Security Incidents mailing list archives

RE: Kuang2 strikes again, is it just me?


From: "Trevor Metzger" <trevor () e-oasis com>
Date: Sun, 16 Feb 2003 16:28:36 -0700

Ditto here.  I'm on AT&T Broadband.  Several different source addresses.
Here are a couple of copies of the logged events:

[00182] 2003-02-15 14:02:26 system-notification-00257(traffic):
start_time="2003-02-15 14:02:26" duration=0 policy_id=320001
service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
sent=0 rcvd=48 src=24.165.244.146 dst=12.253.xx.xx
[00188] 2003-02-15 14:07:07 system-notification-00257(traffic):
start_time="2003-02-15 14:07:07" duration=0 policy_id=320001
service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
sent=0 rcvd=48 src=61.38.172.217 dst=12.253.xx.xx
[00192] 2003-02-15 14:09:01 system-notification-00257(traffic):
start_time="2003-02-15 14:09:01" duration=0 policy_id=320001
service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
sent=0 rcvd=48 src=61.85.80.162 dst=12.253.xx.xx

Trevor Metzger, GCIH
E-Oasis Consulting

-----Original Message-----
From: Jeff [mailto:spam-fighter () bigfoot com]
Sent: Sunday, February 16, 2003 10:39 AM
To: Jeff Kell; Incidents
Subject: Re: Kuang2 strikes again, is it just me?


"Jeff Kell" <jeff-kell () utc edu> wrote to <incidents () securityfocus com> on
Sat, 15 Feb 2003 at 20:35:02 -0500:

Last Sunday (Feb 9) I reported a sudden flurry of scans on tcp/17300
(the Kuang2 backdoor).  I had 9 hits in an hour on a cable modem, and
18 in all in the next 6 hours, then they stopped.  Nothing appeared
on my radar screen at work where I monitor a /18, a /22, and a /24
address block.

Today looks like a revisit of similar probing.  Home cable modem
reports (timezone EST, GMT-05:00), all directed at my tcp/17300:
8<

No, it's not just you.  I have seen (via Symantec Desktop Firewall) the
following similar tcp/17300 hits on my home cable modem since 10/12/2002
12:51:51 (most recent first, timezone EST, GMT-05:00, condensed):


I have condensed "Unused port blocking has blocked communications.  Details:
Inbound TCP connection Remote address,local service is" and ",17300" from
each line.

Best Regards,  Jeff.

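As an added example (not from either poster), a small Python parser for the NetScreen-style traffic notifications quoted above: it re-joins the records that the mail wraps across lines, keeps denied hits on tcp/17300 per source address, and flags sources that retried several times inside one minute, which is what separates a scanner from a stray packet. The log sample, the TEST-NET addresses and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the NetScreen "traffic" notification format quoted in the
# thread, wrapped across lines the way the mail shows it. TEST-NET addresses only.
SAMPLE_LOG = """\
[00182] 2003-02-15 14:02:26 system-notification-00257(traffic):
start_time="2003-02-15 14:02:26" duration=0 policy_id=320001
service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
sent=0 rcvd=48 src=192.0.2.10 dst=198.51.100.7
[00183] 2003-02-15 14:02:29 system-notification-00257(traffic):
start_time="2003-02-15 14:02:29" duration=0 policy_id=320001
service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
sent=0 rcvd=48 src=192.0.2.10 dst=198.51.100.7
[00184] 2003-02-15 14:02:35 system-notification-00257(traffic):
start_time="2003-02-15 14:02:35" duration=0 policy_id=320001
service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
sent=0 rcvd=48 src=192.0.2.10 dst=198.51.100.7
[00188] 2003-02-15 14:07:07 system-notification-00257(traffic):
start_time="2003-02-15 14:07:07" duration=0 policy_id=320001
service=tcp/port:17300 proto=6 src zone=Null dst zone=Null action=Deny
sent=0 rcvd=48 src=192.0.2.55 dst=198.51.100.7
"""
KV_RE = re.compile(r'([\w ]+?)=("[^"]*"|\S+)')  # keys may contain a space ("src zone")

def parse_records(text):
    """Re-join wrapped lines into one record per "[NNNNN]" header, then split key=value."""
    parsed = []
    for rec in re.split(r'\n(?=\[\d+\] )', text.strip()):
        fields = {k.strip(): v.strip('"') for k, v in KV_RE.findall(' '.join(rec.split()))}
        fields['start_time'] = datetime.strptime(fields['start_time'], '%Y-%m-%d %H:%M:%S')
        parsed.append(fields)
    return parsed

def probes_by_source(records, port=17300):
    """Denied hits on tcp/<port>, keyed by source address, times sorted."""
    hits = defaultdict(list)
    for r in records:
        if r.get('action') == 'Deny' and r.get('service') == f'tcp/port:{port}':
            hits[r['src']].append(r['start_time'])
    return {src: sorted(ts) for src, ts in hits.items()}

def burst_sources(hits, min_hits=3, window=timedelta(seconds=60)):
    """Sources that retried at least min_hits times inside one window (constructed
    threshold): the repeat-probe pattern that separates a scanner from a stray packet."""
    flagged = [src for src, ts in hits.items()
               if any(ts[i + min_hits - 1] - ts[i] <= window
                      for i in range(len(ts) - min_hits + 1))]
    return sorted(flagged)
```

On the constructed sample, 192.0.2.10 is flagged (three denied tcp/17300 hits in nine seconds) while the single probe from 192.0.2.55 is counted but not flagged.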

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

