BLSS Cyber Center Report - 1 Nov 2007
-------------------------------------
www.blacklabsecurity.com
China and Korea are still probing/attacking all previously reported IPs and ports with the same tenacity; there has been no decrease in the frequency of probes/attacks from either country. However, within the last 24-hour period we detected the fewest new computers yet beginning to broadcast over the Internet: only approximately 22 in the past 24 hours. It appears that disabling port 7212 does have a significant impact on China/Korea's ability to successfully penetrate a computer.
Port 1024; U.S. (new site).
Port 1026; Korea (new site), U.S. No IANA probe last night: this is the first time in several days that the U.S. IANA has NOT probed the Internet on port 1026. However, we did detect an Internet-wide probe from the Latin American and Caribbean IP address Regional Registry (LACNIC), the regional equivalent of the U.S. IANA, and a probe from Broadcasting Center Europe S.A., located in Luxembourg, which may be the Luxembourg equivalent of the U.S. IANA. We also detected one U.S. DoD computer, two computers whose IP addresses have no recorded owner (unknown; most likely government agency computers), and a J.P. Morgan computer probing on port 1026. Other countries probing on port 1026; U.K. (Peat Marwick computer), France (new site), Brazil (new site).
Port 22; China (new site).
Port 1433; U.S. (2 new sites), China (2 new sites).
Port 1434; Croatia (new site).
Port 2967; U.S. (new site).
Port 5900; China (new sites), Chile (new site), Spain (new site), France (new site).
Honey Pot Activity; None. No one surfed or attacked the Honey Pot.
The following is a list of new IPs detected and their associated ports;
Thursday, November 1, 2007
Wednesday, October 31, 2007
Cyber Center Report - October 31, 2007
BLSS Cyber Center Report - 31 October 2007
------------------------------------------
www.blacklabsecurity.com
The BLSS Cyber Center has detected new activity on port 53: one IP from Korea and one from China. China and Korea continue probing/attacking all previously reported ports with increased tenacity. Disabling port 7212 seems to prevent probes/attacks from successfully activating the Microsoft Service Pack Update (Software Updates) and Help Center Service system. The BLSS Cyber Center will, however, continue to monitor such probes/attacks to detect a possible "work-around" from China, Korea, etc.
Port 53; Korea (new site), China (new site).
Port 1024; Russia (new site).
Port 1026; China (3 new sites), U.S. (the IANA probed 5 times last night; also Apple Computer, Hewlett-Packard and XO Communications), Japan (2 new sites), Australia (new site), Korea (new site), Canada (new site).
Port 1027; Canada (new site).
Port 1028; Canada (new site).
Port 21; China (new site).
Port 22; U.S. (new site).
Port 1433; Romania (new site), China (2 new sites), U.S. (new site).
Port 1434; China (new site).
Port 3128; Korea (new site).
Port 4899; Argentina (new site).
Port 5900; China (new site), Korea (new site), Netherlands (new site), U.S. (2 new sites), Canada (2 new sites).
Honey Pot Activity; U.S. (new site), port 80 surf only.
Monday, October 29, 2007
Recommended IPs Addresses to be Blocked - China, Korea, Taiwan, and Thailand
The BLSS Cyber Center is recommending that the following (additional) IP addresses from China, Korea, Taiwan and Thailand be entered into firewalls as blocked sources:
Labels: Attacking, blocked IP, China, firewall IP, Korea, Taiwan, Thailand
Additional Attack Context
Additional context to the latest set of BLSS Cyber Reports. While researching the techniques deployed, we found one approach documented in May 2007 that used the Microsoft Patch or Update Service (aka BITS, the Background Intelligent Transfer Service). This knowledge seems to be well dispersed in the underground hacking community and could be the technique, or some variation of it, that we have witnessed in the past few days.
Please see :
New Attack Piggybacks on Microsoft's Patch Service (Washington Post – May 2007)
http://blog.washingtonpost.com/securityfix/2007/05/malware_using_microsoft_patch.html
Labels: attack, background intelligent transfer service, BITS, Patch, Update
Cyber Center Report - October 29, 2007
BLSS Cyber Center Report - 29 October 2007
------------------------------------------
www.blacklabsecurity.com
This BLSS Cyber Center Report is a continuation of the Cyber Center Report published on 29 October 2007. BLSS has initiated an immediate analysis of the China attack on our Honey Pot, which was reported yesterday, 28 October 2007. This report is divided into two sections: 1) Analysis Of Honey Pot Attack, and 2) Advised Immediate Action Required To Prevent The Attacks.
Analysis Of Honey Pot Attack
----------------------------
Below are the first 100 program file payloads detected by Shadow. Many more payloads were installed into the nested "i386" and "Service Pack" folders. The most interesting fact about the first 100 payloads below is that almost all of them are related to "Remote Access" functions: among them are RegCode.dll, Adfsocm.dll, ComAdmin.dll, Dialer.exe, the "System Configuration Install" library (system.configuration.install.dll), Nfsocm.dll, Explorer.exe, etc. Most interesting of all, the remote access program payloads were updated together with the Remote Assistance scripts \Windows\PCHealth\HelpCtr\System\RemoteAssistance\Interaction\Client\Raclient.js, Racontrol.js, Raserver.js and Common.js, and a new RegEdit.exe was installed.
The following are the first 100 payloads detected:
1. C:\WINDOWS\ASSEMBLY\GAC\REGCODE\1.0.5000.0__B03F5F7F11D50A3A\REGCODE.DLL
2. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\ADFSOCM.DLL
3. C:\WINDOWS\SYSTEM32\COM\COMADMIN.DLL
4. C:\WINDOWS\DIALER.EXE
5. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.CONFIGURATION.INSTALL\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.CONFIGURATION.INSTALL.DLL
6. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\NFSOCM.DLL
7. C:\WINDOWS\EXPLORER.EXE
8. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DATA\1.0.5000.0__B77A5C561934E089\SYSTEM.DATA.DLL
9. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\OCWSS.DLL
10. C:\PROGRAM FILES\COMMONFILES\SPEECHENGINES\MICROSOFT\TTS\1033\SPTTSENG.DLL
11. C:\WINDOWS\HH.EXE
12. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DATA.ORACLECLIENT\1.0.5000.0__B77A5C561934E089\SYSTEM.DATA.ORACLECLIENT.DLL
13. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\CLIENT\RACLIENT.JS
14. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\SUAIDMOG.DLL
15. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MUI\0409\MSCORSECR.DLL
16. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DIRECTORYSERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.DIRECTORYSERVICES.DLL
17. C:\WINDOWS\NOTEPAD.EXE
18. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\COMMON\RACONTROL.JS
19. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTE ASSISTANCE\COMMON\COMMON.JS
20. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.ENTERPRISESERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.ENTERPRISESERVICES.DLL
21. C:\WINDOWS\REGEDIT.EXE
22. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\SERVER\RASERVER.JS
23. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTE ASSISTANCE\COMMON\CONSTANTS.JS
24. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.ENTERPRISESERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.ENTERPRISESERVICES.THUNK.DLL
25. C:\WINDOWS\SYSTEM32\MUI\0C0A\W03A2409.DLL
26. C:\WINDOWS\TWAIN.DLL
27. C:\WINDOWS\PCHEALTH\HELPCTR\VENDORS\CN=MICROSOFTCORPORATION,L=REDMOND,S=WASHINGTON,C=US\REMOTE ASSISTANCE\COMMON\COMMON.JS
28. C:\WINDOWS\SYSTEM32\MUI\0C0A\WS03RES.DLL
29. C:\WINDOWS\TWAIN_32.DLL
30. C:\WINDOWS\PCHEALTH\HELPCTR\VENDORS\CN=MICROSOFTCORPORATION,L=REDMOND,S=WASHINGTON,C=US\REMOTEASSISTANCE\COMMON\CONSTANTS.JS
31. C:\WINDOWS\SYSTEM32\MUI\0C0A\XPOB2RES.DLL
32. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.MESSAGING\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.MESSAGING.DLL
33. C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0001\DRIVERFILES\I386\PROCESSR.SYS
34. C:\WINDOWS\TWUNK_16.EXE
35. C:\WINDOWS\SYSTEM32\MUI\0C0A\XPSP2RES.DLL
36. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.RUNTIME.REMOTING\1.0.5000.0__B77A5C561934E089\SYSTEM.RUNTIME.REMOTING.DLL
37. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\DISKRAID.EXE
38. C:\WINDOWS\TWUNK_32.EXE
39. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.RUNTIME.SERIALIZATION.FORMATTERS.SOAP\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.RUNTIME.SERIALIZATION.FORMATTERS.SOAP.DLL
40. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDS.EXE
41. C:\WINDOWS\UDDISP.EXE
42. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.SECURITY\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.SECURITY.DLL
43. C:\WINDOWS\INF\UNREGMP2.EXE
44. C:\WINDOWS\SYSTEM32\WBEM\ADSTATUS\TRUSTMON.DLL
45. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSDYNDR.DLL
46. C:\WINDOWS\VMMREG32.DLL
47. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.SERVICEPROCESS\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.SERVICEPROCESS.DLL
48. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSLDR.EXE
49. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.DLL
50. C:\WINDOWS\WINHELP.EXE
51. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSUTIL.DLL
52. C:\WINDOWS\SYSTEM32\WBEM\XML\WMI2XML.DLL
53. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.MOBILE\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.MOBILE.DLL
54. C:\WINDOWS\WINHLP32.EXE
55. C:\WINDOWS\MSAGENT\AGENTANM.DLL
56. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.REGULAREXPRESSIONS\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.REGULAREXPRESSIONS.DLL
57. C:\WINDOWS\MSAGENT\AGENTCTL.DLL
58. C:\WINDOWS\_DEFAULT.PIF
59. C:\WINDOWS\MSAGENT\AGENTDP2.DLL
60. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.SERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.SERVICES.DLL
61. C:\WINDOWS\SYSTEM32\SERVERAPPLIANCE\WEB\ADMIN\HELP\0409\LINKCSS.JS
62. C:\WINDOWS\MSAGENT\AGENTDPV.DLL
63. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\MSCORLIB\1.0.5000.0__B77A5C561934E089_1C85CDAB\MSCORLIB.DLL
64. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DAO\DAO360.DLL
65. C:\WINDOWS\MSAGENT\AGENTMPX.DLL
66. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM\1.0.5000.0__B77A5C561934E089_8DF1E0E7\SYSTEM.DLL
67. C:\WINDOWS\MSAGENT\AGENTPSH.DLL
68. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\IEINFO5.OCX
69. C:\WINDOWS\MSAGENT\AGENTSR.DLL
70. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
71. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DESIGN\1.0.5000.0__B03F5F7F11D50A3A_2DC1A7DB\SYSTEM.DESIGN.DLL
72. C:\WINDOWS\MSAGENT\AGENTSVR.EXE
73. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SPEECH\SAPI.DLL
74. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DRAWING\1.0.5000.0__B03F5F7F11D50A3A_66784F17\SYSTEM.DRAWING.DLL
75. C:\WINDOWS\MSAGENT\AGTINTL.DLL
76. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SPEECH\SAPISVR.EXE
77. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DRAWING.DESIGN\1.0.5000.0__B03F5F7F11D50A3A_271DA28B\SYSTEM.DRAWING.DESIGN.DLL
78. C:\WINDOWS\MSAGENT\MSLWVTTS.DLL
79. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TEXTCONV\MSCONV97.DLL
80. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.WINDOWS.FORMS\1.0.5000.0__B77A5C561934E089_9D99100D\SYSTEM.WINDOWS.FORMS.DLL
81. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRIEDIT\DHTMLED.OCX
82. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.XML\1.0.5000.0__B77A5C561934E089_667035EA\SYSTEM.XML.DLL
83. C:\WINDOWS\SRCHASST\MSGR3EN.DLL
84. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRIEDIT\TRIEDIT.DLL
85. C:\WINDOWS\SRCHASST\SRCHCTLS.DLL
86. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\ALINKUI.DLL
87. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VGX\VGX.DLL
88. C:\WINDOWS\SRCHASST\SRCHUI.DLL
89. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\CSCOMPUI.DLL
90. C:\PROGRAM FILES\COMMON FILES\SPEECHENGINES\MICROSOFT\SPCOMMON.DLL
91. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\VBC7UI.DLL
92. C:\WINDOWS\SYSTEM32\6TO4SVC.DLL
93. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADER15.DLL
94. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\VSAVB7RTUI.DLL
95. C:\WINDOWS\SYSTEM32\AAAAMON.DLL
96. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADO15.DLL
97. C:\WINDOWS\SYSTEM32\ACCTRES.DLL
98. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASP.NETCLIENTFILES\SMARTNAV.JS
99. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADOMD.DLL
100. C:\WINDOWS\SYSTEM32\ACCWIZ.EXE
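The analysis above rests on noticing that system binaries and the Remote Assistance scripts had been replaced. As an added example (not BLSS or Shadow code), the following baseline-and-verify check hashes exactly those files and reports anything changed, added or removed; it runs offline against a constructed temporary directory standing in for C:\WINDOWS, and the "modified" scenario in demo() is constructed to mirror the report's observations.

```python
"""Baseline-and-verify check for the Windows files the report says were replaced.

Added example, not BLSS code. It hashes a set of watched paths (the Remote
Assistance scripts and system binaries named in the analysis) into a baseline,
re-hashes later and reports anything added, changed or removed. Runs offline
against a constructed temporary directory standing in for C:\\WINDOWS.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Relative paths taken from the payload list above.
WATCHED = [
    r"PCHealth\HelpCtr\System\RemoteAssistance\Interaction\Client\Raclient.js",
    r"PCHealth\HelpCtr\System\RemoteAssistance\Interaction\Common\Racontrol.js",
    r"PCHealth\HelpCtr\System\RemoteAssistance\Interaction\Server\Raserver.js",
    r"PCHealth\HelpCtr\System\Remote Assistance\Common\Common.js",
    r"PCHealth\HelpCtr\System\Remote Assistance\Common\Constants.js",
    r"regedit.exe",
    r"explorer.exe",
]


def _to_local(root: Path, win_rel: str) -> Path:
    """Map a Windows-style relative path onto the local filesystem."""
    return root.joinpath(*win_rel.split("\\"))


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched=WATCHED) -> dict:
    """Return {relative_path: sha256} for every watched file that exists."""
    baseline = {}
    for rel in watched:
        p = _to_local(root, rel)
        if p.is_file():
            baseline[rel] = sha256_of(p)
    return baseline


def verify(root: Path, baseline: dict, watched=WATCHED) -> dict:
    """Compare the current tree against a stored baseline.

    'changed' catches replaced scripts or binaries, 'added' catches files that
    appear where the baseline had none (new payloads), 'removed' catches
    deletions. Each list is sorted so reports are stable.
    """
    current = build_baseline(root, watched)
    return {
        "changed": sorted(r for r in baseline if r in current and current[r] != baseline[r]),
        "added": sorted(r for r in current if r not in baseline),
        "removed": sorted(r for r in baseline if r not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate what the
    report describes (Raclient.js rewritten, a new regedit.exe dropped)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in WATCHED:
            if rel == "regedit.exe":
                continue  # absent at baseline time in this constructed scenario
            p = _to_local(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(f"// original {rel}\n")
        baseline = build_baseline(root)
        # Time passes; an unexpected "update" rewrites one script and adds a binary.
        _to_local(root, WATCHED[0]).write_text("// modified by unknown update\n")
        _to_local(root, "regedit.exe").write_bytes(b"MZ-constructed-sample")
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be captured while the host is known-good and stored off-host; a baseline taken after the update window would simply enshrine the replaced files.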
Advised Immediate Action Required To Prevent The Attacks
--------------------------------------------------------
The first step is to enter the following ports into firewalls, if organizations can do so without inhibiting the normal operation of their networks and software:
Port 7212
Port 1026
Port 1027
Port 1028
The second step is to enter the following IP addresses into firewalls:
IP Address
----------
121.18.13.107
121.18.12.197
221.208.208.83
221.208.208.91
221.208.208.95
221.208.208.98
202.97.238.202
218.50.1.119
222.239.255.43
121.235.156.114
210.79.152.144
202.97.238.202
221.208.208.101
44.139.107.99
The third step is to TURN OFF all Automatic Updates and disable the Microsoft Help Center Remote Access functions. As a "hardening method" within BLSS, we actually erase the following JavaScript files:
JavaScript Files
----------------
Raclient.js
Racontrol.js
Common.js
Raserver.js
Constants.js
The BLSS Cyber Center will be publishing a list of all IP addresses detected from China and Korea within the next 24 hours. It is recommended that all IP addresses from China and Korea be entered into firewalls as a security (safety) precaution.
Storm Worm Research
Commenting on eWeek articles:
NAC Can't Weather the Storm - October 26, 2007
http://www.eweek.com/article2/0,1895,2207921,00.asp
Storm Worm Botnet Lobotomizing Anti-Virus Programs - October 24, 2007
http://www.eweek.com/article2/0,1895,2205606,00.asp
Our Storm Worm Research
The Storm worm and other nameless worms roaming the Internet today are extremely capable and are not getting in by brute force; they do not need to, given the techniques they deploy. These worms are intruding into networks and systems almost at will, without logins, passwords, or help from insiders. Hundreds of new compromised IPs are added to the attack every day, using the same attack profile and techniques, so blocking IPs and countries in firewalls and other network access controls (NACs) is a mission impossible. The actual attack is hidden in the flood of communications and probes from these compromised computers, which arrive looking like normal, expected traffic. Anti-virus and anti-spyware solutions are being rendered worse than useless, since they report that all is OK.
Adjusting filters and behaviours in IPS and UTM systems is also nearly unproductive, since these worms change their signature every 30 minutes or less. Once in, these worms are invisible: they come with a built-in rootkit and hide at the kernel level, and they are clever enough to change every few weeks (or days). They have built-in defense mechanisms, know when they are being investigated, and punish and fight back.
We are finding that even the best defense-in-depth (DiD) architectures, with many security appliances and software products, are having equally difficult problems stopping these worms. Filter sensitivities differ in each tool, and analyzing a single event leaves many gaps in what the logs show. Since there are so many short-burst probes and attacks each day, the logs are extremely lengthy. Often, by the time a suspicious event is identified, the files are gone: they have already been installed, made critical O/S changes or downloaded other malware via open ports looking like valid communications, and then deleted themselves.
So why is the information about the Storm worm so vague? Because the Storm worm knows the weaknesses of the security products available today and is doing a grand job of defeating and confusing computer security analysts. A new security technology and approach is required by the industry. As you can see from the posted cyber reports, we are able to prevent, capture forensics on, and analyze these worms without much difficulty. No filter adjustments or new signature updates are needed on our side. We see these attacks like watching a video game in near real time. By the way, we have not published our forensics and logs, but have provided this information through several channels. We will remain discreet about how these attacks are so successful.
Labels: botnet, compromised systems, Dorf, Ecard, forensics, malware, Storm worm, Worm
Cyber Center Report - October 28, 2007
BLSS Cyber Center Report - 28 October 2007
------------------------------------------
http://www.blacklabsecurity.com/
BLSS detected and observed the highest number of new computers suddenly broadcasting over the Internet to date. China and Korea continue to escalate their probes/attacks on all previously reported ports. The number of IPs in China and Korea probing/attacking the U.S. is rising substantially each night.
Please read this report carefully. Several government computers are now broadcasting over port 1026 UDP.
BLSS also detected and captured the forensics of multiple IP connections from China (Hebei, Beijing and 3 Harbin IP sites), Japan, and one site inside the U.S. from an Amateur Radio Digital Communications Group.
Several unauthorized files were detected from offshore sources (IPs) within the BLSS Honey Pot that included REGCODE.DLL and ADFSOCM.DLL.
The following IPs were connected to the BLSS Honey Pot when these files were received:
IP Address        Location          Port   Protocol
---------------   ---------------   ----   --------
121.18.13.107     China - Hebei     7212   TCP
121.235.156.114   China - Beijing   1026   UDP
210.79.152.144    Japan             1026   UDP
221.208.208.91    China - Harbin    1027   UDP
202.97.238.202    China - Harbin    1027   UDP
221.208.208.101   China - Harbin    1026   UDP
44.139.107.99     U.S.              1026   UDP
(IP 44.139.107.99 is located somewhere (approx.) in Colorado at an Amateur Radio Digital Communications station.)
Several other key U.S. government computers are now suddenly broadcasting over port 1026 UDP;
Four computers from the Naval Ocean Systems Center:
1) 214.174.173.142
2) 33.14.45.142
3) 214.71.189.59
4) 214.84.88.214
One computer from the DoD Network Centric Operations:
1) 26.198.93.126
Several other computers from the U.S. are now broadcasting on port 1026: the IANA probed port 1026 a total of eight times last night, from eight separate IP addresses; one computer from Hewlett-Packard Company, one from Cingular Wireless II, one from Road Runner, one from TDS Telecom, and one from the Buckeye Pipe Line Company.
Other countries probing on Port 1026: China (new site), Korea (2 new sites), Japan (2 new sites), Canada (4 new sites, one of them a Nortel Networks Canada computer), Italy (new site), Germany (new site), New Zealand (new site), United Kingdom (new site), Societe Internationale de Telecomm (Europe), one IP address which has no record and cannot be traced (most likely belonging to a government agency), Australia (new site). Port 1027: Canada (new site), Israel (new site). Port 1028: Canada (new site). Port 21: China (new site). Port 22: Netherlands (new site), China (2 new sites), Japan (new site), U.S. (new site). Port 25: Taiwan (new site). Port 1080: China (new site), Korea (new site). Port 1433: Taiwan (new site), U.S. (new site), China (new site). Port 1434: China (2 new sites, including China Mobile Comm Corp). Port 2967: Spain (new site), U.S. (new site), China (new site). Port 2968: U.S. (new site). Port 3128: Germany (new site). Port 4899: China (new site), India (new site). Port 5900: Algeria (new site), China (2 new sites), Korea (new site). Port 7212: China (new site). Honey Pot Activity: China surfed port 80 and attacked through port 1080, three hours after the service pack update was attempted. The Chinese attack failed. Germany surfed port 80 and attempted no attack. Ethiopia surfed port 80 and attempted no attack.
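The advised firewall steps in the 29 October report above (ports 7212, 1026, 1027, 1028 and the IP list) can be expressed as a policy and checked against the Honey Pot connection table above. The following is an added example, not BLSS code: it validates and de-duplicates the IP list as printed (the report lists 202.97.238.202 twice), classifies each observed connection by the rule that would have dropped it, and renders the policy as iptables rules. The seven connections are re-typed from the table; the two extra connections and the host 10.0.0.5 are constructed.

```python
"""Added example (not BLSS code): the advised firewall steps as a checkable policy.

The port and IP lists are those given in the 29 October report; the observed
connections are the seven entries of the 28 October Honey Pot table plus two
constructed ones that show which rule catches what.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ADVISED_PORTS = {7212, 1026, 1027, 1028}

# As printed in the report, including its duplicate entry for 202.97.238.202.
ADVISED_IPS_RAW = """
121.18.13.107 121.18.12.197 221.208.208.83 221.208.208.91 221.208.208.95
221.208.208.98 202.97.238.202 218.50.1.119 222.239.255.43 121.235.156.114
210.79.152.144 202.97.238.202 221.208.208.101 44.139.107.99
""".split()


def normalise_blocklist(raw):
    """Validate each entry as an IPv4 address and drop duplicates, keeping order.

    Returns (clean_list, rejected_list): a typo in a firewall list should be
    reported, not silently turned into a rule for the wrong host.
    """
    seen, clean, rejected = set(), [], []
    for item in raw:
        try:
            ip = ipaddress.IPv4Address(item)
        except ipaddress.AddressValueError:
            rejected.append(item)
            continue
        if ip not in seen:
            seen.add(ip)
            clean.append(ip)
    return clean, rejected


@dataclass(frozen=True)
class Conn:
    src: str
    dst_port: int
    proto: str  # "TCP" or "UDP"


# Honey Pot connections from the 28 October table (constructed input).
OBSERVED = [
    Conn("121.18.13.107", 7212, "TCP"),
    Conn("121.235.156.114", 1026, "UDP"),
    Conn("210.79.152.144", 1026, "UDP"),
    Conn("221.208.208.91", 1027, "UDP"),
    Conn("202.97.238.202", 1027, "UDP"),
    Conn("221.208.208.101", 1026, "UDP"),
    Conn("44.139.107.99", 1026, "UDP"),
    # Constructed: an unlisted host probing an advised port, and a listed
    # host on a port the advice does not cover.
    Conn("10.0.0.5", 1026, "UDP"),
    Conn("221.208.208.83", 80, "TCP"),
]


def classify(conn, blocked_ips, ports=ADVISED_PORTS):
    """Name the advised rule(s), if any, that would have dropped this connection."""
    by_ip = ipaddress.IPv4Address(conn.src) in blocked_ips
    by_port = conn.dst_port in ports
    if by_ip and by_port:
        return "ip+port"
    if by_ip:
        return "ip"
    if by_port:
        return "port"
    return "allowed"


def evaluate(observed=OBSERVED, raw_ips=ADVISED_IPS_RAW):
    """Apply the policy to every observed connection and summarise the verdicts."""
    clean, rejected = normalise_blocklist(raw_ips)
    blocked = set(clean)
    verdicts = {c: classify(c, blocked) for c in observed}
    return {"rules": len(clean), "rejected": rejected,
            "verdicts": verdicts, "summary": Counter(verdicts.values())}


def iptables_rules(raw_ips=ADVISED_IPS_RAW, ports=ADVISED_PORTS):
    """Render the policy as iptables INPUT rules (one possible enforcement point)."""
    clean, _ = normalise_blocklist(raw_ips)
    rules = [f"iptables -A INPUT -s {ip} -j DROP" for ip in clean]
    for port in sorted(ports):
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A INPUT -p {proto} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    result = evaluate()
    print(f"{result['rules']} unique IPs (rejected: {result['rejected']})")
    for conn, verdict in result["verdicts"].items():
        print(f"{conn.src:>16} {conn.proto} /{conn.dst_port:<5} -> {verdict}")
    print(dict(result["summary"]))
```

Only the port rules stop the unlisted host, which is the report's own point that a per-IP list lags behind the new sources appearing each day.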
----Service Pack Update Activated During The Following IP Connections -----
IP Address : 121.18.13.107 [ 121.18.13.107 ]
ISP : -
Organization : CNC Group Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East
IP Address : 121.235.156.114 [ 114.156.235.121.broad.wx.js.dynamic.163data.com.cn ]
ISP : -
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
IP Address : 210.79.152.144 [ 144M61.rivo.mediatti.net ]
ISP : Mediatti Communications Inc.
Organization : Mediatti Communications,Inc.
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
IP Address : 221.208.208.91 [ 221.208.208.91 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East
IP Address : 202.97.238.202 [ 202.97.238.202 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East
IP Address : 221.208.208.101 [ 221.208.208.101 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East
IP Address : 44.139.107.99 [ 44.139.107.99 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: :Amateur Radio Digital Communications
OrgID: : ARDC
Address:
City:
StateProv:
PostalCode:
Country: : US
Below is a listing of the specific details on each port probe/attack and IP address:
----Port 1026 ---------
----Port 1027 -----------
----Port 1028 -----------
----Port 21 -----------
----Port 22 -----------
----Port 25 -----------
----Port 1080 ----------
----Port 1433 ----------
----Port 1434 ----------
----Port 2967 -----------
----Port 2968 ----------
----Port 3128 ---------
----Port 4899 ---------
----Port 5900 ----------
----Port 7212 -------------
----Honey Pot Activity -----------
------------------------------------------
http://www.blacklabsecurity.com/
BLSS detected and observed the highest number of new computers suddenly broadcasting over the Internet to date. China and Korea continue to escalate their probes/attacks on all previously reported ports. The number of IPs in China and Korea probing/attacking the U.S. is rising substantially each night.
Please read this report carefully. Several government computers are now broadcasting over port 1026 UDP.
BLSS also detected and captured the forensics of multiple IP connections from China (Hebei, Beijing and 3 Harbin IP sites), Japan, and one site inside the U.S. from an Amateur Radio Digital Communications Group.
Several unauthorized files were detected from offshore sources (IPs) within the BLSS Honey Pot that included REGCODE.DLL and ADFSOCM.DLL.
The following IPs were connected to the BLSS Honey Pot when these files were received:
IP Address        Location          Port   Protocol
---------------   ---------------   -----  --------
121.18.13.107     China - Hebei     7212   TCP
121.235.156.114   China - Beijing   1026   UDP
210.79.152.144    Japan             1026   UDP
221.208.208.91    China - Harbin    1027   UDP
202.97.238.202    China - Harbin    1027   UDP
221.208.208.101   China - Harbin    1026   UDP
44.139.107.99     U.S.              1026   UDP
(IP 44.139.107.99 is located somewhere (approx) in Colorado at an Amateur Radio Digital Communications station)
Several other key U.S. government computers are now suddenly broadcasting over port 1026 UDP;
Four computers from the Naval Ocean Systems Center:
1) 214.174.173.142
2) 33.14.45.142
3) 214.71.189.59
4) 214.84.88.214
One computer from the DoD Network Centric Operations:
1) 26.198.93.126
Several other U.S. computers are now broadcasting on port 1026: the IANA probed port 1026 a total of eight times last night, from eight separate IP addresses, and one computer each from Hewlett-Packard Company, Cingular Wireless II, Road Runner, TDS Telecom and the Buckeye Pipe Line Company also probed.
Other countries probing on Port 1026; China (new site), Korea (2 new sites), Japan (2 new sites), Canada (4 new sites – one of these computers is from Nortel Networks Canada), Italy (new site), Germany (new site), New Zealand (new site), United Kingdom, (new site), “Societe Internationale de Telecomm (Europe), One IP Address which has no record and cannot be traced (most likely belongs to a government agency), Australia (new site). Port 1027; Canada (new site), Israel (new site). Port 1028; Canada (new site). Port 21; China (new site). Port 22; Netherlands (new site), China (2 new sites), Japan (new site), U.S. (new site). Port 25; Taiwan (new site). Port 1080; China (new site), Korea (new site). Port 1433; Taiwan (new site), U.S. (new site), China (new site). Port 1434; China (2 new sites, including China Mobile Comm Corp). Port 2967; Spain (new site), U.S. (new site), China (new site). Port 2968; U.S. (new site). Port 3128; Germany (new site). Port 4899; China (new site), India (new site). Port 5900; Algeria (new site), China (2 new sites), Korea (new site). Port 7212; China (new site). Honey Port Activity; China surfed port 80 and attacked through port 1080, three hours after the service pack update was attempted. The Chinese attack failed. Germany surfed port 80 and attempted no attack. Ethiopia surfed port 80 and attempted no attack.
----Service Pack Update Activated During The Following IP Connections -----
IP Address : 121.18.13.107 [ 121.18.13.107 ]
ISP : -
Organization : CNC Group Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East
IP Address : 121.235.156.114 [
114.156.235.121.broad.wx.js.dynamic.163data.com.cn ]
ISP : -
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
IP Address : 210.79.152.144 [ 144M61.rivo.mediatti.net ]
ISP : Mediatti Communications Inc.
Organization : Mediatti Communications,Inc.
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
IP Address : 221.208.208.91 [ 221.208.208.91 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East
IP Address : 202.97.238.202 [ 202.97.238.202 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East
IP Address : 221.208.208.101 [ 221.208.208.101 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East
IP Address : 44.139.107.99 [ 44.139.107.99 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: :Amateur Radio Digital Communications
OrgID: : ARDC
Address:
City:
StateProv:
PostalCode:
Country: : US
Below is a listing of the specific details on each port probe/attack and IP
address:
----Port 1026 ---------
IP Address : 110.223.103.15 [ 110.223.103.15 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 221.208.208.100 [ 221.208.208.100 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East
IP Address : 16.190.180.16 [ 16.190.180.16 ]
ISP : HEWLETT-PACKARD COMPANY
Organization : Hewlett-Packard Company
Location : US, United States
City : Palo Alto, CA 94304
Latitude : 37°37'62" North
Longitude : 122°18'26" West
IP Address : 122.43.240.241 [ 122.43.240.241 ]
ISP : -
Organization : POWERCOMM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East
IP Address : 214.174.173.142 [ 214.174.173.142 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 155.164.42.223 [ 155.164.42.223 ]
ISP : Cingular Wireless II, LLC
Organization : Cingular Wireless II, LLC
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 77.148.5.226 [ 77.148.5.226 ]
ISP : -
Organization : freenet Cityline GmbH
Location : DE, Germany
City : Kiel, 10 -
Latitude : 54°33'33" North
Longitude : 10°13'33" East
IP Address : 142.217.35.43 [ 142-217-35-43.telebecinternet.net ]
ISP : Telebec
Organization : Telebec
Location : CA, Canada
City : Scarborough, ON -
Latitude : 43°75'00" North
Longitude : 79°20'00" West
IP Address : 91.81.75.23 [ 91.81.75.23 ]
ISP : -
Organization : Vodafone Omnitel N.V.
Location : IT, Italy
City : Ivrea, 12 -
Latitude : 45°46'67" North
Longitude : 7°86'67" East
IP Address : 24.64.238.193 [ S0106000cf1e85077.cg.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Calgary, AB -
Latitude : 51°08'33" North
Longitude : 114°08'33" West
IP Address : 47.8.89.165 [ h165s89a8n47.user.nortelnetworks.com ]
ISP : Bell-Northern Research
Organization : Nortel Networks
Location : CA, Canada
City : Ottawa, ON k1y4h7
Latitude : 45°41'67" North
Longitude : 75°70'00" West
IP Address : 133.94.112.4 [ 133.94.112.4 ]
ISP : -
Organization : -
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
OrgName: : Japan Network Information Center
OrgID: : JNIC
Address: : Kokusai-kougyou-Kanda Bldg 6F
Address: : 2-3-4 Uchikanda
City: : Chiyoda-ku
StateProv: : Tokyo
PostalCode: : 101-0047
Country: : JP
IP Address : 33.14.45.142 [ 33.14.45.142 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 175.71.14.149 [ 175.71.14.149 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 121.135.156.114 [ 121.135.156.114 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East
IP Address : 210.79.52.144 [ 210.79.52.144 ]
ISP : Traced to Auckland, New Zealand and lost
IP Address : 44.139.107.99 [ 44.139.107.99 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Amateur Radio Digital Communications
OrgID: : ARDC
Address:
City:
StateProv:
PostalCode:
Country: : US
IP Address : 82.26.217.87 [ client-82-26-217-87.glfd.adsl.virgin.net ]
ISP : NTL Internet
Organization : NTL Internet
Location : GB, United Kingdom
City : Rochdale, L2 -
Latitude : 53°61'67" North
Longitude : 2°15'00" West
IP Address : 214.71.189.59 [ 214.71.189.59 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 57.14.29.60 [ 57.14.29.60 ]
ISP : SITA-Societe Internationale de Telecommunications
Organization : SITA-Societe Internationale de Telecommunications
Location : EU, Europe
City : -, - -
Latitude : 47°00'00" North
Longitude : 8°00'00" East
IP Address : 69.135.158.111 [ voip-69-135-158-111.neo.rr.com ]
ISP : Road Runner
Organization : Road Runner
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 121.110.92.53 [ KD121110092053.ppp-bb.dion.ne.jp ]
ISP : -
Organization : KDDI Corporation
Location : JP, Japan
City : Tokyo, 40 -
Latitude : 35°68'50" North
Longitude : 139°75'14" East
IP Address : 177.119.235.34 [ 177.119.235.34 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 174.28.137.177 [ 174.28.137.177 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 142.61.198.197 [ 142.61.198.197 ]
ISP : Canadian Research Network
Organization : Canadian Research Network
Location : CA, Canada
City : Toronto, ON m5s3j1
Latitude : 43°66'67" North
Longitude : 79°41'68" West
IP Address : 216.165.129.157 [ ns6.dns.tds.net ]
ISP : TDS TELECOM
Organization : TDS TELECOM
Location : US, United States
City : Madison, WI 53717
Latitude : 43°07'37" North
Longitude : 89°52'74" West
IP Address : 178.95.193.126 [ 178.95.193.126 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 26.198.93.126 [ 26.198.93.126 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : DoD Network Information Center
OrgID: : DNIC
Address: : 3990 E. Broad Street
City: : Columbus
StateProv: : OH
PostalCode: : 43218
Country: : US
IP Address : 209.197.186.202 [ hs-scarlett-209197186202.3web.net ]
ISP : Cybersurf
Organization : 3web Corp.
Location : CA, Canada
City : Calgary, AB t2e7p1
Latitude : 51°08'33" North
Longitude : 114°08'33" West
IP Address : 139.186.84.121 [ 139.186.84.121 ]
ISP : No Record (Unknown) No Trace Whatsoever
IP Address : 161.224.174.101 [ 161.224.174.101 ]
ISP : Buckeye Pipe Line Company
Organization : Buckeye Pipe Line Company
Location : US, United States
City : Emmaus, PA 18049
Latitude : 40°51'89" North
Longitude : 75°50'13" West
IP Address : 182.148.106.18 [ 182.148.106.18 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 108.85.32.236 [ 108.85.32.236 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 183.200.235.254 [ 183.200.235.254 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US
IP Address : 118.242.111.243 [ 118.242.111.243 ]
OrgName: : Asia Pacific Network Information Centre
OrgID: : APNIC
Address: : PO Box 2131
City: : Milton
StateProv: : QLD
PostalCode: : 4064
Country: : AU
IP Address : 214.84.88.214 [ 214.84.88.214 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
----Port 1027 -----------
IP Address : 24.64.238.193 [ S0106000cf1e85077.cg.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Calgary, AB -
Latitude : 51°08'33" North
Longitude : 114°08'33" West
IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East
----Port 1028 -----------
IP Address : 24.64.238.193 [ S0106000cf1e85077.cg.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Calgary, AB -
Latitude : 51°08'33" North
Longitude : 114°08'33" West
----Port 21 -----------
IP Address : 202.108.12.7 [ 202.108.12.7 ]
ISP : CNCGROUP Beijing province network
Organization : CNCGROUP Beijing Province Network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
----Port 22 -----------
IP Address : 212.204.181.15 [ cc573055-b.wolve1.fr.home.nl ]
ISP : Essent Kabelcom B.V.
Organization : Essent Kabelcom B.V. B.V.
Location : NL, Netherlands
City : Nijmegen, 03 -
Latitude : 51°83'33" North
Longitude : 5°86'67" East
IP Address : 61.146.178.13 [ 61.146.178.13 ]
ISP : Data Communication Division
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East
IP Address : 65.19.156.160 [ 65.19.156.160 ]
ISP : Hurricane Electric
Organization : Joe's Web Hosting
Location : JP, Japan
City : Osaka, 32 -
Latitude : 34°66'67" North
Longitude : 135°50'00" East
IP Address : 202.106.62.52 [ 202.106.62.52 ]
ISP : CNCGROUP Beijing province network
Organization : CNCGROUP Beijing Province Network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
IP Address : 208.115.34.232 [ 208.115.34.232 ]
ISP : -
Organization : Bocacom.net LLC
Location : US, United States
City : Boca Raton, FL 33431
Latitude : 26°38'18" North
Longitude : 80°10'46" West
----Port 25 -----------
IP Address : 61.31.167.78 [ 61-31-167-78.dynamic.tfn.net.tw ]
ISP : Taiwan Fixed Network CO.,LTD.
Organization : Taiwan Fixed Network CO.,LTD.
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East
----Port 1080 ----------
IP Address : 125.65.76.15 [ 125.65.76.15 ]
ISP : CHINANET Sichuan province network
Organization : SC-MY-XIWEISHUMA-LYD
Location : CN, China
City : Mianyang, 32 -
Latitude : 31°46'67" North
Longitude : 104°76'67" East
IP Address : 222.239.255.43 [ 222.239.255.43 ]
ISP : Hanaro Telecom, Inc.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East
----Port 1433 ----------
IP Address : 60.248.124.139 [ 60-248-124-139.HINET-IP.hinet.net ]
ISP : CHTD, Chunghwa Telecom Co.,Ltd.
Organization : Chunghwa Telecom Data communication Business Group
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East
IP Address : 69.149.1.231 [ adsl-69-149-1-231.dsl.rcsntx.swbell.net ]
ISP : SBC Internet Services
Organization : SBC Internet Services
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 218.28.119.230 [ pc0.zz.ha.cn ]
ISP : CNCGROUP Henan province network
Organization : CNCGROUP Henan province network
Location : CN, China
City : Henan, 24 -
Latitude : 37°89'97" North
Longitude : 112°18'72" East
----Port 1434 ----------
IP Address : 61.242.244.143 [ 61.242.244.143 ]
ISP : China United Telecommunications Corporation
Organization : China United Telecommunications Corporation
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
IP Address : 221.130.68.206 [ 221.130.68.206 ]
ISP : China Mobile Communications Corporation
Organization : China Mobile Communications Corporation - jiangsu
Location : CN, China
City : -, - -
Latitude : 35°00'00" North
Longitude : 105°00'00" East
----Port 2967 -----------
IP Address : 62.43.240.58 [ 62.43.240.58 ]
ISP : ONO
Organization : ONO
Location : ES, Spain
City : Madrid, 29 -
Latitude : 40°40'00" North
Longitude : 3°68'33" West
IP Address : 64.194.57.21 [ ims-64-194-57-21.imsday.com ]
ISP : Level 3 Communications
Organization : Time Warner Cable
Location : US, United States
City : Houston, TX -
Latitude : 29°77'55" North
Longitude : 95°41'52" West
IP Address : 218.66.104.217 [ 218.66.104.217 ]
ISP : Data Communication Division
Organization : Data Communication Division
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East
----Port 2968 ----------
IP Address : 69.22.217.135 [ user-12hdmc7.cable.mindspring.com ]
ISP : EarthLink
Organization : EarthLink
Location : US, United States
City : Cliffside Park, NJ 07010
Latitude : 40°82'03" North
Longitude : 73°98'71" West
----Port 3128 ---------
IP Address : 87.118.118.98 [ ns.km31021.keymachine.de ]
ISP : Keyweb AG
Organization : Keyweb AG IP Network
Location : DE, Germany
City : Erfurt, 15 -
Latitude : 50°98'33" North
Longitude : 11°03'33" East
----Port 4899 ---------
IP Address : 61.153.155.189 [ 61.153.155.189 ]
ISP : Data Communication Division
Organization : CHINANET-ZJ Ningbo node network
Location : CN, China
City : Ningbo, 02 -
Latitude : 29°87'50" North
Longitude : 121°54'19" East
IP Address : 59.163.49.6 [ 59.163.49.6.static.vsnl.net.in ]
ISP : Videsh Sanchar Nigam Ltd - India.
Organization : Videsh Sanchar Nigam Ltd
Location : IN, India
City : Bombay, 16 -
Latitude : 18°97'50" North
Longitude : 72°82'58" East
----Port 5900 ----------
IP Address : 82.101.190.13 [ 82.101.190.13 ]
ISP : IP-ADSL-ALGER
Organization : IP-ADSL-ALGER
Location : DZ, Algeria
City : Alger, 01 -
Latitude : 36°76'31" North
Longitude : 3°05'06" East
IP Address : 222.216.28.178 [ 222.216.28.178 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East
IP Address : 211.116.157.35 [ 211.116.157.35 ]
ISP : KRNIC
Organization : NEORO COM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East
IP Address : 218.95.184.104 [ 218.95.184.104 ]
ISP : Data Communication Division
Organization : CHINANET ningxia province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
----Port 7212 -------------
IP Address : 60.213.45.62 [ 60.213.45.62 ]
ISP : CNCGROUP Shandong province network
Organization : CNCGROUP Shandong province network
Location : CN, China
City : Jinan, 25 -
Latitude : 36°66'83" North
Longitude : 116°99'72" East
----Honey Pot Activity -----------
IP Activity : Surfed port 80 and attacked through port 1080
IP Address : 222.217.221.214 [ 222.217.221.214 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East
IP Activity : Surfed port 80
IP Address : 87.118.118.98 [ ns.km31021.keymachine.de ]
ISP : Keyweb AG
Organization : Keyweb AG IP Network
Location : DE, Germany
City : Erfurt, 15 -
Latitude : 50°98'33" North
Longitude : 11°03'33" East
IP Activity : Surfed port 80
IP Address : 213.55.79.250 [ 213.55.79.250 ]
ISP : Ethiopian Telecommunication Corporation
Organization : Ethiopian Telecommunication Corporation
Location : ET, Ethiopia
City : -, - -
Latitude : 8°00'00" North
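The listings above are the raw output of the report's geolocation lookup, one "IP Address / ISP / Organization / Location / City / Latitude / Longitude" block per new source, grouped under "----Port N ----" headers, with the Honey Pot section adding an "IP Activity" line before each address. The following parser is an added example, not part of the original report or of Black Lab Security's tooling. It reads that format into records, counts new sources per port and per country, and cross-references honey pot visitors against the port listings (on this page 87.118.118.98 appears both as a new port 3128 source and as a honey pot visitor). The sample input is constructed from records on this page, trimmed to a few per section, and the last record is left without a Longitude line the way the page's final record is. One assumption is labelled in the code: the tool appears to print decimal degrees with the fraction split into two two-digit groups (Beijing as 39°92'89" can only be 39.9289, since minutes cannot exceed 59), so coordinates are converted by rejoining the digits rather than by a base-60 conversion.

```python
import re
from collections import Counter

# Constructed sample in the report's own record format (records copied from this
# page, trimmed to a few per section) so the parser runs offline.
SAMPLE_REPORT = """\
----Port 1433 ----------
IP Address : 60.248.124.139 [ 60-248-124-139.HINET-IP.hinet.net ]
ISP : CHTD, Chunghwa Telecom Co.,Ltd.
Organization : Chunghwa Telecom Data communication Business Group
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East
----Port 3128 ---------
IP Address : 87.118.118.98 [ ns.km31021.keymachine.de ]
ISP : Keyweb AG
Organization : Keyweb AG IP Network
Location : DE, Germany
City : Erfurt, 15 -
Latitude : 50°98'33" North
Longitude : 11°03'33" East
----Honey Pot Activity -----------
IP Activity : Surfed port 80 and attacked through port 1080
IP Address : 222.217.221.214 [ 222.217.221.214 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East
IP Activity : Surfed port 80
IP Address : 87.118.118.98 [ ns.km31021.keymachine.de ]
ISP : Keyweb AG
Organization : Keyweb AG IP Network
Location : DE, Germany
City : Erfurt, 15 -
Latitude : 50°98'33" North
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.*?)\s*-{3,}$")          # ----Port 1433 ----------
IP_RE = re.compile(r"^IP Address\s*:\s*(\S+)\s*\[\s*(.*?)\s*\]")  # address [ hostname ]
KV_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")               # Key : value
DMS_RE = re.compile(r"""^(\d+)°(\d+)'(\d+)"\s*(North|South|East|West)$""")


def dms_to_decimal(text):
    """Signed decimal degrees from the report's coordinate strings, or None.
    Assumption: the tool printed decimal degrees as deg°dd'dd" (39°92'89" is
    39.9289), so the digits are rejoined instead of a base-60 DMS conversion."""
    m = DMS_RE.match(text.strip())
    if not m:
        return None
    deg, mins, secs, hemi = m.groups()
    value = float(f"{deg}.{mins}{secs}")
    return -value if hemi in ("South", "West") else value


def parse_report(text):
    """Walk the section headers and build one dict per 'IP Address' line."""
    records, current, section, pending_activity = [], None, "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if sec := SECTION_RE.match(line):
            section = sec.group(1)
        elif ipm := IP_RE.match(line):
            current = {"section": section, "ip": ipm.group(1), "host": ipm.group(2),
                       "activity": pending_activity, "lat": None, "lon": None}
            records.append(current)
            pending_activity = ""
        elif kv := KV_RE.match(line):
            key, value = kv.group(1).strip(), kv.group(2).strip()
            if key == "IP Activity":        # precedes the IP Address line it describes
                pending_activity = value
            elif current is None:
                continue
            elif key == "Location":         # "CC, Country name": keep the ISO code
                current["country_code"] = value.partition(",")[0].strip()
            elif key in ("Latitude", "Longitude"):
                current["lat" if key == "Latitude" else "lon"] = dms_to_decimal(value)
            else:                           # ISP, Organization, City
                current[key.lower()] = value
    return records


def count_by_section(records):
    return Counter(r["section"] for r in records)


def count_by_country(records, prefix="Port"):
    """New-source counts per country code, limited to the port listings by default."""
    return Counter(r["country_code"] for r in records if r["section"].startswith(prefix))


def honeypot_overlap(records):
    """Honey pot visitors that were also logged as new port scanners, with those ports."""
    ports_by_ip = {}
    for r in records:
        if r["section"].startswith("Port"):
            ports_by_ip.setdefault(r["ip"], []).append(r["section"])
    return {r["ip"]: ports_by_ip[r["ip"]] for r in records
            if r["section"].startswith("Honey Pot") and r["ip"] in ports_by_ip}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(dict(count_by_section(recs)), dict(count_by_country(recs)))
    for ip, ports in honeypot_overlap(recs).items():
        print(f"{ip} visited the honey pot and was also a new scanner on {', '.join(ports)}")
```

Run against a full day's post the same three functions give the per-port and per-country totals the narrative summarises by hand, and the overlap check is the one worth keeping: a host that both probes a service port and then surfs the honey pot is a better candidate for a block than a single unrepeated probe.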