Black Lab Security Cyber Center Report
October 19, 2007 (09:00 AM CMT)
Black Lab Security Systems, Inc.
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacksecurity.com/
Our BLSS Cyber Report is experimenting with a new format. As you requested, and as you will see below, it has more categories with less narrative, in an attempt to get directly to the point.
Summary of Overnight Internet Activity
-----------------------------------------------------
1) New probes/attacks were detected on port 1026 from Italy and the Univ. Of Utah (same characteristics as previously recorded with China).
2) Continued probes/attacks on port 1026 were sustained by China, Germany (Daimler Chrysler - Automobile Corporation), France and Israel.
3) New computers with no known record have begun to probe/attack on port 1026. The first computer with no record is 162.226.138.24 and was located by satellite on the coast of the United Kingdom. The second computer with no record is 96.84.183.29 and could NOT be located by satellite. Both internet addresses (computers) with no records are now broadcasting over the Internet. We can only conclude these are government agency computers, which have been configured to remain 100% stealth (silent) while on the Internet and have been "hi-jacked" over port 1026 and now broadcasting.
4) New probe/attack on port 1024 from Turkey.
5) New probe/attack on port 21 from Brazil: BLSS detected and logged two sites within Brazil executing their probe/attack on port 21 at almost exactly the same time.
6) Finally, three computers connected to our BLSS honey pot through port 80, then began to manually attack it. When the manual attacks were not successful, they executed a series of programs which scanned over 2000 possible ports in an attempt to gain entry and hack our honey pot. The hackers connected to our honey pot via port 80, remained connected while they executed their programs, then disconnected from our honey pot after about 30 minutes of continuous penetration attempts.
New on Port 1026
-----------------------
Italy
Univ Of Utah (U.S.).
Previously recorded and still probing/attacking Port 1026
----------------------------------------------------------------------------
More computers in the U.K. with no record
Germany
France
Israel
New on Port 1024
-----------------------
Turkey
New on Port 21
---------------------
Brazil - detected two sites coordinated together probing/attacking port 21
New Probes/Attacks from China
-----------------------------
New probe/attack from China on port 949
New probe/attack from China on port 22
New probe/attack from China on port 2967
New probe/attack from China on port 42
New Sites Detected From China
-----------------------------
New probe/attack from China on port 1434 from a new IP
New probe/attack from China on port 2967 from a new IP
New probe/attack from Rep Of Korea on port 4899
New Probes/Attacks from Korea
-----------------------------
New probe/attack from Rep Of Korea on port 7212 - same as previously recorded with China
Noticeably Higher Volume Than Normal
------------------------------------
Noticeably high volume of probes/attacks on port 8180 from U.S.
Noticeably high volume of probes/attacks on port 3128 from Korea
Hackers Connecting And Attacking Our BLSS Honey Pot
---------------------------------------------------
Actually connecting through port 80, then attacking our honey pot:
Canada
U.S. - Somewhere approximately in Colorado
Hackers Attack Summary
----------------------
The hackers connected via port 80, then manually executed a series of attacks. Once the manual attacks were not successful, the hackers executed a series of programs which scanned/probed, and attempted to hack, over 2000 ports. While the full port list is too long to include in this e-mail, some of the ports probed/attacked by the hackers are the following:
80, 1, 35019, 44285, 1026, 4137, 777, 5550, 4987, 830, 941, 716, 829, 49400, 61, 65, 295, 1355, 985, 680, 1664, 798, 1478, 704, 407, 1413, 902, 5060, 9991, 6147, 6006, 1984, 6112, 846, 2040, 150, 178, 297, 71, 20, 2044, 541, 1987, 910, 18184, 883, 1399, 1430, 329, 1004, 1494, 6142, 364, 528, 124, 4480, 791, 812, 1441, 640, 1352, 478, 431, 1025, 748, 8888, 3397, 1472, 347, 426, 27010, 794, 43, 274, 2628, 1350, 3455, 89, 13717, 341, 689, 500, 1485, 230, 292, 10000, 730, 784, 368, 792, 2602, 396, and so on: approximately 2000 ports in total (some scanned/probed/attacked more than once)
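The behaviour summarised above, a source that connects on one port and then sweeps a large number of other ports within roughly half an hour, can be flagged automatically from a connection log. The following is an added example, not BLSS code: it assumes a log line format of `YYYY-MM-DD HH:MM:SS PROTO SRC -> DST:PORT`, constructs its own sample lines (TEST-NET addresses), flags any source that reaches 50 or more distinct ports inside a sliding 30-minute window, and groups sources by port the way the report's "new on port N" sections do.

```python
"""Added example (not BLSS code): flag a source that connects on one port
and then sweeps many others, as described in the attack summary above.
Assumed log format (adapt parse_line() to a real firewall's format):
    YYYY-MM-DD HH:MM:SS PROTO SRC_IP -> DST_IP:DST_PORT
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)


def parse_line(line):
    """Return one event dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = int(m["port"])
    if not 0 < port <= 65535:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": m["proto"], "src": m["src"], "port": port}


def detect_sweeps(events, window=timedelta(minutes=30), min_ports=50):
    """Return {src: info} for every source that touches at least min_ports
    distinct destination ports inside some sliding window of length window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)  # port -> hits currently inside window
        left = 0
        for e in evs:
            in_window[e["port"]] += 1
            # drop events that fell out of the window as it slides forward
            while e["ts"] - evs[left]["ts"] > window:
                p = evs[left]["port"]
                in_window[p] -= 1
                if in_window[p] == 0:
                    del in_window[p]
                left += 1
            if len(in_window) >= min_ports and src not in alerts:
                alerts[src] = {"first_port": evs[0]["port"],  # 80 in the report
                               "first_seen": evs[0]["ts"],
                               "crossed_at": e["ts"]}
        if src in alerts:
            alerts[src]["distinct_ports"] = len({x["port"] for x in evs})
            alerts[src]["last_seen"] = evs[-1]["ts"]
    return alerts


def sources_by_port(events):
    """Group sources by destination port, like the 'new on port N' lists."""
    ports = defaultdict(set)
    for e in events:
        ports[e["port"]].add(e["src"])
    return {p: sorted(s) for p, s in ports.items()}


def analyse(lines):
    events = [e for e in map(parse_line, lines) if e is not None]
    return detect_sweeps(events), sources_by_port(events)


def build_sample_log():
    """Constructed sample log (TEST-NET addresses, not real sources)."""
    base = datetime(2007, 10, 18, 22, 0, 0)
    fmt = "{:%Y-%m-%d %H:%M:%S} {} {} -> 192.0.2.5:{}"
    lines = [fmt.format(base, "TCP", "203.0.113.10", 80)]
    # sweeper: 120 further distinct ports within 28 minutes of the port-80 hit
    for i in range(120):
        lines.append(fmt.format(base + timedelta(seconds=30 + 14 * i),
                                "TCP", "203.0.113.10", 1 + (541 * i) % 65535))
    # slow host: 60 ports spread over ten hours, never 50 inside one window
    for i in range(60):
        lines.append(fmt.format(base + timedelta(minutes=10 * i),
                                "TCP", "198.51.100.7", 2000 + i))
    # repeated single-port probes on 1026/udp, as the report describes
    for i in range(3):
        lines.append(fmt.format(base + timedelta(minutes=5 * i),
                                "UDP", "198.51.100.9", 1026))
    lines.append("line that does not match the format and is skipped")
    return lines


if __name__ == "__main__":
    sweeps, by_port = analyse(build_sample_log())
    for src, info in sweeps.items():
        print(f"SWEEP {src}: first port {info['first_port']}, "
              f"{info['distinct_ports']} distinct ports")
    print("sources on 1026/udp:", by_port[1026])
```

The slow host shows why the window matters: the same 60 ports spread over ten hours is ordinary background noise, while 120 ports in 28 minutes from one address is the sweep described above.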
Below is a listing of the specific details on each port probe/attack and IP address:
---- Port 1026
IP Address : 90.131.246.209 [ d90-131-246-209.cust.tele2.it ]
ISP : -
Organization : Tele2 Italy S.A
Location : IT, Italy
City : -, - -
Latitude : 42°83'33" North
Longitude : 12°83'33" East
IP Address : 155.98.155.83 [ 155.98.155.83 ]
ISP : University of Utah
Organization : University of Utah
Location : US, United States
City : Salt Lake City, UT 84108
Latitude : 40°78'55" North
Longitude : 111°73'67" West
IP Address : 162.226.138.24 [ 162.226.138.24 ]
No Record
IP Address : 96.84.183.29 [ 96.84.183.29 ]
No Record
IP Address : 194.164.169.63 [ 194.164.169.63 ]
ISP : Mistral Internet
Organization : Mistral Internet
Location : GB, United Kingdom
City : Brighton, E2 -
Latitude : 50°83'33" North
Longitude : 0°15'00" West
IP Address : 30.182.61.121 [ 30.182.61.121 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 53.139.242.162 [ 53.139.242.162 ]
ISP : DaimlerChrysler AG
Organization : DAIMLERCHRYSLER AG
Location : DE, Germany
City : Stuttgart, 01 -
Latitude : 48°76'67" North
Longitude : 9°18'33" East
IP Address : 86.67.144.204 [ 204.144.67-86.rev.gaoland.net ]
ISP : LDCOM
Organization : LDCOM
Location : FR, France
City : Billancourt, A8 -
Latitude : 48°83'33" North
Longitude : 2°25'00" East
IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East
---- Port 1024
IP Address : 85.111.0.240 [ 85.111.0.240 ]
ISP : Turk Telekom
Organization : Turk Telekom
Location : TR, Turkey
City : Ankara, 68 -
Latitude : 39°92'72" North
Longitude : 32°86'44" East
---- Port 8180 (identified due to continuous hits)
IP Address : 208.109.78.71 [ wh120.prod.mesa1.secureserver.net ]
ISP : Go Daddy Software
Organization : GoDaddy.com
Location : US, United States
City : Scottsdale, AZ 85260
Latitude : 33°61'19" North
Longitude : 111°89'07" West
IP Address : 72.20.41.204 [ yourescortagency.com ]
ISP : Staminus Communications
Organization : Staminus Communications
Location : US, United States
City : Fullerton, CA 92832
Latitude : 33°86'82" North
Longitude : 117°92'93" West
---- Port 949
IP Address : 58.56.77.122 [ 58.56.77.122 ]
ISP : CHINANET shandong province network
Organization : CHINANET shandong province network
Location : CN, China
City : Jinan, 25 -
Latitude : 36°66'83" North
Longitude : 116°99'72" East
IP Address : 218.92.50.85 [ 218.92.50.85 ]
ISP : Data Communication Division
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
---- Port 22
IP Address : 221.122.59.2 [ 221.122.59.2 ]
ISP : CETC-CHINACOMM COMMUNICATIONS Co.,Ltd.
Organization : CETC-CHINACOMM COMMUNICATIONS Co.,Ltd.
Location : CN, China
City : -, - -
Latitude : 35°00'00" North
Longitude : 105°00'00" East
---- Port 4899
IP Address : 122.38.90.165 [ 122.38.90.165 ]
ISP : -
Organization : POWERCOMM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East
---- Port 2967
IP Address : 60.174.69.246 [ 60.174.69.246 ]
ISP : CHINANET Anhui province network
Organization : CHINANET Anhui province network
Location : CN, China
City : Hefei, 01 -
Latitude : 31°86'39" North
Longitude : 117°28'08" East
---- Port 42
IP Address : 210.42.88.252 [ 210.42.88.252 ]
ISP : China Education and Research Network
Organization : Hubei Communications School
Location : CN, China
City : Wuhan, 12 -
Latitude : 30°58'33" North
Longitude : 114°26'67" East
---- Port 3128
IP Address : 218.50.1.119 [ 218.50.1.119 ]
ISP : Hanaro Telecom Co.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East
---- Port 7212
IP Address : 59.18.87.10 [ 59.18.87.10 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East
---- Port 1434
IP Address : 218.108.70.246 [ 218.108.70.246 ]
ISP : WASU TV & Communication Holding Co.,Ltd.
Organization : wangJiangFeng
Location : CN, China
City : Chaoyang, 19 -
Latitude : 41°57'03" North
Longitude : 120°45'86" East
---- Port 2967
IP Address : 202.113.121.152 [ 202.113.121.152 ]
ISP : China Education and Research Network
Organization : Heibei University of Technology
Location : CN, China
City : Tianjin, 28 -
Latitude : 39°14'22" North
Longitude : 117°17'67" East
---- Port 21
IP Address : 200.252.113.5 [ 200.252.113.5 ]
ISP : EMBRATEL-EMPRESA BRASILEIRA DE TELECOMUNICAÇÕES SA
Organization : CESB - Centro de Educacao Superior de Brasilia
Location : BR, Brazil
City : Brasília, 07 -
Latitude : 15°78'33" South
Longitude : 47°91'67" West
IP Address : 200.102.170.171 [ 200-102-170-171.paemt705.dsl.brasiltelecom.net.br ]
ISP : Brasil Telecom S/A - Filial Distrito Federal
Organization : Brasil Telecom S/A - Filial Distrito Federal
Location : BR, Brazil
City : Porto Alegre, 23 -
Latitude : 30°03'33" South
Longitude : 51°20'00" West
---- Port 80, then attacking our honey pot
IP Address : 70.68.54.161 [ S01060014a580e595.vf.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Victoria, BC -
Latitude : 48°43'33" North
Longitude : 123°35'00" West
IP Address : 69.157.7.252 [ bas2-hamilton14-1167919100.dsl.bell.ca ]
ISP : Bell Canada
Organization : Sympatico
Location : CA, Canada
City : Hamilton, ON -
Latitude : 43°25'00" North
Longitude : 79°83'33" West
IP Address : 4.91.133.221 [ dialup-4.91.133.221.Dial1.Philadelphia1.Level3.net ]
ISP : Level 3 Communications
Organization : Level 3 Communications
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
###
Black Lab Security Cyber Center Report
Thursday, October 18, 2007 (10:00 AM CMT)
Black Lab Security Systems, Inc.
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
BLSS Cyber Center Observations About Chinese Sites
In performing an in-depth analysis of the Chinese probes/attacks, we have reached the following conclusion:
Of all the active Chinese sites, the top nine most active sites, include two sites that are much more active than the remaining seven IP sites. The two sites which "break the curve" and are continuously probing/attacking every three-to-five minutes are the following:
Site Port
------------- ----
121.18.13.107 7212
121.18.12.197 7212
The remaining seven sites probing/attacking are the following:
Site Port
-------------- ----
221.208.208.83 1027
221.208.208.91 1027
221.208.208.95 1026 and 1027
221.208.208.98 1026
202.97.238.202 1026
218.50.1.119 3128
222.239.255.43 1080
We have detected a new computer in France joining the probe/attack on Port 1026. The information on the French computer is the following:
---- Port 1026
IP Address : 82.66.13.50 [ cau33-1-82-66-13-50.fbx.proxad.net ]
ISP : Proxad
Organization : Proxad / Free SAS
Location : FR, France
City : Bordeaux, 97 -
Latitude : 44°83'33" North
Longitude : 0°56'67" West
###
Black Lab Security Cyber Center Report
Thursday, October 18, 2007 (5:18 AM CMT)
Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
1) BLSS has detected and observed a major shift overnight, to a more positive period of overall internet activity. All probes/attacks from China still continue, but many Chinese sites appear to be much less frequent.
2) A few Chinese sites are still as aggressive, but not all Chinese sites are exhibiting the same level of aggressive activity.
3) The best news is that there has been a "shift" in the computers participating in the probe/attack of ports 1026 (and at times 1027) and port 1434. The "shift" consists of all new countries (except for the U.S.), which now include Japan, Israel, Taiwan, Switzerland and Sweden.
4) The worst news of the night is that Performance Systems International (U.S.), Morgan Stanley Group (U.S.), Oracle (U.S.), Oracle Japan and Sweden's "The Swatch Group" are now participating in the probe/attack on port 1026. South Korea is now probing/attacking on port 22.
We have utilized a satellite IP address locator, http://www.seomoz.org/ip2loc, in an attempt to identify the IP address 154.191.242.60 (yesterday's Cyber Report) and it is physically located on the coast of the United Kingdom. The location has been found, but the identity is still unknown.
In our professional opinion, last night's overall Internet activity is a major improvement compared to Tuesday night's Internet activity.
Port 1026 (and at times port 1027)
----------------------------------
Japan
U.S.
Israel
Taiwan
Switzerland
Port 1434
---------
Sweden
Port 22
-------
South Korea
The specific details on each IP are below.
---- Port 1026
IP Address : 133.160.34.234 [ 133.160.34.234 ]
ISP : -
Organization : -
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
IP Address : 24.211.81.202 [ cpe-024-211-081-202.sc.res.rr.com ]
ISP : Road Runner
Organization : Road Runner
Location : US, United States
City : Mamers, NC 27552
Latitude : 35°42'01" North
Longitude : 78°93'43" West
IP Address : 67.116.31.77 [ adsl-67-116-31-77.dsl.snfc21.pacbell.net ]
ISP : SBC Internet Services
Organization : PRINT SMITH
Location : US, United States
City : Moraga, CA -
Latitude : 37°83'81" North
Longitude : 122°10'26" West
IP Address : 133.121.131.115 [ 133.121.131.115 ]
ISP : -
Organization : -
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
IP Address : 38.66.244.63 [ 38.66.244.63 ]
ISP : Performance Systems International
Organization : Performance Systems International
Location : US, United States
City : Washington, DC 20007
Latitude : 38°91'44" North
Longitude : 77°07'63" West
IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East
IP Address : 138.20.91.183 [ 138.20.91.183 ]
ISP : Morgan Stanley Group
Organization : Morgan Stanley Group
Location : US, United States
City : New York, NY 10036
Latitude : 40°76'05" North
Longitude : 73°99'33" West
IP Address : 148.87.242.224 [ reserved-for-dhcp-148-87-242-224.oracle.com ]
ISP : Oracle Datenbanksysteme GmbH
Organization : Oracle Datenbanksysteme GmbH
Location : US, United States
City : Redwood City, CA 94065
Latitude : 37°53'31" North
Longitude : 122°24'71" West
IP Address : 124.11.42.31 [ 124-11-42-31.static.tfn.net.tw ]
ISP : Taiwan Fixed Network CO.,LTD.
Organization : Taiwan Fixed Network CO.,LTD.
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East
IP Address : 21.137.44.14 [ 21.137.44.14 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 149.133.181.115 [ 149.133.181.115 ]
ISP : THE SWATCH GROUP
Organization : THE SWATCH GROUP
Location : CH, Switzerland
City : Biel, 05 -
Latitude : 47°16'67" North
Longitude : 7°25'00" East
IP Address : 146.56.56.108 [ 146.56.56.108 ]
ISP : Oracle Corporation Japan
Organization : Oracle Corporation Japan
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
---- Port 1434
IP Address : 84.112.179.164 [ chello084112179164.31.11.vie.surfer.at ]
ISP : Chello Broadband GmbH
Organization : Chello Broadband GmbH
Location : SE, Sweden
City : -, - -
Latitude : 62°00'00" North
Longitude : 15°00'00" East
---- Port 22
IP Address : 58.120.21.229 [ 58.120.21.229 ]
ISP : Hanaro Telecom, Inc.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East
###
Black Lab Security Cyber Center Report
Wednesday, October 17, 2007 (5:41 PM CMT)
Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
Because ports 1026 and 1027 were the most common ports exploited overnight, we decided to provide an end-of-day report on these specific ports.
The most interesting probe/attack comes from an IP address of 154.191.242.60, which is not recorded in any of the 10 "whois" communication databases BLSS utilizes as reference at this time. It is an actual IP address and it is conducting probes/attacks on port 1026 UDP. We can only conclude that the IP must belong to a computer within a government agency.
We have detected and observed two new countries probing/attacking on the following ports (same as previously reported by China):
---- Port 1026
IP Address : 161.71.93.139 [ ip-161-71-0-0.euro.3com.com ]
ISP : Isolan House
Organization : Isolan House
Location : GB, United Kingdom
City : Hemel Hempstead, F8 -
Latitude : 51°75'00" North
Longitude : 0°46'67" West
---- Port 1027
IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East
###
Black Lab Security Cyber Center Report
Wednesday, October 17, 2007 (9:00 AM CMT)
Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
1) BLSS has detected and observed the worst night of probes/attacks since we started reporting Internet activity.
2) All probes/attacks from China continue, the interval between China's probes/attacks has gotten much shorter (worse), and China is "bombarding" the U.S. Internet infrastructure.
3) It is also the same scenario for South Korea. South Korea is probing/attacking with a greater frequency (same previously reported probes/attacks).
4) Within a 15 hour period since yesterday, many other countries have "suddenly started" probing/attacking the same ports as China/South Korea.
In summary, after days of continuous probes/attacks from China/South Korea, suddenly within a 15 hour period we (BLSS) have detected and observed that Argentina, New Zealand, Russia, Belgium, Mexico, Africa, India, Taiwan, Sweden, Oman, Spain, Brazil and Germany have joined in on the same probes/attacks on the U.S. Internet infrastructure. This does not include the U.S. computers that have joined the same attack, including a computer within the U.S. Army's Information Systems headquarters located at Fort Huachuca, AZ.
As the U.S. is concerned about a possible penetration into U.S. power (electric) companies, it has happened, as shown below, with WISCONSIN ENERGY CONSERVATION CORPORATION (port 2967).
Within the past 15 hours, the following countries/organizations have joined in probing/attacking the U.S. Internet infrastructure:
Port 1026
---------
140.200.226.166 New Zealand
17.202.238.133 U.S. - APPLE COMPUTER
17.91.7.155 U.S. - APPLE COMPUTER
17.202.238.133 Russia (Russian Federation)
190.174.3.188 Argentina
97.70.91.231 U.S. - Bright Networks, Brandon, FL
152.18.12.22 U.S. Univ Of North Carolina At Asheville
147.93.101.5 Belgium
200.66.140.237 Mexico
35.16.46.36 U.S. Ann Arbor, Michigan
41.147.113.229 Africa
130.5.134.185 AT&T Bell Laboratories, Lake Mary, FL
68.51.170.66 Comcast Cable, Savannah, GA
Port 4899
---------
59.163.49.6 India, Bombay
143.80.159.231 Headquarters, USAAISC, Fort Huachuca, AZ
Port 25
-------
219.81.161.121 Taiwan
Port 1433
---------
95.198.208.188 Sweden
Port 1434
---------
82.178.22.22 Oman
Port 2967
---------
69.128.111.252 WISCONSIN ENERGY CONSERVATION CORPORATION
Port 5900
---------
85.155.70.239 Spain
201.88.2.10 Brazil
Port 5475
---------
87.106.15.165 Germany
The IANA continues its normal activity of probing/scanning computers throughout the U.S. Internet infrastructure.
The specifics on each defined IP (above) are listed below.
---- Port 1026
IP Address : 9.239.123.165 [ 9.239.123.165 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
IP Address : 140.200.226.166 [ 140.200.226.166 ]
ISP : The University of Waikato
Organization : Network Provider
Location : NZ, New Zealand
City : Wellington, 00 -
Latitude : 41°30'00" South
Longitude : 174°78'33" East
IP Address : 17.202.238.133 [ 17.202.238.133 ]
ISP : APPLE COMPUTER
Organization : APPLE COMPUTER
Location : US, United States
City : Cupertino, CA 95014
Latitude : 37°30'42" North
Longitude : 122°09'46" West
IP Address : 17.91.7.155 [ 17.91.7.155 ]
ISP : APPLE COMPUTER
Organization : APPLE COMPUTER
Location : US, United States
City : Cupertino, CA 95014
Latitude : 37°30'42" North
Longitude : 122°09'46" West
IP Address : 77.34.95.139 [ 77.34.95.139 ]
ISP : -
Organization : Open Joint Stock Company Far East Telecommunicatio
Location : RU, Russian Federation
City : Vladivostok, 59 -
Latitude : 43°13'33" North
Longitude : 131°90'00" East
IP Address : 190.174.3.188 [ 190-174-3-188.speedy.com.ar ]
inetnum: 190.174/15
status: allocated
owner: Telefonica de Argentina
ownerid: AR-TEAR7-LACNIC
responsible: Agustín Gomez Dhers
address: AV. ING. HUERGO - OBS. JUDICIALES, 723,
address: 1065 - Buenos Aires - CF
country: AR
phone: +54 11 4332-2220 []
owner-c: TEA
tech-c: TEA
IP Address : 97.70.91.231 [ 97.70.91.231 ]
OrgName: bright house NETWORKS
OrgID: BHN-2
Address: 1219 Millennium Parkway
City: Brandon
StateProv: FL
PostalCode: 33511
Country: US
IP Address : 152.18.12.22 [ 152.18.12.22 ]
ISP : University of North Carolina at Asheville
Organization : University of North Carolina at Asheville
Location : US, United States
City : Asheville, NC 28804
Latitude : 35°64'73" North
Longitude : 82°55'12" West
IP Address : 147.93.101.5 [ 147.93.101.5 ]
ISP : Landsbond der Christelijke Mutualiteiten
Organization : Landsbond der Christelijke Mutualiteiten
Location : BE, Belgium
City : Brussel, 11 -
Latitude : 50°83'33" North
Longitude : 4°33'33" East
IP Address : 200.66.140.237 [ dup-200-66-140-237.prodigy.net.mx ]
ISP : Uninet S.A. de C.V.
Organization : Uninet S.A. de C.V.
Location : MX, Mexico
City : -, - -
Latitude : 23°00'00" North
Longitude : 102°00'00" West
IP Address : 35.16.46.36 [ 35.16.46.36 ]
ISP : Merit Network
Organization : Merit Network
Location : US, United States
City : Ann Arbor, MI 48104
Latitude : 42°27'34" North
Longitude : 83°71'33" West
IP Address : 41.147.113.229 [ 41.147.113.229 ]
organisation: ORG-AFNC1-AFRINIC
org-name: AfriNIC - The African Network Information Centre
org-type: RIR
country: MU
address: Office 03B3, 3rd Floor Cyber Tower
address: Port Louis
address: Mauritius
phone: +230 466 6616
fax-no: +230 466 6758
e-mail: contact@afrinic.net
admin-c: TEAM-AFRINIC
tech-c: TEAM-AFRINIC
IP Address : 130.5.134.185 [ 130.5.134.185 ]
ISP : AT&T Bell Laboratories
Organization : AT&T Bell Laboratories
Location : US, United States
City : Lake Mary, FL 32746
Latitude : 28°75'78" North
Longitude : 81°33'97" West
IP Address : 68.51.170.66 [ c-68-51-170-66.hsd1.ga.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Savannah, GA -
Latitude : 32°04'33" North
Longitude : 81°11'67" West
IP Address : 77.184.52.56 [ 77.184.52.56 ]
ISP : -
Organization : 1&1 Internet AG
Location : DE, Germany
City : Karlsruhe, 01 -
Latitude : 49°00'47" North
Longitude : 8°38'58" East
---- Port 4899
IP Address : 59.163.49.6 [ 59.163.49.6.static.vsnl.net.in ]
ISP : Videsh Sanchar Nigam Ltd - India.
Organization : Videsh Sanchar Nigam Ltd
Location : IN, India
City : Bombay, 16 -
Latitude : 18°97'50" North
Longitude : 72°82'58" East
IP Address : 143.80.159.231 [ 143.80.159.231 ]
ISP : Headquarters, USAAISC
Organization : Headquarters, USAAISC
Location : US, United States
City : Fort Huachuca, AZ 85613
Latitude : 31°52'73" North
Longitude : 110°36'07" West
---- Port 25
IP Address : 219.81.161.121 [ 219-81-161-121.dynamic.tfn.net.tw ]
ISP : Taiwan Fixed Network CO.,LTD.
Organization : Taiwan Fixed Network CO.,LTD.
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East
---- Port 990
IP Address : 75.126.114.34 [ vipeax.info ]
ISP : -
Organization : SoftLayer Technologies
Location : US, United States
City : Dallas, TX 75207
Latitude : 32°78'25" North
Longitude : 96°82'07" West
---- Port 1433
IP Address : 195.198.208.188 [ 195-198-208-188.customer.telia.com ]
ISP : TeliaSonera AB
Organization : Kanal-Data AB
Location : SE, Sweden
City : Kungälv, 28 -
Latitude : 57°86'67" North
Longitude : 11°96'67" East
---- Port 1434
IP Address : 82.178.22.22 [ 82.178.22.22 ]
ISP : Oman
Organization : Muscat Ltd
Location : OM, Oman
City : Muscat, 06 -
Latitude : 23°61'33" North
Longitude : 58°59'33" East
---- Port 2967
IP Address : 69.128.111.252 [ http://www.energyfinancesolutions.com/ ]
ISP : TDS TELECOM
Organization : WISCONSIN ENERGY CONSERVATION CORPORATION
Location : US, United States
City : Janesville, WI -
Latitude : 42°68'10" North
Longitude : 89°04'38" West
---- Port 5900
IP Address : 85.155.70.239 [ 85.155.70.239.dyn.user.ono.com ]
ISP : CABLETELCA, S.A.
Organization : AUNA CANARIAS
Location : ES, Spain
City : Barcelona, 56 -
Latitude : 41°38'33" North
Longitude : 2°18'33" East
IP Address : 201.88.2.10 [ 201-88-2-10.pvoce301.ipd.brasiltelecom.net.br ]
ISP : -
Organization : Brasil Telecom S/A - Filial Distrito Federal
Location : BR, Brazil
City : -, - -
Latitude : 10°00'00" South
Longitude : 55°00'00" West
IP Address : 201.40.16.202 [ 201.40.16.202 ]
ISP : Brasil Telecom S/A - Filial Distrito Federal
Organization : Brasil Telecom S/A - Filial Distrito Federal
Location : BR, Brazil
City : -, - -
Latitude : 10°00'00" South
Longitude : 55°00'00" West
---- Port 5475
IP Address : 87.106.15.165 [ s15210777.onlinehome-server.info ]
ISP : Schlund+Partner AG
Organization : Schlund + Partner AG
Location : DE, Germany
City : Karlsruhe, 01 -
Latitude : 49°00'47" North
Longitude : 8°38'58" East
###
Black Lab Security Cyber Center Report
Tuesday, October 16, 2007 (3:00 PM CMT)
Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecurity.com/
We have detected and observed that Russia is now probing/attacking port 1434 with multiple "short burst" probes/attacks. As a reminder, port 1434 is primarily associated with Microsoft SQL databases.
IP Address : 78.106.211.115 [ 78-106-211-115.broadband.corbina.ru ]
ISP : -
Organization : Investelektrosviaz Ltd.
Location : RU, Russian Federation
City : Moscow, 48 -
Latitude : 55°75'22" North
Longitude : 37°61'56" East
###
Black Lab Security Cyber Center Report
Tuesday, October 16, 2007 (7:26 AM CMT)
Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
1) We have detected and observed that China is still continuously probing/attacking all previously reported ports. The frequency of probes/attacks from China seems to have (arguably) "leveled off"; however, the interval is still very short, with multiple "short burst" probes/attacks throughout the night. All China IP addresses continue to "cycle" with "short bursts" with no apparent end in sight.
2) We have also detected and observed several new computers probing/attacking the internet. Specifically, several new computers have joined in on the probe/attack of port 1026 UDP, which has a known vulnerability for the Microsoft Messenger service.
3) As stated in the previous BLSS Cyber Center reports, port 1026 UDP has been continuously probed/attacked by China and continues at this time to be probed/attacked by China. The alarming news is that computers within the United Kingdom Department Of Defense and U.S. Postal Service have now joined the probe/attack on port 1026 UDP.
4) To further clarify the IANA entry listed in today's BLSS Cyber Report: the IANA probe/scan is a normal scan that routinely comes through port 1026 UDP. The heading "Also received normal probes/scans on Port 1026 UDP from the IANA" is intended to communicate that this is normal for the IANA and not a probe/attack.
Port 1026 UDP
----------
25.95.83.237 UK Ministry Of Defense
56.38.164.130 United States Postal Service
86.166.238.67 British Telecommunications
51.71.178.188 United Kingdom
24.64.72.203 Shaw Communications, Canada
31.194.10.185 Approx somewhere in Colorado
68.215.198.222 Bellsouth, Marietta, GA
75.126.114.34 SoftLayer Technologies, Dallas, TX
Also received normal probes/scans on port 1026 UDP from the IANA
-----
46.229.8.88 Internet Assigned Numbers Authority (IANA) - Received two scans/probes overnight
Port 1027 UDP, 1028 UDP
-------
24.64.72.203 Shaw Communications, Canada
Port 1024 TCP
----------------
86.166.238.67 British Telecommunications
Specific IP Data is the following:
------ Port 1026 UDP --------------
IP Address : 25.95.83.237 [ 25.95.83.237 ]
ISP : UK Ministry of Defence
Organization : DINSA, Ministry of Defence
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West
------ Port 1026 UDP --------------
IP Address : 56.38.164.130 [ 56.38.164.130 ]
ISP : United States Postal Service.
Organization : United States Postal Service.
Location : US, United States
City : Raleigh, NC 27668
Latitude : 35°79'77" North
Longitude : 78°62'53" West
------ Port 1026 UDP -------------
IP Address 46.229.8.88
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
------- Port 1026 UDP -------------
IP Address : 86.166.238.67 [ host86-166-238-67.range86-166.btcentralplus.com ]
ISP : British Telecommunications
Organization : British Telecommunications
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West
-------- Port 1024 TCP ------------
IP Address : 86.166.238.67 [ host86-166-238-67.range86-166.btcentralplus.com ]
ISP : British Telecommunications
Organization : British Telecommunications
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West
--------- Port 1026, 1027, 1028 UDP -------
IP Address : 24.64.72.203 [ 24.64.72.203 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Penhold, AB -
Latitude : 52°13'33" North
Longitude : 113°86'67" West
--------- Port 1026 UDP --------------
IP Address : 51.71.178.188 [ 51.71.178.188 ]
ISP : -
Organization : -
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West
--------- Port 1026 UDP ----------
IP Address : 31.194.10.185 [ 31.194.10.185 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
-------- Port 1026 UDP ---------
IP Address : 68.215.198.222 [ adsl-215-198-222.aep.bellsouth.net ]
ISP : BellSouth.net
Organization : BellSouth.net
Location : US, United States
City : Marietta, GA -
Latitude : 33°95'32" North
Longitude : 84°51'77" West
-------- Port 1026 UDP ---------
IP Address : 75.126.114.34 [ vipeax.info ]
ISP : -
Organization : SoftLayer Technologies
Location : US, United States
City : Dallas, TX 75207
Latitude : 32°78'25" North
Longitude : 96°82'07" West
###
Black Lab Security Cyber Center Report
Sunday, October 14, 2007 (3:00 PM CMT)
Black Lab Security Systems, Inc. (BLSS)
1) Same previous ports that have been reported are still being scanned...
2) China - more frequent probes/attacks on all previously defined ports, including increased frequency on port 4899 (TCP). China is now probing/attacking port 25 (TCP), which directly affects Microsoft Internet Information Services (IIS), which is the "back-bone" of a Microsoft server.
3) We can see a computer in Houston probing port 1024 (TCP).
4) We also have a computer, located in Herndon, VA, probing/attacking port 5038 (TCP), attempting to access the Microsoft console server.
5) South Korea (same previously reported IP) is now probing/attacking port 3128 in an attempt to find a "back door" to a firewall. To obtain more information on port 3128, use the following search terms: "Microsoft port 3128 firewall" (without quotes).
----- Port 4899 ------------
IP Address : 58.215.65.237 [ 58.215.65.237 ]
ISP : CHINANET jiangsu province network
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
----- Houston Probing Port 1024 ---
IP Address : 67.15.83.36 [ ronaldsrecordclub.com ]
ISP : Everyones Internet
Organization : Everyones Internet
Location : US, United States
City : Houston, TX 77060
Latitude : 29°93'42" North
Longitude : 95°40'57" West
----- Herndon, VA Probing Port 5038 Attempting to access the console server -----
IP Address : 70.62.253.83 [ rrcs-70-62-253-83.central.biz.rr.com ]
ISP : Road Runner Business
Organization : Road Runner Business
Location : US, United States
City : -, NC -
Latitude : 35°57'64" North
Longitude : 79°52'87" West
OrgName: Road Runner HoldCo LLC
OrgID: RCMS
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
http://security-world.blogspot.com/2007_07_09_archive.html
The script works by logging into the console server on port 5038/TCP on localhost. It then issues an 'Action: Originate' command which is used to set up the bridged call.
---- Direct attack on Port 25 against Internet Information Services (IIS) ----
IP Address : 221.218.180.21 [ 221.218.180.21 ]
ISP : CNCGROUP Beijing province network
Organization : CNCGROUP Beijing Province Network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
https://technet.microsoft.com/en-us/library/aa998114.aspx
----- South Korea Probe on Port 3128 ------------
IP Address : 218.50.1.119 [ 218.50.1.119 ]
ISP : Hanaro Telecom Co.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East
Netherlands probing/attacking port 10000 TCP. The SANS Institute reports that port 10000 TCP is vulnerable to remote code execution via "VERITAS Backup Exec Windows Agent Remote File Access Exploit (0day)".
IP Address : 217.148.183.125 [ backup.vsm-hosting.nl ]
ISP : We Dare B.V.
Organization : We Dare B.V.
Location : NL, Netherlands
City : Rotterdam, 11 -
Latitude : 51°91'67" North
Longitude : 4°50'00" East
URL:
http://isc.sans.org/diary.html?date=2005-08-11
###
Black Lab Security Cyber Center Report
Saturday, October 13, 2007 (9:56 AM CMT)
Black Lab Security Systems, Inc. (BLSS)
1) We are observing a gradual increase in the frequency of the "short burst" probes/attacks as reported within the 12 Oct 2007 BLSS Cyber Center report.
2) However, we have detected and are now observing two new countries with "short burst" probes/attacks on port 4899, which look for known vulnerabilities within the Microsoft radmin server 2.0 and 2.1. The countries are Sri Lanka and Turkey:
----Port 4899 ----------------------------------------------
IP Address : 220.247.214.66 [ mail.zmvertiko.com ]
ISP : Sri Lanka Telecom
Organization : Z.M.Vertico Ltd
Location : LK, Sri Lanka
City : Padukka, 36 -
Latitude : 6°83'25" North
Longitude : 80°09'86" East
IP Address : 85.98.240.125 [ dsl85-98-61565.ttnet.net.tr ]
ISP : Turk Telekom
Organization : Turk Telekom
Location : TR, Turkey
City : Türk, 15 -
Latitude : 37°05'00" North
Longitude : 29°70'00" East
The SANS Storm Center URL is below, along with posted comments from the URL:
http://isc.sans.org/port.html?port=4899
As stated just above, there's a known vulnerability related to this service (radmin).
There is a known remote exploitable vulnerability in radmin server versions 2.0 and 2.1 that allows code execution.
###
Black Lab Security Cyber Center Report
Friday, October 12, 2007 (10:40 AM CMT)
Black Lab Security Systems, Inc. (BLSS)
Over the past 24 hours, we have detected continuous "short burst" probes/attacks on ports 1026, 1027, 1434, 7212, 5900 and 5901 from the same IPs previously reported by BLSS. These "short burst" probes/attacks continued to "cycle on and off" our honey pot all night and continue as I write this e-mail.
Additionally, we have picked up attempted probes/attacks on ports 1080, 2967, 3072 and 5110, all of which have been previously reported via the SANS Institute, etc., with various security warnings:
Port 1080 - Attempt to gain access to proxy servers
Port 2967 - Port is used by Symantec and is commonly scanned for port information
Port 3072 - Attempted connection directly to port 3072
Port 5110 - Attempt to gain access to incoming mail
And last but not least, we were probed again by the IANA!! :)
----- Port 2967 ----------------
IP Address : 69.248.27.110 [ c-69-248-27-110.hsd1.nj.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Edison, NJ -
Latitude : 40°53'78" North
Longitude : 74°37'14" West
IP Address : 221.0.56.16 [ 221.0.56.16 ]
ISP : CNCGROUP Shandong province network
Organization : CNCGROUP Shandong province network
Location : CN, China
City : Jinan, 25 -
Latitude : 36°66'83" North
Longitude : 116°99'72" East
IP Address : 81.136.182.62 [ host81-136-182-62.in-addr.btopenworld.com ]
ISP : British Telecommunications
Organization : British Telecommunications
Location : GB, United Kingdom
City : Uxbridge, F9 -
Latitude : 51°55'00" North
Longitude : 0°48'34" West
----- Port 3072 ------------
IP Address : 67.15.83.36 [ ronaldsrecordclub.com ]
ISP : Everyones Internet
Organization : Everyones Internet
Location : US, United States
City : Houston, TX 77060
Latitude : 29°93'42" North
Longitude : 95°40'57" West
----- Port 5110 ------------
IP Address : 69.157.156.64 [ bas6-quebec14-1167957056.dsl.bell.ca ]
ISP : Bell Canada
Organization : Sympatico
Location : CA, Canada
City : Quebec, QC -
Latitude : 46°80'00" North
Longitude : 71°25'00" West
----- Port 1080 -------------
IP Address : 208.77.45.13 [ 208.77.45.13 ]
ISP : -
Organization : AKANOC Solutions
Location : US, United States
City : Fremont, CA 94538
Latitude : 37°50'79" North
Longitude : 121°95'99" West
----- Probed again by the IANA -----
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
Within the past hour, a new probe from South Korea and a new probe from China have begun on ports 6588 and 5471 (both TCP). These ports are also well recognized as a potential threat by numerous security web sites on the Internet:
----- Port 6588 TCP ------------------
IP Address : 218.234.41.8 [ 218.234.41.8 ]
ISP : Hanaro Telecom Co.
Organization : SEOULMEDIA
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East
----- Port 5471 TCP ------------------
IP Address : 58.221.28.143 [ 58.221.28.143 ]
ISP : CHINANET jiangsu province network
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
###
Black Lab Security Cyber Center Report
Thursday, October 11, 2007 (5:43 PM CMT)
Black Lab Security Systems, Inc. (BLSS)
Within the last 20 minutes, our honey pot has detected 3 separate Chinese sites (IPs), from 3 different ISPs, probing and attacking on port 5900 TCP.
The SANS Institute Storm Center has recognized recent attacks on this port and further documented that a probe/attack on port 5900 TCP is because RealVNC successfully achieves unauthorized direct connections to a machine (computer).
We are seeing an incredible spike with China attempting to connect directly to port 5900.
--- Chinese sites (IPs) attempting an unauthorized direct TCP Connection -------
IP Address : 220.185.215.36 [ 36.215.185.220.broad.tz.zj.dynamic.163data.com.cn ]
ISP : Data Communication Division
Organization : CHINANET-ZJ Taizhou node network
Location : CN, China
City : Taizhou, 04 -
Latitude : 32°49'33" North
Longitude : 119°90'81" East
IP Address : 211.160.163.85 [ 211.160.163.85 ]
ISP : Haidian District, Beijing
Organization : FibrLINK Communications Co., Ltd.
Location : CN, China
City : Chaoyang, 19 -
Latitude : 41°57'03" North
Longitude : 120°45'86" East
IP Address : 124.114.94.10 [10.94.114.124.broad.xa.sn.dynamic.163data.com.cn ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East
###
Black Lab Security Cyber Center Report
Thursday, October 11, 2007 (4:29 PM CMT)
Black Lab Security Systems, Inc. (BLSS)
Probes/attacks on ports 7212, 1026 and 1027 continue throughout today. It appears that two more U.S. computers are participating in the probes/attacks on ports 1026 and 1027: 1) an Amateur Radio Station located somewhere (approximately) in Colorado (Isn't it interesting that it's an amateur radio station? I wonder if they are talking to China? -hint, hint), and 2) a computer within the DuPont industry.
France has one IP that is probing/attacking port 5901 TCP. Below is a URL which documents the fact that 5901 has been probed, and the URL suggests that the probe on port 5901 could mean a new release of attack tools. FYI, see below.
----- Radio Station --------------
IP Address : 44.229.178.141 [ 44.229.178.141 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: Amateur Radio Digital Communications
OrgID: ARDC
Address:
City:
StateProv:
PostalCode:
Country: US
------ Du Pont Computer --------
IP Address : 52.58.172.162 [ 52.58.172.162 ]
ISP : E.I. du Pont de Nemours and Co.
Organization : E.I. du Pont de Nemours and Co.
Location : US, United States
City : Wilmington, DE 19893
Latitude : 39°56'45" North
Longitude : 75°59'70" West
OrgName: E.I. du Pont de Nemours and Co., Inc.
OrgID: EDPDNC
Address: E.I. du Pont de Nemours and Co., Inc.
Address: 1007 market Street
City: Wilmington
StateProv: DE
PostalCode: 19893
Country: US
---- Port 5901 Probe/Attack -------------
IP Address : 217.128.199.223 [ LNeuilly-152-23-105-223.w217-128.abo.wanadoo.fr ]
ISP : France Telecom
Organization : France Telecom
Location : FR, France
City : Saint-Orens-de-Gameville, B3 -
Latitude : 43°55'00" North
Longitude : 1°53'33" East
Port 5901 information (URL):
http://forums.spywareinfo.com/index.php?showtopic=101999&mode=linearplus