Security Incidents mailing list archives
dos from .kr, plus some classic .kr irresponsibility
From: Jason Storm <sec () ORGONE NEGATION NET>
Date: Fri, 4 Aug 2000 17:11:42 -0700
Around 4:12 pm PST Friday afternoon, one of my hosts received the following DoS:

16:12:10.343933 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.344762 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.345121 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.346720 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.347080 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply
16:12:10.348603 zenon.hanyang.ac.kr > [deleted]: icmp: echo request
16:12:10.348950 [deleted] > zenon.hanyang.ac.kr: icmp: echo reply

etc etc etc.

The attacking box is Linux, without even the vaguest effort to disable standard services, at least two of which appear to be script kiddie-able, and has a few strange priv'd ports open.

The reason you are reading this right now: ARIN whois reports:

Hanyang University (NET-HY-NET)
   Computer Center
   17 Haengdang-dong, Sungdong-gu
   Seoul, 133-791
   Korea

   Netname: HY-NET
   Netnumber: 166.104.0.0

   Coordinator:
      Chung, Yongki (YC3-ARIN) ykjung () HYUEE HANYANG AC KR
      +82-2-290-1416

   Domain System inverse mapping provided by:

   HYNETM.HANYANG.AC.KR 166.104.105.38

   Record last updated on 12-Jun-1995.
   Database last updated on 4-Aug-2000 06:53:19 EDT.

The punchline:

   ----- The following addresses had permanent fatal errors -----
<ykjung () hyuee hanyang ac kr>

   ----- Transcript of session follows -----
... while talking to hyuee.hanyang.ac.kr.:
RCPT To:<ykjung () hyuee hanyang ac kr>
<<< 550 <ykjung () hyuee hanyang ac kr>... User unknown
550 <ykjung () hyuee hanyang ac kr>... User unknown

I can forgive people for admin'ing rootable boxes. I can forgive people for letting their boxes be involved in attacks. But what type of clownshow can't even maintain an ARIN contact?

I mean really; for a long time I thought the whole .kr security fiasco was just growing pains over there, but does anyone else get the uneasy suspicion that they just don't take this shit seriously?

-Jason Storm
negation industries