Security Incidents mailing list archives
Re: Kuang2 strikes again, is it just me?
From: Jasmine <jasmine.chua () securecirt com>
Date: Sun, 16 Feb 2003 22:00:48 +0800
Well, looks like they are just scanning and attempting to compromise your network. If you have that Kuang2 trojan installed on your machines I think you do not have it, you should be safe. Yeah, they may be back again! :-(

On Sunday 16 February 2003 09:35, Jeff Kell wrote:
Last Sunday (Feb 9) I reported a sudden flurry of scans on tcp/17300 (the Kuang2 backdoor). I had 9 hits in an hour on a cable modem, and 18 in all in the next 6 hours, then they stopped. Nothing appeared on my radar screen at work where I monitor a /18, a /22, and a /24 address block.

Today looks like a revisit of similar probing. Home cable modem reports (timezone EST, GMT-05:00), all directed at my tcp/17300:

But once again, no sign of it at the office. Very strange. Since the connection is never established, I don't know the payload they are trying to deliver. Will try to set up a honeypot on the port and see what comes up.

Jeff

---------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

--
Jasmine Chua
Security Engineer
SecureCiRT Pte Ltd
Blk 750C Chai Chee Road #04-01
Technopark@ChaiChee
Singapore 469003
Tel: 6243 6800
DID: 6243 6802
Fax: 6441 5119
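
One way to build the honeypot mentioned in the quoted message, as an added example that is not part of either message: a listener that accepts connections on tcp/17300, records the first bytes each client sends, and never answers. The function names `listen` and `capture_once` are made up for this example; a scanner that waits for the server to speak first will show up with an empty payload.

```python
import datetime
import json
import socket

KUANG2_PORT = 17300  # tcp port named in the thread


def listen(host="0.0.0.0", port=KUANG2_PORT):
    """Open the listening socket; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def capture_once(srv, max_bytes=1024, timeout=5.0):
    """Accept one connection, record what the client sends first, never reply."""
    conn, (ip, sport) = srv.accept()
    data = b""
    with conn:
        conn.settimeout(timeout)  # a silent client must not block the listener
        try:
            while len(data) < max_bytes:
                chunk = conn.recv(max_bytes - len(data))
                if not chunk:  # peer closed the connection
                    break
                data += chunk
        except (socket.timeout, ConnectionError):
            pass  # keep whatever arrived before the timeout or reset
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src": f"{ip}:{sport}",
        "len": len(data),
        "hex": data.hex(),  # hex keeps binary payloads intact in the log
    }


if __name__ == "__main__":
    srv = listen()
    while True:
        # one JSON record per connection, suitable for appending to a log file
        print(json.dumps(capture_once(srv)), flush=True)
```

Run it on a host with nothing else bound to the port and with inbound tcp/17300 allowed through to it; each record gives the source and the raw first payload for later comparison.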