Security Basics mailing list archives

Re: Serious Offshore Probes Detected & Defeated
From: "David J. Bianco" <david () vorant com>
Date: Mon, 01 Oct 2007 14:49:01 -0400

Hello, Jeffrey.  I don't wish to sound too skeptical about your findings,
but I have a few questions about your findings.  I have inserted them
into the text below.

jes1 () comcast net wrote:
> DETAILS
> (1) There are seven active sites in China:
>
> 221.209.110.50 - CNCGROUP Heilongjiang province network - Mudanjiang
> 116.18.161.55  - ChinaNet Guangdong Province Network - Guangzhou
> 219.148.119.2  - Data Communication Division - Beijing
> 221.208.208.3  - CNCGROUP Heilongjiang province network - Mudanjiang
> 121.18.13.107  - CNC Group Hebei province network - Hebei
> 125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing
> 218.3.134.250  - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang
>
> Of the seven sites listed above, 121.18.13.107 has attempted the most intense attack, installing Remote Access Java
> Scripts as defined in my previous e-mail on detecting the China attack methods.  None of the seven sites above were
> successful against Shadow. All probes/attacks were detected and stopped.

Could you elaborate on the types of attacks you're seeing?  "Installing
Remote Access Java Scripts" is not quite as useful without knowing how they
are attempting to do that.  Was there a specific exploit they tried to
use to deface your website, or a certain misconfiguration they were
taking advantage of?

> (2) Shadow has been detecting and securing our web site/network from 5 simultaneous probes/attacks from China, each
> from a different city in China.

Sorry, but five doesn't seem to be a very high number.  I see lots of
probes every day, many more than five.  Also, can I assume that these
look more like automated, mass attacks rather than something more targeted
to the organization?

> (3) We have been able to determine that the probes/attacks are evolving to a very advanced methodology, which no longer
> depends on a successful ping (ICMP), and now starts with a defined IP address and cycles through every possible IP
> combination within the IP address range.  As an example, a probe starts with "100.100.100.001", launches a UDP packet
> and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", so forth and so on.

I assume that you're not trying to say that you've just discovered how
port sweeps work.  Most mass attack tools work the way you describe.
If this is the state of your art, could that explain the low number for
#2?  Or is there something else here that your writeup didn't really
make clear?


> (4) The other probes/attacks were from the following:
>
> 219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
> 138.79.215.61  - CPSOFT - Australia - No City Identified
> 81.188.3.50    - Easynet Belgium, Cypres - Belgium - Brussel
> 24.64.132.11   - Shaw Communications - Canada - No City Identified

Again, without some information about what probes and attacks you saw
from these addresses, I have no way to evaluate the seriousness of
the activity.  Would you care to elaborate?

        David
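Point (3) above describes a sequential sweep of an address range with UDP/TCP probes and no preceding ICMP ping. As an added example (not code from either correspondent, and not a description of the Shadow product), the following Python flags that pattern from a defender's side: it reads constructed firewall-log lines in a hypothetical `<ts> <action> <proto> <src> <dst>:<dport>` format and reports any source that hits a run of consecutive destination addresses within a short window, regardless of protocol.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines in a hypothetical "<ts> <action> <proto> <src> <dst>:<dport>" format.
SAMPLE_LOG = """\
2007-10-01T14:00:01 DROP UDP 203.0.113.5 100.100.100.1:137
2007-10-01T14:00:01 DROP TCP 203.0.113.5 100.100.100.2:445
2007-10-01T14:00:02 DROP TCP 203.0.113.5 100.100.100.3:445
2007-10-01T14:00:02 DROP UDP 203.0.113.5 100.100.100.4:137
2007-10-01T14:00:03 DROP TCP 203.0.113.5 100.100.100.5:445
2007-10-01T14:00:09 DROP TCP 192.0.2.7 100.100.100.20:80
"""
LINE_RE = re.compile(r"^(\S+) \S+ (TCP|UDP) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}):\d+$")

def parse(line):
    """Parse one log line; the destination is kept as an integer so adjacency is arithmetic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proto, src, dst = m.groups()
    return {"ts": datetime.fromisoformat(ts), "proto": proto, "src": src,
            "dst": int(ipaddress.IPv4Address(dst))}

def longest_run(sorted_ints):
    """Return (start, length) of the longest run of consecutive integers."""
    best, run_start, run_len = (sorted_ints[0], 1), sorted_ints[0], 1
    for prev, cur in zip(sorted_ints, sorted_ints[1:]):
        run_start, run_len = (run_start, run_len + 1) if cur == prev + 1 else (cur, 1)
        if run_len > best[1]:
            best = (run_start, run_len)
    return best

def detect_sweeps(log_text, min_hosts=4, window_s=60):
    """Flag sources that probe >= min_hosts consecutive addresses within window_s seconds."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        by_src[rec["src"]].append(rec)
    alerts = {}
    for src, recs in by_src.items():
        start, length = longest_run(sorted({r["dst"] for r in recs}))
        if length >= min_hosts:  # scattered targets below this are not a sequential sweep
            hit = [r for r in recs if start <= r["dst"] < start + length]
            span = (max(r["ts"] for r in hit) - min(r["ts"] for r in hit)).total_seconds()
            if span <= window_s:
                alerts[src] = {"first": str(ipaddress.IPv4Address(start)),
                               "last": str(ipaddress.IPv4Address(start + length - 1)),
                               "hosts": length, "protocols": sorted({r["proto"] for r in hit})}
    return alerts
```

With the sample above, 203.0.113.5 is reported for sweeping 100.100.100.1 through .5 over both TCP and UDP, while 192.0.2.7 (one host, one address) is not.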