Cyber Security BLOG

Cyber Center Report - November 1, 2007

2007-11-01T23:50:00.000-04:00

BLSS Cyber Center Report - 1 Nov 2007
-------------------------------------
www.blacklabsecurity.com

China and Korea are still probing/attacking on all previously reported IPs and Ports with the same tenacity. There has been no decrease in the frequency of probes/attacks from China or Korea. However, within the last 24 hour period, we have detected the least number of new computers now broadcasting over the Internet. Over the past 24 hours, only (approx) 22 new computers have begun to broadcast over the Internet. It appears that disabling port 7212 does have a significant impact on China/Korea's ability to successfully penetrate a computer.

Port 1024; U.S. (new site). Port 1026; Korea (new site), U.S. No IANA Probe last night. This is the first time in several days that the U.S. IANA has NOT probed the Internet on port 1026. However, we did detect an Internet-wide probe of the "Latin American and Caribbean IP address Regional Registry", which is the equivalent of the U.S. IANA. We also detected a probe from the "Broadcasting Center Europe S.A." that is located in Luxembourg. This may be the Luxembourg equivalent to the U.S. IANA. We detected one U.S. DoD computer probing on port 1026. We detected two computers with no recorded (unknown) IP addresses probing on port 1026 (most likely some government agency computers). We detected a computer from J.P.
Morgan probing on port 1026. Other countries probing on port 1026; U.K. (Peat Marwick computer), France (new site), Brazil (new site). Port 22; China (new site). Port 1433; U.S. (2 new site), China (2 new sites). Port 1434; Croatia (new site). Port 2967; U.S. (new site). Port 5900; China (new sites), Chile (new site), Spain (new site), France (new site). Honey Pot Activity; None. No one surfed or attacked the Honey Pot.

The following is a list of new IPs detected and their associated ports;

----Port 1024 -------------
IP Address : 64.157.15.117 [ yui.desync.com ]
ISP : Level 3 Communications
Organization : CandidHosting
Location : US, United States
City : Tampa, FL 33602
Latitude : 27°95'78" North
Longitude : 82°46'22" West

----Port 1026 -------------
IP Address : 211.199.169.161 [ 211.199.169.161 ]
ISP : KRNIC
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

IP Address : 146.220.130.21 [ dummy.clt-ufa.net ]
ISP : Broadcasting Center Europe S.A.
Organization : Broadcasting Center Europe S.A.
Location : LU, Luxembourg
City : -, - -
Latitude : 49°75'00" North
Longitude : 6°16'67" East

OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

IP Address : 22.189.227.141 [ 22.189.227.141 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : DoD Network Information Center
OrgID: : DNIC
Address: : 3990 E. Broad Street
City: : Columbus
StateProv: : OH
PostalCode: : 43218
Country: : US

IP Address : 158.176.170.220 [ 158.176.170.220 ]
ISP : KPMG Peat Marwick
Organization : KPMG Peat Marwick
Location : GB, United Kingdom
City : Wales, C9 -
Latitude : 53°33'33" North
Longitude : 1°28'33" West

IP Address : 192.230.95.221 [ 192.230.95.221 ]
ISP : No Record (Unknown)

IP Address : 90.44.151.20 [ AOrleans-158-1-20-20.w90-44.abo.wanadoo.fr ]
ISP : France Telecom
Organization : France Telecom
Location : FR, France
City : Paris, A8 -
Latitude : 48°86'67" North
Longitude : 2°33'33" East

IP Address : 169.100.95.158 [ 169.100.95.158 ]
ISP : J.P. Morgan & Co.
Organization : JP Morgan Chase & Co
Location : US, United States
City : New York, NY 10271
Latitude : 40°70'87" North
Longitude : 74°01'04" West

IP Address : 192.186.30.157 [ 192.186.30.157 ]
ISP : No Record (Unknown)

IP Address : 200.245.134.68 [ 200.245.134.68 ]
ISP : EMBRATEL-EMPRESA BRASILEIRA DE TELECOMUNICAÇÕES SA
Organization : LABORATORIO SARDALINA LTDA.
Location : BR, Brazil
City : Diadema, 27 -
Latitude : 23°70'00" South
Longitude : 46°61'67" West

----Port 22 -----------------
IP Address : 59.42.254.53 [ 59.42.254.53 ]
ISP : CHINANET Guangdong province network
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East

----Port 1433 ---------------
IP Address : 69.238.4.7 [ 69-238-4-7.absolutetechnologies.com ]
ISP : SBC Internet Services
Organization : Absolute Technologies
Location : US, United States
City : Yorba Linda, CA 92887
Latitude : 33°88'79" North
Longitude : 117°72'86" West

IP Address : 61.191.224.19 [ 61.191.224.19 ]
ISP : Data Communication Division
Organization : CHINANET Anhui province network
Location : CN, China
City : Hefei, 01 -
Latitude : 31°86'39" North
Longitude : 117°28'08" East

IP Address : 69.179.108.90 [ 69-179-108-90.dyn.centurytel.net ]
ISP : CenturyTel Internet Holdings
Organization : CenturyTel Internet Holdings
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 125.76.215.14 [ 125.76.215.14 ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----Port 1434 ---------------
IP Address : 161.53.169.2 [ merkur.fesb.hr ]
ISP : Croatian Academic and Research Network (CARNet)
Organization : Croatian Academic and Research Network (CARNet)
Location : HR, Croatia
City : Zagreb, 21 -
Latitude : 45°80'00" North
Longitude : 16°00'00" East

----Port 2967 ----------------
IP Address : 69.122.209.109 [ ool-457ad16d.dyn.optonline.net ]
ISP : Optimum Online (Cablevision Systems)
Organization : Optimum Online (Cablevision Systems)
Location : US, United States
City : Westbury, NY -
Latitude : 40°75'70" North
Longitude : 73°58'14" West

