Re: black hat .cn networks
From: "Justin Hinderliter" <justin () interaccess com>
Date: Tue, 8 May 2001 17:13:03 -0500
No, and I stated as much in my original post,
despite the angst. One of the attacks planted a worm which in turn planted a
series of indexes claiming to be part of the Chinese offensive. It affects
HTML and ASP files. The original connection attempt on that box came from a
Czechoslovakian host, and the tftp host that the worm grabbed the scripts
from was actually in Canada. Other hosts that were attacked in the same
timeframe came from Mapquest, rutgers.edu, and a non-DNS-qualified APNIC
host. This doesn't "prove" or disprove anything. Could be Czechs, could be
Americans, could be Chinese, could be anyone. I'm not necessarily a
proponent of blocking netblocks or blackholing them from a routing
perspective on a large network, but I am more than happy to block the
offending hosts personally from my internal networks, and do.
The tftp server that was serving up the scripts for the NT worm was
The Linux exploit (different hosts and exploits altogether from the NT
hacks, obviously) seemed to have gotten in on the htdig package (3.1.5-6mdk),
not apache as I originally expected. I haven't found the script/kit yet,
but I did find out that something fully opened up UDP port 4265. Since
she's unplugged, I can't grok what was listening on that port at the moment.
I'm highly tempted to try to hook it back up after some tweaking and let it
run as a honeypot for a few days or until I can nail down what is lurking on
there and watch how they're doing their work & see if I can grab more goods
on who they are and where their backdoor connects to.
More in a bit.
----- Original Message -----
From: Paul Lantinga
To: 'Justin Hinderliter'
Cc: nanog () merit edu
Sent: Tuesday, May 08, 2001 12:39 AM
Subject: RE: black hat .cn networks
From: Justin Hinderliter
> The past week I've seen attacks increase 5-fold, mostly
Justin, et al, do you have any *proof* that these attacks are coming from
Chinese attackers on Chinese machines? If so, look for commonalities
amongst the attacks such as common netblocks etc. If not, the hype could
probably be routed into the round file. Attacks happen all the time to the
good and the bad. We still need good documentation and due diligence.
Until then, join "North America Nonblocking Oriental Groups"
Pretty much guaranteed that these are solely my opinions