Security Incidents mailing list archives
Strange accumulation of scans from Korea (KORNET/HANANET)
From: "Ralf G. R. Bergs" <rabe () RWTH-Aachen DE>
Date: Fri, 9 Mar 2001 13:42:50 +0100
Hi there,

I'm just observing a very strange accumulation of network scans from Korea. During the last weeks there has only been about 1 scan PER WEEK that originated from Korea, today I had more than half a dozen scans in only a few hours.

I'm sure the log snippet you see below DOES constitute a scan because none of our IPs are visible from outside our LAN (denoted by 111.222.333.0/24 below, the host address (i.e. the last byte) is authentic.)

Maybe there is a serious trojan infection/crack in progress???

I've notified the respective netblock owners and cc'ed the KR CERT.

Ralf

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Mar 9 09:27:52 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.192.37.171:867 111.222.333.17:1542 L=40 S=0x00 I=56742 F=0x0000 T=107 (# 54)
Mar 9 09:30:42 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.216.128.247:867 111.222.333.17:1542 L=40 S=0x00 I=50983 F=0x0000 T=106 (# 54)
Mar 9 10:35:28 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.107.87.190:8086 111.222.333.151:1052 L=40 S=0x00 I=7847 F=0x0000 T=232 (# 54)
Mar 9 12:18:42 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.107.87.190:1976 111.222.333.208:2102 L=40 S=0x00 I=54468 F=0x0000 T=232 (# 54)
Mar 9 12:30:11 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.196.142.23:1225 111.222.333.116:2195 L=40 S=0x00 I=30616 F=0x0000 T=107 (# 54)
Mar 9 12:28:29 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.208.172.152:1225 111.222.333.116:2195 L=40 S=0x00 I=10025 F=0x0000 T=107 (#54)
Mar 9 12:33:02 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.208.172.152:6012 111.222.333.222:1801 L=40 S=0x00 I=40415 F=0x0000 T=107 (#54)
Mar 9 12:41:33 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.178.164.237:7885 111.222.333.48:1652 L=40 S=0x00 I=30316 F=0x0000 T=107 (# 54)

--
Sign the EU petition against SPAM:      L I N U X      .~.
http://www.politik-digital.de/spam/     The Choice     /V\
                                        of a GNU      /( )\
                                        Generation    ^^-^^
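One way to triage deny-log lines like those in the message above, as an added example that is not part of the original post: it parses the ipchains "Packet log" format and groups denied packets by target and by source. The function names are illustrative, and the sample input is six lines copied from the post.

```python
import re
from collections import defaultdict

# ipchains packet log: chain, verdict, interface, IP protocol, src:port,
# dst:port, then L=length S=TOS I=IP-ID F=frag T=TTL and the rule number.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=\S+ I=\d+ "
    r"F=\S+ T=(?P<ttl>\d+) \(# ?(?P<rule>\d+)\)"  # "(# 54)" and "(#54)" both occur
)

# Six log lines taken from the post (destination network is masked there).
SAMPLE = """\
Mar 9 09:27:52 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.192.37.171:867 111.222.333.17:1542 L=40 S=0x00 I=56742 F=0x0000 T=107 (# 54)
Mar 9 09:30:42 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.216.128.247:867 111.222.333.17:1542 L=40 S=0x00 I=50983 F=0x0000 T=106 (# 54)
Mar 9 10:35:28 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.107.87.190:8086 111.222.333.151:1052 L=40 S=0x00 I=7847 F=0x0000 T=232 (# 54)
Mar 9 12:18:42 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.107.87.190:1976 111.222.333.208:2102 L=40 S=0x00 I=54468 F=0x0000 T=232 (# 54)
Mar 9 12:30:11 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.196.142.23:1225 111.222.333.116:2195 L=40 S=0x00 I=30616 F=0x0000 T=107 (# 54)
Mar 9 12:28:29 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.208.172.152:1225 111.222.333.116:2195 L=40 S=0x00 I=10025 F=0x0000 T=107 (#54)
"""

def parse(text):
    """Return one dict of fields per ipchains log line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]

def shared_targets(records, min_sources=2):
    """Map (dst, dport) -> sorted sources, for targets denied from several sources."""
    hits = defaultdict(set)
    for r in records:
        if r["verdict"] == "DENY":
            hits[(r["dst"], r["dport"])].add(r["src"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_sources}

def fan_out(records):
    """Map source -> sorted (dst, dport) targets it was denied on."""
    targets = defaultdict(set)
    for r in records:
        if r["verdict"] == "DENY":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: sorted(t) for src, t in targets.items()}

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for target, sources in shared_targets(recs).items():
        print(target, "<-", sources)
    for src, targets in fan_out(recs).items():
        print(src, "->", targets)
```
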