----Port 5900 ----------------
IP Address : 124.224.131.247 [ 124.224.131.247 ]
ISP : CHINANET ningxia province network
Organization : CHINANET ningxia province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 190.160.48.168 [ 190.160.48.168 ]
ISP : -
Organization : VTR Banda Ancha S.A.
Location : CL, Chile
City : Santiago, 12 -
Latitude : 33°45'00" South
Longitude : 70°66'67" West

IP Address : 88.2.137.74 [ 74.Red-88-2-137.staticIP.rima-tde.net ]
ISP : Telefonica de Espana
Organization : Telefonica de Espana
Location : ES, Spain
City : Palma, 07 -
Latitude : 39°56'67" North
Longitude : 2°65'00" East

IP Address : 86.210.6.38 [ ANantes-256-1-87-38.w86-210.abo.wanadoo.fr ]
ISP : France Telecom
Organization : France Telecom
Location : FR, France
City : Nantes, B5 -
Latitude : 47°21'67" North
Longitude : 1°55'00" West

Cyber Center Report - October 31, 2007

2007-10-31T15:40:00.000-04:00

BLSS Cyber Center Report - 31 October 2007
------------------------------------------
www.blacklabsecurity.com

The BLSS Cyber Center has detected new activity on port 53, one IP from Korea and IP from China. China and Korea still continue probing/attacking on all previously reported ports within an increased tenacity. Disabling port 7212 seems to prevent probes/attacks in successfully activating the Microsoft Service Pack Update (Software Updates) and Help Center Service system. The BLSS Cyber Center, however, will continue to monitor such probes/attacks to detect a possible "work-around" from China, Korea, etc.

Port 53; Korea (new site), China (new site). Port 1024; Russia (new site).
Port 1026; China (3 new sites), U.S. the IANA probed 5 times last night, Apple Computers, Hewlett-Packard, XO Communications, Japan (2 new site), Australia (new site), Korea (new site), Canada (new site). Port 1027; Canada (new site). Port 1028; Canada (new site). Port 21; China (new site). Port 22; U.S. (new site). Port 1433; Romania (new site), China (2 new sites), U.S. (new site). Port 1434; China (new site). Port 3128; Korea (new site).
Port 4899; Argentina (new site). Port 5900; China (new site), Korea (new site), Netherlands (new site), U.S. (2 new sites), Canada (2 new sites).
Honey Pot Activity; U.S. (new site). Port 80 surf only.

----Port 53 (new) ---------------
IP Address : 220.88.20.5 [ 220.88.20.5 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

IP Address : 221.136.24.36 [ 221.136.24.36 ]
ISP : NBIP CNC(Ningbo)info-Port co.,Ltd
Organization : NBIP TongLian(Ningbo)info-Port co.,Ltd
Location : CN, China
City : Ningbo, 02 -
Latitude : 29°87'50" North
Longitude : 121°54'19" East

----Port 1024 -------------------
IP Address : 81.29.241.22 [ 81.29.241.22 ]
ISP : LLC GlobalWholesaleTrade
Organization : LLC GlobalWholesaleTrade
Location : RU, Russian Federation
City : Moscow, 48 -
Latitude : 55°75'22" North
Longitude : 37°61'56" East

----Port 1026 -------------------
IP Address : 221.209.110.50 [ 221.209.110.50 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

IP Address : 221.208.208.100 [ 221.208.208.100 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 221.208.208.92 [ 221.208.208.92 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 106.26.68.11 [ 106.26.68.11 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 183.80.106.179 [ 183.80.106.179 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 126.122.46.85 [ softbank126122046085.bbtec.net ]
ISP : searched the APNIC whois database for an address t
Organization : Softbank BB Corp
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 119.70.217.23 [ 119.70.217.23 ]
OrgName: : Asia Pacific Network Information Centre
OrgID: : APNIC
Address: : PO Box 2131
City: : Milton
StateProv: : QLD
PostalCode: : 4064
Country: : AU

IP Address : 60.45.233.13 [ p1013-ipbf10sinnagasak.nagasaki.ocn.ne.jp ]
ISP : NTT Communications Corporation
Organization : Open Computer Network
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 184.180.230.100 [ 184.180.230.100 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 17.29.248.133 [ 17.29.248.133 ]
ISP : APPLE COMPUTER
Organization : APPLE COMPUTER
Location : US, United States
City : Cupertino, CA 95014
Latitude : 37°30'42" North
Longitude : 122°09'46" West

IP Address : 185.17.11.96 [ 185.17.11.96 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 16.10.71.38 [ 16.10.71.38 ]
ISP : HEWLETT-PACKARD COMPANY
Organization : Hewlett-Packard Company
Location : US, United States
City : Palo Alto, CA 94304
Latitude : 37°37'62" North
Longitude : 122°18'26" West

IP Address : 24.64.58.9 [ 24.64.58.9 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

IP Address : 110.180.202.35 [ 110.180.202.35 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 124.198.13.163 [ 124.198.13.163 ]
ISP : HAIonNet
Organization : campusmedia
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East

IP Address : 67.91.4.156 [ ip67-91-4-156.z4-91-67.customer.algx.net ]
ISP : XO Communications
Organization : XO Communications
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

----Port 1027 -------------
IP Address : 24.64.58.9 [ 24.64.58.9 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 1028 --------------
IP Address : 24.64.58.9 [ 24.64.58.9 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 21 ---------------
IP Address : 202.202.170.171 [ 202.202.170.171 ]
ISP : China Education and Research Network
Organization : Chongqing Three Geoges College
Location : CN, China
City : Chongqing, 33 -
Latitude : 29°56'28" North
Longitude : 106°55'28" East

