Security Incidents mailing list archives

Re: Scans(?) 500->500 from China


From: Max <max0r () digitalsamurai org>
Date: Sat, 2 Sep 2000 15:28:39 +0000

Just a thought, not sure if it affects all OSes
http://www.openbsd.org/errata.html

"(009: SECURITY FIX: June 9, 2000
A serious bug in isakmpd(8) policy handling wherein policy verification could
be completely bypassed in isakmpd.)"



-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Ralf G. R. Bergs
Sent: Friday, September 01, 2000 9:55 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Scans(?) 500->500 from China

Hi there,

can anybody shed some light on what appears to be a scan to me?

Sep  1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep  1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30439 F=0x0000 T=105 (#53)
Sep  1 11:13:58 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30447 F=0x0000 T=105 (#53)
Sep  1 11:14:02 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30470 F=0x0000 T=105 (#53)
Sep  1 11:14:10 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30515 F=0x0000 T=105 (#53)
Sep  1 11:14:26 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep  1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17
61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)

I couldn't find any meaningful info about port 500 (meaningful to me, that
is, since "isakmp" doesn't ring a bell...)

A whois query gives me the following:

$ whois 61.141.79.3

% Rights restricted by copyright. See
http://www.apnic.net/db/dbcopyright.html

inetnum:     61.140.0.0 - 61.143.255.255
netname:     CHINANET-GD
descr:       CHINANET Guangdong province network
descr:       Data Communication Division
descr:       China Telecom
country:     CN
admin-c:     CH93-AP
tech-c:      WM12-AP
mnt-by:      MAINT-CHINANET
mnt-lower:   MAINT-CHINANET-GD
changed:     hostmaster () ns chinanet cn net 20000601
source:      APNIC

person:      Chinanet Hostmaster
address:     A12,Xin-Jie-Kou-Wai Street
phone:       +86-10-62370437
fax-no:      +86-10-62053995
country:     CN
e-mail:      hostmaster () ns chinanet cn net
nic-hdl:     CH93-AP
mnt-by:      MAINT-CHINANET
changed:     hostmaster () ns chinanet cn net 20000101
source:      APNIC

person:      WU MIAN
address:     RO.2 ZHONGSHAN,GUANGZHOU,GUANGDONG,
address:     510080,CHINA
phone:       +086-20-87619051
fax-no:      +86-20-87619799
country:     CN
e-mail:      wumian () gdnmc guangzhou gd cn
nic-hdl:     WM12-AP
mnt-by:      MAINT-CHINANET-GD
changed:     wumian () gdnmc guangzhou gd cn 19990615
source:      APNIC

I guess even if it was a hostile scan, complaining to people in China
doesn't stop these things, does it?

Thanks,

Ralf

--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^

--
[FCS] Yea, We Regulate [FCS]
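Since the quoted log lines are the whole evidence here, this added example (written for this archive page, not code from either poster) parses ipchains-style "Packet log" lines like the ones above, groups the denied UDP/500 packets by source, and reports payload sizes and inter-arrival gaps. The sample is the seven lines from the post rejoined onto single lines as the kernel writes them; the roughly doubling gaps (1, 2, 4, 8, 16, 27 s) are the kind of detail worth checking before calling traffic a sweep, since a single IKE peer retransmitting with exponential backoff also produces that shape.

```python
import re
from datetime import datetime

# Constructed sample: the seven ipchains "Packet log" lines quoted in the
# post, each rejoined onto one line; <my host>/<my ip> kept as placeholders.
SAMPLE_LOG = """\
Sep  1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep  1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30439 F=0x0000 T=105 (#53)
Sep  1 11:13:58 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30447 F=0x0000 T=105 (#53)
Sep  1 11:14:02 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30470 F=0x0000 T=105 (#53)
Sep  1 11:14:10 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30515 F=0x0000 T=105 (#53)
Sep  1 11:14:26 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep  1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)
"""

# Host and IP fields may contain spaces (the placeholders do), so match lazily.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*? kernel: Packet log: "
    r"(?P<dir>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>.+?):(?P<sport>\d+) (?P<dst>.+?):(?P<dport>\d+) L=(?P<len>\d+)"
)

def parse_packet_log(text):
    """Parse ipchains-style firewall log lines into dicts; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        # syslog timestamps carry no year; the default year is fine for deltas
        r["ts"] = datetime.strptime(" ".join(r["ts"].split()), "%b %d %H:%M:%S")
        for k in ("proto", "sport", "dport", "len"):
            r[k] = int(r[k])
        records.append(r)
    return records

def summarize_isakmp(records, port=500):
    """Group UDP packets to the ISAKMP port by source: count, sizes, gaps in seconds."""
    by_src = {}
    for r in records:
        if r["proto"] != 17 or r["dport"] != port:
            continue
        s = by_src.setdefault(r["src"], {"count": 0, "lengths": [], "times": []})
        s["count"] += 1
        s["lengths"].append(r["len"])
        s["times"].append(r["ts"])
    for s in by_src.values():
        t = s.pop("times")  # inter-arrival gaps reveal retransmit-style timing
        s["gaps_s"] = [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
    return by_src
```

Running `summarize_isakmp(parse_packet_log(SAMPLE_LOG))` yields one source with seven packets, six of 708 bytes and a final one of 84, and gaps of 1, 2, 4, 8, 16 and 27 seconds.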

