ilja: makes sense...crimes ignored are crimes endorsed.
I have never kept anything that I value on a system that is connected to the internet due to security concerns; however, until fairly recently I only used MS operating systems. I'm hoping that through open source software and my growing knowledge of it my systems will become much more secure.
Thanks for the comments.