Re: Increase in RPC Port scans (portmap probes) (fwd)

From: Russell Fulton (r.fultonat_private)
Date: Thu Apr 19 2001 - 14:33:15 PDT


    > Heh Heh, Koreans are getting the bad rap.  Almost every time one of
    > our Honeynet systems gets whacked from a Korean site, it's actually
    > an Eastern European blackhat.  For example, our last Linux honeypot
    > that was hit came from an Elementary School based in Korea, however
    > they set up an IRC bot and were talking in Romanian.  We have also
    > seen the same for Croatian and Serbian channels.
    
    This is my impression too.  Most scans come from already compromised
    hosts (that's why I bother to report them).  Countries where knowledge
    of English (the lingua franca of the Internet, whether we like it or
    not) is limited have a very hard time of it because they can not
    understand vital messages that are sent to them warning them that they
    have been compromised.  (Assuming that their contact info was available
    and up to date.)  It recently occurred to me that the reports I send
    out must look just like the spam that pours into my inbox to someone
    who does not understand English.  In the case of Korea we have the
    aggravating factor that some bureaucrat in the school system decided to
    install Linux systems in all Korean schools *without* providing any
    technical support or follow up.  There must be 1000s of Red Hat 5.2
    systems each with 10 or so well known vulnerabilities.
    
    Before anyone decides to block 210.0.0.0/7, where most of these addresses
    are located, I would point out that many other countries share this
    block (NZ's largest ISP has most of their dialup addresses in
    210.55.0.0/16).
    
    BTW I have also noticed an increase in scans from India over the last
    couple of weeks, and I am also starting to see scans from Indonesia and
    other countries in the Asia Pacific region.  I am guessing that
    this is because the Internet is finally penetrating these regions and
    we are now seeing another new crop of naive administrators who are
    about to learn about security the hard way.  (I had a response from
    one Indian company who said they could not possibly be compromised
    because they had a firewall!  I wonder what the salesman told them :(  )
    
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
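The caveat in the message above (a /7 block-list entry that would also cut off an NZ ISP's dialup pool) is the kind of collateral-damage check worth automating before any broad CIDR block goes live. The following is an added example, not code from the post or from any tool it mentions; it uses Python's standard `ipaddress` module, and the scanner addresses and the legitimate-prefix list are constructed placeholders (only the 210.55.0.0/16 pool comes from the message).

```python
"""Review a proposed CIDR block-list entry for collateral damage before deploying it."""
import ipaddress

# Constructed sample data. The NZ dialup pool is the one cited in the message;
# the scanner addresses below are made-up placeholders, not real hosts.
KNOWN_LEGITIMATE = {
    "210.55.0.0/16": "NZ ISP dialup pool (cited in the message)",
}
OBSERVED_SCANNERS = [
    "210.100.1.2",   # constructed: inside 210.0.0.0/7
    "211.200.3.4",   # constructed: inside 210.0.0.0/7
    "203.0.113.9",   # constructed: outside the proposed block
]


def legitimate_overlaps(proposed, known=KNOWN_LEGITIMATE):
    """Return (prefix, note) pairs from `known` that overlap the proposed block."""
    block = ipaddress.ip_network(proposed, strict=False)
    return [
        (prefix, note)
        for prefix, note in known.items()
        if ipaddress.ip_network(prefix, strict=False).overlaps(block)
    ]


def review_block(proposed, scanners=OBSERVED_SCANNERS, known=KNOWN_LEGITIMATE):
    """Summarise what a block would catch and what legitimate space it would take down."""
    block = ipaddress.ip_network(proposed, strict=False)

    # Which of the observed scanning sources the block actually covers.
    covered = [ip for ip in scanners if ipaddress.ip_address(ip) in block]

    # How much known-legitimate address space would be blocked as a side effect.
    # When two networks overlap, one is always a subnet of the other, so the
    # blocked portion is the smaller of the two.
    legit = legitimate_overlaps(proposed, known)
    legit_addrs = 0
    for prefix, _ in legit:
        net = ipaddress.ip_network(prefix, strict=False)
        legit_addrs += min(net.num_addresses, block.num_addresses)

    return {
        "block": str(block),
        "addresses": block.num_addresses,
        "scanners_covered": covered,
        "legitimate_overlaps": legit,
        "legitimate_addresses_blocked": legit_addrs,
    }


if __name__ == "__main__":
    for candidate in ("210.0.0.0/7", "210.100.0.0/16"):
        report = review_block(candidate)
        print(f"{report['block']}: {report['addresses']} addresses, "
              f"catches {len(report['scanners_covered'])} scanner(s), "
              f"blocks {report['legitimate_addresses_blocked']} known-legitimate addresses")
        for prefix, note in report["legitimate_overlaps"]:
            print(f"  overlaps {prefix}: {note}")
```

Run against the /7 from the message, the report shows the block covers two of the three constructed scanners but also swallows the entire 65,536-address dialup pool; narrowing to the specific /16s the scanners actually sit in catches the same sources with no overlap. The legitimate-prefix table is the part to maintain: populate it from your own whois lookups, peering records and customer ranges rather than from a hard-coded list.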
    



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:09:43 PDT