Security Incidents mailing list archives

Re: Kuang2 strikes again, is it just me?

From: Jasmine <jasmine.chua () securecirt com>
Date: Sun, 16 Feb 2003 22:00:48 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well looks like they are just scanning and attempting to compromise your 
network. If you have that Kuang2 trojan installed on your machines I think 
you do not have it, you shld be safe. Yeah they may be back again! :-( 

On Sunday 16 February 2003 09:35, Jeff Kell wrote:

Last Sunday (Feb 9) I reported a sudden flurry of scans on tcp/17300
(the Kuang2 backdoor).  I had 9 hits in an hour on a cable modem, and
18 in all in the next 6 hours, then they stopped.  Nothing appeared
on my radar screen at work where I monitor a /18, a /22, and a /24
address block.

Today looks like a revisit of similar probing.  Home cable modem
reports (timezone EST, GMT-05:00), all directed at my tcp/17300:

2003/02/15 16:47:35    81.65.242.15:3149 (m15.net81-65-242.noos.fr)
2003/02/15 16:47:35   211.28.41.112:4970
(c17758.rivrw1.nsw.optusnet.com.au) 2003/02/15 17:02:25  
213.226.66.79:3222 (hd5e2424f.gavlegardarna.gavle.to) 2003/02/15 17:04:45 
213.98.218.209:3702 (213-98-218-209.uc.nombres.ttd.es) 2003/02/15 17:17:42 
 62.178.112.57:4835 (chello062178112057.10.12.vie.surfer.at) 2003/02/15
17:29:07  212.181.67.244:4285 (sagan-67-244.ip-pluggen.com) 2003/02/15
17:30:54    213.46.66.21:3842 (d66021.upc-d.chello.nl)
2003/02/15 17:50:30 213.200.153.133:3882
(c213-200-153-133.cm-upc.chello.se) 2003/02/15 17:51:44
212.187.116.244:3343 (c116244.upc-c.chello.nl) 2003/02/15 17:54:41
212.114.214.226:3020 (DSL01-214226.NEFkom.net) 2003/02/15 17:54:49   
213.10.93.27:1321 (ipd50a5d1b.speed.planet.nl) 2003/02/15 18:04:49   
80.38.58.157:2900 (157.Red-80-38-58.pooles.rima-tde.net) 2003/02/15
18:30:53 217.215.175.113:1768 (as11-4-4.ehn.lk.bonet.se) 2003/02/15
18:38:30 211.222.249.106:4230
2003/02/15 19:02:57  213.67.117.218:2436 (h218n1fls13o893.telia.com)
2003/02/15 19:22:48     66.72.61.20:4358
(adsl-66-72-61-20.dsl.gdrpmi.ameritech.net) 2003/02/15 19:25:08  
24.185.30.193:1829 (ool-18b91ec1.dyn.optonline.net) 2003/02/15 19:35:22   
213.66.82.38:4059 (h38n1fls33o863.telia.com)

But once again, no sign of it at the office.  Very strange.  Since the
connection is never established, I don't know the payload they are
trying to deliver.  Will try to setup a honeypot on the port and see
what comes up.

Jeff

---------------------------------------------------------------------------
- This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


- -- 
Jasmine Chua
Security Engineer

SecureCiRT Pte Ltd
Blk 750C Chai Chee Road
#04-01 Technopark@ChaiChee
Singapore 469003
Tel: 6243 6800 DID: 6243 6802
Fax: 6441 5119
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+T5mQNgvTa7Hj2AURAr6sAJ0SjbUnusW9m2xmpVS8qzYihf+avgCZASOl
pBBKn1SBSKL33nn4XyA3Pxo=
=Mmgv
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Current thread:

Kuang2 strikes again, is it just me? Jeff Kell (Feb 15)
- RE: Kuang2 strikes again, is it just me? Rob Shein (Feb 16)
  - Re: Kuang2 strikes again, is it just me? Paul Dokas (Feb 17)
- Re: Kuang2 strikes again, is it just me? Johannes Ullrich (Feb 16)
- Re: Kuang2 strikes again, is it just me? Jasmine (Feb 16)
- Re: Kuang2 strikes again, is it just me? Jeff (Feb 16)
  - RE: Kuang2 strikes again, is it just me? Trevor Metzger (Feb 16)
    - RE: Kuang2 strikes again, is it just me? Tim Heagarty (Feb 17)
  - mIRC Trojan Variant - port 445 worm/Trojan kyle (Feb 17)
- <Possible follow-ups>
- Re: Kuang2 strikes again, is it just me? Kevin Patz (Feb 18)