Re: Kuang2 strikes again, is it just me?

From: Jeff (spam-fighter@bigfoot.com)
Date: 02/16/03

    From: "Jeff" <spam-fighter@bigfoot.com>
    To: "Jeff Kell" <jeff-kell@utc.edu>, "Incidents" <incidents@securityfocus.com>
    Date: Sun, 16 Feb 2003 12:39:10 -0500
    
    

    "Jeff Kell" <jeff-kell@utc.edu> wrote to <incidents@securityfocus.com> on
    Sat, 15 Feb 2003 at 20:35:02 -0500:

    > Last Sunday (Feb 9) I reported a sudden flurry of scans on tcp/17300
    > (the Kuang2 backdoor). I had 9 hits in an hour on a cable modem, and
    > 18 in all in the next 6 hours, then they stopped. Nothing appeared
    > on my radar screen at work where I monitor a /18, a /22, and a /24
    > address block.
    >
    > Today looks like a revisit of similar probing. Home cable modem
    > reports (timezone EST, GMT-05:00), all directed at my tcp/17300:
    8<

    No, it's not just you. I have seen (via Symantec Desktop Firewall) the
    following similar tcp/17300 hits on my home cable modem since 10/12/2002
    12:51:51 (most recent first, timezone EST, GMT-05:00, condensed):


    I have condensed "Unused port blocking has blocked communications. Details:
    Inbound TCP connection
    Remote address,local service is" and ",17300" from each line.

    Best Regards, Jeff.
