Security Incidents mailing list archives

Re: Korea (was RE: ?)


From: do.geun.jo () KR ARTHURANDERSEN COM (Douglas Cho)
Date: Tue, 8 Feb 2000 21:00:22 +0900


I've just talked to a CERT-KR team member who is in charge of the incident
below.
He has already analyzed the attack and issued guidelines to the administrators in
the 'hanyang.ac.kr' domain.
The analysis and guidelines were sent on January 29, 2000 (local time).

The incident was originally reported to CERT-KR by the owner of the box
himself.
The host was taken down from the network.  Security maintenance is being done.

I heard that log analysis showed several intrusion activities from the States,
Malaysia and the Netherlands.
Some of them are thought to be 'friendly scanning' from those administrators who
had tried to help(?) or prevent any further attacks from the host to other
destinations.

I know that people are talking about whether they can do such a friendly probe or
not.
I would firmly say that you shouldn't.  Keep the scene as it is.
That's why a crime scene is cordoned off.  Your scanning will just add
unnecessary fingerprints.

If you have incidents, report them to your local CERT or 'cert () certcc or kr'.
You can get a public key from http://www.certcc.or.kr/.
I think they are doing their best to cope with security incidents.
Please do not let them down with harsh words.

Regards,

DG Jo - Manager
CPA, CISA, MCSE, CCNA
Arthur Andersen, Computer Risk Management

To: Incidents
Subject: Re: Korea (was RE: ?)
Date: Fri Jan 28 2000 02:28:20
Author: Patrick Oonk
Message-ID: <20000128102820.K513 () pine nl>

On Thu, Jan 27, 2000 at 12:55:05PM -0800, David Brumley wrote:
Port 2222 is a rootshell left by the amd exploit. They may be trying to
see which exploits succeeded, or just scouring for other hackers' boxes.

Another Korean scan. Did anyone EVER get ANY reply to an abuse report
from Korea? Either Koreans cannot read English or they just don't care.

166.104.230.37 > 212.136.77.44
03:00:00.094228 empl.hanyang.ac.kr.850 > www.dje.nl.111: S
511210259:511210259(0) win 32120  (DF)
02:59:29.588554 empl.hanyang.ac.kr.4351 > www.dje.nl.143: S
488179806:488179806(0) win 32120  (DF)
02:59:29.589084 empl.hanyang.ac.kr.4353 > www.dje.nl.111: S
481606656:481606656(0) win 32120  (DF)
02:59:29.589344 empl.hanyang.ac.kr.4354 > www.dje.nl.2766: S
482159600:482159600(0) win 32120  (DF)
02:59:29.590194 empl.hanyang.ac.kr.4357 > www.dje.nl.22: S
480246035:480246035(0) win 32120  (DF)
02:59:29.590441 empl.hanyang.ac.kr.4358 > www.dje.nl.1114: S
482667113:482667113(0) win 32120  (DF)
02:59:29.590657 empl.hanyang.ac.kr.4359 > www.dje.nl.1: S 485237106:485237106(0)
 win 32120  (DF)
02:59:29.590927 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S
473507868:473507868(0) win 32120  (DF)
02:59:32.589898 empl.hanyang.ac.kr.4353 > www.dje.nl.111: S
481606656:481606656(0) win 32120  (DF)
02:59:32.591126 empl.hanyang.ac.kr.4357 > www.dje.nl.22: S
480246035:480246035(0) win 32120  (DF)
02:59:32.591447 empl.hanyang.ac.kr.4358 > www.dje.nl.1114: S
482667113:482667113(0) win 32120  (DF)
02:59:32.591673 empl.hanyang.ac.kr.4359 > www.dje.nl.1: S 485237106:485237106(0)
 win 32120  (DF)
02:59:32.591902 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S
473507868:473507868(0) win 32120  (DF)
02:59:38.582343 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S
473507868:473507868(0) win 32120  (DF)
02:59:38.582570 empl.hanyang.ac.kr.4359 > www.dje.nl.1: S 485237106:485237106(0)
 win 32120  (DF)
02:59:38.583428 empl.hanyang.ac.kr.4358 > www.dje.nl.1114: S
482667113:482667113(0) win 32120  (DF)
02:59:50.584803 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S
473507868:473507868(0) win 32120  (DF)
02:59:56.960683 empl.hanyang.ac.kr.4362 > www.dje.nl.1: S 516838789:516838789(0)
 win 32120  (DF)
02:59:57.510362 empl.hanyang.ac.kr.4363 > www.dje.nl.139: S
503946867:503946867(0) win 32120  (DF)

To: Incidents
Subject: Re: Korea (was RE: ?)
Date: Fri Jan 28 2000 14:15:51
Author: Patrick Oonk
Message-ID: <20000128221551.V513 () pine nl>

On Fri, Jan 28, 2000 at 04:02:33PM -0500, Dug Song wrote:

and just a suggestion, but you may want to raise your alert threshold -
and if a forgeable TCP SYN portscan is enough to raise your hackles on a
public mailing list, you'll be tearing your hair out when a single script
kid goes at you with nmap -D...

Actually I don't bother at all, but after checking out
the offending hosts it was clear they were hijacked
and used as an attack base. As such they are a menace
to the net as a whole. I also found it sad for their owners,
but they don't seem to care.


