Re: Kuang2 strikes again, is it just me?

From: Johannes Ullrich (jullrichat_private)
Date: Sat Feb 15 2003 - 20:18:13 PST


    We are tracking these 'Kuang2' scans for a couple of weeks now at DShield.org.
    So far it looks like they are just empty connect scans of someone building
    a target list (maybe?)
    
    
    On Sat, 15 Feb 2003 20:35:02 -0500
    Jeff Kell <jeff-kellat_private> wrote:
    
    > Last Sunday (Feb 9) I reported a sudden flurry of scans on tcp/17300
    > (the Kuang2 backdoor).  I had 9 hits in an hour on a cable modem, and
    > 18 in all in the next 6 hours, then they stopped.  Nothing appeared
    > on my radar screen at work where I monitor a /18, a /22, and a /24 
    > address block.
    > 
    > Today looks like a revisit of similar probing.  Home cable modem 
    > reports (timezone EST, GMT-05:00), all directed at my tcp/17300:
    > 
    > But once again, no sign of it at the office.  Very strange.  Since the
    > connection is never established, I don't know the payload they are
    > trying to deliver.  Will try to set up a honeypot on the port and see
    > what comes up.
    > 
    > Jeff
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    -- 
    --------------------------------------------------------------------
    jullrichat_private             Collaborative Intrusion Detection
                                             join http://www.dshield.org
    
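The honeypot Jeff proposes, as an added example that is not code from either poster: a minimal Python listener for tcp/17300 that records the source of each connection and the first bytes it sends, so the empty connect scans Johannes describes can be told apart from connections that actually deliver a payload. The loopback self-test helper `simulate_probe`, the port-0 binding it uses and the 5-second idle timeout are assumptions made for this example.

```python
import socket
import threading
from datetime import datetime, timezone
KUANG2_PORT = 17300  # the Kuang2 backdoor port the scans in the thread hit

def open_listener(host="0.0.0.0", port=KUANG2_PORT):
    """Bind a listening socket on the honeypot port and return it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def accept_one(srv, timeout=5.0, max_bytes=512):
    """Accept one connection; record its source and first bytes (as hex).
    An empty connect scan closes, or idles past the timeout, without sending."""
    conn, peer = srv.accept()
    conn.settimeout(timeout)
    try:
        data = conn.recv(max_bytes)
    except socket.timeout:
        data = b""
    finally:
        conn.close()
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": "%s:%d" % peer,
        "kind": "payload" if data else "empty-connect",
        "payload_hex": data.hex(),
    }

def simulate_probe(payload=b""):
    """Loopback self-test (assumed helper): connect to our own listener, send
    payload (or nothing, like an empty connect scan) and return the record."""
    srv = open_listener("127.0.0.1", 0)  # port 0: any free port
    port = srv.getsockname()[1]
    result = {}
    worker = threading.Thread(target=lambda: result.update(accept_one(srv)))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        if payload:
            cli.sendall(payload)
    worker.join()
    srv.close()
    return result

if __name__ == "__main__":  # run for real: listen on tcp/17300 and log probes
    srv = open_listener()
    while True:
        print(accept_one(srv))
```

Each record carries a UTC timestamp, the remote address and the captured bytes, which is enough to correlate with the cable modem log format quoted above.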
    



    This archive was generated by hypermail 2b30 : Sun Feb 16 2003 - 14:03:06 PST