Security Basics mailing list archives

RE: Serious Offshore Probes Detected & Defeated


From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 3 Oct 2007 11:48:28 +1000

Hi,
Also, could you clarify how you arrived at the coordinates for the Australia location?

IP Address   : 138.79.215.61 [ 138.79.215.61 ]
ISP          : CPSOFT
Organization : CPSOFT
Location     : AU, Australia
City         : -, - -
Latitude     : 27°00'00" South
Longitude    : 133°00'00" East

That puts it in a pretty remote region of South Australia. Looks like a mining area. I'm intrigued.

Thanks

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of David J. Bianco
Sent: Tuesday, October 02, 2007 4:49 AM
To: jes1 () comcast net
Cc: security-basics () securityfocus com
Subject: Re: Serious Offshore Probes Detected & Defeated

Hello, Jeffrey.  I don't wish to sound too skeptical about your findings,
but I have a few questions about your findings.  I have inserted them
into the text below.

jes1 () comcast net wrote:
DETAILS
(1) There are seven active sites in China:

221.209.110.50 - CNCGROUP Heilongjiang province network -Mudanjiang
116.18.161.55  - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2  - Data Communication Division - Beijing
221.208.208.3  - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107  - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing 
218.3.134.250  - Data Communication Division, Network Center of Fast China
Shipbuilding institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 has attempted the most
intense attack, installing Remote Access Java Scripts as defined in my
previous e-mail on detecting the China attack methods.  None of the seven
sites above were successful against Shadow. All probes/attacks were detected
and stopped.


Could you elaborate on the types of attacks you're seeing?  "Installing
Remote Access Java Scripts" is not quite as useful without knowing how they
are attempting to do that.  Was there a specific exploit they tried to
use to deface your website, or a certain misconfiguration they were
taking advantage of?

(2) Shadow has been detecting and securing our web site/network from 5
simultaneous probes/attacks from China, each from a different city in China.

Sorry, but five doesn't seem to be a very high number.  I see lots of
probes every day, much more than five.  Also, can I assume that these
look more like automated, mass attacks rather than something more targeted
to the organization?


(3) We have been able to determine, the probes/attacks are evolving to a
very advanced methodology, which no longer depends on a successful ping
(ICMP), and now start with a defined IP address, and cycles through every
possible IP combination within the IP address range.  As an example, a probe
starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then
goes to "100.100.100.002", then "100.100.100.003", so forth and so on.

I assume that you're not trying to say that you've just discovered how
port sweeps work.  Most mass attack tools work the way you describe.
If this is the state of your art, could that explain the low number for
#2?  Or is there something else here that your writeup didn't really
make clear?


(4) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61  - CPSOFT - Australia - No City Identified
81.188.3.50    - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11   - Shaw Communications - Canada - No City Identified


Again, without some information about what probes and attacks you saw
from these addresses, I have no way to evaluate the seriousness of
the activity.  Would you care to elaborate?

        David
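The sequential "100.100.100.001, .002, .003 ..." probing pattern described in point (3) above, and David's follow-up question of how many distinct sources are really involved, can be checked mechanically against firewall logs. The following is an added example, not code from either poster: it parses a constructed log format (timestamp, action, source, destination, protocol, port, an assumption of this example) and reports sources whose dropped packets walk through consecutive destination addresses, which is the signature of a mass sweep rather than a targeted probe. The source addresses are the ones listed in the thread; the log lines and the 100.100.100.0/24 targets are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format; not real captures).
SAMPLE_LOG = """\
2007-10-01T03:12:01 DROP 121.18.13.107 100.100.100.1 TCP 80
2007-10-01T03:12:01 DROP 121.18.13.107 100.100.100.2 TCP 80
2007-10-01T03:12:02 DROP 121.18.13.107 100.100.100.3 TCP 80
2007-10-01T03:12:02 DROP 121.18.13.107 100.100.100.4 UDP 137
2007-10-01T03:12:03 DROP 121.18.13.107 100.100.100.5 TCP 80
2007-10-01T03:15:44 DROP 138.79.215.61 100.100.100.7 TCP 22
2007-10-01T03:15:50 DROP 138.79.215.61 100.100.100.7 TCP 443
2007-10-01T03:16:10 DROP 219.240.44.147 100.100.100.9 TCP 80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (TCP|UDP) (\d+)$")

def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, proto, port = m.groups()
        events.append({"ts": ts, "action": action, "src": src,
                       "dst": dst, "proto": proto, "port": int(port)})
    return events

def find_sequential_sweeps(events, min_hosts=3):
    """Map source -> longest run of consecutive destination addresses.

    Only sources with a run of at least min_hosts are returned; a single
    host hit on several ports (138.79.215.61 above) does not qualify.
    """
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add(int(ipaddress.ip_address(e["dst"])))
    sweeps = {}
    for src, dsts in by_src.items():
        ordered = sorted(dsts)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps

def summarize(events):
    """Distinct sources seen, plus which of them look like address sweeps."""
    return {"distinct_sources": len({e["src"] for e in events}),
            "sweeps": find_sequential_sweeps(events)}
```

Counting distinct sources per day with this kind of summary is what makes a figure like "five probes" comparable with the much higher daily counts David mentions.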