Incidents: 02-17-02.01
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb 17 14:57:51 greatwall snort: [1:0:0] TCP to 22 ssh {TCP}
210.97.51.3:4076 -> 12.82.132.164:22
Feb 17 14:57:54 greatwall snort: [1:0:0] TCP to 22 ssh {TCP}
210.97.51.3:4076 -> 12.82.132.164:22
Feb 17 14:57:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
210.97.51.3:4076 12.82.132.164:22 L=60 S=0x00 I=65038 F=0x4000 T=43 SYN (#64)
Feb 17 14:57:54 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
210.97.51.3:4076 12.82.132.164:22 L=60 S=0x00 I=150 F=0x4000 T=43 SYN (#64)
Sun Feb 17 14:57:51 2002 210.97.51.3 [22 hops]: Linux 2.2.9 - 2.2.18
+ 210.97.51.3:4076 -> 12.82.132.164:22 (timestamp: 128464290 @1013986671)
Sun Feb 17 14:57:54 2002 210.97.51.3 [22 hops]: Linux 2.2.9 - 2.2.18
+ 210.97.51.3:4076 -> 12.82.132.164:22 (timestamp: 128464590 @1013986674)
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
% Rights restricted by copyright. See http://www.apnic.net/db/dbcopyright.html
% (whois7.apnic.net)
inetnum: 210.96.0.0 - 210.97.191.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
# ENGLISH
IP Address : 210.97.51.0-210.97.51.255
Network Name : SUSONG-DISTRICT
Connect ISP Name : PUBNET
Connect Date : 980807
Registration Date : 19980810
[ Organization Information ]
Orgnization ID : ORG30540
Org Name : Susong District of Taegu
State : TAEGU
Address : 238-3 Bomo1-dong Susong-gu
Zip Code : 706-011
[ Admin Contact Information]
Name : Taekun Lee
Org Name : Susong District of Taegu
State : TAEGU
Address : 238-3 Bomo1-dong Susong-gu
Zip Code : 706-011
Phone : 053-740-0300
Fax : 053-756-6791
E-Mail : taekun@gu.susong.taegu.kr
[ Technical Contact Information ]
Name : Taekun Lee
Org Name : Susong District of Taegu
State : TAEGU
Address : 238-3 Bomo1-dong Susong-gu
Zip Code : 706-011
Phone : 053-740-0300
Fax : 053-756-6791
E-Mail : taekun@gu.susong.taegu.kr
Feb 17 15:00:18 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP}
204.118.20.101:137 -> 12.82.132.164:137
Feb 17 15:00:21 greatwall last message repeated 2 times
Feb 17 15:00:18 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
204.118.20.101:137 12.82.132.164:137 L=78 S=0x00 I=6234 F=0x0000 T=114 (#26)
Feb 17 15:00:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
204.118.20.101:137 12.82.132.164:137 L=78 S=0x00 I=6252 F=0x0000 T=115 (#26)
Feb 17 15:00:21 greatwall kernel: Packet log: input DENY ppp0 PROTO=17
204.118.20.101:137 12.82.132.164:137 L=78 S=0x00 I=6270 F=0x0000 T=115 (#26)
Request: 204.118.20.101
connecting to whois.arin.net [192.149.252.22:43] ...
US Sprint (NETBLK-SPRINT-BLKB)
13221 Woodland Pk. Rd
Herndon, VA 22071
US
Netname: SPRINT-BLKB
Netblock: 204.117.0.0 - 204.120.255.255
Maintainer: SPRN
Coordinator:
Sprintlink (Sprint) (SPRINT-NOC-ARIN) NOC@SPRINT.NET
800-232-6895
Domain System inverse mapping provided by:
NS1-AUTH.SPRINTLINK.NET   206.228.179.10
NS2-AUTH.SPRINTLINK.NET   144.228.254.10
NS3-AUTH.SPRINTLINK.NET   144.228.255.10
Feb 17 15:01:53 greatwall snort: [1:0:0] TCP to 515 lpr {TCP}
64.238.109.77:3615 -> 12.82.132.164:515
Feb 17 15:01:53 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
64.238.109.77:3615 12.82.132.164:515 L=60 S=0x00 I=10087 F=0x4000 T=47 SYN (#64)
Sun Feb 17 15:01:53 2002 64.238.109.77 [18 hops]: Linux 2.2.9 - 2.2.18
+ 64.238.109.77:3615 -> 12.82.132.164:515 (timestamp: 52808515 @1013986913)
Request: 64.238.109.77
connecting to whois.arin.net [192.149.252.22:43] ...
Cbeyond Communications (NETBLK-CBEY-64-238-96-0)
320 Interstate Parkway
Atlanta, GA 30339
US
Netname: CBEY-64-238-96-0
Netblock: 64.238.96.0 - 64.238.127.255
Maintainer: CBEY
Coordinator:
Dimayuga, Miguel (MD911-ARIN) miguel.dimayuga@cbeyond.net
678.424.2400 +63 2 635-5601 ext. 5250 (FAX) 678.424.2513
Domain System inverse mapping provided by:
TO.CBEYOND.NET         64.213.152.24
INFINITY.CBEYOND.NET   63.104.33.19
http to 64.238.109.77:
"Test Page
This page is used to test the proper operation of the Apache Web server after
it has been installed. If you can read this page, it means that the Apache
Web server installed at this site is working properly."
So this guy's been cracked, and his box is doing tcp:515 probes for a fairly common lpr vulnerability...
Note that this is the same IP address as the probe to tcp 22 ssh, above, except that now he's playing around on tcp:111 sunrpc ;-)
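As an added example (not code from this page or its author), here is a small Python parser for the two syslog formats shown above, the snort alert line and the ipchains "Packet log: ... DENY" line, which correlates both by source address so that a host hopping between services (ssh, then sunrpc, as noted above) stands out. The sample lines are this page's own log entries, re-joined onto single lines as syslog originally wrote them.

```python
import re
from collections import defaultdict

# Constructed sample: the snort and ipchains lines from this page, one event per line.
SAMPLE_LOG = """\
Feb 17 14:57:51 greatwall snort: [1:0:0] TCP to 22 ssh {TCP} 210.97.51.3:4076 -> 12.82.132.164:22
Feb 17 14:57:51 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 210.97.51.3:4076 12.82.132.164:22 L=60 S=0x00 I=65038 F=0x4000 T=43 SYN (#64)
Feb 17 15:00:18 greatwall snort: [1:0:0] UDP to 137 netBIOS ns {UDP} 204.118.20.101:137 -> 12.82.132.164:137
Feb 17 15:00:18 greatwall kernel: Packet log: input DENY ppp0 PROTO=17 204.118.20.101:137 12.82.132.164:137 L=78 S=0x00 I=6234 F=0x0000 T=114 (#26)
Feb 17 15:01:53 greatwall snort: [1:0:0] TCP to 515 lpr {TCP} 64.238.109.77:3615 -> 12.82.132.164:515
Feb 17 15:01:53 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 64.238.109.77:3615 12.82.132.164:515 L=60 S=0x00 I=10087 F=0x4000 T=47 SYN (#64)
Feb 17 15:02:35 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP} 210.97.51.3:3139 -> 12.82.132.164:111
Feb 17 15:02:35 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 210.97.51.3:3139 12.82.132.164:111 L=60 S=0x00 I=31762 F=0x4000 T=43 SYN (#64)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# snort syslog alert: "[gid:sid:rev] msg {PROTO} src:sport -> dst:dport"
SNORT_RE = re.compile(
    TS + r" \S+ snort: \[[\d:]+\] (?P<msg>.+?) \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# ipchains -l kernel log: "Packet log: chain ACTION iface PROTO=n src:sport dst:dport ... (#rule)"
KERNEL_RE = re.compile(
    TS + r" \S+ kernel: Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\w+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) .* T=(?P<ttl>\d+)(?: (?P<flags>SYN))? \(#(?P<rule>\d+)\)$")
PROTO_NAMES = {"6": "TCP", "17": "UDP", "1": "ICMP"}  # IP protocol numbers as ipchains logs them


def parse_line(line):
    """Normalise a snort alert or an ipchains deny line into one event dict, else None."""
    for source, rx in (("snort", SNORT_RE), ("kernel", KERNEL_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["source"] = source
            ev["proto"] = PROTO_NAMES.get(ev["proto"], ev["proto"])  # "6" -> "TCP"; "TCP" stays
            return ev
    return None


def summarize(text):
    """Map each source IP to the sorted set of (proto, dport) it touched; the set dedupes snort/kernel pairs."""
    touched = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            touched[ev["src"]].add((ev["proto"], int(ev["dport"])))
    return {src: sorted(ports) for src, ports in touched.items()}


def multi_port_sources(summary):
    """Sources that probed more than one service, like the ssh-then-sunrpc host above."""
    return sorted(src for src, ports in summary.items() if len(ports) > 1)
```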
Feb 17 15:02:35 greatwall snort: [1:0:0] TCP to 111 sunrpc {TCP}
210.97.51.3:3139 -> 12.82.132.164:111
Feb 17 15:02:35 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
210.97.51.3:3139 12.82.132.164:111 L=60 S=0x00 I=31762 F=0x4000 T=43 SYN (#64)
Sun Feb 17 15:02:35 2002 210.97.51.3 [22 hops]: Linux 2.2.9 - 2.2.18
+ 210.97.51.3:3139 -> 12.82.132.164:111 (timestamp: 128492676 @1013986955)
This page last preened by Webmaster jsage@finchhaven.com on:
Last modified: Mon Feb 18 08:53:27 2002