RE: Serious Offshore Probes Detected & Defeated
From: "Murda Mcloud" <murdamcloud () bigpond com>
Date: Wed, 3 Oct 2007 11:48:28 +1000
Also, could you clarify how you arrived at the coordinates for the Australia
IP Address : 188.8.131.52 [ 184.108.40.206 ]
ISP : CPSOFT
Organization : CPSOFT
Location : AU, Australia
City : -, - -
Latitude : 27°00'00" South
Longitude : 133°00'00" East
That puts it in a pretty remote region of South Australia. Looks like a
mining area. I'm intrigued.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of David J. Bianco
Sent: Tuesday, October 02, 2007 4:49 AM
To: jes1 () comcast net
Cc: security-basics () securityfocus com
Subject: Re: Serious Offshore Probes Detected & Defeated
Hello, Jeffrey. I don't wish to sound too skeptical about your findings,
but I have a few questions about your findings. I have inserted them
into the text below.
jes1 () comcast net wrote:
(1) There are seven active sites in China:
220.127.116.11 - CNCGROUP Heilongjiang province network -Mudanjiang
18.104.22.168 - ChinaNet Guangdong Province Network - Guangzhou
22.214.171.124 - Data Communication Division - Beijing
126.96.36.199 - CNCGROUP Heilongjiang province network - Mudanjiang
188.8.131.52 - CNC Group Hebei province network - Hebei
184.108.40.206 - CHINANET Shanxi(SN) province network - Beijing
220.127.116.11 - Data Communication Division, Network Center of East China Shipbuilding Institute - Zhenjiang
Of the seven sites listed above, 18.104.22.168 has attempted the most
intense attack, installing Remote Access Java Scripts as defined in my
previous e-mail on detecting the China attack methods. None of the seven
sites above were successful against Shadow. All probes/attacks were detected
Could you elaborate on the types of attacks you're seeing? "Installing
Remote Access Java Scripts" is not quite as useful without knowing how they
are attempting to do that. Was there a specific exploit they tried to
use to deface your website, or a certain misconfiguration they were
taking advantage of?
(2) Shadow has been detecting and securing our web site/network from 5
simultaneous probes/attacks from China, each from a different city in China.
Sorry, but five doesn't seem to be a very high number. I see lots of
probes every day, much more than five. Also, can I assume that these
look more like automated, mass attacks rather than something more targeted
to the organization?
(3) We have been able to determine that the probes/attacks are evolving to a
very advanced methodology, which no longer depends on a successful ping
(ICMP); they now start with a defined IP address and cycle through every
possible IP combination within the IP address range. As an example, a probe
starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then
goes to "100.100.100.002", then "100.100.100.003", and so forth.
I assume that you're not trying to say that you've just discovered how
port sweeps work. Most mass attack tools work the way you describe.
If this is the state of your art, could that explain the low number for
#2? Or is there something else here that your writeup didn't really
(4) The other probes/attacks were from the following:
22.214.171.124 - Hanaro Telecom Co. - South Korea - Seocho
126.96.36.199 - CPSOFT - Australia - No City Identified
188.8.131.52 - Easynet Belgium, Cypres - Belgium - Brussel
184.108.40.206 - Shaw Communications - Canada - No City Identified
Again, without some information about what probes and attacks you saw
from these addresses, I have no way to evaluate the seriousness of
the activity. Would you care to elaborate?
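Item (3) of the quoted report describes a scanner that walks an address range sequentially with UDP/TCP probes and does not rely on ICMP first; David's reply notes this is how ordinary mass-scanning tools behave. As an added example (not code from anyone in this thread), the following Python picks that pattern out of firewall logs: it groups TCP/UDP destinations per source and flags sources whose destinations include a run of consecutive addresses. The log format, field names and the sample lines are constructed for the example.

```python
"""Flag sources that sweep consecutive addresses with TCP/UDP (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall lines (not from the thread): 203.0.113.9 walks
# 192.0.2.1 .. 192.0.2.4 with UDP/TCP and never sends ICMP; 198.51.100.7 is
# a normal client plus one stray ICMP packet, which the detector ignores.
SAMPLE_LOG = """\
2007-10-02T04:49:01 DENY UDP src=203.0.113.9 dst=192.0.2.1 dport=53
2007-10-02T04:49:01 DENY TCP src=203.0.113.9 dst=192.0.2.2 dport=80
2007-10-02T04:49:02 DENY UDP src=203.0.113.9 dst=192.0.2.3 dport=53
2007-10-02T04:49:02 DENY TCP src=203.0.113.9 dst=192.0.2.4 dport=80
2007-10-02T04:50:10 ALLOW TCP src=198.51.100.7 dst=192.0.2.2 dport=443
2007-10-02T04:50:11 ALLOW TCP src=198.51.100.7 dst=192.0.2.2 dport=443
2007-10-02T04:50:12 DENY ICMP src=198.51.100.7 dst=192.0.2.9 dport=0
"""

# Hypothetical log layout: "<ts> <action> <proto> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def parse_log(text):
    """Yield (src, dst, proto) for each line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["proto"]


def longest_consecutive_run(addrs):
    """Length of the longest run of numerically adjacent IPv4 addresses."""
    ints = sorted({int(ipaddress.ip_address(a)) for a in addrs})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sweepers(text, min_run=4):
    """Map source -> run length for sources whose TCP/UDP destinations
    (ICMP deliberately excluded) contain >= min_run consecutive addresses."""
    dests = defaultdict(set)
    for src, dst, proto in parse_log(text):
        if proto in ("TCP", "UDP"):
            dests[src].add(dst)
    runs = {src: longest_consecutive_run(d) for src, d in dests.items()}
    return {src: n for src, n in runs.items() if n >= min_run}
```

Tune `min_run` to the noise level of the network; a short run from a busy legitimate client is common, a long ascending walk across unused addresses is not.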