Security Incidents mailing list archives
Sub-Seven and NetBus port scans from HK and KR
From: "Ralf G. R. Bergs" <rabe () RWTH-Aachen DE>
Date: Sat, 24 Feb 2001 09:03:38 +0100
Hi there,

I just noticed port scans for trojans from HK and KR on two different hosts on the same class C:

Feb 24 03:27:12 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=9335 F=0x4000 T=105 SYN (# 53)
Feb 24 03:27:15 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=12919 F=0x4000 T=105 SYN (# 53)
Feb 24 03:27:15 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4579 <my host>:27374 L=48 S=0x00 I=13943 F=0x4000 T=105 SYN (# 53)
Feb 24 03:27:21 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=25463 F=0x4000 T=105 SYN (# 53)
Feb 24 03:27:21 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4579 <my host>:27374 L=48 S=0x00 I=25719 F=0x4000 T=105 SYN (# 53)
Feb 24 03:27:33 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4580 <my host>:12345 L=48 S=0x00 I=49783 F=0x4000 T=105 SYN (# 53)
Feb 24 03:27:33 WWW kernel: Packet log: input DENY eth0 PROTO=6 208.167.251.64:4579 <my host>:27374 L=48 S=0x00 I=50039 F=0x4000 T=105 SYN (# 53)

HONG KONG TELECOM IMS LTD (NETBLK-CW-208-167-224)
   22/F, TOWER II, GRAND CENTRAL PLAZA
   SHATIN, N.T., HK

   Netname: CW-208-167-224
   Netblock: 208.167.224.0 - 208.167.255.255

   Coordinator:
      Chan, Selleck (SC18-ARIN) selleck () NETVIGATOR COM
      28837164

Feb 24 07:12:49 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=42958 F=0x4000 T=105 SYN (# 53)
Feb 24 07:12:49 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=43214 F=0x4000 T=105 SYN (# 53)
Feb 24 07:12:52 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=48846 F=0x4000 T=105 SYN (# 53)
Feb 24 07:12:52 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=49358 F=0x4000 T=105 SYN (# 53)
Feb 24 07:12:58 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=60110 F=0x4000 T=105 SYN (# 53)
Feb 24 07:12:58 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=60366 F=0x4000 T=105 SYN (# 53)
Feb 24 07:13:10 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3895 <my host 2>:27374 L=48 S=0x00 I=22991 F=0x4000 T=105 SYN (# 53)
Feb 24 07:13:10 WWW kernel: Packet log: input DENY eth0 PROTO=6 165.229.79.22:3896 <my host 2>:12345 L=48 S=0x00 I=23247 F=0x4000 T=105 SYN (# 53)

Yeungnam University (NET-YNUNET-B)
   Computer Center 214, Dae-dong, Kyungsan-si
   Kyungsangpook-do, 712-749
   Korea

   Netname: YNUNET-B
   Netblock: 165.229.0.0 - 165.229.255.255

   Coordinator:
      ChulGu, Kang (KC12-ARIN) [No mailbox]
      +82-53-810-3661

I've reported the incidents to the coordinators and the KR CERT.

Ralf

--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/         The  Choice     /V\
                                            of a  GNU      /( )\
                                            Generation     ^^-^^
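Added example, not part of the original post: a small parser for the ipchains "Packet log" format shown above that counts, per source address, denied TCP SYNs aimed at the two ports seen in these logs. The port-to-name mapping (12345 for NetBus, 27374 for SubSeven) and the sample lines with documentation addresses are assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Default listener ports of the two trojans named in the subject line.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven"}

# ipchains log layout: chain, verdict, interface, protocol number, src:port,
# dst:port, then L= (length) S= (TOS) I= (IP id) F= (frag) T= (TTL) [SYN].
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[^:]+):(?P<dport>\d+) L=\d+ S=\S+ I=(?P<ipid>\d+) "
    r"F=\S+ T=(?P<ttl>\d+)(?P<syn> SYN)?"
)

def parse(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def trojan_probes(lines):
    """Map source IP -> {trojan name: count of denied TCP SYNs to its port}."""
    hits = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        name = TROJAN_PORTS.get(rec["dport"])
        if name and rec["verdict"] == "DENY" and rec["proto"] == 6 and rec["syn"]:
            hits[rec["src"]][name] += 1
    return {src: dict(counts) for src, counts in hits.items()}

# Constructed sample (documentation addresses, not the hosts from the post).
# The last two lines must be ignored: a telnet probe, and UDP rather than TCP.
PFX = "Feb 24 03:27:12 WWW kernel: Packet log: input DENY eth0 "
SAMPLE = [
    PFX + "PROTO=6 198.51.100.7:4580 192.0.2.10:12345 L=48 S=0x00 I=9335 F=0x4000 T=105 SYN (# 53)",
    PFX + "PROTO=6 198.51.100.7:4579 192.0.2.10:27374 L=48 S=0x00 I=13943 F=0x4000 T=105 SYN (# 53)",
    PFX + "PROTO=6 198.51.100.7:4580 192.0.2.10:12345 L=48 S=0x00 I=12919 F=0x4000 T=105 SYN (# 53)",
    PFX + "PROTO=6 203.0.113.9:1042 192.0.2.10:23 L=44 S=0x00 I=511 F=0x0000 T=52 SYN (# 53)",
    PFX + "PROTO=17 203.0.113.9:1043 <my host 2>:27374 L=40 S=0x00 I=512 F=0x0000 T=52 (# 53)",
]

if __name__ == "__main__":
    for src, counts in trojan_probes(SAMPLE).items():
        print(src, counts)
```

A source that hits both ports within seconds, as both scanners in the post do, shows up with two keys in its result.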