Interesting data.

>> - 3 came from Canada (BellNexxia 65.93.160.0/19,

There's that bellnexxia.net again !!!!

Andrew P. Kaplan
Network Administrator
CyberShore, Inc.
http://www.cshore.com

"Your mouse has moved. Windows NT must be restarted for the change to take
effect. Reboot now? [ OK ]"

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Len Conrad
> Sent: Friday, March 08, 2002 1:25 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] Need Help - Virus Attack?
>
>
> >Not knowing the details of IP addressing I blocked 61.0.0.0/61.255.255.255
> >addresses.
>
> one notation is 61/8, or 61.0.0.0/8. that's a whole Class A.
>
> or
>
> 61.0.0.0 netmask 255.0.0.0
>
> >Is
> >61.183.0.0/61.184.255.255 the subnet I should be blocking?
>
> that notation would be 61.183/16
>
> or
>
> 61.183.0.0 netmask 255.255.0.0
>
> btw, if this gets your jingo knee a-jerkin, here's a message from the
> snort list today. the guy set up a honey pot and watched it with snort:
>
> I used LaBrea in this way - created a bogus /24 off my production
> network, poked a global allow for that /24 at my border, fired
> up LaBrea and Snort on an unaddressed laptop on the /24, and
> listened.
>
> Some points of order regarding this quasi-honeypot:
>
> - no dns, no outbound traffic, no nothing to indicate to an external
>   party that the subnet even existed - thus, any traffic coming to
>   that network was either misdirected or hostile;
>
> - historically, the subnet had been unused and unallocated out of our
>   /16 core (.edu network) for over two years;
>
> - the subnet came into existence on Thu Dec 20 2001 sometime
>   after 4:15 p.m.;
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> - in the first full day of listening (December 21st) - one 24-hour period:
>   ^^^^^^^^^^^^^^^^^^
> ================================================================
> - 1,702 different external hosts attempted at least one initial
>   TCP connection;
>
> - 1,026 attempted more than one;
>
> - 335 attempted 20 or more;
>
> - 71 attempted 255 or more, thereby scanning the entire subnet
>   multiple times -
>   of the top 60 or so:
>
>   - 12 unique IP's came from U.S. educational institutions
>     (UCLA 128.97.0.0/16, UVA 128.143.0.0/16, UGA 128.192.0.0/16,
>     SunyBuffalo 128.205.0.0/16, UWA 128.208.0.0/16,
>     UHI 128.171.0.0/16, SunyBinghamton 128.226.0.0/16,
>     Syracuse 128.230.0.0/16, WashUStLouis 128.252.0.0/16,
>     UOKNorman 129.15.0.0/16, UMI 131.213.0.0/16);
>
>   - 12 unique IP's came from US providers (HSACorp 24.240.23.0/24,
>     AOL 172.128.0.0/10, rr.com 24.24.0.0/13sortof,
>     genuity.net 4.0.0.0/8, naxs.com 216.98.64.0/19,
>     arnet 209.40.128.0/18, UUNET 208.254.72.0/23,
>     Comastpc.com 68.40.0.0/13, @home 65.9.112.0/20,
>     SBCIS/PacBell 63.192.0.0/12);
>
>   - 5 came from a random US ".com" (tag.com 216.177.32.0/19,
>     mrws.net 63.166.61.0/24, "Oilgear" (AT&T) 209.36.148.0/24,
>     BritSys.com 192.216.171.0/24, RuralNet 216.169.69.32/27);
>
>   - 3 came from Canada (BellNexxia 65.93.160.0/19,
>     ShawFiberlink 24.80.0.0/13, hyperlinx.net 207.107.55.0/24);
>
>   - 3 came from Mexico (UnivAutonomaZacatecas 148.217.0.0/16,
>     MERKANET 200.23.95.0/24, Avantel 148.240.0.0/16);
>
>   - 2 came from South America (cable.net.co-Colombia 200.68.160.0/21,
>     ImpSat-Venezuela 200.31.4.0/24);
>
>   - 5 came from Germany (denoc.net 62.116.128.0/20,
>     JWGoethe-UnivFrankfurt 141.2.0.0/16, t-online.com 80.128.0.0/12sortof,
>     t-online.com 217.80.0.0/12sortof);
>
>   - 4 came from France (internet-fr.net 212.37.210.0/22,
>     wanadoo 217.128.39.0/24, wanadoo 193.252.192.0/24,
>     wanadoo 80.13.214.0/24);
>
>   - 2 came from Norway (nextgentel.com 213.145.160.0/19,
>     NTANET 128.39.0.0/16);
>
>   - 2 came from the Netherlands (tiscali.nl 195.241.0.0/16,
>     UnivUtrecht 131.211.0.0/16);
>
>   - 6 came from other European countries
>     (InstitutoDaAgua-Portugal 193.136.235.0/24,
>     Lidkopings-Sweden 195.84.233.128/26, MedUnivLodz-Poland 212.5.198.0/23,
>     telefonica.es-Spain 213.96.0.0/15, tin.it-Italy 62.211.128.0/17,
>     hispeed.ch-Switzerland 217.162.0.0/16sortof);
>
>   - 1 came from Australia (bigpond.net.au 203.40.0.0/13);
>
>   - 1 came from India (vsnl.net 203.199.84.128/26);
>
>   - 9 came from Korea (rapitel.co.kr 211.189.198.0/25,
>     KoreaTelecom 128.134.0.0/16, nuri.net 210.1221.56.192/26,
>     kornet.net 61.73.128.0/20sortof, kornet 61.73.152.0/21sortof);
>
>   - 2 came from China (Chinanet 202.104.0.0/16,
>     LianyungangFoodMfry 61.155.96.0/19sortof);
>
>   - 1 came from Taiwan (TANET 140.109.0.0/16);
>
>   - 1 came from Japan (u-tokyo.ac.jp 133.11.0.0/16);
>
> - activity peaks occurred 6-7am (97 hits), 11-12am (148), 5-6pm (158),
>   6-7pm (202), and 7-8pm (295); [all times CST]
>
> - most of these were reconnaissance (see below).
> ================
> - of the initial connection attempts, 845 were to HTTP port 80 (presumably
>   Code Red, Nimda, or more serious Web attackers), 243 were to FTP port
>   21 (widely vulnerable), 242 were to SOCKS/Wingate port 1080 (widely
>   exploitable), 232 were to ssh port 22 (recent exploits), and 14
>   were to portmapper port 111 (an oldie but a goodie - widely
>   exploitable, but most people block it nowadays)
> ================
> - 56 hosts completed a TCP connection, 53 more than one, 43 hosts
>   completed 20 or more, and 9 hosts completed 255 or more; this number was
>   presumably attempting exploits in realtime.
> ================
> - 4 internal security issues were detected:
>     3 incidences of Code Red or Nimda
>     1 incidence of a compromised internal machine portscanning ssh
> ================
>
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
> An Archive of this list is available at:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.325 / Virus Database: 182 - Release Date: 2/19/02
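The CIDR / netmask conversions Len works through in the quoted reply (61/8 as 61.0.0.0 netmask 255.0.0.0, 61.183/16 as 61.183.0.0 netmask 255.255.0.0), as an added example that is not code from the thread. It goes beyond the two cases in the reply: it also takes a first/last-address range in the form the original poster wrote (61.183.0.0/61.184.255.255) and summarizes it into the minimal set of CIDR blocks that covers it, which is what a border ACL needs. Only the Python standard library is used; the function names are this example's own.

```python
import ipaddress
import re


def expand_shorthand(short):
    """Fill in omitted trailing octets: '61/8' -> '61.0.0.0/8',
    '61.183/16' -> '61.183.0.0/16'. Full dotted-quad input passes through."""
    addr, plen = short.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ".".join(octets) + "/" + plen


def cidr_to_netmask(cidr):
    """CIDR (full or shorthand) -> the 'network netmask mask' spelling."""
    net = ipaddress.ip_network(expand_shorthand(cidr), strict=False)
    return f"{net.network_address} netmask {net.netmask}"


def range_to_cidrs(first_last):
    """A first/last address range written like '61.183.0.0/61.184.255.255'
    (a '-' separator is accepted too) -> the minimal list of CIDR blocks
    that covers exactly that range and nothing outside it."""
    first, last = (ipaddress.ip_address(p) for p in re.split(r"[-/]", first_last))
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def is_blocked(ip, cidrs):
    """True if ip falls inside any of the (full or shorthand) CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(expand_shorthand(c), strict=False)
               for c in cidrs)


if __name__ == "__main__":
    print(cidr_to_netmask("61/8"))
    print(cidr_to_netmask("61.183/16"))
    # The poster's range spans two /16s, so a single /16 block does not cover it.
    print(range_to_cidrs("61.183.0.0/61.184.255.255"))
```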
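The tallies the quoted snort-list post reports for its dark /24 (distinct external sources, sources with more than one / 20 or more / 255 or more attempts, attempts per destination port, and the peak hour), computed over a constructed SYN log, as an added example that is not from the thread. The log line format, the 192.0.2.0/24 dark subnet and the source addresses are constructed documentation values chosen for the example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed for this example: the unadvertised "dark" /24 (RFC 5737 space).
DARK_NET = ipaddress.ip_network("192.0.2.0/24")
FULL_SWEEP = 255  # the post's threshold: 255+ attempts = the whole /24 scanned


def build_sample_log():
    """Constructed SYN log, one line per initial TCP connection attempt:
    '<unix_time> <src_ip> <dst_ip> <dst_port>'. Starts 2001-12-21 00:00 UTC."""
    t0 = 1008892800
    # one source sweeps every address on port 80 (Code Red / Nimda style)
    lines = [f"{t0 + i} 198.51.100.7 192.0.2.{i} 80" for i in range(256)]
    # a second source probes twenty hosts on ssh an hour later
    lines += [f"{t0 + 3600 + i} 203.0.113.9 192.0.2.{i} 22" for i in range(1, 21)]
    # a third makes a single SOCKS probe, plus one packet not aimed at the dark net
    lines.append(f"{t0 + 7200} 203.0.113.10 192.0.2.5 1080")
    lines.append(f"{t0 + 7300} 203.0.113.10 198.51.100.1 80")
    return lines


def summarize(lines):
    """Tally attempts the way the honeypot post does."""
    per_src, per_port, per_hour = Counter(), Counter(), Counter()
    for line in lines:
        ts, src, dst, port = line.split()
        # Only traffic aimed at the unadvertised /24 is misdirected or hostile.
        if ipaddress.ip_address(dst) not in DARK_NET:
            continue
        per_src[src] += 1
        per_port[int(port)] += 1
        per_hour[datetime.fromtimestamp(int(ts), timezone.utc).hour] += 1
    counts = per_src.values()
    return {
        "hosts": len(per_src),
        "more_than_one": sum(n > 1 for n in counts),
        "twenty_or_more": sum(n >= 20 for n in counts),
        "full_sweep": sum(n >= FULL_SWEEP for n in counts),
        "by_port": dict(per_port),
        "peak_hour": per_hour.most_common(1)[0][0],
    }


if __name__ == "__main__":
    for key, value in summarize(build_sample_log()).items():
        print(f"{key}: {value}")
```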
