Security Incidents mailing list archives

Re: Korea (was RE: ?)


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 1 Feb 2000 12:01:28 +1300


On Fri, 28 Jan 2000 19:54:55 +0000 Arrigo Triulzi <arrigo () ALBOURNE COM>
wrote:

Patrick Oonk scripsit:
|Another Korean scan. Did anyone EVER get ANY reply to an abuse report
|from Korea? Either Koreans cannot read English or they just don't care.

I think you'll find that the Korean NIC are swamped with security
issues at the moment.  KRNIC-CERT took the pain to reply to a couple
of requests sent from SANS analysts (see http://www.sans.org/giac.htm)
regarding scans over New Year's night.

There is definitely an issue with machines in Korea being an easy
target, mainly Linux boxes without any security patches installed and
left wide open.

Please do try to write to KRNIC, they might not reply but perhaps they
need to see the breadth of the problem regarding their networks.

I second this.  I have spoken to people from CCERT-KR (Korean Cert) at
the FIRST meeting in Brisbane (June '99) about the number of scans we
were seeing then from the .kr domain.  They were aware of the problem
and asked me to cc reports to them so they could translate them and
send them on to the sites.

They suggested that language problems were a big factor in non-response
to incident reports.  I suspect that they are now run off their feet
and that is why I no longer get responses to my reports.

It is my personal opinion that most of the scans that we are seeing
from the .kr domain are from machines that have been compromised by
people working from elsewhere in the world.  Most systems seem to be
old Linux boxes which have heaps of known problems unless someone has
applied a lot of patches.

Cheers, Russell.

