Security Incidents mailing list archives

dos from .kr, plus some classic .kr irresponsibility


From: Jason Storm <sec () ORGONE NEGATION NET>
Date: Fri, 4 Aug 2000 17:11:42 -0700

Around 4:12 pm PST Friday afternoon, one of my hosts received the
following DoS:

16:12:10.343933 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.344762 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.345121 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.346720 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.347080 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.348603 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.348950 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply

etc etc etc.

The attacking box is linux, without even the vaguest effort to disable
standard services, at least two of which appear to be script kiddie-able,
and has a few strange priv'd ports open.

The reason you are reading this right now:

ARIN whois reports:

Hanyang University (NET-HY-NET)
          Computer Center
          17 Haengdang-dong, Sungdong-gu
          Seoul, 133-791
          Korea

          Netname: HY-NET
          Netnumber: 166.104.0.0

          Coordinator:
             Chung, Yongki  (YC3-ARIN)  ykjung () HYUEE HANYANG AC KR
             +82-2-290-1416

          Domain System inverse mapping provided by:

          HYNETM.HANYANG.AC.KR         166.104.105.38

          Record last updated on 12-Jun-1995.
          Database last updated on 4-Aug-2000 06:53:19 EDT.

the punchline:


   ----- The following addresses had permanent fatal errors -----
<ykjung () hyuee hanyang ac kr>
   ----- Transcript of session follows -----
... while talking to hyuee.hanyang.ac.kr.:
RCPT To:<ykjung () hyuee hanyang ac kr>
<<< 550 <ykjung () hyuee hanyang ac kr>... User unknown
550 <ykjung () hyuee hanyang ac kr>... User unknown


I can forgive people for admin'ing rootable boxes.  I can forgive people
for letting their boxes be involved in attacks.  But what type of
clownshow can't even maintain an ARIN contact?


I mean really; for a long time I thought the whole .kr security fiasco was
just growing pains over there, but does anyone else get the uneasy
suspicion that they just don't take this shit seriously?



-Jason Storm
 negation industries
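
Added example, not part of the original post: a small parser for the tcpdump text format quoted above that measures the ICMP echo request rate per source, as a way to triage a capture like this one. The function names, the 100 packets/second threshold and the 3-packet minimum are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Capture lines as quoted in the post ("[deleted]" is the redacted victim host).
SAMPLE = """\
16:12:10.343933 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.344762 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.345121 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.346720 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.347080 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.348603 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.348950 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
"""

# hh:mm:ss.uuuuuu src > dst: icmp: echo request|reply
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) > (\S+): icmp: echo (request|reply)$"
)

def echo_request_rates(text):
    """Map each source to (echo request count, requests per second)."""
    stamps = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None or m.group(7) != "request":
            continue  # replies and unrelated lines are ignored
        h, mi, s, us = (int(m.group(i)) for i in range(1, 5))
        # Integer microseconds since midnight; a capture that crosses
        # midnight is not handled here.
        stamps[m.group(5)].append(((h * 60 + mi) * 60 + s) * 1_000_000 + us)
    rates = {}
    for src, ts in stamps.items():
        span_us = max(ts) - min(ts)
        # n packets span n-1 intervals; a single packet has no rate.
        pps = (len(ts) - 1) * 1_000_000 / span_us if span_us else 0.0
        rates[src] = (len(ts), pps)
    return rates

def flag_floods(text, threshold_pps=100.0, min_packets=3):
    """Sources whose echo request rate meets the (assumed) threshold."""
    return sorted(
        src for src, (n, pps) in echo_request_rates(text).items()
        if n >= min_packets and pps >= threshold_pps
    )

if __name__ == "__main__":
    for src, (n, pps) in echo_request_rates(SAMPLE).items():
        print(f"{src}: {n} echo requests, {pps:.0f}/s")
    print("flagged:", flag_floods(SAMPLE))
```

On the excerpt above the requests arrive roughly 2 ms apart, so the measured rate is several hundred per second from a single source.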

