Home page logo

nanog logo nanog mailing list archives

Re: black hat .cn networks
From: "Justin Hinderliter" <justin () interaccess com>
Date: Tue, 8 May 2001 17:13:03 -0500

RE: black hat .cn networksNo, and I stated as much in my original post,
despite the angst.  One of the attacks planted worm shich in turn planted a
series of indexes claiming to be part of the Chinese offensive.  It affects
HTML and ASP files.  The original connection attempt on that box came from a
Czechoslovakian host, and the tftp host that the worm grabbed the scripts
from was actually in Canada.  Othere hosts that were attacked in the same
timeframe came from Mapquest, rutgers,edu, and a non-DNS-qualified APNIC
host.  This doesn't "prove" or disprove anything.  Could be Czechs, could be
Americans, could be Chinese, could be anyone.   I'm not necessarily a
proponent of blocking netblocks or blackholing them from a routing
perspective on a large network, but I am more than happy to block the
offending hosts personally from my internal networks, and do.

The tftp server that was serving up the scripts for the NT worm was FYI.

The linux exploit (different hosts and exploits altogether from the NT
hacks, obviously) seemed to have gotten in on htdig package (3.1.5-6mdk),
not apache as I originally expected.  I haven't found the script/kit yet,
but I did find out that something fully opened up UDP port 4265.  Since
she's unplugged, I can't grok what was listening on that port at the moment.
I'm highly tempted to try to hook it back up after some tweaking and let it
run as a honeypot for a few days or until I can nail down what is lurking on
there and watch how they're doing their work & see if I can grab more goods
on who they are and where their backdoor connects to.

More in a bit.

Justin Hinderliter

----- Original Message -----

From: Paul Lantinga
To: 'Justin Hinderliter'
Cc: nanog () merit edu
Sent: Tuesday, May 08, 2001 12:39 AM
Subject: RE: black hat .cn networks

-----Original Message-----
From: Justin Hinderliter
The past week i've seen attacks increase 5-fold, mostly
111/udp attacks
Justin, et al, do you have any *proof* that these attacks are coming from
Chinese attackers on Chinese >machines?  If so, look for commonalities
amongst the attacks such as common netblocks etc.  If not, the hype >could
probably be routed into the round file.  Attacks happen all the time to the
good and the bad.  We still need >good documentation and due diligence.
Until then, join "North America Nonblocking Oriental Groups"
-Paul Lantinga
Pretty much guaranteed that these are solely my opinions

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]