Subject: RE: black hat .cn networks

No, and I stated as much in my original post, despite the angst. One of the attacks planted a worm which in turn planted a series of indexes claiming to be part of the Chinese offensive. It affects HTML and ASP files. The original connection attempt on that box came from a Czechoslovakian host, and the tftp host that the worm grabbed the scripts from was actually in Canada. Other hosts that were attacked in the same timeframe came from Mapquest, rutgers.edu, and a non-DNS-qualified APNIC host. This doesn't "prove" or disprove anything. Could be Czechs, could be Americans, could be Chinese, could be anyone.

I'm not necessarily a proponent of blocking netblocks or blackholing them from a routing perspective on a large network, but I am more than happy to block the offending hosts personally from my internal networks, and do.

The tftp server that was serving up the scripts for the NT worm was 205.205.117.6 FYI.

The linux exploit (different hosts and exploits altogether from the NT hacks, obviously) seemed to have gotten in on the htdig package (3.1.5-6mdk), not apache as I originally expected. I haven't found the script/kit yet, but I did find out that something fully opened up UDP port 4265. Since she's unplugged, I can't grok what was listening on that port at the moment. I'm highly tempted to try to hook it back up after some tweaking and let it run as a honeypot for a few days or until I can nail down what is lurking on there and watch how they're doing their work & see if I can grab more goods on who they are and where their backdoor connects to.

More in a bit.

Justin Hinderliter

----- Original Message -----
From: Paul Lantinga
To: 'Justin Hinderliter'
Cc: nanog@merit.edu
Sent: Tuesday, May 08, 2001 12:39 AM
Subject: RE: black hat .cn networks

> -----Original Message-----
> From: Justin Hinderliter
>
> > The past week I've seen attacks increase 5-fold, mostly 111/udp attacks [snip]
>
> Justin, et al, do you have any *proof* that these attacks are coming from Chinese attackers on Chinese machines? If so, look for commonalities amongst the attacks such as common netblocks etc. If not, the hype could probably be routed into the round file. Attacks happen all the time to the good and the bad. We still need good documentation and due diligence.
>
> Until then, join "North America Nonblocking Oriental Groups"
>
> -Paul Lantinga
> --
> Pretty much guaranteed that these are solely my opinions
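Paul's suggestion of looking for commonalities amongst the attacks (common netblocks and the like) before attributing them to a country is the kind of thing that is easy to do mechanically. The script below is an added example, not code from either poster: it parses a few constructed connection-log lines in a simple "timestamp src -> dst:port/proto" format (an assumed layout, not any particular firewall's), collapses sources to their /24, and reports whether one netblock or one service such as 111/udp dominates the hits. Every address in the sample is from the documentation ranges.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not taken from the thread): one connection
# attempt per line in an assumed "timestamp src_ip -> dst_ip:port/proto" form.
SAMPLE_LOG = """\
2001-05-07T22:01:10 203.0.113.17 -> 192.0.2.10:111/udp
2001-05-07T22:01:12 203.0.113.44 -> 192.0.2.10:111/udp
2001-05-07T22:03:40 203.0.113.91 -> 192.0.2.11:111/udp
2001-05-07T22:05:02 198.51.100.8 -> 192.0.2.10:80/tcp
2001-05-07T22:07:55 203.0.113.17 -> 192.0.2.12:111/udp
2001-05-07T22:09:31 198.51.100.23 -> 192.0.2.10:69/udp
2001-05-07T22:11:07 192.0.2.200 -> 192.0.2.10:111/udp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)/(?P<proto>tcp|udp)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def netblock(ip, prefix=24):
    """Collapse a source address to its enclosing /prefix network."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def summarize(events, prefix=24):
    """Return (hits per netblock, hits per service, distinct sources per netblock)."""
    by_block = Counter(netblock(e["src"], prefix) for e in events)
    by_service = Counter(f"{e['port']}/{e['proto']}" for e in events)
    sources = defaultdict(set)
    for e in events:
        sources[netblock(e["src"], prefix)].add(e["src"])
    return by_block, by_service, {b: len(s) for b, s in sources.items()}


def dominant_netblock(events, prefix=24, min_share=0.5):
    """Return the netblock behind at least min_share of the events, or None.

    A single /24 behind half the attempts is a concrete commonality to chase
    (whois, abuse contact, a targeted block) instead of a whole country.
    """
    if not events:
        return None
    by_block, _, _ = summarize(events, prefix)
    block, hits = by_block.most_common(1)[0]
    return block if hits / len(events) >= min_share else None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    blocks, services, distinct = summarize(evs)
    print("hits per /24:", blocks.most_common())
    print("distinct sources per /24:", distinct)
    print("hits per service:", services.most_common())
    print("dominant /24:", dominant_netblock(evs))
```

On the constructed sample, 111/udp accounts for five of seven attempts and 203.0.113.0/24 for four of them (from three distinct hosts), so that one netblock, rather than a nationality, is what the data actually supports following up on. Raising the prefix to /16 or swapping in an ASN lookup for `netblock` is the natural next step on real logs.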