Serious Offshore Probes Detected & Defeated
We have had 11 extremely serious probes/attacks in the past 4 days on our "honey pot", and Shadow successfully detected and stopped all of them.

Extremely serious is defined by two conditions:
(1) Continuous communications (either UDP or TCP) received for more than 4 hours from an IP address listed below.
(2) An IP address that sent communications (TCP, UDP, or RAW), stopped, and then restarted them, repeatedly within a 12-hour period.
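As an added illustration (not part of this e-mail and not Shadow's own code), the two conditions above applied to a per-packet connection log; the log line format, the sample traffic and the 15-minute gap used to decide when a communication has "stopped" are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Thresholds from the e-mail's definition of "extremely serious".
CONTINUOUS = timedelta(hours=4)       # (1): continuous TCP/UDP for more than 4 h
RESTART_WINDOW = timedelta(hours=12)  # (2): stopped, then restarted within 12 h
# Assumption (not stated in the e-mail): packets from one source arriving no
# more than this far apart are treated as one continuous communication.
SESSION_GAP = timedelta(minutes=15)

def sessions_for(timestamps):
    """Split one source's sorted timestamps into (start, end) sessions at gaps > SESSION_GAP."""
    sessions, start, prev = [], timestamps[0], timestamps[0]
    for ts in timestamps[1:]:
        if ts - prev > SESSION_GAP:
            sessions.append((start, prev))
            start = ts
        prev = ts
    sessions.append((start, prev))
    return sessions

def classify(log_lines):
    """Return {src_ip: reason} for sources meeting (1) or (2); lines are 'ISO-ts src proto'."""
    by_src = defaultdict(list)
    for line in log_lines:
        ts, src, proto = line.split()
        if proto in ("TCP", "UDP", "RAW"):      # ICMP pings count for neither
            by_src[src].append((datetime.fromisoformat(ts), proto))
    flagged = {}
    for src, pkts in by_src.items():
        pkts.sort()
        tcp_udp = [ts for ts, p in pkts if p != "RAW"]   # (1) is TCP/UDP only
        if tcp_udp and max(e - s for s, e in sessions_for(tcp_udp)) > CONTINUOUS:
            flagged[src] = "continuous TCP/UDP for more than 4 h"
            continue
        sess = sessions_for([ts for ts, _ in pkts])      # (2) is TCP/UDP/RAW
        if any(s2 - e1 <= RESTART_WINDOW for (_, e1), (s2, _) in zip(sess, sess[1:])):
            flagged[src] = "stopped and restarted within 12 h"
    return flagged

# Constructed sample log (not real traffic), one packet per line:
SAMPLE_LOG = (
    # 198.51.100.7: a TCP packet every 10 min for 5 h -> meets condition (1)
    [f"2008-01-01T{h:02d}:{m:02d}:00 198.51.100.7 TCP" for h in range(5) for m in range(0, 60, 10)]
    # 203.0.113.9: RAW burst, silent 3 h, then restarts -> meets condition (2)
    + ["2008-01-01T01:00:00 203.0.113.9 RAW", "2008-01-01T01:05:00 203.0.113.9 RAW",
       "2008-01-01T04:10:00 203.0.113.9 RAW", "2008-01-01T04:12:00 203.0.113.9 RAW"]
    # 192.0.2.4: one ping and two UDP packets 5 min apart -> meets neither
    + ["2008-01-01T02:00:00 192.0.2.4 ICMP", "2008-01-01T02:01:00 192.0.2.4 UDP",
       "2008-01-01T02:06:00 192.0.2.4 UDP"]
)
```

Running `classify(SAMPLE_LOG)` flags the first two sources with their reason and leaves the brief ping-plus-UDP contact unflagged.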

We have provided very detailed information showing how we traced the point of origin of the probes/attacks to China and other non-US locations.

BACKGROUND
We are a Cyber Security Software firm and have been probed by offshore interests quite often since our genesis.

We have established a honey pot site on the Internet.

Using the Shadow Security Suite (our product) as the (only) security solution active on the web server/network, we have successfully detected and stopped the probes/attacks and traced the probes/attacks back to China and other non-US locations.

DETAILS
(1) There are seven active sites in China:

221.209.110.50 - CNCGROUP Heilongjiang province network -Mudanjiang
116.18.161.55 - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2 - Data Communication Division - Beijing
221.208.208.3 - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107 - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing
218.3.134.250 - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 has attempted the most intense attack, installing Remote Access JavaScripts as described in my previous e-mail on detecting the China attack methods. None of the seven sites above was successful against Shadow. All probes/attacks were detected and stopped.

(2) Shadow has been detecting and securing our web site/network against 5 simultaneous probes/attacks from China, each from a different city.

(3) We have been able to determine that the probes/attacks are evolving to a very advanced methodology which no longer depends on a successful ping (ICMP); they now start with a defined IP address and cycle through every possible address within the IP address range. As an example, a probe starts with "100.100.100.001", sends a UDP packet and/or TCP packet, then moves to "100.100.100.002", then "100.100.100.003", and so on.

(4) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61 - CPSOFT - Australia - No City Identified
81.188.3.50 - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11 - Shaw Communications - Canada - No City Identified


IMMEDIATE RECOMMENDATION
------------------------

1) Immediately block the following IP addresses within your network firewall(s) (this is a temporary fix, since these IP addresses change frequently):

121.18.13.107 <-- Most Dangerous Attack
221.209.110.50
116.18.161.55
219.148.119.2
221.208.208.3

2) If Shadow is not installed on a Microsoft server, turn off (disable) JavaScript immediately.


IP ADDRESSES DETECTED

The detailed information on each IP address is below.

---- China, Mudanjiang --------
IP Address : 221.209.110.50 [ 221.209.110.50 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

---- China, Guangzhou ---------
IP Address : 116.18.161.55 [ 116.18.161.55 ]
ISP : -
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East

---- China, Beijing -----------
IP Address : 219.148.119.2 [ 219.148.119.2 ]
ISP : Data Communication Division
Organization : CHINANET hebei province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----- China, Harbin -----------
IP Address : 221.208.208.3 [ 221.208.208.3 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

----- China, Hebei -----------
IP Address : 121.18.13.107 [ 121.18.13.107 ]
ISP : -
Organization : CNC Group Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East

----- China, Beijing ----------
IP Address : 125.76.238.164 [ 125.76.238.164 ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

---- China, Zhenjiang ------------------------
IP Address : 218.3.134.250 [ 218.3.134.250 ]
ISP : Data Communication Division
Organization : Network Center of Fast China Shipbuilding institut
Location : CN, China
City : Zhenjiang, 04 -
Latitude : 32°20'92" North
Longitude : 119°43'42" East

----- Korea, Seocho -----------
IP Address : 219.240.44.147 [ 219.240.44.147 ]
ISP : Hanaro Telecom Co.
Organization : Ilifezone
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

------ Australia ------------
IP Address : 138.79.215.61 [ 138.79.215.61 ]
ISP : CPSOFT
Organization : CPSOFT
Location : AU, Australia
City : -, - -
Latitude : 27°00'00" South
Longitude : 133°00'00" East

----- Belgium, Brussels -------
IP Address : 81.188.3.50 [ 81-188-3-50.sdsl.easynet.be ]
ISP : Easynet Belgium
Organization : Cypres
Location : BE, Belgium
City : Brussel, 11 -
Latitude : 50°83'33" North
Longitude : 4°33'33" East

----- Canada -------------------------
IP Address : 24.64.132.11 [ S010600095b0f1aa1.lb.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

Sincerely,

Jeff

Jeffrey E. Smith
Black Lab Security Systems, Inc
9250 Bendix Road, North Suite 225
Columbia, MD 21045

Toll Free: 888-352-1119
MD Lab: 410-878-2768
Direct: 301-685-3301
Fax: 410-988-2238
Mobile: 240-498-9043
eMail: jes@xxxxxxxxxxxxxxxxxxxx
Web: www.blacklabsecurity.com