Security Incidents mailing list archives

Strange network activity


From: "Roach4" <ml () undergroundportal com>
Date: Fri, 16 Apr 2004 10:38:37 -0400 (EDT)

Hi,

Yesterday we noticed some strange traffic from some internal machines
trying to contact Japanese IP addresses on port 54875, like 300 times a
second. We left the office without worrying too much and we came back this
morning to see that there were external Japanese IP addresses that were
querying internal machines for the RPC vulnerability.

This kind of activity has now spread in various sites (worldwide) of our
company.

Here is a log sample from one of our routers:

tcp xxx.xxx.xxx.xxx:4364     10.136.11.218:4364    133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4365     10.136.11.218:4365    133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4366     10.136.11.218:4366    133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4368     10.136.11.218:4368    133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4369     10.136.11.218:4369    133.41.133.109:54875 133.41.133.109:54875
tcp xxx.xxx.xxx.xxx:4370     10.136.11.218:4370    133.41.133.109:54875 133.41.133.109:54875

This IP address resolves to whyme.geol.sci.hiroshima-u.ac.jp

Now, if you try to connect to this IP address on port 80 you get to the
Department of Earth and Planetary Systems Science, Graduate School of
Science at Hiroshima University webpage ... If you try to connect to
133.41.133.109 on port 6667 you get to an IRC server: irc.foonet.com. But
the MOTD is stating this:
*** Welcome to the ROXnet IRC Network
Also, *** There are 41 users and 864 invisible on 1 servers.
I did a /list and I get only two channels. On #R0S3s there are a couple of
bots that don't look like something legitimate.


That is kinda strange, isn't it? Anyways, do any of you have an idea of what
is going on?


Thanks,

Roach4
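A defender's check suggested by the router sample above, added here as example code that is not part of the original post: it parses lines in the shape of that sample (assumed to be a NAT translation table: protocol, inside global, inside local, outside local, outside global) and flags any inside host holding many translations to one outside socket with near-sequential source ports, which is what a machine opening connections in a tight loop leaves behind. All addresses in the sample are constructed; 203.0.113.5 stands in for the masked xxx.xxx.xxx.xxx address.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the router output quoted in the post
# (assumed NAT translation table: proto, inside global, inside local,
# outside local, outside global). 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
tcp 203.0.113.5:4364  10.136.11.218:4364  198.51.100.9:54875  198.51.100.9:54875
tcp 203.0.113.5:4365  10.136.11.218:4365  198.51.100.9:54875  198.51.100.9:54875
tcp 203.0.113.5:4366  10.136.11.218:4366  198.51.100.9:54875  198.51.100.9:54875
tcp 203.0.113.5:4368  10.136.11.218:4368  198.51.100.9:54875  198.51.100.9:54875
tcp 203.0.113.5:4369  10.136.11.218:4369  198.51.100.9:54875  198.51.100.9:54875
tcp 203.0.113.5:4370  10.136.11.218:4370  198.51.100.9:54875  198.51.100.9:54875
tcp 203.0.113.5:1052  10.136.11.40:1052   198.51.100.20:80    198.51.100.20:80
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<in_global>[\d.]+):(?P<in_gport>\d+)\s+"
    r"(?P<in_local>[\d.]+):(?P<in_lport>\d+)\s+"
    r"(?P<out_local>[\d.]+):(?P<out_lport>\d+)\s+"
    r"(?P<out_global>[\d.]+):(?P<out_gport>\d+)$"
)

def parse_translations(text):
    """Return one dict per well-formed translation line; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def find_flooding_hosts(text, min_flows=5):
    """Map (inside host, outside ip, outside port) -> (flows, lowest port,
    highest port) for inside hosts with at least min_flows translations to
    one outside socket whose source ports are near-sequential (e.g. 4364..4370)."""
    ports_by_peer = defaultdict(list)
    for t in parse_translations(text):
        key = (t["in_local"], t["out_global"], int(t["out_gport"]))
        ports_by_peer[key].append(int(t["in_lport"]))
    hits = {}
    for key, ports in ports_by_peer.items():
        ports.sort()
        span = ports[-1] - ports[0] + 1   # width of the source-port run
        if len(ports) >= min_flows and span <= 2 * len(ports):
            hits[key] = (len(ports), ports[0], ports[-1])
    return hits
```

Run it over a full translation table dump rather than the six lines in the post; a single browsing host spreads its flows across many peers and is not reported.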