----Port 22 ----------------
IP Address : 66.121.60.18 [ adsl-66-121-60-18.dsl.lsan03.pacbell.net ]
ISP : SBC Internet Services
Organization : SBC Internet Services
Location : US, United States
City : Inglewood, CA -
Latitude : 33°95'20" North
Longitude : 118°34'77" West

----Port 1433 ---------------
IP Address : 195.182.220.122 [ 195.182.220.122 ]
ISP : SC. CONDIV IMPEX SRL.
Organization : SC. CONDIV IMPEX SRL.
Location : RO, Romania
City : -, - -
Latitude : 46°00'00" North
Longitude : 25°00'00" East

IP Address : 60.218.104.190 [ 60.218.104.190 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 71.162.124.178 [
static-71-162-124-178.bstnma.fios.verizon.net ]
ISP : Verizon Internet Services
Organization : DAVID DOHERTY
Location : US, United States
City : Winchester, MA 01890
Latitude : 42°45'47" North
Longitude : 71°15'02" West

----Port 1434 ---------------
IP Address : 58.242.184.222 [ 58.242.184.222 ]
ISP : CNC Group AnHui province network
Organization : CNC Group AnHui province network
Location : CN, China
City : Hefei, 01 -
Latitude : 31°86'39" North
Longitude : 117°28'08" East

----Port 3128 ---------------
IP Address : 61.85.202.38 [ 61.85.202.38 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

----Port 4899 ----------------
IP Address : 201.234.99.242 [ 201.234.99.242 ]
ISP : -
Organization : IMPSAT FIBER NETWORKS INC
Location : AR, Argentina
City : Buenos Aires, 07 -
Latitude : 34°58'75" South
Longitude : 58°67'25" West

----Port 5900 --------------------
IP Address : 202.96.155.134 [ 202.96.155.134 ]
ISP : CHINANET Guangdong province network
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East

IP Address : 69.80.166.124 [ 69.80.166.124 ]
ISP : -
Organization : SUNY Brockport
Location : US, United States
City : Brockport, NY 14420
Latitude : 43°25'08" North
Longitude : 77°92'46" West

IP Address : 69.176.178.178 [ 69.176.178.178 ]
ISP : -
Organization : City West Cable & Telephone Corp.
Location : CA, Canada
City : Prince Rupert, BC v8j1l1
Latitude : 54°31'67" North
Longitude : 130°33'34" West

IP Address : 84.84.136.217 [ ip545488d9.speed.planet.nl ]
ISP : World Access / Planet Internet
Organization : Planet Technologies
Location : NL, Netherlands
City : Hattem, 03 -
Latitude : 52°46'67" North
Longitude : 6°06'67" East

IP Address : 76.181.103.166 [ cpe-76-181-103-166.columbus.res.rr.com ]
ISP : -
Organization : Road Runner
Location : US, United States
City : Greensboro, NC -
Latitude : 36°08'44" North
Longitude : 79°82'09" West

IP Address : 69.158.64.21 [ bas14-toronto12-1167998997.dsl.bell.ca ]
ISP : Bell Canada
Organization : Sympatico
Location : CA, Canada
City : Rexdale, ON -
Latitude : 43°71'67" North
Longitude : 79°56'67" West

IP Address : 221.148.61.236 [ 221.148.61.236 ]
ISP : Korea Telecom
Organization : (sa)hangugsaneobgyungjeyeunguwon
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

----Honey Pot Activity --------
Activity : Port 80 surf only
IP Address : 168.91.1.189 [ 168.91.1.189 ]
ISP : IVYTech
Organization : IVYTech Community College of Indiana
Location : US, United States
City : Indianapolis, IN 46208
Latitude : 39°83'31" North
Longitude : 86°17'47" West

Recommended IPs Addresses to be Blocked - China, Korea, Taiwan, and Thailand

2007-10-29T14:26:00.000-04:00

The BLSS Cyber Center is recommending that the following (additional) IP addresses from China, Korea, Taiwan and Thailand be entered into Firewalls:

