RE: Kuang2 strikes again, is it just me?

From: Rob Shein (shoten@starpower.net)
Date: 02/16/03

    From: "Rob Shein" <shoten@starpower.net>
    To: "'Jeff Kell'" <jeff-kell@utc.edu>, "'Incidents'" <incidents@securityfocus.com>
    Date: Sat, 15 Feb 2003 23:02:48 -0500

    Ah, a honeypot...a good question comes to mind. Does anyone have any info
    on what a Kuang2 backdoor looks like to a scanner? I'd rather not install
    one myself and work to figure it out if anyone else has done the work
    already...

    > -----Original Message-----
    > From: Jeff Kell [mailto:jeff-kell@utc.edu]
    > Sent: Saturday, February 15, 2003 8:35 PM
    > To: Incidents
    > Subject: Kuang2 strikes again, is it just me?
    >
    >
    > Last Sunday (Feb 9) I reported a sudden flurry of scans on
    > tcp/17300 (the Kuang2 backdoor). I had 9 hits in an hour on
    > a cable modem, and 18 in all in the next 6 hours, then they
    > stopped. Nothing appeared on my radar screen at work where I
    > monitor a /18, a /22, and a /24
    > address block.
    >
    > Today looks like a revisit of similar probing. Home cable modem
    > reports (timezone EST, GMT-05:00), all directed at my tcp/17300:
    >
    > But once again, no sign of it at the office. Very strange.
    > Since the connection is never established, I don't know the
    > payload they are trying to deliver. Will try to set up a honeypot
    > on the port and see what comes up.
    >
    > Jeff
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >

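Added example (not from the thread or either poster): a small Python triage script for firewall report lines in the "date time src:port (rdns)" shape Jeff quoted, bucketing probes per clock hour and flagging the kind of burst he describes. The sample lines, RFC 5737 addresses and hostnames are constructed; the burst threshold of 9 per hour is taken from his "9 hits in an hour" and is an assumption, not a standard.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the "YYYY/MM/DD HH:MM:SS src:port (rdns)" shape of the
# home-firewall report in the thread; addresses are RFC 5737 documentation
# ranges and hostnames are invented, not the values Jeff posted.
SAMPLE_LOG = """\
2003/02/15 16:47:35 192.0.2.10:3149 (host-a.example.net)
2003/02/15 17:02:25 203.0.113.44:3222
2003/02/15 17:04:45 192.0.2.11:3702 (host-c.example.net)
2003/02/15 17:17:42 198.51.100.8:4835 (host-d.example.org)
2003/02/15 17:29:07 203.0.113.45:4285 (host-e.example.com)
2003/02/15 17:30:54 192.0.2.12:3842 (host-f.example.net)
2003/02/15 17:50:30 198.51.100.9:3882 (host-g.example.org)
2003/02/15 17:51:44 203.0.113.46:3343 (host-h.example.com)
2003/02/15 17:54:41 192.0.2.13:3020
2003/02/15 17:54:49 198.51.100.10:1321 (host-i.example.org)
2003/02/15 18:04:49 203.0.113.47:2900 (host-j.example.com)
2003/02/15 19:02:57 192.0.2.14:2436 (host-k.example.net)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
    r"(?: \((?P<rdns>[^)]*)\))?$"  # reverse DNS is optional
)

def parse_line(line):
    """Return (timestamp, src_ip, src_port, rdns or None), or None for non-records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, m.group("src"), int(m.group("sport")), m.group("rdns")

def probes_per_hour(log_text):
    """Count probe records per clock hour, keyed 'YYYY/MM/DD HH'."""
    hours = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec:
            hours[rec[0].strftime("%Y/%m/%d %H")] += 1
    return hours

def flag_bursts(log_text, threshold=9):
    """Hours whose probe count reaches the threshold (Jeff's '9 hits in an hour')."""
    return sorted(h for h, n in probes_per_hour(log_text).items() if n >= threshold)

def distinct_sources(log_text):
    """Distinct source IPs: many one-off sources points to a scanning population, not one host."""
    return len({rec[1] for rec in map(parse_line, log_text.splitlines()) if rec})
```

Feeding the script a longer capture and comparing `distinct_sources` with the total record count separates one persistent scanner from the spread-out, one-visit pattern seen in the report.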
