funsec mailing list archives
Re: Interesting routes, info appreciated....
From: Paul Ferguson <fergdawgster () gmail com>
Date: Mon, 20 Apr 2009 17:17:01 -0700
Looks like route leakage in China between CNCGROUP Beijing & Beijing Capital Telecom (where your miscreant is located).

TraceRoute to 119.161.130.75

Hop  (ms)  (ms)  (ms)  IP Address       Host name
[snip]
  3    17    21    11  4.68.19.12       ae-1-69.edge2.dallas3.level3.net
  4     8     7     7  144.232.24.29    sl-st30-dal-0-5-2-0.sprintlink.net
  5    15    13     9  144.232.20.253   sl-crs2-fw-0-6-5-0.sprintlink.net
  6    52    51    40  144.232.20.131   sl-crs1-ana-0-9-3-0.sprintlink.net
  7    40    45    40  144.232.0.37     sl-gw29-ana-0-0-0.sprintlink.net
  8   222   218   220  160.81.147.166   sl-china6-1-0.sprintlink.net
  9   242   240   241  219.158.3.245    -
 10   263   259   259  219.158.4.81     -
 11   273   280   280  202.96.12.190    -
 12   258   257   257  61.148.155.42    -
 13   276   274   282  61.148.146.198   -
 14   275   274   274  202.106.203.18   bt-203-018.bta.net.cn
 15   279   276   277  61.49.35.202     -
 16   294   294   274  61.135.192.114   -
 17   Timed out  Timed out  Timed out   -
 18   317   317   299  6.6.6.6          -
 19   266   266   271  119.161.130.75   -
Trace complete

inetnum:      119.161.128.0 - 119.161.255.255
netname:      BJSKIDC
descr:        Beijing Capital Telecom Co.,LTD
descr:        No.B2-2809 Phoenix Town
descr:        No.5 ShuguangLi. Chaoyang District. Beijing
country:      CN
admin-c:      WC889-AP
tech-c:       HJ811-AP
mnt-by:       MAINT-CNNIC-AP
mnt-lower:    MAINT-CNNIC-AP
mnt-routes:   MAINT-CNNIC-AP
changed:      hm-changed () apnic net 20080226
status:       ALLOCATED PORTABLE
source:       APNIC

inetnum:      61.135.0.0 - 61.135.255.255
netname:      CNCGROUP-BJ
descr:        CNCGROUP Beijing province network
descr:        China Network Communications Group Corporation
descr:        No.156,Fu-Xing-Men-Nei Street,
descr:        Beijing 100031
country:      CN
admin-c:      CH455-AP
tech-c:       SY21-AP
mnt-by:       APNIC-HM
mnt-lower:    MAINT-CNCGROUP-BJ
mnt-routes:   MAINT-CNCGROUP-RR
status:       ALLOCATED PORTABLE
changed:      hm-changed () apnic net 20031112
changed:      hm-changed () apnic net 20040927
changed:      hm-changed () apnic net 20050112
changed:      hm-changed () apnic net 20060124
source:       APNIC

- ferg

On Mon, Apr 20, 2009 at 2:24 PM, Richard Golodner <rgolodner () infratection com> wrote:
I see in my log files that I get probed from 119.161.130.75 on an almost hourly basis (make dumb joke here), udp port scans, brute force password attempts, nothing too out of the ordinary, which is why I ask help from the funsec community.

Check out this log and tell me what is going on here. Hop 12 is the handoff from Sprint to China net. Hop 22 is a static route provided by GE with an IP of 3.3.3.2. Hop 23 is DoD Experimental IP space. Hop 24 is the host harassing me. Why would I see a static route from GE here and then DoD IP space? I am just curious as I think this is a strange path to get to the host that resides at hop 24. Please feel free to chime in with any ideas. I have no clue, again.

Thanks, Richard

  1     1 ms     1 ms     1 ms  10.10.10.1
  2    13 ms    11 ms    10 ms  10.20.0.1
  3     7 ms     7 ms     7 ms  vl2.aggr1.chgo.il.rcn.net [207.229.191.130]
  4     9 ms     7 ms     7 ms  tge3-1.border2.eqnx.il.rcn.net [207.172.19.159]
  5    10 ms     7 ms     7 ms  te-8-3.car3.Chicago1.Level3.net [4.71.101.73]
  6    10 ms    11 ms     7 ms  ae-1-51.edge3.Chicago3.Level3.net [4.68.101.20]
  7    11 ms     8 ms     7 ms  sl-st20-chi-5-0.sprintlink.net [144.232.19.173]
  8    10 ms    11 ms    12 ms  sl-crs2-chi-0-12-2-0.sprintlink.net [144.232.19.145]
  9    31 ms    33 ms    30 ms  sl-crs1-che-0-0-0-0.sprintlink.net [144.232.20.161]
 10    61 ms    58 ms    59 ms  sl-crs1-stk-0-0-0-1.sprintlink.net [144.232.20.241]
 11    68 ms    60 ms    75 ms  sl-crs2-sj-0-14-0-0.sprintlink.net [144.232.24.34]
 12    57 ms    59 ms    59 ms  sl-st20-sj-13-0-0.sprintlink.net [144.232.9.58]
 13   156 ms   154 ms   154 ms  sl-china1-7-0.sprintlink.net [144.223.242.126]
 14   337 ms   340 ms   339 ms  202.97.51.189
 15   352 ms   356 ms   364 ms  202.97.53.37
 16   340 ms   340 ms   340 ms  220.181.16.126
 17   357 ms   356 ms   355 ms  220.181.17.106
 18   354 ms   354 ms   356 ms  220.181.144.33
 19   348 ms   347 ms   351 ms  220.181.144.18
 20   349 ms   352 ms   351 ms  218.240.7.107
 21   349 ms   349 ms   353 ms  219.142.47.74
 22   350 ms   353 ms   349 ms  n003-000-000-000.static.ge.com [3.3.3.2]
 23     *      350 ms   352 ms  6.6.6.6
 24   351 ms   356 ms   353 ms  119.161.130.75
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
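As an added illustration (not code from the thread or from either poster), the following Python script parses either traceroute format shown above and flags hops whose address belongs to a network you would not expect on the path, which is the check behind Richard's question about the GE and DoD addresses. The owner table is constructed from the whois output and Richard's own descriptions of 3.3.3.2 and 6.6.6.6 rather than looked up live, and the sample input is an excerpt of his trace with one constructed timed-out line.

```python
import ipaddress
import re

# Owner table for the hops discussed above: the two APNIC blocks come from the
# whois output; GE and DoD are as Richard characterised them. Illustrative only.
PREFIX_OWNERS = {
    "119.161.128.0/17": "Beijing Capital Telecom (BJSKIDC)",
    "61.135.0.0/16": "CNCGROUP Beijing (CNCGROUP-BJ)",
    "3.0.0.0/8": "GE",
    "6.0.0.0/8": "DoD experimental",
}
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Excerpt of Richard's tracert output; hop 21 is a constructed timed-out line.
SAMPLE = """\
13   156 ms   154 ms   154 ms  sl-china1-7-0.sprintlink.net [144.223.242.126]
14   337 ms   340 ms   339 ms  202.97.51.189
21     *        *        *     Request timed out.
22   350 ms   353 ms   349 ms  n003-000-000-000.static.ge.com [3.3.3.2]
23     *      350 ms   352 ms  6.6.6.6
24   351 ms   356 ms   353 ms  119.161.130.75
"""

def parse_hops(text):
    """Return [(hop, ip_or_None)] for both trace formats in the thread."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if not m:
            continue  # header, blank or "Trace complete" lines
        # Hop address is the last dotted quad on the line; RTT columns have no dots.
        ips = IPV4_RE.findall(line)
        hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops

def owner_of(ip):
    """Name the network an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for prefix, name in PREFIX_OWNERS.items()
                 if addr in ipaddress.ip_network(prefix)), "unknown")

def unexpected_hops(text, expected_owners):
    """Hops whose owner is known but not expected on this path, e.g. the GE
    and DoD addresses that appear just before the destination."""
    flagged = []
    for hop, ip in parse_hops(text):
        who = owner_of(ip) if ip else "unknown"
        if who != "unknown" and who not in expected_owners:
            flagged.append((hop, ip, who))
    return flagged
```

Against the sample this reports hops 22 (GE) and 23 (DoD experimental) when only the destination's own network is listed as expected; feeding it a whole trace and a fuller prefix table gives a quick way to spot the kind of transit anomaly Paul attributes to route leakage.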
Current thread:
- Interesting routes, info appreciated.... Richard Golodner (Apr 20)
- Re: Interesting routes, info appreciated.... Paul Ferguson (Apr 20)
- Re: Interesting routes, info appreciated.... Paul Ferguson (Apr 20)
- Re: Interesting routes, info appreciated.... der Mouse (Apr 20)
- Re: Interesting routes, info appreciated.... Kaegler, Mike (Apr 21)