IP Address Country
---------- -------
125.76.238.164 China - Shanxi
219.148.119.2 China - Hebei
116.18.161.55 China - Guangdong
222.216.28.161 China - Guangxi
222.217.240.248 China - Guangxi
121.18.13.107 China - Hebei
218.10.137.130 China - Heilongjiang
221.208.208.101 China - Heilongjiang
221.208.208.3 China - Heilongjiang
221.208.208.83 China - Heilongjiang
221.208.208.91 China - Heilongjiang
221.208.208.95 China - Heilongjiang
221.208.208.98 China - Heilongjiang
221.209.110.50 China - Mudanjiang
218.3.134.250 China - China Shipbuilding Inst
59.72.128.14 China - Beihua Univ
58.247.50.243 China - ShangHai
222.215.136.52 China - Sichuan
218.50.1.119 Korea - Hanaro Telecomm
218.232.95.60 Korea - Hanaro Telecomm
211.67.58.203 China - Wuhan - Inst Science/Tech
61.134.56.18 China - Shanghai
58.20.228.52 China - Changsa
122.116.17.133 Taiwan - Taipei
121.18.12.197 China - Hebei
218.10.137.42 China - Harbin
61.184.101.46 China - Wuhan
218.10.137.42 China - Harbin
218.10.137.42 China - Harbin
202.97.238.202 China - Heilongjiang
219.240.44.147 Korea - Seocho
221.139.35.78 Korea - Islan
218.10.137.142 China - Harbin
221.209.110.20 China - Mudanjiang
124.114.116.18 China - Beijing
219.147.233.40 China - Zhongshan
218.75.199.50 China - Hunan
218.165.8.32 Taiwan - Taipei
222.169.226.169 China - Changchun
222.239.255.43 Korea - Soul
61.130.50.150 China - Quzhou
221.158.228.40 Korea - Korea Telecomm
221.141.127.137 Korea -Ilsan
221.209.110.50 China - Mudanjiang
218.10.137.142 China - Harbin
221.209.110.20 China - Mudanjiang
202.75.218.145 China - Hangzhou
61.189.154.33 China - Shanghai
218.106.91.25 China - Hefei
220.191.233.132 China - Taizhou
220.179.244.138 China - Hefei
61.175.243.182 China - Jinyun
58.241.178.213 China - Xuzhou
58.97.5.64 Thailand - Bangkok
222.217.221.224 China - Nanning
122.38.90.165 Korea
218.234.38.39 Korea - Seocho
221.11.6.197 China - Taiyuan
59.56.27.170 China - Beijing
219.153.5.169 China - Shanghai
220.191.252.62 China - Lishui
58.241.178.210 China - Xuzhou
61.130.134.66 China - Hangzhou
222.216.28.178 China - Nanning
124.224.131.132 China - Beijing
218.234.41.8 Korea - Seocho
218.27.148.78 China - Changchun
218.3.134.250 China - Zhenjiang
218.234.32.131 Korea - Seocho
218.153.221.29 Korea
122.136.45.2 China - Changchun
219.147.233.30 China - Zhongshan
58.38.3.178 China - Shanghai
58.247.11.242 China - Shanghai
124.226.234.15 China - Nanning
123.8.228.123 China - Beijing
211.174.179.32 Korea - Seoul
124.224.128.140 China - Beijing
218.234.38.69 Korea - Seocho
218.26.89.141 China - Changzhi
121.139.129.4 Korea - Keieii
222.217.221.214 China - Nanning
221.6.7.89 China - Nanning
220.165.8.32 China - Beijing
219.153.47.134 China - Shanghai
124.132.3.222 China - Jinan
221.194.46.204 China - Hebei
203.151.151.246 China - Thailand
210.202.199.132 Taiwan - Taichung
218.92.205.106 China - Beijing
125.225.22.110 Taiwan - Taipei
210.51.187.88 China - Bejing
218.38.56.170 Korea
218.108.70.246 China - Chaoyang
60.175.101.20 China - Hefei
58.246.107.14 China - Shanghai
219.153.5.169 China - Shanghai

Additional Attack Context

2007-10-29T14:23:00.000-04:00

Additional context to the latest set of BLSS Cyber Reports. As we are researching the techniques deployed, we found one approach documented in May 2007 that used the Microsoft Patch or Update Service (aka BITS – background intelligent transfer service). This knowledge seems to be well dispersed in the underground hacking community and could be the technique or some variation of the techniques that we have witness in the past few days.

Please see :

New Attack Piggybacks on Microsoft's Patch Service (Washington Post – May 2007)
http://blog.washingtonpost.com/securityfix/2007/05/malware_using_microsoft_patch.html

Cyber Center Report - October 29, 2007

2007-10-29T14:17:00.000-04:00

BLSS Cyber Center Report - 29 October 2007
------------------------------------------
www.blacklabsecurity.com

This BLSS Cyber Center Report is a continuation of the Cyber Center Report published on 29 October 2007. BLSS has initiated an immediate analysis on the China attack of our Honey Pot, which was reported yesterday, 28 October 2007. This report will be categorized into two separate sections; 1) Analysis Of Honey Pot Attack, and 2) Advised Immediate Action Required To Prevent The Attacks.

Analysis Of Honey Pot Attack
----------------------------

Below are the first 100 program file payloads detected by Shadow. There were many more payloads installed into the "i386" and "Service Pack" nested folders. The most interesting fact about the first 100 payloads below, is that almost all the payloads are related to "Remote Access" functions. The fact is that the RegCode.dll, Adfsocm.dll, ComAdmin.dll, Dialer.exe, the "System Configuration Install" (system.configuration.install.dll), Nfsocm.dll, Explorer.exe, etc. But most interesting, is the fact that remote access program payloads were updated, along with the \Windows\PCHealth\HelpCtr\System\RemoteAssistance\Interaction\Client\Raclient.js, Racontrol.js, Raserver.js and Common.js, along with a new RegEdit.exe.

The following are the first 100 payloads detected:

