Monday, October 1, 2007

Cyber Center Report - October 1, 2007

Black Lab Security Alert
October 1, 2007

In the past 4 days we have had 11 extremely serious probes/attacks on our "honey pot", and Shadow successfully detected and stopped all of them.

Extremely serious is defined by two conditions:
(1) Continuous communications (either UDP or TCP) received for more than 4 hours from each IP address listed below.
(2) An IP address that sent communications (TCP, UDP, or RAW), stopped, and then restarted them, repeatedly within a 12-hour period.

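The two reporting criteria above can be turned into a mechanical check over connection records. The following is an added example, not code from the report or from the Shadow product; it assumes a simple "timestamp source-IP protocol" record format, a constructed sample log, and a one-hour silence threshold (my assumption, the report does not state one) that separates one "continuous" run from the next.

```python
"""Classify honeypot sources against the report's two 'extremely serious' criteria."""
from collections import defaultdict
from datetime import datetime, timedelta

GAP = timedelta(hours=1)              # assumed: a silence longer than this ends a run
CONTINUOUS_MIN = timedelta(hours=4)   # criterion (1): more than 4 hours of traffic
RESTART_WINDOW = timedelta(hours=12)  # criterion (2): stop/restart within 12 hours

# Constructed sample records (timestamp, source IP, protocol); not real honeypot data.
SAMPLE_LOG = """\
2007-09-28T01:00:00 192.0.2.10 TCP
2007-09-28T02:00:00 192.0.2.10 UDP
2007-09-28T03:00:00 192.0.2.10 TCP
2007-09-28T04:00:00 192.0.2.10 TCP
2007-09-28T05:00:00 192.0.2.10 TCP
2007-09-28T05:30:00 192.0.2.10 TCP
2007-09-28T01:00:00 192.0.2.20 TCP
2007-09-28T01:10:00 192.0.2.20 TCP
2007-09-28T09:00:00 192.0.2.20 RAW
2007-09-28T01:00:00 192.0.2.30 TCP
2007-09-28T01:05:00 192.0.2.30 TCP
2007-09-28T01:00:00 192.0.2.40 UDP
2007-09-28T14:00:00 192.0.2.40 UDP
"""

def parse_log(text):
    """Group (timestamp, protocol) pairs by source IP."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, ip, proto = line.split()
        events[ip].append((datetime.fromisoformat(ts), proto))
    return events

def runs(times):
    """Split sorted timestamps into (start, end) runs separated by silences longer than GAP."""
    times = sorted(times)
    out, start, last = [], times[0], times[0]
    for t in times[1:]:
        if t - last > GAP:
            out.append((start, last))
            start = t
        last = t
    out.append((start, last))
    return out

def classify(events):
    """Return per-IP verdicts: continuous (1), restarted (2), and serious = either."""
    verdicts = {}
    for ip, recs in events.items():
        r = runs([t for t, _ in recs])
        continuous = any(end - start > CONTINUOUS_MIN for start, end in r)
        # A later run that begins within RESTART_WINDOW of first contact is a stop/restart.
        restarted = any(start - r[0][0] <= RESTART_WINDOW for start, _ in r[1:])
        verdicts[ip] = {"continuous": continuous, "restarted": restarted,
                        "serious": continuous or restarted}
    return verdicts
```

In the sample, 192.0.2.10 trips criterion (1), 192.0.2.20 trips criterion (2), and 192.0.2.40 restarts only after 13 hours, so it is not flagged.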
Below we provide very detailed information on how we successfully traced the point of origin of the probes/attacks to China and other non-US locations.

BACKGROUND
We are a Cyber Security Software firm and have been probed by offshore interests quite often since our genesis.
We have established a honey pot site on the Internet.
Using the Shadow Security Suite (our product) as the (only) security solution active on the web server/network, we have successfully detected and stopped the probes/attacks and traced the probes/attacks back to China and other non-US locations.

DETAILS
(1) There are seven active sites in China. The following IP addresses met our reporting criteria; of all of them, we detected that 121.18.13.107, using TCP port 139, installed four ".js" java scripts:

221.209.110.50 - CNCGROUP Heilongjiang province network -Mudanjiang
116.18.161.55 - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2 - Data Communication Division - Beijing
221.208.208.3 - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107 - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing
218.3.134.250 - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 attempted the most intense attack, installing Remote Access Java Scripts. The Java Scripts include RAClient.exe, RAServer.js and RAControl.js. None of the seven sites above were successful against Shadow. All probes/attacks were detected and stopped.

(2) There was no logon, no buffer overflow, nothing of any nature that would indicate capturing the internal system name, password, etc. All probes used TCP port 139.

(3) Shadow has been detecting and securing our web site/network from 7 simultaneous probes/attacks from China, each from a different city in China.

(4) We have been able to determine that the probes/attacks are evolving to a very advanced methodology which no longer depends on a successful ping (ICMP): they now start from a defined IP address and cycle through every possible IP combination within the address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", and so forth.

(5) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61 - CPSOFT - Australia - No City Identified
81.188.3.50 - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11 - Shaw Communications - Canada - No City Identified

(6) Please note: during the "security hardening" of our honey pot website, we intentionally removed the four remote access java scripts because they are considered a security threat. You can read about these scripts being classified as potential spyware at http://www.spywared.com/files/1320/12/1. RAClient.exe, RAServer.js and RAControl.js are listed in the middle of the page. Additionally, if you use a search engine such as google.com, you will find that Chinese sites are discussing in great detail how to use RAClient.js, RAServer.js and RAControl.js. If you run a Google search with the following parameters "china [java script name]" (without quotes), you might be amazed at the results. If you run a Google search on the specific java script file name(s), you will find many experts recommending the deletion of these specific scripts as part of "security hardening".

(7) We are using our solution (Shadow) to monitor all communications (port activity), process activity, shell activity, and user (login) activity. Essentially, we have designed a new security solution to simultaneously monitor what we feel are all the critical sub-systems within a Microsoft PC or Server. Shadow has the ability to perform an analysis of a Microsoft computer, assign a unique ID to each specific executable, including all compiled binary files and O/S scripts (.bat, .vbs, .js, etc.), and authenticate each executable and script before it is allowed to execute. Shadow also continuously cycles through all of the internal hard drives, analyzing each authorized executable (binary and O/S script) to detect an unauthorized modification to any authorized compiled binary file or O/S script. Shadow will detect an unauthorized modification without the need for the executable payload to execute. Shadow will also detect new (unauthorized) executable payloads without requiring the payload to execute. Shadow also places a "secure environment" around all Microsoft admin tools, CMD.EXE and PowerShell.exe, when any of these utilities are executing.
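The baseline-and-rescan idea in item (7), detecting a modified or newly dropped executable or O/S script without ever running it, can be illustrated in a few lines. This is an added example and not the Shadow product's code; it assumes SHA-256 as the "unique ID", the extensions named in the report as the monitored set, and a constructed scenario in a temporary directory in which one script is altered and one new script is dropped.

```python
"""Baseline the executables/scripts under a root, then rescan to find changes without executing them."""
import hashlib
import os
import tempfile

MONITORED = {".exe", ".bat", ".vbs", ".js"}  # extensions named in item (7)

def fingerprint(path):
    """Assumed 'unique ID' for a file: SHA-256 of its contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map each monitored file (relative path) under root to its fingerprint."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in MONITORED:
                p = os.path.join(dirpath, name)
                baseline[os.path.relpath(p, root)] = fingerprint(p)
    return baseline

def rescan(root, baseline):
    """Compare the current tree to the baseline: modified, new, and missing files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "new": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def demo():
    """Constructed scenario: baseline two files, tamper with one, drop a new one, rescan."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "site"))
    files = {"admin.bat": b"@echo off\r\n", os.path.join("site", "menu.js"): b"var x=1;"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    baseline = build_baseline(root)
    with open(os.path.join(root, "site", "menu.js"), "ab") as f:
        f.write(b"//tampered")                       # unauthorized modification
    with open(os.path.join(root, "site", "RAServer.js"), "wb") as f:
        f.write(b"// dropped file")                  # new, unauthorized script
    return rescan(root, baseline)
```

Neither the tampered nor the dropped script is executed at any point; the verdict comes purely from comparing fingerprints, which is the property item (7) describes.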


IMMEDIATE RECOMMENDATION
------------------------

1) Immediately block the following IP Addresses within your network firewall(s) (This is a temporary fix since these IP addresses will change on a high frequency):

121.18.13.107 <-- Most Dangerous Attack
221.209.110.50
116.18.161.55
219.148.119.2
221.208.208.3

2) If Shadow is not installed on a Microsoft server, turn off (disable) java scripting immediately.


IP ADDRESSES DETECTED

The detailed information on each IP address is below.

---- China, Mudanjiang --------
IP Address : 221.209.110.50 [ 221.209.110.50 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

---- China, Guangzhou ---------
IP Address : 116.18.161.55 [ 116.18.161.55 ]
ISP : -
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East

---- China, Beijing -----------
IP Address : 219.148.119.2 [ 219.148.119.2 ]
ISP : Data Communication Division
Organization : CHINANET hebei province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----- China, Harbin -----------
IP Address : 221.208.208.3 [ 221.208.208.3 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

----- China, Hebei -----------
IP Address : 121.18.13.107 [ 121.18.13.107 ]
ISP : -
Organization : CNC Group Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East

----- China, Beijing -------------------
IP Address : 125.76.238.164 [ 125.76.238.164 ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

---- China, Zhenjiang ------------------------
IP Address : 218.3.134.250 [ 218.3.134.250 ]
ISP : Data Communication Division
Organization : Network Center of Fast China Shipbuilding institut
Location : CN, China
City : Zhenjiang, 04 -
Latitude : 32°20'92" North
Longitude : 119°43'42" East

----- Korea, Seocho -----------
IP Address : 219.240.44.147 [ 219.240.44.147 ]
ISP : Hanaro Telecom Co.
Organization : Ilifezone
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

------ Australia ------------
IP Address : 138.79.215.61 [ 138.79.215.61 ]
ISP : CPSOFT
Organization : CPSOFT
Location : AU, Australia
City : -, - -
Latitude : 27°00'00" South
Longitude : 133°00'00" East

----- Belgium, Brussels ---------------
IP Address : 81.188.3.50 [ 81-188-3-50.sdsl.easynet.be ]
ISP : Easynet Belgium
Organization : Cypres
Location : BE, Belgium
City : Brussel, 11 -
Latitude : 50°83'33" North
Longitude : 4°33'33" East

----- Canada -------------------------
IP Address : 24.64.132.11 [ S010600095b0f1aa1.lb.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West
