RE: Kuang2 strikes again, is it just me?
From: Rob Shein (shoten@starpower.net)
Date: 02/16/03
- Previous message: Jeff Kell: "Kuang2 strikes again, is it just me?"
- In reply to: Jeff Kell: "Kuang2 strikes again, is it just me?"
- Next in thread: Paul Dokas: "Re: Kuang2 strikes again, is it just me?"
- Reply: Paul Dokas: "Re: Kuang2 strikes again, is it just me?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Rob Shein" <shoten@starpower.net> To: "'Jeff Kell'" <jeff-kell@utc.edu>, "'Incidents'" <incidents@securityfocus.com> Date: Sat, 15 Feb 2003 23:02:48 -0500
Ah, a honeypot...a good question comes to mind. Does anyone have any info
on what a Kuang2 backdoor looks like to a scanner? I'd rather not install
one myself and work to figure it out if anyone else has done the work
already...
> -----Original Message-----
> From: Jeff Kell [mailto:jeff-kell@utc.edu]
> Sent: Saturday, February 15, 2003 8:35 PM
> To: Incidents
> Subject: Kuang2 strikes again, is it just me?
>
>
> Last Sunday (Feb 9) I reported a sudden flurry of scans on
> tcp/17300 (the Kuang2 backdoor). I had 9 hits in an hour on
> a cable modem, and 18 in all in the next 6 hours, then they
> stopped. Nothing appeared on my radar screen at work where I
> monitor a /18, a /22, and a /24
> address block.
>
> Today looks like a revisit of similar probing. Home cable modem
> reports (timezone EST, GMT-05:00), all directed at my tcp/17300:
>
> 2003/02/15 16:47:35 81.65.242.15:3149 (m15.net81-65-242.noos.fr)
> 2003/02/15 16:47:35 211.28.41.112:4970
> (c17758.rivrw1.nsw.optusnet.com.au)
> 2003/02/15 17:02:25 213.226.66.79:3222
> (hd5e2424f.gavlegardarna.gavle.to)
> 2003/02/15 17:04:45 213.98.218.209:3702
> (213-98-218-209.uc.nombres.ttd.es)
> 2003/02/15 17:17:42 62.178.112.57:4835
> (chello062178112057.10.12.vie.surfer.at)
> 2003/02/15 17:29:07 212.181.67.244:4285 (sagan-67-244.ip-pluggen.com)
> 2003/02/15 17:30:54 213.46.66.21:3842 (d66021.upc-d.chello.nl)
> 2003/02/15 17:50:30 213.200.153.133:3882
> (c213-200-153-133.cm-upc.chello.se)
> 2003/02/15 17:51:44 212.187.116.244:3343
> (c116244.upc-c.chello.nl) 2003/02/15 17:54:41
> 212.114.214.226:3020 (DSL01-214226.NEFkom.net)
> 2003/02/15 17:54:49 213.10.93.27:1321 (ipd50a5d1b.speed.planet.nl)
> 2003/02/15 18:04:49 80.38.58.157:2900
> (157.Red-80-38-58.pooles.rima-tde.net)
> 2003/02/15 18:30:53 217.215.175.113:1768
> (as11-4-4.ehn.lk.bonet.se) 2003/02/15 18:38:30 211.222.249.106:4230
> 2003/02/15 19:02:57 213.67.117.218:2436 (h218n1fls13o893.telia.com)
> 2003/02/15 19:22:48 66.72.61.20:4358
> (adsl-66-72-61-20.dsl.gdrpmi.ameritech.net)
> 2003/02/15 19:25:08 24.185.30.193:1829
> (ool-18b91ec1.dyn.optonline.net)
> 2003/02/15 19:35:22 213.66.82.38:4059 (h38n1fls33o863.telia.com)
>
> But once again, no sign of it at the office. Very strange.
> Since the connection is never established, I don't know the
> payload they are
> trying to deliver. Will try to setup a honeypot on the port
> and see what comes up.
>
> Jeff
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus ARIS analyzer
> service. For more information on this free incident handling,
> management
> and tracking system please see: http://aris.securityfocus.com
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Next message: Johannes Ullrich: "Re: Kuang2 strikes again, is it just me?"
- Previous message: Jeff Kell: "Kuang2 strikes again, is it just me?"
- In reply to: Jeff Kell: "Kuang2 strikes again, is it just me?"
- Next in thread: Paul Dokas: "Re: Kuang2 strikes again, is it just me?"
- Reply: Paul Dokas: "Re: Kuang2 strikes again, is it just me?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
