Re: Increase in RPC Port scans (portmap probes) (fwd)

From: Russell Fulton (r.fultonat_private)
Date: Thu Apr 19 2001 - 14:33:15 PDT

Next message: Mike Tibor: "Re: Weird Broadcast Traffic"

Previous message: Joseph Nicholas Yarbrough: "Re: Increase in Sun RPC Scans"
In reply to: Alfred Huger: "Re: Increase in RPC Port scans (portmap probes) (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Heh Heh, Koreans are getting the bad rap.  Almost everytime one of
> our Honeynet systems gets whacked from a Korean site, its actually
> a Eastern European blackhat.  For example, our last Linux honeypot
> that was hit came from an Elementary School based in Korea, however
> they setup an IRC bot and were talking in Romanian.  We have also
> seen the same for Croation and Serbian channels.

This is my impression to.  Most scans come from already compromised
hosts (that's why I bother to report them).  Countries where knowledge
of English (the linga franca of the Internet, whether we like it or
not) have a very hard time of it because they can not understand vital
messages that are sent to them warning them that they have been
compromised.  (Assuming that their contact info was available and up to
date).  It recently occurred to me that the reports I send out must
look just like the spam the pours into my inbox to someone who does not
understand English.  In the case of Korea we have the aggravating factor
that some bureaucrat in the school system decided to install linux
systems in all Korean schools *without* providing any technical support
or follow up.  There must be 1000s of redhat 5.2 systems each with 10
or so well known vulnerabilities.

Before anyone decided to block 210.0.0.0/7 where most of these address
are located I would point out that many other countries share this
block (NZ's largest ISP has most of their dialup addresses in
210.55.0.0\16).

BTW I have also notice an increase in scans from India over the last
couple of weeks, I am also starting to see scans from Indonesia and
and other countries in the Asia Pacific region.  I am guessing that
this is because the Internet is finally penetrating these regions and
we are now seeing new another crop of naive administrators who are
about to learn about security the hard way.  ( I had a response from
one Indian company who said they could not possibly be compromised
because they had a firewall!  I wonder what the salesman told them :(  )


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

Next message: Mike Tibor: "Re: Weird Broadcast Traffic"
Previous message: Joseph Nicholas Yarbrough: "Re: Increase in Sun RPC Scans"
In reply to: Alfred Huger: "Re: Increase in RPC Port scans (portmap probes) (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:09:43 PDT