Security Incidents mailing list archives

Re: Portscanning from 211.42.135.14


From: Patrick Oonk <patrick () pine nl>
Date: Mon, 14 Aug 2000 19:47:12 +0200

On Mon, Aug 14, 2000 at 09:51:25AM -0400, Ben Ostrowsky wrote:
> The following attempts appeared in our syslog recently:
>
> Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14 port 1339
> Aug 12 04:00:25 snoopy sshd[25585]: log: Could not reverse map address 211.42.135.14.
> Aug 12 04:00:25 snoopy sshd[25585]: fatal: Did not receive ident string.
> Aug 12 04:00:36 snoopy sshd[25592]: log: Connection from 211.42.135.14 port 1349
> Aug 12 04:00:36 snoopy sshd[25592]: log: Could not reverse map address 211.42.135.14.
> Aug 12 04:01:48 snoopy ftpd[25598]: lost connection to 211.42.135.14 [211.42.135.14]
> Aug 12 04:01:48 snoopy sshd[25592]: fatal: Did not receive ident string.
> Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
> Aug 12 04:00:25 snoopy imapd[25586]: connect from 211.42.135.14
> Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
> Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client address: Connection reset by peer
> Aug 12 04:01:01 snoopy in.ftpd[25598]: connect from 211.42.135.14
> Aug 12 04:01:52 snoopy in.telnetd[25711]: warning: can't get client address: Connection reset by peer
> Aug 12 04:00:21 snoopy imapd[25582]: command stream end of file, while reading line user=??? host=[211.42.135.14]
> Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while reading line user=??? host=[211.42.135.14]
> Aug 12 04:00:25 snoopy imapd[25586]: command stream end of file, while reading line user=??? host=[211.42.135.14]
>
> I tried 'dig -x 211.42.135.14 soa' but got no useful information.  I'm
> curious: does anyone know who just portscanned us?  Does the pattern look
> familiar?
>
> --
> Ben Ostrowsky, Automation Services Technologist
> Tampa Bay Library Consortium - http://www.tblc.org/


(patrick@atro /~) whois 211.42.135.14

% Rights restricted by copyright. See
% http://www.apnic.net/db/dbcopyright.html

inetnum:     211.42.0.0 - 211.51.255.255
netname:     KRNIC-KR-23
descr:       KRNIC
descr:       Korea Network Information Center
country:     KR
admin-c:     WK1-AP
tech-c:      SL119-AP
remarks:     KRNIC Allocation Block
remarks:     Authoritative Information regarding assignments and
remarks:     allocations made from within this block can also be
remarks:     queried at whois.nic.or.kr
mnt-by:      APNIC-HM
mnt-lower:   MNT-KRNIC-AP
changed:     hostmaster () apnic net 19991118
source:      APNIC

person:      Weon Kim
address:     Korea Network Information Center (KRNIC)
address:     Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address:     Seoul, 137-070, Republic of Korea
address:     **************** Important Notice **********************
address:     KRNIC is the National Internet Registry.
address:     If you want to find detail assignment information
address:     about above IP address, please use http://ipwhois.nic.or.kr
address:     or "whois -h whois.nic.or.kr <ip address>"
address:     *****************************************************
phone:       +82-2-2186-4502
fax-no:      +82-2-2186-4496
country:     KR
e-mail:      wkim () nic or kr
nic-hdl:     WK1-AP
mnt-by:      MNT-KRNIC-AP
changed:     seungmin () nic or kr 20000222
source:      APNIC

person:      Seung-Min Lee
address:     Korea Network Information Center (KRNIC)
address:     Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address:     Seoul, 137-070, Republic of Korea
address:     **************** Important Notice **********************
address:     KRNIC is the National Internet Registry
address:     If you want to find detail assignment information
address:     about above IP address, please use http://ipwhois.nic.or.kr
address:     or "whois -h whois.nic.or.kr <ip address>"
address:     *****************************************************
phone:       +82-2-2186-4506
fax-no:      +82-2-2186-4496
country:     KR
e-mail:      seungmin () krnic net
nic-hdl:     SL119-AP
mnt-by:      MNT-KRNIC-AP
changed:     seungmin () nic or kr 20000222
source:      APNIC


--
 Patrick Oonk -  PO1-6BONE -  patrick () pine nl -  www.pine.nl/~patrick
 Pine Internet - PAT31337-RIPE - PGPkeyID BE7497F1 - XOIP+31208723350
 Tel: +31-70-3111010  -   Fax: +31-70-3111011   -  http://security.nl
 PGP   fingerprint   A6 12 66 7F 22 84 1B E5  73 8C 99 F7 17 7B A3 98
 Excuse of the day: Route flapping at the NAP.
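
Added example, not part of either message in this thread: a small Python script that flags a source address touching several different daemons within a short window, which is the pattern visible in the syslog excerpt quoted in the thread. The two-minute window, the three-service threshold, the year 2000 default and the 192.0.2.10 line are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entries taken from the syslog excerpt quoted in the thread, one per line; the
# final 192.0.2.10 entry is constructed to show a source that is not flagged.
SAMPLE = """\
Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14 port 1339
Aug 12 04:00:25 snoopy sshd[25585]: fatal: Did not receive ident string.
Aug 12 04:01:48 snoopy ftpd[25598]: lost connection to 211.42.135.14 [211.42.135.14]
Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client address: Connection reset by peer
Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while reading line user=??? host=[211.42.135.14]
Aug 12 09:15:02 snoopy sshd[26001]: log: Connection from 192.0.2.10 port 4022
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:in\.)?([\w-]+)\[\d+\]: (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse(text, year=2000):
    """Yield (timestamp, daemon, source_ip) for entries that name a peer address."""
    for line in text.splitlines():
        m = LINE.match(line)
        ip = IPV4.search(m.group(3)) if m else None
        if m and ip:  # entries without an address (the telnetd resets) are skipped
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), ip.group(0)

def multi_service_sources(text, window=timedelta(minutes=2), min_services=3):
    """Return {ip: sorted daemons} for sources that reach min_services or more
    distinct daemons inside any window of the given length."""
    by_ip = defaultdict(list)
    for ts, daemon, ip in parse(text):
        by_ip[ip].append((ts, daemon))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # merged syslog excerpts are often not in time order
        for i, (start, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - start <= window}
            if len(seen) >= min_services:
                flagged[ip] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    print(multi_service_sources(SAMPLE))
```

Daemons that fail before logging the peer address, such as the in.telnetd resets here, are invisible to this check and have to be correlated by timestamp alone.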

