Security Basics mailing list archives

RE: Serious Offshore Probes Detected & Defeated


From: "William Holmberg" <wholmberg () amdpi com>
Date: Mon, 1 Oct 2007 13:40:11 -0500

Hi. Please tell us also the ports used for these attacks.
Thanks,
Bill

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jes1 () comcast net
Sent: Monday, October 01, 2007 11:05 AM
To: security-basics () securityfocus com
Subject: Serious Offshore Probes Detected & Defeated

We have had 11 extremely serious probes/attacks in the past 4 days on our "honey pot" and Shadow successfully detected 
and stopped all of the probes/attacks.  


Extremely serious is defined as two conditions:

(1) Continuous communications (either UDP or TCP) being received for more than 4 hours from each IP address below.

(2) An IP address that sent communications (TCP, UDP, or RAW), then stopped communications and restarted the 
communications, continuously within a 12 hour period.


We have provided very detailed information below on the Point-Of-Origin of the probes/attacks, which we have 
successfully traced to China and other non-US locations.


BACKGROUND

We are a Cyber Security Software firm and have been probed by offshore interests quite often since our genesis.  


We have established a honey pot site on the Internet.  


Using the Shadow Security Suite (our product) as the (only) security solution active on the web server/network, we have 
successfully detected and stopped the probes/attacks and traced the probes/attacks back to China and other non-US 
locations. 


DETAILS

(1) There are seven active sites in China:

221.209.110.50 - CNCGROUP Heilongjiang province network - Mudanjiang
116.18.161.55  - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2  - Data Communication Division - Beijing
221.208.208.3  - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107  - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing
218.3.134.250  - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 has attempted the most intense attack, installing Remote Access Java 
Scripts as defined in my previous e-mail on detecting the China attack methods.  None of the seven sites above were 
successful against Shadow. All probes/attacks were detected and stopped.


(2) Shadow has been detecting and securing our web site/network from 5 simultaneous probes/attacks from China, each 
from a different city in China.


(3) We have been able to determine that the probes/attacks are evolving to a very advanced methodology, which no longer 
depends on a successful ping (ICMP), and now starts with a defined IP address and cycles through every possible IP 
combination within the IP address range.  As an example, a probe starts with "100.100.100.001", launches a UDP packet 
and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", and so forth.


(4) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61  - CPSOFT - Australia - No City Identified
81.188.3.50    - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11   - Shaw Communications - Canada - No City Identified


IMMEDIATE RECOMMENDATION

------------------------


1) Immediately block the following IP Addresses within your network firewall(s) (This is a temporary fix since these IP 
addresses will change on a high frequency):

121.18.13.107  <-- Most Dangerous Attack
221.209.110.50
116.18.161.55
219.148.119.2
221.208.208.3

2) If Shadow is not installed on a Microsoft server, turn off (disable) java scripting immediately.



IP ADDRESSES DETECTED


The detailed information on each IP address is below.


---- China, Mudanjiang --------
IP Address   : 221.209.110.50 [ 221.209.110.50 ]
ISP          : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location     : CN, China
City         : Mudanjiang, 08 -
Latitude     : 44°58'33" North
Longitude    : 129°60'00" East

---- China, Guangzhou ---------
IP Address   : 116.18.161.55 [ 116.18.161.55 ]
ISP          : -
Organization : ChinaNet Guangdong Province Network
Location     : CN, China
City         : Guangzhou, 30 -
Latitude     : 23°11'67" North
Longitude    : 113°25'00" East

---- China, Beijing -----------
IP Address   : 219.148.119.2 [ 219.148.119.2 ]
ISP          : Data Communication Division
Organization : CHINANET hebei province network
Location     : CN, China
City         : Beijing, 22 -
Latitude     : 39°92'89" North
Longitude    : 116°38'83" East

----- China, Harbin -----------
IP Address   : 221.208.208.3 [ 221.208.208.3 ]
ISP          : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location     : CN, China
City         : Harbin, 08 -
Latitude     : 45°75'00" North
Longitude    : 126°65'00" East

-----  China, Hebei -----------
IP Address   : 121.18.13.107 [ 121.18.13.107 ]
ISP          : -
Organization : CNC Group Hebei province network
Location     : CN, China
City         : Hebei, 10 -
Latitude     : 39°88'97" North
Longitude    : 115°27'50" East

----- China Beijing -------------------
IP Address   : 125.76.238.164 [ 125.76.238.164 ]
ISP          : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location     : CN, China
City         : Beijing, 22 -
Latitude     : 39°92'89" North
Longitude    : 116°38'83" East

---- China, Zhenjiang ------------------------
IP Address   : 218.3.134.250 [ 218.3.134.250 ]
ISP          : Data Communication Division
Organization : Network Center of Fast China Shipbuilding institut
Location     : CN, China
City         : Zhenjiang, 04 -
Latitude     : 32°20'92" North
Longitude    : 119°43'42" East

----- Korea, Seocho -----------
IP Address   : 219.240.44.147 [ 219.240.44.147 ]
ISP          : Hanaro Telecom Co.
Organization : Ilifezone
Location     : KR, Korea, Republic of
City         : Seocho, 11 -
Latitude     : 37°48'33" North
Longitude    : 127°01'67" East

------ Australia ------------
IP Address   : 138.79.215.61 [ 138.79.215.61 ]
ISP          : CPSOFT
Organization : CPSOFT
Location     : AU, Australia
City         : -, - -
Latitude     : 27°00'00" South
Longitude    : 133°00'00" East

----- Belgium Brussels ---------------
IP Address   : 81.188.3.50 [ 81-188-3-50.sdsl.easynet.be ]
ISP          : Easynet Belgium
Organization : Cypres
Location     : BE, Belgium
City         : Brussel, 11 -
Latitude     : 50°83'33" North
Longitude    : 4°33'33" East

----- Canada -------------------------
IP Address   : 24.64.132.11 [ S010600095b0f1aa1.lb.shawcable.net ]
ISP          : Shaw Communications
Organization : Shaw Communications
Location     : CA, Canada
City         : -, - -
Latitude     : 60°00'00" North
Longitude    : 95°00'00" West

Sincerely,


Jeff


Jeffrey E. Smith

Black Lab Security Systems, Inc

9250 Bendix Road, North Suite 225

Columbia, MD 21045


Toll Free: 888-352-1119

MD Lab:    410-878-2768

Direct:    301-685-3301

Fax:       410-988-2238

Mobile:    240-498-9043

eMail:     jes () blacklabsecurity com

Web:       www.blacklabsecurity.com
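The quoted post defines "extremely serious" by two conditions (a source that talks continuously for more than 4 hours, and a source that stops and restarts within 12 hours) and separately describes probes that walk a destination range address by address. The following Python is an added example, not code from the post or from the Shadow product, showing how those three patterns can be scored from ordinary flow records. The log lines, the IP addresses (documentation ranges), the 2-hour session gap that separates "stopped" from "still talking", and the 3-address run that counts as a sweep are all assumptions made for the example.

```python
"""Score flow records against the two 'extremely serious' conditions in the
post, plus a sequential-destination sweep check.  Added example; the sample
log below is constructed, not captured traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample flow log: "timestamp src_ip proto dst_ip".  Addresses
# are from the RFC 5737 documentation ranges, not the ones in the post.
SAMPLE_FLOWS = """\
2007-09-28T08:00:00 198.51.100.7 TCP 203.0.113.10
2007-09-28T09:30:00 198.51.100.7 TCP 203.0.113.10
2007-09-28T11:00:00 198.51.100.7 UDP 203.0.113.10
2007-09-28T12:30:00 198.51.100.7 TCP 203.0.113.10
2007-09-28T08:00:00 198.51.100.9 UDP 203.0.113.10
2007-09-28T08:05:00 198.51.100.9 UDP 203.0.113.10
2007-09-28T14:00:00 198.51.100.9 UDP 203.0.113.10
2007-09-28T14:05:00 198.51.100.9 UDP 203.0.113.10
2007-09-28T08:00:00 198.51.100.20 TCP 203.0.113.1
2007-09-28T08:00:01 198.51.100.20 TCP 203.0.113.2
2007-09-28T08:00:02 198.51.100.20 UDP 203.0.113.3
2007-09-28T08:00:03 198.51.100.20 TCP 203.0.113.4
2007-09-28T08:00:00 198.51.100.30 TCP 203.0.113.10
"""

CONTINUOUS_MIN = timedelta(hours=4)   # condition (1) from the post
RESTART_WINDOW = timedelta(hours=12)  # condition (2) from the post
SESSION_GAP = timedelta(hours=2)      # assumption: this much silence = "stopped"
SWEEP_MIN = 3                         # assumption: consecutive dst addresses = sweep


def parse_flows(text):
    """Return [(timestamp, src, proto, dst)] sorted by time."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, dst = line.split()
        flows.append((datetime.fromisoformat(ts), src, proto, dst))
    flows.sort(key=lambda f: f[0])
    return flows


def sessions_by_source(flows):
    """Group each source's packets into sessions; a silence longer than
    SESSION_GAP starts a new session.  {src: [(first_seen, last_seen), ...]}"""
    sessions = defaultdict(list)
    for ts, src, _proto, _dst in flows:
        current = sessions[src]
        if current and ts - current[-1][1] <= SESSION_GAP:
            current[-1] = (current[-1][0], ts)   # still talking: extend
        else:
            current.append((ts, ts))             # silence ended: new session
    return sessions


def continuous_sources(sessions):
    """Condition (1): any single session lasting CONTINUOUS_MIN or longer."""
    return {src for src, ss in sessions.items()
            if any(end - start >= CONTINUOUS_MIN for start, end in ss)}


def restarting_sources(sessions):
    """Condition (2): stopped, then started a new session within RESTART_WINDOW."""
    hits = set()
    for src, ss in sessions.items():
        if any(s2 - s1 <= RESTART_WINDOW for (s1, _), (s2, _) in zip(ss, ss[1:])):
            hits.add(src)
    return hits


def sweeping_sources(flows):
    """Sources whose destinations, in time order, step through SWEEP_MIN or
    more numerically consecutive addresses (the a.b.c.1, .2, .3 pattern)."""
    per_src = defaultdict(list)
    for _ts, src, _proto, dst in flows:
        per_src[src].append(int(ipaddress.ip_address(dst)))
    hits = set()
    for src, dsts in per_src.items():
        run = 1
        for prev, nxt in zip(dsts, dsts[1:]):
            run = run + 1 if nxt == prev + 1 else 1
            if run >= SWEEP_MIN:
                hits.add(src)
                break
    return hits


def classify(text):
    """Map each flagged source to the set of reasons it was flagged."""
    flows = parse_flows(text)
    sessions = sessions_by_source(flows)
    verdict = defaultdict(set)
    for src in continuous_sources(sessions):
        verdict[src].add("continuous>4h")
    for src in restarting_sources(sessions):
        verdict[src].add("restart<12h")
    for src in sweeping_sources(flows):
        verdict[src].add("sequential-sweep")
    return dict(verdict)


if __name__ == "__main__":
    for src, reasons in sorted(classify(SAMPLE_FLOWS).items()):
        print(src, sorted(reasons))
```

In the constructed sample, 198.51.100.7 is flagged only for the 4-hour condition, 198.51.100.9 only for the restart condition, 198.51.100.20 only as a sweep, and 198.51.100.30 (one packet) is not flagged. The session gap is what turns the post's informal "stopped and restarted" into something measurable, and it should be tuned to the honeypot's traffic; note also that a source address seen only in UDP or raw packets can be spoofed, so a count like this says where packets claim to come from, not necessarily where they originate.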

