Security Incidents mailing list archives
Re: Portscanning from 211.42.135.14
From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Tue, 15 Aug 2000 16:40:37 -0400
Korea Network Information Center is no more the IP owner than ARIN is for any North American IP. You need to go to the Korea NIC at whois.nic.or.kr or whois.krnic.net if it is in a Korean range. This is indicated in the reply you sent. That gets

# whois -h whois.nic.or.kr 211.42.135.14
Korea Internet Information Service V1.0 ( created by KRNIC, 1999.6 )

query: 211.42.135.14

* 한글 기관명에 대한 whois 조회는 웹(http://whois.nic.or.kr)에서 하시기 바랍니다.

조회하신 해당 IP주소는 아래의 가입기관에 할당된 블럭입니다.

# ENGLISH

IP Address : 211.42.135.0-211.42.135.255
Connect ISP Name : KOLNET
Connect Date : 2000.02.18
Registration Date: 20000221
Network Name : SHELLBNET

[ Organization Information ]
Orgnization ID : ORG100731
Name : SHELLBINET CO. LTD.
State : SEOUL
Address : 5F 158-27 TONGGYO-DONG MAPO-GU
Zip Code : 121-200

[ Admin Contact Information]
Name : PANWON KIM
Org Name : SHELLBINET CO. LTD.
State : SEOUL
Address : 5F 158-27 TONGGYO-DONG MAPO-GU
Zip Code : 121-200
Phone : +82-2-240-7759
Fax : +82-2-240-7759
E-Mail : kolnet () hitel net

[ Technical Contact Information ]
Name : PANWON KIM
Org Name : SHELLBINET CO. LTD.
Address : 5F 158-27 TONGGYO-DONG MAPO-GU
Zip Code : 121-200
Phone : +82-2-240-7759
Fax : +82-2-240-7759
E-Mail : kolnet () hitel net

# KOREAN

IP 주소 : 211.42.135.0-211.42.135.255
연결 ISP명 : KOLNET
ISP 연결날짜 : 2000.02.18
할당내역 등록일: 20000221
네트워크 이름 : SHELLBNET

[ IP 사용 기관 정보 ]
기관고유번호 : ORG100731
기관명 : 셀비넷
시도명 : 서울
주소 : 마포구 동교동 158-27 5층

[ 관리 책임자 인물 정보 ]
이름 : 김판원
기관명 : 셀비넷
시도명 : 서울
주소 : 마포구 동교동 158-27 5층
전화 번호 : +82-2-240-7759
Fax : +82-2-240-7759
전자 우편 : kolnet () hitel net

[ 실무 책임자 인물 정보 ]
이름 : 김판원
기관명 : 셀비넷
시도명 : 서울
주소 : 마포구 동교동 158-27 5층
전화 번호 : +82-2-240-7759
Fax : +82-2-240-7759
전자 우편 : kolnet () hitel net

Patrick Oonk <patrick () pine nl> on 08/14/2000 01:47:12 PM
Please respond to patrick () pine nl
To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: Portscanning from 211.42.135.14
On Mon, Aug 14, 2000 at 09:51:25AM -0400, Ben Ostrowsky wrote:
The following attempts appeared in our syslog recently:

Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14 port 1339
Aug 12 04:00:25 snoopy sshd[25585]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:00:25 snoopy sshd[25585]: fatal: Did not receive ident string.
Aug 12 04:00:36 snoopy sshd[25592]: log: Connection from 211.42.135.14 port 1349
Aug 12 04:00:36 snoopy sshd[25592]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:01:48 snoopy ftpd[25598]: lost connection to 211.42.135.14 [211.42.135.14]
Aug 12 04:01:48 snoopy sshd[25592]: fatal: Did not receive ident string.
Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy imapd[25586]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client address: Connection reset by peer
Aug 12 04:01:01 snoopy in.ftpd[25598]: connect from 211.42.135.14
Aug 12 04:01:52 snoopy in.telnetd[25711]: warning: can't get client address: Connection reset by peer
Aug 12 04:00:21 snoopy imapd[25582]: command stream end of file, while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:25 snoopy imapd[25586]: command stream end of file, while reading line user=??? host=[211.42.135.14]

I tried 'dig -x 211.42.135.14 soa' but got no useful information. I'm curious: does anyone know who just portscanned us? Does the pattern look familiar?

--
Ben Ostrowsky, Automation Services Technologist
Tampa Bay Library Consortium - http://www.tblc.org/
(patrick@atro /~) whois 211.42.135.14

% Rights restricted by copyright. See
% http://www.apnic.net/db/dbcopyright.html

inetnum: 211.42.0.0 - 211.51.255.255
netname: KRNIC-KR-23
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: WK1-AP
tech-c: SL119-AP
remarks: KRNIC Allocation Block
remarks: Authoritative Information regarding assignments and
remarks: allocations made from within this block can also be
remarks: queried at whois.nic.or.kr
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hostmaster () apnic net 19991118
source: APNIC

person: Weon Kim
address: Korea Network Information Center (KRNIC)
address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address: Seoul, 137-070, Republic of Korea
address: **************** Important Notice **********************
address: KRNIC is the National Internet Registry.
address: If you want to find detail assignment information
address: about above IP address, please use http://ipwhois.nic.or.kr
address: or "whois -h whois.nic.or.kr <ip address>"
address: *****************************************************
phone: +82-2-2186-4502
fax-no: +82-2-2186-4496
country: KR
e-mail: wkim () nic or kr
nic-hdl: WK1-AP
mnt-by: MNT-KRNIC-AP
changed: seungmin () nic or kr 20000222
source: APNIC

person: Seung-Min Lee
address: Korea Network Information Center (KRNIC)
address: Narajongkeum B/D 14F, 1328-3, Seocho-dong, Seocho-Ku
address: Seoul, 137-070, Republic of Korea
address: **************** Important Notice **********************
address: KRNIC is the National Internet Registry
address: If you want to find detail assignment information
address: about above IP address, please use http://ipwhois.nic.or.kr
address: or "whois -h whois.nic.or.kr <ip address>"
address: *****************************************************
phone: +82-2-2186-4506
fax-no: +82-2-2186-4496
country: KR
e-mail: seungmin () krnic net
nic-hdl: SL119-AP
mnt-by: MNT-KRNIC-AP
changed: seungmin () nic or kr 20000222
source: APNIC

--
Patrick Oonk - PO1-6BONE - patrick () pine nl - www.pine.nl/~patrick
Pine Internet - PAT31337-RIPE - PGPkeyID BE7497F1 - XOIP+31208723350
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://security.nl
PGP fingerprint A6 12 66 7F 22 84 1B E5 73 8C 99 F7 17 7B A3 98
Excuse of the day: Route flapping at the NAP.
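The lookup chain described in this message (the APNIC reply only names the block holder and points to whois.nic.or.kr for the actual assignment) can be followed automatically. This is an added example, not code from the thread: the function names, the hostname-matching heuristic and the whois.apnic.net starting point are assumptions, and the embedded reply is an excerpt of the one quoted above.

```python
import re
import socket

# Excerpt of the APNIC reply quoted in this thread (block-level allocation record).
APNIC_REPLY = """\
inetnum: 211.42.0.0 - 211.51.255.255
netname: KRNIC-KR-23
remarks: KRNIC Allocation Block
remarks: Authoritative Information regarding assignments and
remarks: allocations made from within this block can also be
remarks: queried at whois.nic.or.kr
source: APNIC
"""

# Assumption: a referral is any whois.* hostname on a remarks:/address: line.
# Registries word these hints freely, so this is a heuristic, not a standard.
HINT = re.compile(
    r"^(?:remarks|address):.*?\b(whois\.[a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I | re.M)

def referral_server(reply, current=None):
    """Return the first referred-to whois host other than `current`, or None."""
    for host in HINT.findall(reply):
        host = host.lower()
        if host != current:
            return host
    return None

def whois_query(server, query, timeout=10):
    """Plain whois exchange: send the query line on TCP/43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def most_specific_record(ip, server="whois.apnic.net", max_hops=3, query=whois_query):
    """Follow referrals downward; return (server, reply) of the last hop."""
    reply = query(server, ip)
    for _ in range(max_hops):
        nxt = referral_server(reply, current=server)
        if nxt is None:
            break
        server, reply = nxt, query(nxt, ip)
    return server, reply
```

The `query` parameter exists so the referral logic can be exercised against saved replies without touching the network.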