Security Incidents mailing list archives

Re: Portscanning from 211.42.135.14


From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Tue, 15 Aug 2000 16:40:37 -0400

Korea Network Information Center is no more the IP owner than ARIN is for any
North American IP. You need to go to the Korea NIC at whois.nic.or.kr or
whois.krnic.net if it is in a Korean range. This is indicated in the reply you
sent.
That gets:


# whois -h whois.nic.or.kr 211.42.135.14

Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )

query: 211.42.135.14

* ÇÑ±Û ±â°ü¸í¿¡ ´ëÇÑ whois Á¶È¸´Â À¥(http://whois.nic.or.kr)¿¡¼­
  ÇϽñ⠹ٶø´Ï´Ù.

Á¶È¸ÇϽŠÇØ´ç IPÁÖ¼Ò´Â ¾Æ·¡ÀÇ °¡ÀÔ±â°ü¿¡ ÇÒ´çµÈ ºí·°ÀÔ´Ï´Ù.



# ENGLISH

IP Address     : 211.42.135.0-211.42.135.255
Connect ISP Name   : KOLNET
Connect Date : 2000.02.18
Registration Date: 20000221
Network Name   : SHELLBNET

[ Organization Information ]
Orgnization ID : ORG100731
Name           : SHELLBINET CO. LTD.
State          : SEOUL
Address        : 5F 158-27 TONGGYO-DONG MAPO-GU
Zip Code       : 121-200

[ Admin Contact Information]
Name           : PANWON KIM
Org Name       : SHELLBINET CO. LTD.
State          : SEOUL
Address        : 5F 158-27 TONGGYO-DONG MAPO-GU
Zip Code       : 121-200
Phone          : +82-2-240-7759
Fax            : +82-2-240-7759
E-Mail         : kolnet () hitel net

[ Technical Contact Information ]
Name           : PANWON KIM
Org Name       : SHELLBINET CO. LTD.
Address        : 5F 158-27 TONGGYO-DONG MAPO-GU
Zip Code       : 121-200
Phone          : +82-2-240-7759
Fax            : +82-2-240-7759
E-Mail         : kolnet () hitel net

# KOREAN

IP ÁÖ¼Ò        : 211.42.135.0-211.42.135.255
¿¬°á ISP¸í     : KOLNET
ISP ¿¬°á³¯Â¥   : 2000.02.18
ÇÒ´ç³»¿ª µî·ÏÀÏ: 20000221
³×Æ®¿öÅ© À̸§  : SHELLBNET

[ IP »ç¿ë ±â°ü Á¤º¸ ]
±â°ü°íÀ¯¹øÈ£   : ORG100731
±â°ü¸í         : ¼¿ºñ³Ý
½Ãµµ¸í         : ¼­¿ï
ÁÖ¼Ò           : ¸¶Æ÷±¸ µ¿±³µ¿ 158-27 5Ãþ

[ °ü¸® Ã¥ÀÓÀÚ Àι° Á¤º¸ ]
À̸§           : ±èÆÇ¿ø
±â°ü¸í         : ¼¿ºñ³Ý
½Ãµµ¸í         : ¼­¿ï
ÁÖ¼Ò           : ¸¶Æ÷±¸ µ¿±³µ¿ 158-27 5Ãþ
ÀüÈ­ ¹øÈ£      : +82-2-240-7759
Fax            : +82-2-240-7759
ÀüÀÚ ¿ìÆí      : kolnet () hitel net

[ ½Ç¹« Ã¥ÀÓÀÚ Àι° Á¤º¸ ]
À̸§           : ±èÆÇ¿ø
±â°ü¸í         : ¼¿ºñ³Ý
½Ãµµ¸í         : ¼­¿ï
ÁÖ¼Ò           : ¸¶Æ÷±¸ µ¿±³µ¿ 158-27 5Ãþ
ÀüÈ­ ¹øÈ£      : +82-2-240-7759
Fax            : +82-2-240-7759
ÀüÀÚ ¿ìÆí      : kolnet () hitel net





Patrick Oonk <patrick () pine nl> on 08/14/2000 01:47:12 PM

Please respond to patrick () pine nl

 To:      INCIDENTS () SECURITYFOCUS COM
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: Re: Portscanning from 211.42.135.14

On Mon, Aug 14, 2000 at 09:51:25AM -0400, Ben Ostrowsky wrote:
The following attempts appeared in our syslog recently:

Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14 port 1339
Aug 12 04:00:25 snoopy sshd[25585]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:00:25 snoopy sshd[25585]: fatal: Did not receive ident string.
Aug 12 04:00:36 snoopy sshd[25592]: log: Connection from 211.42.135.14 port 1349
Aug 12 04:00:36 snoopy sshd[25592]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:01:48 snoopy ftpd[25598]: lost connection to 211.42.135.14 [211.42.135.14]
Aug 12 04:01:48 snoopy sshd[25592]: fatal: Did not receive ident string.
Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy imapd[25586]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client address: Connection reset by peer
Aug 12 04:01:01 snoopy in.ftpd[25598]: connect from 211.42.135.14
Aug 12 04:01:52 snoopy in.telnetd[25711]: warning: can't get client address: Connection reset by peer
Aug 12 04:00:21 snoopy imapd[25582]: command stream end of file, while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:25 snoopy imapd[25586]: command stream end of file, while reading line user=??? host=[211.42.135.14]

I tried 'dig -x 211.42.135.14 soa' but got no useful information.  I'm
curious: does anyone know who just portscanned us?  Does the pattern look
familiar?

--
Ben Ostrowsky, Automation Services Technologist
Tampa Bay Library Consortium - http://www.tblc.org/


(patrick@atro /~) whois 211.42.135.14

% Rights restricted by copyright. See
% http://www.apnic.net/db/dbcopyright.html

inetnum:     211.42.0.0 - 211.51.255.255
netname:     KRNIC-KR-23
descr:       KRNIC
descr:       Korea Network Information Center
country:     KR
admin-c:     WK1-AP
tech-c:      SL119-AP
remarks:     KRNIC Allocation Block
remarks:     Authoritative Information regarding assignments and
remarks:     allocations made from within this block can also be
remarks:     queried at whois.nic.or.kr
mnt-by:      APNIC-HM
mnt-lower:   MNT-KRNIC-AP
changed:     hostmaster () apnic net 19991118
source:      APNIC

person:      Weon Kim
address:     Korea Network Information Center (KRNIC)
address:     Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address:     Seoul, 137-070, Republic of Korea
address:     **************** Important Notice **********************
address:     KRNIC is the National Internet Registry.
address:     If you want to find detail assignment information
address:     about above IP address, please use http://ipwhois.nic.or.kr
address:     or "whois -h whois.nic.or.kr <ip address>"
address:     *****************************************************
phone:       +82-2-2186-4502
fax-no:      +82-2-2186-4496
country:     KR
e-mail:      wkim () nic or kr
nic-hdl:     WK1-AP
mnt-by:      MNT-KRNIC-AP
changed:     seungmin () nic or kr 20000222
source:      APNIC

person:      Seung-Min Lee
address:     Korea Network Information Center (KRNIC)
address:     Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address:     Seoul, 137-070, Republic of Korea
address:     **************** Important Notice **********************
address:     KRNIC is the National Internet Registry
address:     If you want to find detail assignment information
address:     about above IP address, please use http://ipwhois.nic.or.kr
address:     or "whois -h whois.nic.or.kr <ip address>"
address:     *****************************************************
phone:       +82-2-2186-4506
fax-no:      +82-2-2186-4496
country:     KR
e-mail:      seungmin () krnic net
nic-hdl:     SL119-AP
mnt-by:      MNT-KRNIC-AP
changed:     seungmin () nic or kr 20000222
source:      APNIC


--
 Patrick Oonk -  PO1-6BONE -  patrick () pine nl -  www.pine.nl/~patrick
 Pine Internet - PAT31337-RIPE - PGPkeyID BE7497F1 - XOIP+31208723350
 Tel: +31-70-3111010  -   Fax: +31-70-3111011   -  http://security.nl
 PGP   fingerprint   A6 12 66 7F 22 84 1B E5  73 8C 99 F7 17 7B A3 98
 Excuse of the day: Route flapping at the NAP.
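
The lookup chain in this thread, where the APNIC record describes only the allocation block and names the national registry that holds the actual assignment, can be followed automatically. The sketch below is an added example, not part of the original messages: it pulls the referral host out of a reply and re-queries there. The starting server whois.apnic.net, the hop limit and all function names are assumptions; APNIC_REPLY is an excerpt of the reply quoted above.

```python
import re
import socket

# Excerpt of the APNIC reply quoted in the thread (sample input).
APNIC_REPLY = """\
inetnum:     211.42.0.0 - 211.51.255.255
netname:     KRNIC-KR-23
descr:       Korea Network Information Center
remarks:     KRNIC Allocation Block
remarks:     Authoritative Information regarding assignments and
remarks:     allocations made from within this block can also be
remarks:     queried at whois.nic.or.kr
source:      APNIC
"""

# A host named whois.<domain> anywhere in the reply text. The \b keeps
# "ipwhois.nic.or.kr" (a web address in the same reply) from matching.
WHOIS_HOST = re.compile(r"\b(whois\.[a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def referral_server(reply, asked):
    """Return the first whois host the reply names, other than the one asked."""
    for host in WHOIS_HOST.findall(reply):
        if host.lower() != asked.lower():
            return host.lower()
    return None

def query(server, ip, timeout=10, encoding="utf-8"):
    """Plain whois (TCP port 43): send the query line, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode(encoding, "replace")

def lookup(ip, server="whois.apnic.net", max_hops=3):
    """Follow referrals; return [(server, reply), ...], most specific last."""
    trail = []
    while server and len(trail) < max_hops:
        reply = query(server, ip)
        trail.append((server, reply))
        nxt = referral_server(reply, server)
        server = nxt if nxt not in [s for s, _ in trail] else None
    return trail
```

The last entry of the trail is the record to use for an abuse contact; the first one only identifies the registry that delegated the block.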
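
The pattern in the quoted syslog, one address showing up on sshd, imapd, ipop3d and ftpd within seconds, can be flagged mechanically. The following is an added example, not part of the original messages: it rejoins mail-wrapped log lines, groups records by source address and reports sources seen on several services inside a short window. The thresholds, the default year (syslog timestamps carry none) and the function names are assumptions; SAMPLE is a subset of the quoted lines, some of them wrapped the way a mailer wraps long lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the syslog lines quoted in the thread; some are mail-wrapped.
SAMPLE = """\
Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14
port 1339
Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client
address: Connection reset by peer
Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while
reading line user=??? host=[211.42.135.14]
"""

HEAD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w.-]+)\[\d+\]: (.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def records(text, year=2000):
    """Yield [time, service, message], rejoining wrapped continuation lines."""
    cur = None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            if cur:
                yield cur
            when = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            cur = [when, m[2].split(".")[-1], m[3]]  # in.ftpd counts as ftpd
        elif cur and line.strip():
            cur[2] += " " + line.strip()
    if cur:
        yield cur

def multi_service_sources(text, min_services=3, window=timedelta(minutes=2)):
    """Return {ip: services} for sources seen on >= min_services in window."""
    hits = defaultdict(list)
    for when, service, msg in records(text):
        for ip in set(IPV4.findall(msg)):
            hits[ip].append((when, service))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for start, _ in events:
            seen = {s for t, s in events if start <= t <= start + window}
            if len(seen) >= min_services:
                flagged[ip] = sorted(seen)
                break
    return flagged
```

The telnetd record carries no peer address, so it is parsed but not attributed to any source; only records that name an address count toward the threshold.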
