Another incident of hack attempts from a Chinese host

From: Eric Kimminau (ericat_private)
Date: Mon Apr 23 2001 - 15:01:35 PDT


    I don't want to hear any of this stuff about "we just register the
    netblock. We don't have anything to do with administering that host",
    which is what I have gotten for the last 4 hack incidents I have
    reported.
    
    It appears that a Romanian-based hacker has compromised this host and
    is currently logged in as "operator".
    
    > finger @202.100.13.34
    [202.100.13.34]
    Login     Name       Tty   Idle  Login Time   Office     Office Phone
    operator  operator   /2          Apr 24 03:36 (12dial134.xnet.ro)
    
    > finger operatorat_private
    [202.100.13.34]
    Login: operator                         Name: operator
    Directory: /root                        Shell: /bin/sh
    On since Tue Apr 24 03:36 (CST) on pts/2 from 12dial134.xnet.ro
       13 seconds idle
    No mail.
    No Plan.
    
    Apr 23 16:11:02 1E:dns snort[228859]: spp_portscan: PORTSCAN DETECTED
    from 202.100.13.34 (THRESHOLD 3 connections exceeded in 4 seconds)
    Apr 23 16:14:50 1E:dns snort[228859]: spp_portscan: portscan status
    from 202.100.13.34: 4 connections across 4 hosts: TCP(4), UDP(0)
    Apr 23 16:15:01 1E:dns snort[228859]: spp_portscan: End of portscan
    from 202.100.13.34: TOTAL time(4s) hosts(4) TCP(4) UDP(0)
    
    [**] spp_portscan: PORTSCAN DETECTED from 202.100.13.34 (THRESHOLD 3
    connections exceeded in 4 seconds) [**]
    [**] spp_portscan: portscan status from 202.100.13.34: 4 connections
    across 4 hosts: TCP(4), UDP(0) [**]
    [**] spp_portscan: End of portscan from 202.100.13.34: TOTAL time(4s)
    hosts(4) TCP(4) UDP(0) [**]
    
    Apr 23 16:10:58 202.100.13.34:4032 -> 207.158.140.5:555 SYN ******S*
    Apr 23 16:10:59 202.100.13.34:4029 -> 207.158.140.2:555 SYN ******S*
    Apr 23 16:10:59 202.100.13.34:4031 -> 207.158.140.4:555 SYN ******S*
    Apr 23 16:11:02 202.100.13.34:4030 -> 207.158.140.3:555 SYN ******S*
    
    # traceroute 202.100.13.34
    traceroute to 202.100.13.34 (202.100.13.34), 30 hops max, 40 byte
    packets
     1  gateway (207.158.140.1)  3 ms (ttl=64!)  3 ms (ttl=64!)  3 ms
    (ttl=64!)
     2  annex-0-5.pntc.coast.net (206.84.176.75)  30 ms  49 ms  123 ms
     3  cartman.pntc.coast.net (206.84.176.12)  30 ms  30 ms  30 ms
     4  at-0-2-147.uschcg-j20c.savvis.net (209.176.95.69)  45 ms
    (ttl=251!)  88 ms (ttl=251!)  60 ms (ttl=251!)
     5  santaclara-mesh.savvis.net (64.242.22.122)  100 ms  100 ms  99 ms
     6  above-savvis-45Mbps.sjc.above.net (209.133.31.193)  117 ms
    (ttl=245!)  152 ms (ttl=245!)  117 ms (ttl=245!)
     7  core5-core2-oc3.sjc1.above.net (216.200.0.118)  117 ms (ttl=246!)
    114 ms (ttl=246!)  123 ms (ttl=246!)
     8  core3-sjc1-oc48.sjc2.above.net (208.184.102.206)  124 ms
    (ttl=247!)  115 ms (ttl=247!)  121 ms (ttl=247!)
     9  pao1-sjc2-oc48.pao1.above.net (208.184.233.142)  123 ms
    (ttl=246!)  123 ms (ttl=246!)  122 ms (ttl=246!)
    10  208.184.129.244.cmnetcom.com.hk (208.184.129.244)  99 ms
    (ttl=245!)  147 ms (ttl=245!)  118 ms (ttl=245!)
    11  202.0.170.21 (202.0.170.21)  1395 ms (ttl=241!)  1404 ms
    (ttl=241!) *
    12  202.97.10.62 (202.97.10.62)  1529 ms (ttl=242!) * *
    13  * 202.97.9.145 (202.97.9.145)  1510 ms (ttl=241!)  1527 ms
    (ttl=241!)
    14  202.97.9.142 (202.97.9.142)  1189 ms (ttl=243!)  1139 ms
    (ttl=243!) *
    15  202.97.10.122 (202.97.10.122)  1421 ms (ttl=242!) * *
    16  * * 61.134.0.121 (61.134.0.121)  1338 ms (ttl=241!)
    17  * * 61.134.0.2 (61.134.0.2)  1172 ms (ttl=240!)
    18  * 202.100.0.2 (202.100.0.2)  1610 ms (ttl=239!)  1607 ms
    (ttl=239!)
    19  61.134.10.1 (61.134.10.1)  1607 ms (ttl=238!) * *
    20  * * 202.100.11.45 (202.100.11.45)  1745 ms (ttl=237!)
    21  202.100.13.34 (202.100.13.34)  1342 ms (ttl=236!)  1332 ms
    (ttl=236!)  1375 ms (ttl=236!)
    
    inetnum:     202.100.13.0 - 202.100.13.255
    netname:     SNNIC
    descr:       SHAANXI COMPUTER NETWORK INFORMATION CENTER
    descr:       185# ZHUQUE ROAD
    descr:       XI'AN city, shaanxi 710061
    country:     CN
    admin-c:     XC10-AP
    tech-c:      XC10-AP
    remarks:     customer
    changed:     sxicat_private 981109
    source:      APNIC
    
    person:      Xianghong Cao
    address:     Shaanxi province data communication Bureau
    address:     8# guangde Road west development zone
    address:     Xi'an city, Shanxi province 710075
    address:     CN
    phone:       +8629-837-1049
    fax-no:      +8629-837-1049
    e-mail:      caoxhat_private
    nic-hdl:     XC10-AP
    mnt-by:      MAINT-CHINANET-SHAANXI
    changed:     caoxhat_private 20000329
    source:      APNIC
    =======================================================
    inetnum:     202.100.0.0 - 202.100.28.255
    netname:     SNXIAN
    descr:       xi'an data branch,XIAN CITY SHAANXI PROVINCE
    country:     CN
    admin-c:     WWN1-AP
    tech-c:      WWN1-AP
    mnt-by:      MAINT-CHINANET-SHAANXI
    mnt-lower:   MAINT-CN-SNXIAN
    changed:     ipadmat_private 20010309
    source:      APNIC
    
    person:      WANG WEI NA
    address:     Xi Xin street 90# XIAN
    phone:       +8629-724-1554
    fax-no:      +8629-324-4305
    country:     CN
    e-mail:      xaipadmat_private
    nic-hdl:     WWN1-AP
    mnt-by:      MAINT-CN-SNXIAN
    changed:     wwnat_private 20001127
    source:      APNIC
    ========================================================
    # whois SNNIC
    Query:     snnic
    Registry:  whois.networksolutions.com
    Results:
    
    snnic (QINLONG-DOM)
    QINLONG.COM
    snnic.net  -   Wang John (SNNIC6-DOM)
    SNNIC.NET
    ========================================================
    # whois QINLONG-DOM
    Query:     qinlong-dom
    Registry:  whois.networksolutions.com
    Results:
    Registrant:
    snnic (QINLONG-DOM)
       No.185 zhuque Road xi'an Shaanxi China
       xi'an, Shaanxi 710061
       CN
    
       Domain Name: QINLONG.COM
    
       Administrative Contact, Technical Contact:
          xiao, Jia  (JX76)  sxicat_private
          Shaanxi Qinlong Electric Power Co.ltd
          No.319 Dongxin Road East Building xi'an
          People's Hotel
          xi'an, shaanxi 710004
          CN
          86-029-7215111-3334 (FAX) 86-029-7285091
       Billing Contact:
          cao, xianghong  (XC78)  sxicat_private
          Shaaxi Internet Network Information Center
          Fl.5 No.8 bldg guangde rdXIANSN710075
          xi'an
          SN
          710075
          CN
          86-029-8371049 (FAX) 86-029-8371049
    
       Record last updated on 16-Aug-2000.
       Record expires on 04-Aug-2001.
       Record created on 04-Aug-1998.
       Database last updated on 23-Apr-2001 04:45:00 EDT.
    
       Domain servers in listed order:
    
       NS.SNNIC.COM                 202.100.13.11
    ========================================================
    
    domain-name: xnet.ro
    description: MobiFon S.A. - Connex GSM
    description: 3, Nerva Traian Street
    description: Complex M101, Sector 3
    description: Bucharest, Romania
    description: Phone: +40-1-302 2336
    description: Fax: +40-1-302 1993
    admin-contact: IOS1-ROTLD
    technical-contact: IOS1-ROTLD
    zone-contact: IOS1-ROTLD
    nameserver:  xnetdns.xnet.ro 193.230.161.3
    nameserver:  xnetdns2.xnet.ro 193.230.161.4
    info:        object maintained by ro.rnc local registry
    info:        Register your .ro domain names at www.rotld.ro
    notify:      domain-adminat_private
    object-maintained-by: ROTLD-MNT
    updated:     danacorbat_private 19990512
    updated:     ciprianat_private 20000117
    updated:     cristihat_private 20000728
    updated:     cristihat_private 20010412
    updated:     cristihat_private 20010412
    source:      ROTLD
    
    role:        ISP Support
    address:     MobiFon S.A.
    address:     Avrig Business Center
    address:     3-5, Avrig Street, Sector 2
    address:     Bucharest, Romania
    phone:       +40-1-302 2333
    fax-no:      +40-1-302 1333
    e-mail:      isp.supportat_private
    admin-contact: IOS2-ROTLD
    technical-contact: MG5-ROTLD
    technical-contact: MB56-ROTLD
    technical-contact: MG2-ROTLD
    nic-hdl:     IOS1-ROTLD
    info:        "*** For billing issue, please contact MG2-ROTLD ***"
    info:        object maintained by ro.rnc local registry
    notify:      domain-adminat_private
    object-maintained-by: ROTLD-MNT
    updated:     cristihat_private 20010412
    source:      ROTLD
    
    
    --
    .--------1---------2---------3---------4---------5---------6---------7.
                       Eric Kimminau ericat_private
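The Snort spp_portscan alerts quoted in the report summarise the four per-packet SYN records that follow them (4 connections across 4 hosts in 4 seconds, threshold 3 connections in 4 seconds). The code below is an added example, not part of Eric's post or of Snort itself: it parses per-packet lines in the format shown, applies a simplified version of the same threshold rule (at least `threshold` distinct destination host/port pairs from one source within `window` seconds), and emits a summary in the same shape as the "portscan status" line. The year is assumed to be 2001 because the log lines do not carry one, and the `BENIGN_LOG` lines are constructed to show a source that touches three hosts but too slowly to trip the rule.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four per-packet scan records from the report, copied verbatim.
SCAN_LOG = """\
Apr 23 16:10:58 202.100.13.34:4032 -> 207.158.140.5:555 SYN ******S*
Apr 23 16:10:59 202.100.13.34:4029 -> 207.158.140.2:555 SYN ******S*
Apr 23 16:10:59 202.100.13.34:4031 -> 207.158.140.4:555 SYN ******S*
Apr 23 16:11:02 202.100.13.34:4030 -> 207.158.140.3:555 SYN ******S*
"""

# Constructed sample: three distinct targets, but spread over six minutes,
# so a 3-in-4-seconds rule must not fire on it.
BENIGN_LOG = """\
Apr 23 16:12:00 10.0.0.9:4000 -> 207.158.140.5:80 SYN ******S*
Apr 23 16:15:00 10.0.0.9:4001 -> 207.158.140.2:80 SYN ******S*
Apr 23 16:18:00 10.0.0.9:4002 -> 207.158.140.4:80 SYN ******S*
"""

# "<Mon> <day> <time> <src>:<sport> -> <dst>:<dport> <type> [<flags>]"
PACKET_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<scan>\S+)(?: (?P<flags>\S+))?$"
)


def parse_packets(text, year=2001):
    """Parse per-packet portscan records; lines that do not match are skipped.
    The year is assumed (syslog-style timestamps omit it)."""
    events = []
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Apr  3" style padding
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            # The scan type label is "UDP" for UDP probes; everything else
            # (SYN, FIN, XMAS, ...) is a TCP probe.
            "proto": "UDP" if m["scan"] == "UDP" else "TCP",
            "flags": m["flags"] or "",
        })
    return events


def detect_portscans(events, threshold=3, window=4):
    """Simplified spp_portscan-style rule: a source is flagged once it has
    touched at least `threshold` distinct (dst, dport) pairs within any
    `window`-second span. Returns one summary dict per flagged source."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        tripped = any(
            len({(e["dst"], e["dport"]) for e in evs[i:]
                 if (e["ts"] - evs[i]["ts"]).total_seconds() <= window}) >= threshold
            for i in range(len(evs))
        )
        if not tripped:
            continue
        alerts.append({
            "src": src,
            "connections": len(evs),
            "hosts": len({e["dst"] for e in evs}),
            "tcp": sum(e["proto"] == "TCP" for e in evs),
            "udp": sum(e["proto"] == "UDP" for e in evs),
            "ports": sorted({e["dport"] for e in evs}),
            "seconds": int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds()),
        })
    return alerts


def format_alert(a):
    """Render a summary in the same shape as Snort's 'portscan status' line."""
    return (f"portscan status from {a['src']}: {a['connections']} connections "
            f"across {a['hosts']} hosts: TCP({a['tcp']}), UDP({a['udp']})")


if __name__ == "__main__":
    for a in detect_portscans(parse_packets(SCAN_LOG + BENIGN_LOG)):
        print(format_alert(a), "ports", a["ports"], "time", f"{a['seconds']}s")
```

Run on the report's four records the summary reads `portscan status from 202.100.13.34: 4 connections across 4 hosts: TCP(4), UDP(0)`, the single port 555 and a 4-second span, matching the quoted alerts; the constructed `BENIGN_LOG` source produces nothing. The window check uses `<=` so that a burst whose first and last probe are exactly `window` seconds apart, as in the report, still counts.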
    



    This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 16:33:35 PDT