Security Incidents mailing list archives
Re: Korea (was RE: ?)
From: patrick () PINE NL (Patrick Oonk)
Date: Fri, 28 Jan 2000 10:28:20 +0100
On Thu, Jan 27, 2000 at 12:55:05PM -0800, David Brumley wrote:
> Port 2222 is a rootshell left by the amd exploit. They may be trying to see which exploits succeeded, or just scouring for other hackers' boxes.

Another Korean scan. Did anyone EVER get ANY reply to an abuse report from Korea? Either Koreans cannot read English or they just don't care.

166.104.230.37 > 212.136.77.44

03:00:00.094228 empl.hanyang.ac.kr.850 > www.dje.nl.111: S 511210259:511210259(0) win 32120 (DF)
02:59:29.588554 empl.hanyang.ac.kr.4351 > www.dje.nl.143: S 488179806:488179806(0) win 32120 (DF)
02:59:29.589084 empl.hanyang.ac.kr.4353 > www.dje.nl.111: S 481606656:481606656(0) win 32120 (DF)
02:59:29.589344 empl.hanyang.ac.kr.4354 > www.dje.nl.2766: S 482159600:482159600(0) win 32120 (DF)
02:59:29.590194 empl.hanyang.ac.kr.4357 > www.dje.nl.22: S 480246035:480246035(0) win 32120 (DF)
02:59:29.590441 empl.hanyang.ac.kr.4358 > www.dje.nl.1114: S 482667113:482667113(0) win 32120 (DF)
02:59:29.590657 empl.hanyang.ac.kr.4359 > www.dje.nl.1: S 485237106:485237106(0) win 32120 (DF)
02:59:29.590927 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S 473507868:473507868(0) win 32120 (DF)
02:59:32.589898 empl.hanyang.ac.kr.4353 > www.dje.nl.111: S 481606656:481606656(0) win 32120 (DF)
02:59:32.591126 empl.hanyang.ac.kr.4357 > www.dje.nl.22: S 480246035:480246035(0) win 32120 (DF)
02:59:32.591447 empl.hanyang.ac.kr.4358 > www.dje.nl.1114: S 482667113:482667113(0) win 32120 (DF)
02:59:32.591673 empl.hanyang.ac.kr.4359 > www.dje.nl.1: S 485237106:485237106(0) win 32120 (DF)
02:59:32.591902 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S 473507868:473507868(0) win 32120 (DF)
02:59:38.582343 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S 473507868:473507868(0) win 32120 (DF)
02:59:38.582570 empl.hanyang.ac.kr.4359 > www.dje.nl.1: S 485237106:485237106(0) win 32120 (DF)
02:59:38.583428 empl.hanyang.ac.kr.4358 > www.dje.nl.1114: S 482667113:482667113(0) win 32120 (DF)
02:59:50.584803 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S 473507868:473507868(0) win 32120 (DF)
02:59:56.960683 empl.hanyang.ac.kr.4362 > www.dje.nl.1: S 516838789:516838789(0) win 32120 (DF)
02:59:57.510362 empl.hanyang.ac.kr.4363 > www.dje.nl.139: S 503946867:503946867(0) win 32120 (DF)

--
Patrick Oonk - PO1-6BONE - patrick () pine nl - www.pine.nl/~patrick
Pine Internet B.V. PINE31337-RIPE PGP key ID BE7497F1
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
---- Pine Security Digest - http://security.nl/ (Dutch) ----
Excuse of the day: Your excuse is: your keyboard's space bar is generating spurious keycodes.
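An added example, not part of the original post: a small Python triage script for tcpdump SYN lines in the format shown in the message above. It separates retransmitted SYNs (same source port and sequence number) from new probes and flags sources that hit many distinct ports. The function names, the `min_ports` threshold and the `client.example.net` line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the SYN lines in the post: "time src.port > dst.port: S seq:seq(0) ..."
SYN_RE = re.compile(
    r"^(?P<ts>[\d:.]+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): S (?P<seq>\d+):\d+\(0\)"
)

# First eight lines are copied from the capture in the post; the last line is a
# constructed benign connection (hypothetical host) for contrast.
SAMPLE = """\
02:59:29.588554 empl.hanyang.ac.kr.4351 > www.dje.nl.143: S 488179806:488179806(0) win 32120 (DF)
02:59:29.589084 empl.hanyang.ac.kr.4353 > www.dje.nl.111: S 481606656:481606656(0) win 32120 (DF)
02:59:29.589344 empl.hanyang.ac.kr.4354 > www.dje.nl.2766: S 482159600:482159600(0) win 32120 (DF)
02:59:29.590194 empl.hanyang.ac.kr.4357 > www.dje.nl.22: S 480246035:480246035(0) win 32120 (DF)
02:59:29.590927 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S 473507868:473507868(0) win 32120 (DF)
02:59:32.589898 empl.hanyang.ac.kr.4353 > www.dje.nl.111: S 481606656:481606656(0) win 32120 (DF)
02:59:32.591902 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S 473507868:473507868(0) win 32120 (DF)
02:59:38.582343 empl.hanyang.ac.kr.4360 > www.dje.nl.515: S 473507868:473507868(0) win 32120 (DF)
03:01:10.000001 client.example.net.1042 > www.dje.nl.80: S 1000:1000(0) win 8192
"""

def summarize_syns(text):
    """Per (src, dst): distinct destination ports and count of retransmitted SYNs."""
    seen = set()
    report = defaultdict(lambda: {"ports": set(), "retransmits": 0})
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if not m:
            continue  # not a SYN line in the expected format
        entry = report[(m["src"], m["dst"])]
        # Same source port and sequence number means the sender's TCP stack is
        # retrying an unanswered SYN, not opening a new probe.
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["seq"])
        if key in seen:
            entry["retransmits"] += 1
        else:
            seen.add(key)
            entry["ports"].add(int(m["dport"]))
    return report

def find_scanners(text, min_ports=5):
    """Flag (src, dst) pairs that sent SYNs to at least min_ports distinct ports."""
    return {pair: sorted(e["ports"])
            for pair, e in summarize_syns(text).items()
            if len(e["ports"]) >= min_ports}

if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE).items():
        print(f"{src} -> {dst}: {len(ports)} ports {ports}")
```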