Security Basics mailing list archives

Serious Offshore Probes Detected & Defeated


From: jes1 () comcast net
Date: 1 Oct 2007 16:05:00 -0000

We have had 11 extremely serious probes/attacks in the past 4 days on our "honey pot" and Shadow successfully detected and stopped all of the probes/attacks.

Extremely serious is defined as two conditions:
(1) Continuous communications (either UDP or TCP) being received for more than 4 hours from each IP address below.
(2) An IP address that sent communications (TCP, UDP, or RAW), then stopped communications and restarted the communications, continuously within a 12 hour period.

We have provided very detailed information on how we successfully traced the Point-Of-Origin of the probes/attacks to China and other non-US locations.

BACKGROUND
We are a Cyber Security Software firm and have been probed by offshore interests quite often since our genesis.  

We have established a honey pot site on the Internet.  

Using the Shadow Security Suite (our product) as the (only) security solution active on the web server/network, we have successfully detected and stopped the probes/attacks and traced the probes/attacks back to China and other non-US locations.

DETAILS
(1) There are seven active sites in China:

221.209.110.50 - CNCGROUP Heilongjiang province network -Mudanjiang
116.18.161.55  - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2  - Data Communication Division - Beijing
221.208.208.3  - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107  - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing 
218.3.134.250  - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 has attempted the most intense attack, installing Remote Access Java Scripts as defined in my previous e-mail on detecting the China attack methods. None of the seven sites above were successful against Shadow. All probes/attacks were detected and stopped.

(2) Shadow has been detecting and securing our web site/network from 5 simultaneous probes/attacks from China, each from a different city in China.

(3) We have been able to determine that the probes/attacks are evolving to a very advanced methodology which no longer depends on a successful ping (ICMP); they now start with a defined IP address and cycle through every possible IP combination within the IP address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", and so forth.

(4) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61  - CPSOFT - Australia - No City Identified
81.188.3.50    - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11   - Shaw Communications - Canada - No City Identified


IMMEDIATE RECOMMENDATION
------------------------

1) Immediately block the following IP Addresses within your network firewall(s) (This is a temporary fix since these IP addresses will change on a high frequency):

121.18.13.107  <-- Most Dangerous Attack
221.209.110.50
116.18.161.55
219.148.119.2
221.208.208.3

2) If Shadow is not installed on a Microsoft server, turn off (disable) java scripting immediately.


IP ADDRESSES DETECTED

The detailed information on each IP address is below.

---- China, Mudanjiang --------
IP Address   : 221.209.110.50 [ 221.209.110.50 ]
ISP          : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location     :  CN, China
City         : Mudanjiang, 08 -
Latitude     :  44°58'33" North
Longitude    : 129°60'00" East

---- China, Guangzhou ---------
IP Address   : 116.18.161.55 [ 116.18.161.55 ]
ISP          : -
Organization : ChinaNet Guangdong Province Network
Location     :  CN, China
City         : Guangzhou, 30 -
Latitude     :  23°11'67" North
Longitude    : 113°25'00" East

---- China, Beijing -----------
IP Address   : 219.148.119.2 [ 219.148.119.2 ]
ISP          : Data Communication Division
Organization : CHINANET hebei province network
Location     :  CN, China
City         : Beijing, 22 -
Latitude     :  39°92'89" North
Longitude    : 116°38'83" East

----- China, Harbin -----------
IP Address   : 221.208.208.3 [ 221.208.208.3 ]
ISP          : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location     :  CN, China
City         : Harbin, 08 -
Latitude     :  45°75'00" North
Longitude    : 126°65'00" East

-----  China, Hebei -----------
IP Address   : 121.18.13.107 [ 121.18.13.107 ]
ISP          : -
Organization : CNC Group Hebei province network
Location     :  CN, China
City         : Hebei, 10 -
Latitude     :  39°88'97" North
Longitude    : 115°27'50" East

----- China Beijing -------------------
IP Address   : 125.76.238.164 [ 125.76.238.164 ]
ISP          : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location     :  CN, China
City         : Beijing, 22 -
Latitude     :  39°92'89" North
Longitude    : 116°38'83" East

---- China, Zhenjiang ------------------------
IP Address   : 218.3.134.250 [ 218.3.134.250 ]
ISP          : Data Communication Division
Organization : Network Center of Fast China Shipbuilding institut
Location     :  CN, China
City         : Zhenjiang, 04 -
Latitude     :  32°20'92" North
Longitude    : 119°43'42" East

----- Korea, Seocho -----------
IP Address   : 219.240.44.147 [ 219.240.44.147 ]
ISP          : Hanaro Telecom Co.
Organization : Ilifezone
Location     :  KR, Korea, Republic of
City         : Seocho, 11 -
Latitude     :  37°48'33" North
Longitude    : 127°01'67" East

------ Australia ------------
IP Address   : 138.79.215.61 [ 138.79.215.61 ]
ISP          : CPSOFT
Organization : CPSOFT
Location     :  AU, Australia
City         : -, - -
Latitude     :  27°00'00" South
Longitude    : 133°00'00" East

----- Belgium Brussels ---------------
IP Address   : 81.188.3.50 [ 81-188-3-50.sdsl.easynet.be ]
ISP          : Easynet Belgium
Organization : Cypres
Location     :  BE, Belgium
City         : Brussel, 11 -
Latitude     :  50°83'33" North
Longitude    :   4°33'33" East

----- Canada -------------------------
IP Address   : 24.64.132.11 [ S010600095b0f1aa1.lb.shawcable.net ]
ISP          : Shaw Communications
Organization : Shaw Communications
Location     :  CA, Canada
City         : -, - -
Latitude     :  60°00'00" North
Longitude    :  95°00'00" West

Sincerely,

Jeff

Jeffrey E. Smith
Black Lab Security Systems, Inc
9250 Bendix Road, North Suite 225
Columbia, MD 21045

Toll Free: 888-352-1119
MD Lab:    410-878-2768
Direct:    301-685-3301
Fax:       410-988-2238
Mobile:    240-498-9043
eMail:     jes () blacklabsecurity com
Web:       www.blacklabsecurity.com
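
An added example, not code from the original post nor from Black Lab Security or the Shadow product: a small Python detector that applies the two "extremely serious" criteria defined in the post (continuous traffic from one source for more than 4 hours; stop-and-restart within a 12 hour period) and flags the sequential address sweep described in item (3), run over a constructed connection log that uses RFC 5737 documentation addresses. The one-hour silence threshold that separates "stopped" from "continuous", the reading of criterion (2) as a later burst beginning within 12 hours of an earlier burst's start, the `min_run` length for a sweep, and the log format itself are all assumptions made for the example.

```python
# Added example (not the post's, Black Lab's or Shadow's code): flag sources that
# meet the post's two "extremely serious" criteria and detect sequential sweeps.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

CONTINUOUS_HOURS = 4        # criterion (1): traffic seen for more than 4 hours
RESTART_WINDOW_HOURS = 12   # criterion (2): stopped and restarted within 12 hours
SESSION_GAP = timedelta(hours=1)  # assumption: silence longer than this = "stopped"

# Constructed sample log, one event per line: "<ISO timestamp> <src> <proto> <dst>".
# All addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
2007-09-28T01:00:00 198.51.100.7 UDP 192.0.2.10
2007-09-28T02:00:00 198.51.100.7 UDP 192.0.2.10
2007-09-28T03:00:00 198.51.100.7 TCP 192.0.2.10
2007-09-28T04:00:00 198.51.100.7 TCP 192.0.2.10
2007-09-28T05:00:00 198.51.100.7 TCP 192.0.2.10
2007-09-28T05:30:00 198.51.100.7 TCP 192.0.2.10
2007-09-28T08:00:00 198.51.100.9 TCP 192.0.2.10
2007-09-28T08:05:00 198.51.100.9 TCP 192.0.2.10
2007-09-28T14:00:00 198.51.100.9 RAW 192.0.2.10
2007-09-28T14:10:00 198.51.100.9 RAW 192.0.2.10
2007-09-28T09:00:00 203.0.113.4 TCP 192.0.2.10
2007-09-28T23:00:00 203.0.113.4 TCP 192.0.2.10
2007-09-28T20:00:00 198.51.100.31 UDP 192.0.2.1
2007-09-28T20:00:01 198.51.100.31 UDP 192.0.2.2
2007-09-28T20:00:02 198.51.100.31 TCP 192.0.2.3
2007-09-28T20:00:03 198.51.100.31 UDP 192.0.2.4
2007-09-28T20:00:04 198.51.100.31 UDP 192.0.2.5
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, proto, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proto, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, proto, dst))
    return events


def sessions_by_source(events):
    """Group each source's timestamps into (start, end) sessions. A silence
    longer than SESSION_GAP ends one session and begins the next."""
    per_src = defaultdict(list)
    for ts, src, _, _ in events:
        per_src[src].append(ts)
    result = {}
    for src, times in per_src.items():
        times.sort()
        sessions = [[times[0], times[0]]]
        for t in times[1:]:
            if t - sessions[-1][1] > SESSION_GAP:
                sessions.append([t, t])        # source stopped, then restarted
            else:
                sessions[-1][1] = t            # still the same continuous stream
        result[src] = [tuple(s) for s in sessions]
    return result


def classify_sources(events):
    """Return {src: set of criteria met}: 'continuous' for (1), 'restart' for (2)."""
    flagged = {}
    for src, sessions in sessions_by_source(events).items():
        hits = set()
        if any(end - start > timedelta(hours=CONTINUOUS_HOURS) for start, end in sessions):
            hits.add("continuous")
        # assumption: (2) means a later session starts within 12 h of an earlier one
        for i, (start_i, _) in enumerate(sessions):
            for start_j, _ in sessions[i + 1:]:
                if start_j - start_i <= timedelta(hours=RESTART_WINDOW_HOURS):
                    hits.add("restart")
        if hits:
            flagged[src] = hits
    return flagged


def detect_sequential_sweeps(events, min_run=4):
    """Find sources whose destinations step through consecutive addresses in
    time order (the ".001, then .002, then .003" pattern). Addresses are
    compared as integers, so a run crossing an octet boundary still counts."""
    per_src = defaultdict(list)
    for ts, src, _, dst in events:
        per_src[src].append((ts, int(ipaddress.ip_address(dst))))
    sweeps = {}
    for src, items in per_src.items():
        items.sort()
        run = best = 1
        for (_, prev), (_, cur) in zip(items, items[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            sweeps[src] = best      # longest consecutive-address run seen
    return sweeps


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, hits in sorted(classify_sources(evts).items()):
        print(f"{src:15} extremely serious: {', '.join(sorted(hits))}")
    for src, length in sorted(detect_sequential_sweeps(evts).items()):
        print(f"{src:15} sequential sweep of {length} consecutive addresses")
```

On the constructed log, 198.51.100.7 is flagged under criterion (1) (one stream from 01:00 to 05:30), 198.51.100.9 under criterion (2) (a burst at 08:00, silence, and a second burst at 14:00), 203.0.113.4 is not flagged because its restart comes 14 hours after the first contact, and 198.51.100.31 is reported as a sweep because it walks 192.0.2.1 through 192.0.2.5 in order. Feeding the detector real firewall or flow logs only requires adapting `parse_log` to the local record format.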

