LinuxSA Mailing list archives
From: Alan Kennington <akenning@dog.topology.org>
To : Simon Hackett <simon@internode.com.au>
Date: Fri, 23 Feb 2001 10:08:08 +1030
Re: Deny List project
On Thu, Feb 22, 2001 at 06:49:14PM +1030, Simon Hackett wrote:
> Or *could be* innocent victims that were just the next recipient of a
> dynamically assigned IP address.
>
> Simon
Simon et alia:
Since I observe about 50 (literally) malicious port probes
per day, and I get many reports back on the nature of the
miscreant, I can say this:
About 50% of all mischievous probes are from Korea,
mostly NetBus (port 12345) with a few port 111 etc.
These are probably mostly hacked machines - e.g. the
"miscreants" tend to be from machines running overnight at
department stores and primary schools.
But I've never ever got a reply back from a hacker report
to a Korean site.
Of the other 50%, most are from North America, with
a fair proportion from Europe and a smattering from
Australia. These are almost all dynamically allocated.
E.g. Here's the last probe I've received 15 minutes ago:
-------------------------------------------------------------
Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1721 203.38.148.48:111 L=60 S=0x00 I=4801 F=0x0040 T=44
Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1726 203.38.148.53:111 L=60 S=0x00 I=4806 F=0x0040 T=44
Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1731 203.38.148.58:111 L=60 S=0x00 I=4811 F=0x0040 T=44
Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1736 203.38.148.63:111 L=60 S=0x00 I=4816 F=0x0040 T=44
-------------------------------------------------------------
This one's in Peru. Rather unusual!!
mail.surmedio.com.pe
This is almost certainly a hacked machine.
Here's the previous probe, 7 minutes earlier:
-------------------------------------------------------------
Feb 23 09:34:25 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=22641 F=0x0040 T=100
Feb 23 09:34:28 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=25969 F=0x0040 T=100
Feb 23 09:34:34 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=38513 F=0x0040 T=100
Feb 23 09:34:46 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=63089 F=0x0040 T=100
-------------------------------------------------------------
This seems to be in the USA in domain bluestar.net.
Hmmm. This leads to Covad Business Solutions.
I would say this is a hacked machine.
Where are the Koreans this morning?
Here's the previous probe:
-------------------------------------------------------------
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4184 203.48.2.129:111 L=60 S=0x00 I=59347 F=0x0040 T=37
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4188 203.48.2.132:111 L=60 S=0x00 I=59350 F=0x0040 T=36
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4194 203.48.2.137:111 L=60 S=0x00 I=59355 F=0x0040 T=36
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4197 203.48.2.140:111 L=60 S=0x00 I=59358 F=0x0040 T=37
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4201 203.48.2.143:111 L=60 S=0x00 I=59361 F=0x0040 T=37
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4206 203.48.2.147:111 L=60 S=0x00 I=59365 F=0x0040 T=37
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4209 203.48.2.150:111 L=60 S=0x00 I=59368 F=0x0040 T=37
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4214 203.48.2.154:111 L=60 S=0x00 I=59372 F=0x0040 T=36
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4218 203.48.2.158:111 L=60 S=0x00 I=59376 F=0x0040 T=37
Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4219 203.48.2.159:111 L=60 S=0x00 I=59377 F=0x0040 T=37
-------------------------------------------------------------
Ah. This one is in Korea.
But this sample is too small.
In my observations over the last 24 months, the very great
majority of machines have been either hacked, or else
dynamically assigned IP addresses.
Therefore ---- There is absolutely no point at all in
making a black list of IP addresses.
That having been said, I do block out various subnets of Korean
IP space in my firewall.
Cheers,
Alan Kennington.
-------------------------------------------------------------
PS. Is "alia" the vocative case of the nominative plural "alia"?
I hope so....
I wouldn't want to set a bad example to young Latin students!
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
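As an added example, not part of Alan's post or of anything the LinuxSA list published, here is a small Python parser for the ipchains "IP fw-in deny" lines quoted above. It groups the denied packets per source address and distinguishes a sweep of one port across a subnet from one connection attempt whose SYN was simply retransmitted. The eleven firewall lines in the block are copied from the post; the final "eth0: link up" line is constructed to show that unrelated kernel messages are skipped; the port labels and the classification thresholds are my own choices, not anything the post states.

```python
"""Summarise ipchains 'IP fw-in deny' log lines per source address (added example)."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Matches the ipchains kernel log format quoted in the post:
# "<ts> <host> kernel: IP fw-in deny <iface> <proto> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.."
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IP fw-(?P<chain>in|out|fwd) (?P<verdict>\w+) (?P<iface>\S+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)(?P<rest>.*)$"
)

# Well-known assignments for the two ports the post talks about (my labels, not the post's).
PORT_NAMES = {111: "sunrpc/portmapper", 12345: "NetBus"}

# Eleven lines copied from the post. The last entry is constructed, not from
# the post, to show that unrelated kernel messages are skipped.
SAMPLE_LINES: List[str] = [
    "Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1721 203.38.148.48:111 L=60 S=0x00 I=4801 F=0x0040 T=44",
    "Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1726 203.38.148.53:111 L=60 S=0x00 I=4806 F=0x0040 T=44",
    "Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1731 203.38.148.58:111 L=60 S=0x00 I=4811 F=0x0040 T=44",
    "Feb 23 09:41:48 dog kernel: IP fw-in deny ppp0 TCP 200.48.146.99:1736 203.38.148.63:111 L=60 S=0x00 I=4816 F=0x0040 T=44",
    "Feb 23 09:34:25 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=22641 F=0x0040 T=100",
    "Feb 23 09:34:28 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=25969 F=0x0040 T=100",
    "Feb 23 09:34:34 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=38513 F=0x0040 T=100",
    "Feb 23 09:34:46 dog kernel: IP fw-in deny ppp0 TCP 208.53.243.8:4498 203.48.2.151:12345 L=48 S=0x00 I=63089 F=0x0040 T=100",
    "Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4184 203.48.2.129:111 L=60 S=0x00 I=59347 F=0x0040 T=37",
    "Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4188 203.48.2.132:111 L=60 S=0x00 I=59350 F=0x0040 T=36",
    "Feb 23 05:59:22 dog kernel: IP fw-in deny ppp0 TCP 210.111.237.115:4194 203.48.2.137:111 L=60 S=0x00 I=59355 F=0x0040 T=36",
    "Feb 23 10:00:00 dog kernel: eth0: link up",  # constructed: not an ipchains line
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one ipchains log line, or None if the line is not one."""
    m = IPCHAINS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # Trailing key=value pairs: L=length, S=TOS, I=IP id, F=fragment word, T=TTL.
    rec["fields"] = dict(re.findall(r"(\w+)=(\S+)", rec.pop("rest")))
    return rec


def port_label(port: int) -> str:
    return f"{port} ({PORT_NAMES[port]})" if port in PORT_NAMES else str(port)


def summarise(lines: List[str]) -> Dict[str, dict]:
    """Group denied packets by source address and classify what each source was doing."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["verdict"] == "deny":
            by_src[rec["src"]].append(rec)

    report: Dict[str, dict] = {}
    for src, recs in by_src.items():
        dsts = {r["dst"] for r in recs}
        dports = {r["dport"] for r in recs}
        sports = {r["sport"] for r in recs}
        # Collapse the targets to the /24s they fall in, to show which block was swept.
        nets = sorted({str(ipaddress.ip_network(f"{d}/24", strict=False)) for d in dsts})
        if len(dsts) >= 3 and len(dports) == 1:
            # One service tried on many hosts: a horizontal sweep of that port.
            kind = "horizontal sweep"
        elif len(dsts) == 1 and len(sports) == 1 and len(recs) > 1:
            # Identical 4-tuple repeated: one SYN and its retransmissions, not N probes.
            kind = "single SYN, retransmitted"
        else:
            kind = "other"
        report[src] = {
            "kind": kind,
            "packets": len(recs),
            "targets": len(dsts),
            "networks": nets,
            "ports": [port_label(p) for p in sorted(dports)],
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
        }
    return report


if __name__ == "__main__":
    for src, info in summarise(SAMPLE_LINES).items():
        print(f"{src}: {info['kind']}, {info['packets']} packet(s), "
              f"{info['targets']} target(s) in {', '.join(info['networks'])}, "
              f"port(s) {', '.join(info['ports'])}, {info['first']} .. {info['last']}")
```

Run as-is, it prints one summary per source. On the post's own lines it reports 200.48.146.99 and 210.111.237.115 as port 111 sweeps across 203.38.148.0/24 and 203.48.2.0/24, and 208.53.243.8 as a single NetBus connection attempt: the source port 4498 never changes and the gaps between the four lines (3 s, 6 s, 12 s) are TCP's SYN retransmission backoff, so those four log entries are one probe, not four. Nothing in the output says whether a source is a compromised host or a dial-up address that has since been reassigned; that still takes a whois lookup and an abuse report, which is the reason the post gives for not keeping a blacklist of addresses.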