Security Incidents mailing list archives

Sub-Seven and NetBus port scans from HK and KR


From: "Ralf G. R. Bergs" <rabe () RWTH-Aachen DE>
Date: Sat, 24 Feb 2001 09:03:38 +0100

Hi there,

I just noticed port scans for trojans from HK and KR on two different hosts on
the same class C:

Feb 24 03:27:12 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=9335 F=0x4000 T=105 SYN (#53)
Feb 24 03:27:15 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=12919 F=0x4000 T=105 SYN (#53)
Feb 24 03:27:15 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4579 <my host>:27374 L=48 S=0x00 I=13943 F=0x4000 T=105 SYN (#53)
Feb 24 03:27:21 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=25463 F=0x4000 T=105 SYN (#53)
Feb 24 03:27:21 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4579 <my host>:27374 L=48 S=0x00 I=25719 F=0x4000 T=105 SYN (#53)
Feb 24 03:27:33 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=49783 F=0x4000 T=105 SYN (#53)
Feb 24 03:27:33 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4579 <my host>:27374 L=48 S=0x00 I=50039 F=0x4000 T=105 SYN (#53)

HONG KONG TELECOM IMS LTD (NETBLK-CW-208-167-224)
   22/F, TOWER II, GRAND CENTRAL PLAZA
   SHATIN, N.T.,
   HK

   Netname: CW-208-167-224
   Netblock: 208.167.224.0 - 208.167.255.255

   Coordinator:
      Chan, Selleck  (SC18-ARIN)  selleck () NETVIGATOR COM
      28837164
Feb 24 07:12:49 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=42958 F=0x4000 T=105 SYN (#53)
Feb 24 07:12:49 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=43214 F=0x4000 T=105 SYN (#53)
Feb 24 07:12:52 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=48846 F=0x4000 T=105 SYN (#53)
Feb 24 07:12:52 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=49358 F=0x4000 T=105 SYN (#53)
Feb 24 07:12:58 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=60110 F=0x4000 T=105 SYN (#53)
Feb 24 07:12:58 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=60366 F=0x4000 T=105 SYN (#53)
Feb 24 07:13:10 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=22991 F=0x4000 T=105 SYN (#53)
Feb 24 07:13:10 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=23247 F=0x4000 T=105 SYN (#53)

Yeungnam University (NET-YNUNET-B)
   Computer Center
   214, Dae-dong, Kyungsan-si
   Kyungsangpook-do, 712-749
   Korea

   Netname: YNUNET-B
   Netblock: 165.229.0.0 - 165.229.255.255

   Coordinator:
      ChulGu, Kang  (KC12-ARIN)  [No mailbox]
      +82-53-810-3661

I've reported the incidents to the coordinators and the KR CERT.

Ralf


--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
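An added example, not part of Ralf's post: a small parser for the ipchains "Packet log:" lines shown above that groups denied SYNs to the NetBus and Sub-Seven ports per source address and reports the spacing between repeated SYNs. The sample lines are copied from the post (re-joined onto one line each, with its <my host> placeholders kept); the port-to-name table and the function names are this example's own.

```python
import re
from datetime import datetime

# Ports the post is watching: NetBus listens on 12345, Sub-Seven on 27374.
TROJAN_PORTS = {12345: "NetBus", 27374: "Sub-Seven"}

# One ipchains "Packet log:" line as the 2.2 kernel prints it. The <my host>
# placeholders the post uses for the destination are accepted as-is.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\S+) "
    r"(?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+|<[^>]+>):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-f]+ I=\d+ F=0x[0-9a-f]+ T=(?P<ttl>\d+)"
    r"(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)$")

# Sample input: lines copied from the post, each re-joined onto one line.
SAMPLE = [
    "Feb 24 03:27:12 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=9335 F=0x4000 T=105 SYN (#53)",
    "Feb 24 03:27:15 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=12919 F=0x4000 T=105 SYN (#53)",
    "Feb 24 03:27:15 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4579 <my host>:27374 L=48 S=0x00 I=13943 F=0x4000 T=105 SYN (#53)",
    "Feb 24 03:27:21 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=25463 F=0x4000 T=105 SYN (#53)",
    "Feb 24 03:27:33 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=49783 F=0x4000 T=105 SYN (#53)",
    "Feb 24 07:12:49 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=42958 F=0x4000 T=105 SYN (#53)",
]

def parse_line(line):
    """Fields of one ipchains log line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("proto", "sport", "dport", "ttl", "rule"):
        e[k] = int(e[k])
    e["syn"] = e.pop("flags") == "SYN"
    e["time"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return e

def trojan_probes(lines):
    """Denied TCP SYNs to trojan ports, grouped as {src: {trojan name: [times]}}."""
    out = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["proto"] != 6 or not e["syn"] or e["dport"] not in TROJAN_PORTS:
            continue
        out.setdefault(e["src"], {}).setdefault(TROJAN_PORTS[e["dport"]], []).append(e["time"])
    return out

def retransmit_gaps(times):
    """Seconds between successive SYNs from one source to one port. A 3, 6, 12 ...
    doubling pattern is the sender's TCP retransmit timer: a full connect()
    attempt that the DENY rule silently dropped, not a one-packet stealth scan."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```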