1. C:\WINDOWS\ASSEMBLY\GAC\REGCODE\1.0.5000.0__B03F5F7F11D50A3A\REGCODE.DLL
2. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\ADFSOCM.DLL
3. C:\WINDOWS\SYSTEM32\COM\COMADMIN.DLL
4. C:\WINDOWS\DIALER.EXE
5. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.CONFIGURATION.INSTALL\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.CONFIGURATION.INSTALL.DLL
6. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\NFSOCM.DLL
7. C:\WINDOWS\EXPLORER.EXE
8. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DATA\1.0.5000.0__B77A5C561934E089\SYSTEM.DATA.DLL
9. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\OCWSS.DLL
10. C:\PROGRAM FILES\COMMONFILES\SPEECHENGINES\MICROSOFT\TTS\1033\SPTTSENG.DLL
11. C:\WINDOWS\HH.EXE
12. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DATA.ORACLECLIENT\1.0.5000.0__B77A5C561934E089\SYSTEM.DATA.ORACLECLIENT.DLL
13. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\CLIENT\RACLIENT.JS
14. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\NEWBINS\I386\SUAIDMOG.DLL
15. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\MUI\0409\MSCORSECR.DLL
16. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.DIRECTORYSERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.DIRECTORYSERVICES.DLL
17. C:\WINDOWS\NOTEPAD.EXE
18. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\COMMON\RACONTROL.JS
19. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTE ASSISTANCE\COMMON\COMMON.JS
20. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.ENTERPRISESERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.ENTERPRISESERVICES.DLL
21. C:\WINDOWS\REGEDIT.EXE
22. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTEASSISTANCE\INTERACTION\SERVER\RASERVER.JS
23. C:\WINDOWS\PCHEALTH\HELPCTR\SYSTEM\REMOTE ASSISTANCE\COMMON\CONSTANTS.JS
24. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.ENTERPRISESERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.ENTERPRISESERVICES.THUNK.DLL
25. C:\WINDOWS\SYSTEM32\MUI\0C0A\W03A2409.DLL
26. C:\WINDOWS\TWAIN.DLL
27. C:\WINDOWS\PCHEALTH\HELPCTR\VENDORS\CN=MICROSOFTCORPORATION,L=REDMOND,S=WASHINGTON,C=US\REMOTE ASSISTANCE\COMMON\COMMON.JS
28. C:\WINDOWS\SYSTEM32\MUI\0C0A\WS03RES.DLL
29. C:\WINDOWS\TWAIN_32.DLL
30. C:\WINDOWS\PCHEALTH\HELPCTR\VENDORS\CN=MICROSOFTCORPORATION,L=REDMOND,S=WASHINGTON,C=US\REMOTEASSISTANCE\COMMON\CONSTANTS.JS
31. C:\WINDOWS\SYSTEM32\MUI\0C0A\XPOB2RES.DLL
32. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.MESSAGING\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.MESSAGING.DLL
33. C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0001\DRIVERFILES\I386\PROCESSR.SYS
34. C:\WINDOWS\TWUNK_16.EXE
35. C:\WINDOWS\SYSTEM32\MUI\0C0A\XPSP2RES.DLL
36. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.RUNTIME.REMOTING\1.0.5000.0__B77A5C561934E089\SYSTEM.RUNTIME.REMOTING.DLL
37. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\DISKRAID.EXE
38. C:\WINDOWS\TWUNK_32.EXE
39. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.RUNTIME.SERIALIZATION.FORMATTERS.SOAP\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.RUNTIME.SERIALIZATION.FORMATTERS.SOAP.DLL
40. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDS.EXE
41. C:\WINDOWS\UDDISP.EXE
42. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.SECURITY\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.SECURITY.DLL
43. C:\WINDOWS\INF\UNREGMP2.EXE
44. C:\WINDOWS\SYSTEM32\WBEM\ADSTATUS\TRUSTMON.DLL
45. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSDYNDR.DLL
46. C:\WINDOWS\VMMREG32.DLL
47. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.SERVICEPROCESS\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.SERVICEPROCESS.DLL
48. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSLDR.EXE
49. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.DLL
50. C:\WINDOWS\WINHELP.EXE
51. C:\WINDOWS\SERVICEPACKFILES\SERVICEPACKCACHE\CMPNENTS\R2\PACKAGES\VDS11\VDSUTIL.DLL
52. C:\WINDOWS\SYSTEM32\WBEM\XML\WMI2XML.DLL
53. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.MOBILE\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.MOBILE.DLL
54. C:\WINDOWS\WINHLP32.EXE
55. C:\WINDOWS\MSAGENT\AGENTANM.DLL
56. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.REGULAREXPRESSIONS\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.REGULAREXPRESSIONS.DLL
57. C:\WINDOWS\MSAGENT\AGENTCTL.DLL
58. C:\WINDOWS\_DEFAULT.PIF
59. C:\WINDOWS\MSAGENT\AGENTDP2.DLL
60. C:\WINDOWS\ASSEMBLY\GAC\SYSTEM.WEB.SERVICES\1.0.5000.0__B03F5F7F11D50A3A\SYSTEM.WEB.SERVICES.DLL
61. C:\WINDOWS\SYSTEM32\SERVERAPPLIANCE\WEB\ADMIN\HELP\0409\LINKCSS.JS
62. C:\WINDOWS\MSAGENT\AGENTDPV.DLL
63. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\MSCORLIB\1.0.5000.0__B77A5C561934E089_1C85CDAB\MSCORLIB.DLL
64. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\DAO\DAO360.DLL
65. C:\WINDOWS\MSAGENT\AGENTMPX.DLL
66. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM\1.0.5000.0__B77A5C561934E089_8DF1E0E7\SYSTEM.DLL
67. C:\WINDOWS\MSAGENT\AGENTPSH.DLL
68. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\IEINFO5.OCX
69. C:\WINDOWS\MSAGENT\AGENTSR.DLL
70. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\MSINFO32.EXE
71. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DESIGN\1.0.5000.0__B03F5F7F11D50A3A_2DC1A7DB\SYSTEM.DESIGN.DLL
72. C:\WINDOWS\MSAGENT\AGENTSVR.EXE
73. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SPEECH\SAPI.DLL
74. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DRAWING\1.0.5000.0__B03F5F7F11D50A3A_66784F17\SYSTEM.DRAWING.DLL
75. C:\WINDOWS\MSAGENT\AGTINTL.DLL
76. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\SPEECH\SAPISVR.EXE
77. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.DRAWING.DESIGN\1.0.5000.0__B03F5F7F11D50A3A_271DA28B\SYSTEM.DRAWING.DESIGN.DLL
78. C:\WINDOWS\MSAGENT\MSLWVTTS.DLL
79. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TEXTCONV\MSCONV97.DLL
80. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.WINDOWS.FORMS\1.0.5000.0__B77A5C561934E089_9D99100D\SYSTEM.WINDOWS.FORMS.DLL
81. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRIEDIT\DHTMLED.OCX
82. C:\WINDOWS\ASSEMBLY\NATIVEIMAGES1_V1.1.4322\SYSTEM.XML\1.0.5000.0__B77A5C561934E089_667035EA\SYSTEM.XML.DLL
83. C:\WINDOWS\SRCHASST\MSGR3EN.DLL
84. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRIEDIT\TRIEDIT.DLL
85. C:\WINDOWS\SRCHASST\SRCHCTLS.DLL
86. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\ALINKUI.DLL
87. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VGX\VGX.DLL
88. C:\WINDOWS\SRCHASST\SRCHUI.DLL
89. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\CSCOMPUI.DLL
90. C:\PROGRAM FILES\COMMON FILES\SPEECHENGINES\MICROSOFT\SPCOMMON.DLL
91. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\VBC7UI.DLL
92. C:\WINDOWS\SYSTEM32\6TO4SVC.DLL
93. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADER15.DLL
94. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\1033\VSAVB7RTUI.DLL
95. C:\WINDOWS\SYSTEM32\AAAAMON.DLL
96. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADO15.DLL
97. C:\WINDOWS\SYSTEM32\ACCTRES.DLL
98. C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\ASP.NETCLIENTFILES\SMARTNAV.JS
99. C:\PROGRAM FILES\COMMON FILES\SYSTEM\ADO\MSADOMD.DLL
100.C:\WINDOWS\SYSTEM32\ACCWIZ.EXE

