Security Incidents mailing list archives

Re: Strange accumulation of scans from Korea (KORNET/HANANET)


From: John <johns () TAMPABAY RR COM>
Date: Fri, 9 Mar 2001 09:38:30 -0500

Hello,
  This same network has been scanning my network(s) for about
two weeks now. I have reported every scan, but have had no luck in
hearing back from anyone. I have been busy lately, but I am
going to have an associate in Korea call them for me, as I am
located in the States.

"Ralf G. R. Bergs" wrote:

Hi there,

I'm just observing a very strange accumulation of network scans from Korea.

During the last weeks there has only been about 1 scan PER WEEK that
originated from Korea; today I had more than half a dozen scans in only a
few hours. I'm sure the log snippet you see below DOES constitute a scan,
because none of our IPs are visible from outside our LAN (denoted by
111.222.333.0/24 below; the host address, i.e. the last byte, is authentic).

Maybe there is a serious trojan infection/crack in progress???

I've notified the respective netblock owners and cc'ed the KR CERT.

Ralf

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Mar  9 09:27:52 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.192.37.171:867 111.222.333.17:1542 L=40 S=0x00 I=56742 F=0x0000 T=107 (#54)
Mar  9 09:30:42 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.216.128.247:867 111.222.333.17:1542 L=40 S=0x00 I=50983 F=0x0000 T=106 (#54)
Mar  9 10:35:28 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.107.87.190:8086 111.222.333.151:1052 L=40 S=0x00 I=7847 F=0x0000 T=232 (#54)
Mar  9 12:18:42 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.107.87.190:1976 111.222.333.208:2102 L=40 S=0x00 I=54468 F=0x0000 T=232 (#54)
Mar  9 12:30:11 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.196.142.23:1225 111.222.333.116:2195 L=40 S=0x00 I=30616 F=0x0000 T=107 (#54)
Mar  9 12:28:29 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.208.172.152:1225 111.222.333.116:2195 L=40 S=0x00 I=10025 F=0x0000 T=107 (#54)
Mar  9 12:33:02 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.208.172.152:6012 111.222.333.222:1801 L=40 S=0x00 I=40415 F=0x0000 T=107 (#54)
Mar  9 12:41:33 WWW kernel: Packet log: input DENY eth0 PROTO=6 211.178.164.237:7885 111.222.333.48:1652 L=40 S=0x00 I=30316 F=0x0000 T=107 (#54)

--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^

--
"The events which transpired five thousand years ago;
Five years ago or five minutes ago, have determined
what will happen five minutes from now; five years
From now or five thousand years from now.
All history is a current event."

- Dr John Henrik Clarke -
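As an added illustration (not code from either poster), the following Python script shows how a defender can turn mail-wrapped ipchains "Packet log" DENY lines like the ones quoted above into a per-source summary, so that a handful of log lines become an answer to "is this one host sweeping my /24, or several unrelated probes?". It re-joins records that a mail client wrapped onto two or three lines, parses the fields the log format carries (interface, protocol, source and destination socket, length, TOS, IP id, fragment flags, TTL, rule number), groups denied packets by source address and flags sources that touched more than one local host. The sample log embedded in the script is constructed for this example and uses documentation address ranges (198.51.100.0/24, 192.0.2.0/24) rather than any address from the post; the hop-count guess assumes the common initial TTL defaults of 64, 128 and 255.

```python
import re
from collections import defaultdict

# One ipchains DENY record in the form shown in the post, after unwrapping:
#   <ts> <host> kernel: Packet log: <chain> <action> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+) \(#\s*(?P<rule>\d+)\)$"   # tolerate "(# 54)" left by line wrapping
)

# A line that starts with a syslog timestamp begins a new record.
TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")

# Constructed sample in the same wrapped shape as the quoted mail; addresses are
# documentation ranges, not the addresses from the post.
SAMPLE_LOG = """\
Mar  9 09:27:52 WWW kernel: Packet log: input DENY eth0 PROTO=6
198.51.100.10:867 192.0.2.17:1542 L=40 S=0x00 I=56742 F=0x0000 T=107 (#
54)
Mar  9 09:30:42 WWW kernel: Packet log: input DENY eth0 PROTO=6
198.51.100.10:867 192.0.2.23:1542 L=40 S=0x00 I=50983 F=0x0000 T=107 (#
54)
Mar  9 10:35:28 WWW kernel: Packet log: input DENY eth0 PROTO=6
198.51.100.10:8086 192.0.2.151:1052 L=40 S=0x00 I=7847 F=0x0000 T=107
(#54)
Mar  9 12:18:42 WWW kernel: Packet log: input DENY eth0 PROTO=6
198.51.100.77:1976 192.0.2.208:2102 L=40 S=0x00 I=54468 F=0x0000 T=232 (#
54)
"""


def unwrap(text):
    """Re-join records that a mail client wrapped across several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(record):
    """Return the named fields of one unwrapped record, or None if it does not parse."""
    m = LOG_RE.match(record)
    return m.groupdict() if m else None


def summarize(records):
    """Group denied packets by source address: packet count, local hosts and ports hit, TTLs seen."""
    by_src = defaultdict(lambda: {"packets": 0, "dst_hosts": set(), "dst_ports": set(), "ttls": set()})
    for rec in records:
        f = parse_record(rec)
        if f is None or f["action"] != "DENY":
            continue
        e = by_src[f["src"]]
        e["packets"] += 1
        e["dst_hosts"].add(f["dst"])
        e["dst_ports"].add(int(f["dport"]))
        e["ttls"].add(int(f["ttl"]))
    return dict(by_src)


def flag_sweeps(summary, min_hosts=2):
    """Sources that touched at least min_hosts distinct local hosts look like a horizontal sweep."""
    return sorted(src for src, e in summary.items() if len(e["dst_hosts"]) >= min_hosts)


def hops_estimate(ttl):
    """Guess the sender's initial TTL from the common defaults (64/128/255) and the hop count to us."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


if __name__ == "__main__":
    summary = summarize(unwrap(SAMPLE_LOG))
    for src, e in sorted(summary.items()):
        ttl_info = ", ".join("T=%d (~%d hops)" % (t, hops_estimate(t)[1]) for t in sorted(e["ttls"]))
        print("%-16s packets=%d hosts=%d ports=%s %s" % (
            src, e["packets"], len(e["dst_hosts"]), sorted(e["dst_ports"]), ttl_info))
    print("possible sweeps:", flag_sweeps(summary))
```

Run as a script it prints one line per source plus the list of sources that hit more than one local host; the threshold in `flag_sweeps` is a starting point, and in practice you would raise it or add a time window before feeding the result into an abuse report.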
