Security Basics mailing list archives
RE: Serious Offshore Probes Detected & Defeated
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 3 Oct 2007 11:48:28 +1000
Hi,

Also, could you clarify how you arrived at the coordinates for the Australia location?

IP Address : 138.79.215.61 [ 138.79.215.61 ]
ISP : CPSOFT
Organization : CPSOFT
Location : AU, Australia
City : -, - -
Latitude : 27°00'00" South
Longitude : 133°00'00" East

That puts it in a pretty remote region of South Australia. Looks like a mining area. I'm intrigued.

Thanks

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David J. Bianco
Sent: Tuesday, October 02, 2007 4:49 AM
To: jes1 () comcast net
Cc: security-basics () securityfocus com
Subject: Re: Serious Offshore Probes Detected & Defeated

Hello, Jeffrey. I don't wish to sound too skeptical about your findings, but I have a few questions about your findings. I have inserted them into the text below.

jes1 () comcast net wrote:
DETAILS

(1) There are seven active sites in China:

221.209.110.50 - CNCGROUP Heilongjiang province network - Mudanjiang
116.18.161.55 - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2 - Data Communication Division - Beijing
221.208.208.3 - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107 - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing
218.3.134.250 - Data Communication Division, Network Center of East China Shipbuilding Institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 has attempted the most intense attack, installing Remote Access Java Scripts as defined in my previous e-mail on detecting the China attack methods. None of the seven sites above were successful against Shadow. All probes/attacks were detected and stopped.
Could you elaborate on the types of attacks you're seeing? "Installing Remote Access Java Scripts" is not quite as useful without knowing how they are attempting to do that. Was there a specific exploit they tried to use to deface your website, or a certain misconfiguration they were taking advantage of?
(2) Shadow has been detecting and securing our web site/network from 5 simultaneous probes/attacks from China, each from a different city in China.

Sorry, but five doesn't seem to be a very high number. I see lots of probes every day, much more than five. Also, can I assume that these look more like automated, mass attacks rather than something more targeted to the organization?
(3) We have been able to determine, the probes/attacks are evolving to a very advanced methodology, which no longer depends on a successful ping (ICMP), and now start with a defined IP address, and cycles through every possible IP combination within the IP address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", so forth and so on.

I assume that you're not trying to say that you've just discovered how port sweeps work. Most mass attack tools work the way you describe. If this is the state of your art, could that explain the low number for #2? Or is there something else here that your writeup didn't really make clear?
(4) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61 - CPSOFT - Australia - No City Identified
81.188.3.50 - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11 - Shaw Communications - Canada - No City Identified

Again, without some information about what probes and attacks you saw from these addresses, I have no way to evaluate the seriousness of the activity. Would you care to elaborate?

David
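The "cycle through every IP in the range" pattern in point (3) is easy to spot from the defender's side, which is the kind of evidence David asks for: a source that hits consecutive destination addresses in ascending order. The following is an added example, not code from anyone in this thread; the log format (src dst proto dport) and all addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (not from the thread): "src dst proto dport".
# 198.51.100.7 walks 192.0.2.1 .. .5 in order; 203.0.113.9 only talks to one host.
SAMPLE_LOG = """\
198.51.100.7 192.0.2.1 udp 137
198.51.100.7 192.0.2.2 tcp 445
198.51.100.7 192.0.2.3 udp 137
198.51.100.7 192.0.2.4 tcp 445
198.51.100.7 192.0.2.5 tcp 445
203.0.113.9 192.0.2.80 tcp 80
203.0.113.9 192.0.2.80 tcp 443
203.0.113.9 192.0.2.80 tcp 80
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")


def parse_log(text):
    """Return a list of (src, dst) ip_address pairs; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            events.append((ipaddress.ip_address(m.group(1)),
                           ipaddress.ip_address(m.group(2))))
        except ValueError:  # not a valid IP address, ignore the line
            continue
    return events


def find_sequential_sweeps(events, min_run=4):
    """Map source -> longest run of destinations that each equal the previous
    destination + 1 (the sequential sweep from point (3)), for runs >= min_run."""
    by_src = defaultdict(list)
    for src, dst in events:          # keep log order so runs reflect time order
        by_src[src].append(dst)
    sweeps = {}
    for src, dsts in by_src.items():
        longest = run = 1
        for prev, cur in zip(dsts, dsts[1:]):
            run = run + 1 if int(cur) == int(prev) + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            sweeps[str(src)] = longest
    return sweeps
```

Feeding the sample log through both functions flags 198.51.100.7 with a run of 5 and leaves 203.0.113.9 alone, which is the distinction between a sweep and ordinary repeat traffic to one host.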