Advised Immediate Action Required To Prevent The Attacks
--------------------------------------------------------

The first step, is to enter the following ports into firewalls, if organizations can do so without inhibiting the normal operations of your network and software:

Port 7212
Port 1026
Port 1027
Port 1028

The second step, is to enter the following IP addresses into firewalls:

IP Address
----------
121.18.13.107
121.18.12.197
221.208.208.83
221.208.208.91
221.208.208.95
221.208.208.98
202.97.238.202
218.50.1.119
222.239.255.43
121.235.156.114
210.79.152.144
202.97.238.202
221.208.208.101
44.139.107.99

The third step, is to TURN OFF all Automatic Updates and Disable the Microsoft Help Center Remote Access Functions. As a "hardening method"
within BLSS, we actually erase the following java scripts:

Java Scripts
-----------
Raclient.js
Racontrol.js
Common.js
Raserver.js
Constants.js

The BLSS Cyber Center will be publishing a list of all IP addresses detected from China and Korea within the next 24 hours. It is recommended that all IP addresses from China and Korea be entered into firewalls as a security
(safety) precaution.

Storm Worm Research

2007-10-29T10:00:00.000-04:00

Commenting on eWeek articles:
NAC Can't Weather the Storm - October 26, 2007
http://www.eweek.com/article2/0,1895,2207921,00.asp
Storm Worm Botnet Lobotomizing Anti-Virus Programs - October 24, 2007
http://www.eweek.com/article2/0,1895,2205606,00.asp

Our Storm Worm Research

The Storm worm and other nameless worms roaming the Internet today are extremely capable and are not beating with brute force techniques; they don’t need to base on the techniques being deployed. These worms are intruding networks and systems almost at will without logins, passwords, or help from insiders. There are hundreds of new compromised IPs added to the attack every day using the same attack profile and techniques. Therefore blocking IPs and countries in your firewalls and other network access controls (NACs) from accessing your networks is a mission impossible. The actual attack is hidden is the overload of communications and probes that come from these compromised computers that intrude looking like normal expected communications. Anti-virus and anti-spyware solutions are being rendered worst than useless since they are reporting that all is OK.

Adjusting filters and behaviors in IPS systems and UTM systems is also nearly unproductive since these worms change their signature every 30 minutes or less. Once in, these worms are invisible because they comes with a rootkit built in and hide at the kernel level; and they are clever enough to change every few weeks (or days). These worms have built-in defense mechanisms and they know when they are being investigated, and it punishes and fights back.

We are finding that the best security defense in depth (DiD) architectures with many security appliances and software products are having equally difficult problems in stopping theses worms. The filter sensitivities are different in each tool and analyzing a single event has many gaps in what the logs are showing. Since there are some many short-burst probes and attacks each day, the logs are extremely lengthy. Often after identifying an suspicious event, they files are gone since they are already were installed, make critical O/S changes or download other malware via open ports looking like valid communications, and then deleted themselves.

So why is the information so vague about the storm worm? It’s because the storm worm knows the weaknesses of security products available today and it doing a grand job of defeating and confusing computer security analysts. A new security technology and approach is required by the industry. As you see form the posted cyber reports, we are able to prevent, capture forensics, and analyze these worms without much difficulty. No need for filter adjustments or new signature updates for us. We see these attacks like watching a video game in near real-time. By the way, we have not published our forensics and logs, but have provided this information through several channels. We will remain discrete about how these attacks are so successful.

Cyber Center Report - October 28, 2007

2007-10-29T07:55:00.000-04:00

BLSS Cyber Center Report - 28 October 2007
------------------------------------------
http://www.blacklabsecurity.com/

BLSS detected and observed the highest number of new computers suddenly broadcasting over the Internet to date. China and Korea continue to escalate their probes/attacks on all previously reported ports. The number of IPs in China and Korea probing/attacking the U.S. is rising substantially each night.

Please read this report carefully. Several government computers are now broadcasting over port 1026 UDP.

BLSS also detected and captured the forensics of multiple IP connections from China (Hebei, Beijing and 3 Harbin IP sites), Japan, and one site inside the U.S. from an Amateur Radio Digital Communications Group.

Several unauthorized files were detected from offshore sources (IPs) within the BLSS Honey Pot that included REGCODE.DLL and ADFSOCM.DLL.

The following IPs were connected to the BLSS Honey Pot when these files were received:

IP Address Location Port Protocol
------------- ----------- ----- --------
121.18.13.107 China - Hebei 7212 TCP
121.235.156.114 China - Beijing 1026 UDP
210.79.152.144 Japan 1026 UDP
221.208.208.91 China - Harbin 1027 UDP
202.97.238.202 China - Harbin 1027 UDP
221.208.208.101 China - Harbin 1026 UDP
44.139.107.99 U.S. 1026 UDP

(IP 44.139.107.99 is located somewhere (approx) in Colorado at an Armature Radio Digital Communications Station)

Several other key U.S. government computers are now suddenly broadcasting over port 1026 UDP;

Four computers from the Naval Ocean Systems Center:

1) 214.174.173.142
2) 33.14.45.142
3) 214.71.189.59
4) 214.84.88.214

One computer from the DoD Network Centric Operations:

1) 26.198.93.126

Several other computers now broadcasting on port 1026. from the U.S. there are; The IANA probed port 1026 a total number of eight times last night, from eight separate IP addresses, one computer from Hewlett-Packard Company, one computer from Cingular Wireless II, one computer from Road Runner, one computer from TDS Telecom, one computer the Buckeye Pipe Line Company.

