Re: Linuxconf scanning

[James Hoagland <hoagland () SILICONDEFENSE COM>]

We saw a scan like that too from the same host (211.169.82.130) at
05:54 PDT on Aug 5th.

APNIC was having connection problems yesterday but I managed to get
through to find out it was a Korean address and got
b0048228 () users bora net as the contact adress from KRNIC.  The IP
seems to be part of BORANET in Kyongnam, Korea.  I also e-mailed
abuse () bora net.  I haven't gotten any replies but haven't gotten any
bounces either.

Hope this helps,

  Jim

At 11:09 AM -0700 8/7/00, Ian Eure wrote:
> saw some linuxconf scanning this weekend...
>
> -- snip --
> Aug  5 15:29:33 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6
> 211.169.82.130:4450 aaa.bbb.ccc.ddd:98 L=60 S=0x00 I=16301 F=0x4000 T=43
> SYN (#11)
> Aug  5 15:29:33 spindle kernel: Packet log: ltraf REJECT eth0 PROTO=6
> 211.169.82.130:4450 aaa.bbb.ccc.ddd:98 L=60 S=0x00 I=16301 F=0x4000 T=43
> SYN (#11)
> -- snip --
> $ grep 98\/tcp /etc/services
> linuxconf       98/tcp                          # LinuxConf
> $
>
> a quick whois shows the 210/8 & 211/8 subnets as delegated to the
> asia-pacific region. queries to whois.apnic.net were butt-slow and didn't
> respond.
>
> did anyone else see this over the weekend?
>
> --
>  ______________________________________________
> | "the whole scale of cosmic dimensions are falling from my mouth
> | in the description of a kiss of the interimlovers"
> |   - einsturzende neubaten, "interim"

--
|*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
|*               hoagland () SiliconDefense com                *|
|*  Voice: (707) 445-4355 x13          Fax: (707) 826-7571  *|