Security Basics mailing list archives
RE: Serious Offshore Probes Detected & Defeated
From: "William Holmberg" <wholmberg () amdpi com>
Date: Mon, 1 Oct 2007 13:40:11 -0500
Hi. Please tell us also the ports used for these attacks.

Thanks,
Bill

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jes1 () comcast net
Sent: Monday, October 01, 2007 11:05 AM
To: security-basics () securityfocus com
Subject: Serious Offshore Probes Detected & Defeated

We have had 11 extremely serious probes/attacks in the past 4 days on our "honey pot", and Shadow successfully detected and stopped all of the probes/attacks. "Extremely serious" is defined by two conditions:

(1) Continuous communications (either UDP or TCP) being received for more than 4 hours from each IP address below.

(2) An IP address that sent communications (TCP, UDP, or RAW), then stopped communications and restarted the communications, continuously within a 12 hour period.

We have provided very detailed information below on how we successfully traced the point of origin of the probes/attacks to China and other non-US locations.

BACKGROUND

We are a Cyber Security Software firm and have been probed by offshore interests quite often since our genesis. We have established a honey pot site on the Internet. Using the Shadow Security Suite (our product) as the (only) security solution active on the web server/network, we have successfully detected and stopped the probes/attacks and traced the probes/attacks back to China and other non-US locations.

DETAILS

(1) There are seven active sites in China:

221.209.110.50 - CNCGROUP Heilongjiang province network - Mudanjiang
116.18.161.55 - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2 - Data Communication Division - Beijing
221.208.208.3 - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107 - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing
218.3.134.250 - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 has attempted the most intense attack, installing Remote Access Java Scripts as defined in my previous e-mail on detecting the China attack methods. None of the seven sites above were successful against Shadow. All probes/attacks were detected and stopped.

(2) Shadow has been detecting and securing our web site/network from 5 simultaneous probes/attacks from China, each from a different city in China.

(3) We have been able to determine that the probes/attacks are evolving to a very advanced methodology, which no longer depends on a successful ping (ICMP), and now starts with a defined IP address and cycles through every possible IP combination within the IP address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", and so forth.

(4) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61 - CPSOFT - Australia - No City Identified
81.188.3.50 - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11 - Shaw Communications - Canada - No City Identified

IMMEDIATE RECOMMENDATION
------------------------

1) Immediately block the following IP Addresses within your network firewall(s) (this is a temporary fix, since these IP addresses will change at a high frequency):

121.18.13.107 <-- Most Dangerous Attack
221.209.110.50
116.18.161.55
219.148.119.2
221.208.208.3

2) If Shadow is not installed on a Microsoft server, turn off (disable) Java scripting immediately.

IP ADDRESSES DETECTED

The detailed information on each IP address is below.

---- China, Mudanjiang --------
IP Address : 221.209.110.50 [ 221.209.110.50 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

---- China, Guangzhou ---------
IP Address : 116.18.161.55 [ 116.18.161.55 ]
ISP : -
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East

---- China, Beijing -----------
IP Address : 219.148.119.2 [ 219.148.119.2 ]
ISP : Data Communication Division
Organization : CHINANET hebei province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----- China, Harbin -----------
IP Address : 221.208.208.3 [ 221.208.208.3 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

----- China, Hebei -----------
IP Address : 121.18.13.107 [ 121.18.13.107 ]
ISP : -
Organization : CNC Group Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East

----- China, Beijing -------------------
IP Address : 125.76.238.164 [ 125.76.238.164 ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

---- China, Zhenjiang ------------------------
IP Address : 218.3.134.250 [ 218.3.134.250 ]
ISP : Data Communication Division
Organization : Network Center of Fast China Shipbuilding institute
Location : CN, China
City : Zhenjiang, 04 -
Latitude : 32°20'92" North
Longitude : 119°43'42" East

----- Korea, Seocho -----------
IP Address : 219.240.44.147 [ 219.240.44.147 ]
ISP : Hanaro Telecom Co.
Organization : Ilifezone
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

------ Australia ------------
IP Address : 138.79.215.61 [ 138.79.215.61 ]
ISP : CPSOFT
Organization : CPSOFT
Location : AU, Australia
City : -, - -
Latitude : 27°00'00" South
Longitude : 133°00'00" East

----- Belgium, Brussels ---------------
IP Address : 81.188.3.50 [ 81-188-3-50.sdsl.easynet.be ]
ISP : Easynet Belgium
Organization : Cypres
Location : BE, Belgium
City : Brussel, 11 -
Latitude : 50°83'33" North
Longitude : 4°33'33" East

----- Canada -------------------------
IP Address : 24.64.132.11 [ S010600095b0f1aa1.lb.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

Sincerely,
Jeff

Jeffrey E. Smith
Black Lab Security Systems, Inc
9250 Bendix Road, North
Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
MD Lab: 410-878-2768
Direct: 301-685-3301
Fax: 410-988-2238
Mobile: 240-498-9043
eMail: jes () blacklabsecurity com
Web: www.blacklabsecurity.com
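The quoted message defines its two "extremely serious" criteria (a source talking continuously for more than 4 hours; a source that stops and restarts within 12 hours) and describes a sequential address sweep in item (3), but gives no indication of how the classification is made. The following is an added example, not code from the post and not part of the Shadow product, that applies those three rules to a constructed flow log. The log format (`timestamp proto src dst`), the 10-minute silence that ends a "continuous" session, the 4-host run length that counts as a sweep, and the reading of criterion (2) as "a new session begins within 12 hours of the previous one ending" are all assumptions introduced here; the sample traffic uses RFC 5737 documentation addresses and is invented.

```python
"""Apply the two "extremely serious" criteria from the post, plus the sequential
address sweep it describes, to a constructed flow log.  Added example; not
Shadow's code and not the poster's.  Thresholds marked below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed parameters (the post gives only the 4 h and 12 h figures):
SESSION_GAP = timedelta(minutes=10)   # silence longer than this ends a "continuous" session
CONTINUOUS_MIN = timedelta(hours=4)   # criterion (1): one session longer than 4 hours
RESTART_WINDOW = timedelta(hours=12)  # criterion (2): stop, then restart within 12 hours
SWEEP_MIN_HOSTS = 4                   # criterion (3): consecutive destination addresses


def parse_line(line):
    """Parse one constructed log line of the form 'ISO-timestamp proto src_ip dst_ip'."""
    ts, proto, src, dst = line.split()
    return datetime.fromisoformat(ts), proto, src, dst


def sessions_for(timestamps):
    """Split sorted timestamps into (start, end) sessions separated by gaps > SESSION_GAP."""
    sessions = []
    start = prev = timestamps[0]
    for t in timestamps[1:]:
        if t - prev > SESSION_GAP:
            sessions.append((start, prev))
            start = t
        prev = t
    sessions.append((start, prev))
    return sessions


def classify(lines):
    """Return {src_ip: sorted reasons} for every source that matches at least one rule."""
    by_src = defaultdict(list)
    for line in lines:
        ts, _proto, src, dst = parse_line(line)
        by_src[src].append((ts, dst))

    findings = {}
    for src, recs in by_src.items():
        recs.sort()
        reasons = set()
        sessions = sessions_for([ts for ts, _ in recs])

        # (1) a single uninterrupted session lasting more than CONTINUOUS_MIN
        if any(end - start > CONTINUOUS_MIN for start, end in sessions):
            reasons.add("continuous>4h")

        # (2) the source went quiet and came back within RESTART_WINDOW of stopping
        for (_s1, e1), (s2, _e2) in zip(sessions, sessions[1:]):
            if s2 - e1 <= RESTART_WINDOW:
                reasons.add("restart<12h")
                break

        # (3) destination addresses incrementing by one, packet after packet
        dsts = [int(ipaddress.ip_address(d)) for _, d in recs]
        run = 1
        for a, b in zip(dsts, dsts[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= SWEEP_MIN_HOSTS:
                reasons.add("sequential-sweep")
                break

        if reasons:
            findings[src] = sorted(reasons)
    return findings


def sample_lines():
    """Constructed flow log (RFC 5737 documentation addresses, not real traffic)."""
    base = datetime(2007, 10, 1)
    lines = []
    # source A: a UDP packet every 5 minutes for 4.5 hours -> criterion (1)
    for i in range(55):
        lines.append(f"{(base + i * timedelta(minutes=5)).isoformat()} UDP 198.51.100.7 192.0.2.10")
    # source B: two short bursts five hours apart -> criterion (2)
    for m in (60, 65, 360, 365):
        lines.append(f"{(base + timedelta(minutes=m)).isoformat()} TCP 198.51.100.8 192.0.2.10")
    # source C: one packet to each of five consecutive addresses -> criterion (3)
    for i in range(5):
        lines.append(f"{(base + timedelta(hours=2, minutes=i)).isoformat()} TCP 198.51.100.9 192.0.2.{i + 1}")
    # source D: a single packet, matches nothing
    lines.append(f"{base.isoformat()} UDP 198.51.100.10 192.0.2.10")
    return lines


if __name__ == "__main__":
    for src, why in sorted(classify(sample_lines()).items()):
        print(src, ", ".join(why))
```

The session gap is the parameter that matters most in practice: set it too small and a slow scanner fragments into many short sessions that never reach the 4-hour mark but trip the restart rule instead; set it too large and two unrelated visits from one NAT address merge into one "continuous" session. Whichever rule fires, the output is an address to investigate, not proof of who is behind it.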
Current thread:
- Serious Offshore Probes Detected & Defeated jes1 (Oct 01)
- RE: Serious Offshore Probes Detected & Defeated William Holmberg (Oct 01)
- Re: Serious Offshore Probes Detected & Defeated David J. Bianco (Oct 01)
- RE: Serious Offshore Probes Detected & Defeated Murda Mcloud (Oct 03)