Other countries probing on Port 1026; China (new site), Korea (2 new sites), Japan (2 new sites), Canada (4 new sites – one of these computers is from Nortel Networks Canada), Italy (new site), Germany (new site), New Zealand (new site), United Kingdom, (new site), “Societe Internationale de Telecomm (Europe), One IP Address which has no record and cannot be traced (most likely belongs to a government agency), Australia (new site). Port 1027; Canada (new site), Israel (new site). Port 1028; Canada (new site). Port 21; China (new site). Port 22; Netherlands (new site), China (2 new sites), Japan (new site), U.S. (new site). Port 25; Taiwan (new site). Port 1080; China (new site), Korea (new site). Port 1433; Taiwan (new site), U.S. (new site), China (new site). Port 1434; China (2 new sites, including China Mobile Comm Corp). Port 2967; Spain (new site), U.S. (new site), China (new site). Port 2968; U.S. (new site). Port 3128; Germany (new site). Port 4899; China (new site), India (new site). Port 5900; Algeria (new site), China (2 new sites), Korea (new site). Port 7212; China (new site). Honey Port Activity; China surfed port 80 and attacked through port 1080, three hours after the service pack update was attempted. The Chinese attack failed. Germany surfed port 80 and attempted no attack. Ethiopia surfed port 80 and attempted no attack.

----Service Pack Update Activated During The Following IP Connections -----
IP Address : 121.18.13.107 [ 121.18.13.107 ]
ISP : -
Organization : CNC Group Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East

IP Address : 121.235.156.114 [
114.156.235.121.broad.wx.js.dynamic.163data.com.cn ]
ISP : -
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 210.79.152.144 [ 144M61.rivo.mediatti.net ]
ISP : Mediatti Communications Inc.
Organization : Mediatti Communications,Inc.
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 221.208.208.91 [ 221.208.208.91 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 202.97.238.202 [ 202.97.238.202 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 221.208.208.101 [ 221.208.208.101 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 44.139.107.99 [ 44.139.107.99 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: :Amateur Radio Digital Communications
OrgID: : ARDC
Address:
City:
StateProv:
PostalCode:
Country: : US

Below is a listing of the specific details on each port probe/attack and IP
address:

----Port 1026 ---------
IP Address : 110.223.103.15 [ 110.223.103.15 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 221.208.208.100 [ 221.208.208.100 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 16.190.180.16 [ 16.190.180.16 ]
ISP : HEWLETT-PACKARD COMPANY
Organization : Hewlett-Packard Company
Location : US, United States
City : Palo Alto, CA 94304
Latitude : 37°37'62" North
Longitude : 122°18'26" West

IP Address : 122.43.240.241 [ 122.43.240.241 ]
ISP : -
Organization : POWERCOMM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

IP Address : 214.174.173.142 [ 214.174.173.142 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 155.164.42.223 [ 155.164.42.223 ]
ISP : Cingular Wireless II, LLC
Organization : Cingular Wireless II, LLC
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 77.148.5.226 [ 77.148.5.226 ]
ISP : -
Organization : freenet Cityline GmbH
Location : DE, Germany
City : Kiel, 10 -
Latitude : 54°33'33" North
Longitude : 10°13'33" East

IP Address : 142.217.35.43 [ 142-217-35-43.telebecinternet.net ]
ISP : Telebec
Organization : Telebec
Location : CA, Canada
City : Scarborough, ON -
Latitude : 43°75'00" North
Longitude : 79°20'00" West

IP Address : 91.81.75.23 [ 91.81.75.23 ]
ISP : -
Organization : Vodafone Omnitel N.V.
Location : IT, Italy
City : Ivrea, 12 -
Latitude : 45°46'67" North
Longitude : 7°86'67" East

IP Address : 24.64.238.193 [ S0106000cf1e85077.cg.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Calgary, AB -
Latitude : 51°08'33" North
Longitude : 114°08'33" West

IP Address : 47.8.89.165 [ h165s89a8n47.user.nortelnetworks.com ]
ISP : Bell-Northern Research
Organization : Nortel Networks
Location : CA, Canada
City : Ottawa, ON k1y4h7
Latitude : 45°41'67" North
Longitude : 75°70'00" West

IP Address : 133.94.112.4 [ 133.94.112.4 ]
ISP : -
Organization : -
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
OrgName: : Japan Network Information Center
OrgID: : JNIC
Address: : Kokusai-kougyou-Kanda Bldg 6F
Address: : 2-3-4 Uchikanda
City: : Chiyoda-ku
StateProv: : Tokyo
PostalCode: : 101-0047
Country: : JP

IP Address : 33.14.45.142 [ 33.14.45.142 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 175.71.14.149 [ 175.71.14.149 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 121.135.156.114 [ 121.135.156.114 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

IP Address : 210.79.52.144 [ 210.79.52.144 ]
ISP : Traced to Auckland, New Zealand and lost

IP Address : 44.139.107.99 [ 44.139.107.99 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Amateur Radio Digital Communications
OrgID: : ARDC
Address:
City:
StateProv:
PostalCode:
Country: : US

IP Address : 82.26.217.87 [ client-82-26-217-87.glfd.adsl.virgin.net ]
ISP : NTL Internet
Organization : NTL Internet
Location : GB, United Kingdom
City : Rochdale, L2 -
Latitude : 53°61'67" North
Longitude : 2°15'00" West

