funsec mailing list archives

Re: Interesting routes, info appreciated....


From: Paul Ferguson <fergdawgster () gmail com>
Date: Mon, 20 Apr 2009 17:17:01 -0700


Looks like route leakage in China between CNCGROUP Beijing & Beijing
Capital Telecom (where your miscreant is located).

TraceRoute to 119.161.130.75

Hop     (ms)    (ms)    (ms)            IP Address      Host name

[snip]

3       17      21      11              4.68.19.12      ae-1-69.edge2.dallas3.level3.net
4       8       7       7               144.232.24.29   sl-st30-dal-0-5-2-0.sprintlink.net
5       15      13      9               144.232.20.253  sl-crs2-fw-0-6-5-0.sprintlink.net
6       52      51      40              144.232.20.131  sl-crs1-ana-0-9-3-0.sprintlink.net
7       40      45      40              144.232.0.37    sl-gw29-ana-0-0-0.sprintlink.net
8       222     218     220             160.81.147.166  sl-china6-1-0.sprintlink.net
9       242     240     241             219.158.3.245   -
10      263     259     259             219.158.4.81    -
11      273     280     280             202.96.12.190   -
12      258     257     257             61.148.155.42   -
13      276     274     282             61.148.146.198  -
14      275     274     274             202.106.203.18  bt-203-018.bta.net.cn
15      279     276     277             61.49.35.202    -
16      294     294     274             61.135.192.114  -
17      Timed out       Timed out       Timed out                       -
18      317     317     299             6.6.6.6         -
19      266     266     271             119.161.130.75  -

Trace complete


inetnum: 119.161.128.0 - 119.161.255.255
netname: BJSKIDC
descr: Beijing Capital Telecom Co.,LTD
descr: No.B2-2809 Phoenix Town
descr: No.5 ShuguangLi. Chaoyang District. Beijing
country: CN
admin-c: WC889-AP
tech-c: HJ811-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: hm-changed () apnic net 20080226
status: ALLOCATED PORTABLE
source: APNIC

inetnum: 61.135.0.0 - 61.135.255.255
netname: CNCGROUP-BJ
descr: CNCGROUP Beijing province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: SY21-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-BJ
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
changed: hm-changed () apnic net 20031112
changed: hm-changed () apnic net 20040927
changed: hm-changed () apnic net 20050112
changed: hm-changed () apnic net 20060124
source: APNIC

-- ferg




On Mon, Apr 20, 2009 at 2:24 PM, Richard Golodner
<rgolodner () infratection com> wrote:

I see in my log files that I get probed from 119.161.130.75 on an
almost hourly basis (make dumb joke here), udp port scans, brute force
password attempts, nothing too out of the ordinary, which is why I ask
for help from the funsec community. Check out this log and tell me what
is going on here.

Hop 12 is the handoff from Sprint to China net.

Hop 22 is a static route provided by GE with an IP of 3.3.3.2

Hop 23 is DoD Experimental IP space

Hop 24 is the host harassing me.

Why would I see a static route from GE here and then DoD IP space? I am
just curious as I think this is a strange path to get to the host that
resides at hop 24.

Please feel free to chime in with any ideas. I have no clue, again.

Thanks, Richard





  1     1 ms     1 ms     1 ms  10.10.10.1
  2    13 ms    11 ms    10 ms  10.20.0.1
  3     7 ms     7 ms     7 ms  vl2.aggr1.chgo.il.rcn.net [207.229.191.130]
  4     9 ms     7 ms     7 ms  tge3-1.border2.eqnx.il.rcn.net [207.172.19.159]
  5    10 ms     7 ms     7 ms  te-8-3.car3.Chicago1.Level3.net [4.71.101.73]
  6    10 ms    11 ms     7 ms  ae-1-51.edge3.Chicago3.Level3.net [4.68.101.20]
  7    11 ms     8 ms     7 ms  sl-st20-chi-5-0.sprintlink.net [144.232.19.173]
  8    10 ms    11 ms    12 ms  sl-crs2-chi-0-12-2-0.sprintlink.net [144.232.19.145]
  9    31 ms    33 ms    30 ms  sl-crs1-che-0-0-0-0.sprintlink.net [144.232.20.161]
 10    61 ms    58 ms    59 ms  sl-crs1-stk-0-0-0-1.sprintlink.net [144.232.20.241]
 11    68 ms    60 ms    75 ms  sl-crs2-sj-0-14-0-0.sprintlink.net [144.232.24.34]
 12    57 ms    59 ms    59 ms  sl-st20-sj-13-0-0.sprintlink.net [144.232.9.58]
 13   156 ms   154 ms   154 ms  sl-china1-7-0.sprintlink.net [144.223.242.126]
 14   337 ms   340 ms   339 ms  202.97.51.189
 15   352 ms   356 ms   364 ms  202.97.53.37
 16   340 ms   340 ms   340 ms  220.181.16.126
 17   357 ms   356 ms   355 ms  220.181.17.106
 18   354 ms   354 ms   356 ms  220.181.144.33
 19   348 ms   347 ms   351 ms  220.181.144.18
 20   349 ms   352 ms   351 ms  218.240.7.107
 21   349 ms   349 ms   353 ms  219.142.47.74
 22   350 ms   353 ms   349 ms  n003-000-000-000.static.ge.com [3.3.3.2]
 23     *      350 ms   352 ms  6.6.6.6
 24   351 ms   356 ms   353 ms  119.161.130.75

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.





-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
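As an added example (not code from the thread or its authors), a small Python parser for Richard's tracert output that re-joins the wrapped `[ip]` lines, takes the median RTT per hop, and flags the pattern he asks about: a hop whose address is registered to a different country than the previous hop while the round-trip time barely moves. The allocation table is constructed from the whois records and hop annotations in the thread, not a live registry lookup.

```python
import ipaddress
import re
import statistics
from collections import namedtuple
# Constructed allocation table from the whois records and hop annotations in
# this thread (not a live RIR lookup): (network, registrant, country).
ALLOCATIONS = [
    (ipaddress.ip_network("3.0.0.0/8"), "GE static", "US"),
    (ipaddress.ip_network("6.0.0.0/8"), "DoD experimental", "US"),
    (ipaddress.ip_network("61.135.0.0/16"), "CNCGROUP-BJ", "CN"),
    (ipaddress.ip_network("119.161.128.0/17"), "BJSKIDC", "CN"),
]
# Hop lines excerpted from Richard's tracert, wrapped as the archive shows them.
SAMPLE = """\
 13   156 ms   154 ms   154 ms  sl-china1-7-0.sprintlink.net
[144.223.242.126]
 21   349 ms   349 ms   353 ms  219.142.47.74
 22   350 ms   353 ms   349 ms  n003-000-000-000.static.ge.com [3.3.3.2]
 23     *      350 ms   352 ms  6.6.6.6
 24   351 ms   356 ms   353 ms  119.161.130.75
"""
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*?)\s*$")
Hop = namedtuple("Hop", "hop ip rtt_ms org cc")  # rtt_ms: median reply, None if all timed out

def lookup(ip):
    addr = ipaddress.ip_address(ip)  # ("unknown", "?") when no table entry covers it
    return next(((org, cc) for net, org, cc in ALLOCATIONS if addr in net),
                ("unknown", "?"))

def parse_tracert(text):
    lines = []
    for raw in text.splitlines():  # re-join "[ip]" lines the archive wrapped
        if raw.startswith("[") and lines:
            lines[-1] += " " + raw
        elif raw.strip():
            lines.append(raw)
    hops = []
    for m in filter(None, map(HOP_RE.match, lines)):
        rtts = [int(x) for x in re.findall(r"(\d+) ms", m.group(2))]
        ipm = re.search(r"\[([\d.]+)\]$", m.group(3))  # "host [ip]" or bare ip
        ip = ipm.group(1) if ipm else m.group(3)
        rtt = statistics.median(rtts) if rtts else None
        hops.append(Hop(int(m.group(1)), ip, rtt, *lookup(ip)))
    return hops

def flag_jumps(hops, max_delta_ms=20):
    """Hops whose registered country differs from the previous hop's while the
    median RTT moves under max_delta_ms: new owner on paper, same place on the wire."""
    return [cur.hop for prev, cur in zip(hops, hops[1:])
            if None not in (prev.rtt_ms, cur.rtt_ms) and cur.cc != prev.cc
            and abs(cur.rtt_ms - prev.rtt_ms) < max_delta_ms]
```

On the excerpt, hops 22 and 24 are flagged: the GE and DoD addresses sit at the same ~350 ms as the Beijing hops on either side, so the addresses change registrant without the packets going anywhere new.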

