> Heh Heh, Koreans are getting the bad rap. Almost every time one of
> our Honeynet systems gets whacked from a Korean site, it's actually
> an Eastern European blackhat. For example, our last Linux honeypot
> that was hit came from an Elementary School based in Korea, however
> they set up an IRC bot and were talking in Romanian. We have also
> seen the same for Croatian and Serbian channels.

This is my impression too. Most scans come from already compromised hosts (that's why I bother to report them). Countries where knowledge of English (the lingua franca of the Internet, whether we like it or not) have a very hard time of it because they cannot understand vital messages that are sent to them warning them that they have been compromised. (Assuming that their contact info was available and up to date). It recently occurred to me that the reports I send out must look just like the spam that pours into my inbox to someone who does not understand English.

In the case of Korea we have the aggravating factor that some bureaucrat in the school system decided to install linux systems in all Korean schools *without* providing any technical support or follow up. There must be 1000s of redhat 5.2 systems each with 10 or so well known vulnerabilities.

Before anyone decides to block 210.0.0.0/7 where most of these addresses are located I would point out that many other countries share this block (NZ's largest ISP has most of their dialup addresses in 210.55.0.0/16).

BTW I have also noticed an increase in scans from India over the last couple of weeks, I am also starting to see scans from Indonesia and other countries in the Asia Pacific region. I am guessing that this is because the Internet is finally penetrating these regions and we are now seeing another new crop of naive administrators who are about to learn about security the hard way. (I had a response from one Indian company who said they could not possibly be compromised because they had a firewall! I wonder what the salesman told them :( )

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 10:09:43 PDT