IP Address : 214.71.189.59 [ 214.71.189.59 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 57.14.29.60 [ 57.14.29.60 ]
ISP : SITA-Societe Internationale de Telecommunications
Organization : SITA-Societe Internationale de Telecommunications
Location : EU, Europe
City : -, - -
Latitude : 47°00'00" North
Longitude : 8°00'00" East

IP Address : 69.135.158.111 [ voip-69-135-158-111.neo.rr.com ]
ISP : Road Runner
Organization : Road Runner
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 121.110.92.53 [ KD121110092053.ppp-bb.dion.ne.jp ]
ISP : -
Organization : KDDI Corporation
Location : JP, Japan
City : Tokyo, 40 -
Latitude : 35°68'50" North
Longitude : 139°75'14" East

IP Address : 177.119.235.34 [ 177.119.235.34 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 174.28.137.177 [ 174.28.137.177 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 142.61.198.197 [ 142.61.198.197 ]
ISP : Canadian Research Network
Organization : Canadian Research Network
Location : CA, Canada
City : Toronto, ON m5s3j1
Latitude : 43°66'67" North
Longitude : 79°41'68" West

IP Address : 216.165.129.157 [ ns6.dns.tds.net ]
ISP : TDS TELECOM
Organization : TDS TELECOM
Location : US, United States
City : Madison, WI 53717
Latitude : 43°07'37" North
Longitude : 89°52'74" West

IP Address : 178.95.193.126 [ 178.95.193.126 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 26.198.93.126 [ 26.198.93.126 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : DoD Network Information Center
OrgID: : DNIC
Address: : 3990 E. Broad Street
City: : Columbus
StateProv: : OH
PostalCode: : 43218
Country: : US

IP Address : 209.197.186.202 [ hs-scarlett-209197186202.3web.net ]
ISP : Cybersurf
Organization : 3web Corp.
Location : CA, Canada
City : Calgary, AB t2e7p1
Latitude : 51°08'33" North
Longitude : 114°08'33" West

IP Address : 139.186.84.121 [ 139.186.84.121 ]
ISP : No Record (Unknown) No Trace Whatsoever

IP Address : 161.224.174.101 [ 161.224.174.101 ]
ISP : Buckeye Pipe Line Company
Organization : Buckeye Pipe Line Company
Location : US, United States
City : Emmaus, PA 18049
Latitude : 40°51'89" North
Longitude : 75°50'13" West

IP Address : 182.148.106.18 [ 182.148.106.18 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 108.85.32.236 [ 108.85.32.236 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 183.200.235.254 [ 183.200.235.254 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 118.242.111.243 [ 118.242.111.243 ]
OrgName: : Asia Pacific Network Information Centre
OrgID: : APNIC
Address: : PO Box 2131
City: : Milton
StateProv: : QLD
PostalCode: : 4064
Country: : AU

IP Address : 214.84.88.214 [ 214.84.88.214 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

----Port 1027 -----------
IP Address : 24.64.238.193 [ S0106000cf1e85077.cg.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Calgary, AB -
Latitude : 51°08'33" North
Longitude : 114°08'33" West

IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East

----Port 1028 -----------
IP Address : 24.64.238.193 [ S0106000cf1e85077.cg.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Calgary, AB -
Latitude : 51°08'33" North
Longitude : 114°08'33" West

----Port 21 -----------
IP Address : 202.108.12.7 [ 202.108.12.7 ]
ISP : CNCGROUP Beijing province network
Organization : CNCGROUP Beijing Province Network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----Port 22 -----------
IP Address : 212.204.181.15 [ cc573055-b.wolve1.fr.home.nl ]
ISP : Essent Kabelcom B.V.
Organization : Essent Kabelcom B.V. B.V.
Location : NL, Netherlands
City : Nijmegen, 03 -
Latitude : 51°83'33" North
Longitude : 5°86'67" East

IP Address : 61.146.178.13 [ 61.146.178.13 ]
ISP : Data Communication Division
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East

IP Address : 65.19.156.160 [ 65.19.156.160 ]
ISP : Hurricane Electric
Organization : Joe's Web Hosting
Location : JP, Japan
City : Osaka, 32 -
Latitude : 34°66'67" North
Longitude : 135°50'00" East

IP Address : 202.106.62.52 [ 202.106.62.52 ]
ISP : CNCGROUP Beijing province network
Organization : CNCGROUP Beijing Province Network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 208.115.34.232 [ 208.115.34.232 ]
ISP : -
Organization : Bocacom.net LLC
Location : US, United States
City : Boca Raton, FL 33431
Latitude : 26°38'18" North
Longitude : 80°10'46" West

----Port 25 -----------
IP Address : 61.31.167.78 [ 61-31-167-78.dynamic.tfn.net.tw ]
ISP : Taiwan Fixed Network CO.,LTD.
Organization : Taiwan Fixed Network CO.,LTD.
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East

----Port 1080 ----------
IP Address : 125.65.76.15 [ 125.65.76.15 ]
ISP : CHINANET Sichuan province network
Organization : SC-MY-XIWEISHUMA-LYD
Location : CN, China
City : Mianyang, 32 -
Latitude : 31°46'67" North
Longitude : 104°76'67" East

IP Address : 222.239.255.43 [ 222.239.255.43 ]
ISP : Hanaro Telecom, Inc.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East

----Port 1433 ----------
IP Address : 60.248.124.139 [ 60-248-124-139.HINET-IP.hinet.net ]
ISP : CHTD, Chunghwa Telecom Co.,Ltd.
Organization : Chunghwa Telecom Data communication Business Group
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East

IP Address : 69.149.1.231 [ adsl-69-149-1-231.dsl.rcsntx.swbell.net ]
ISP : SBC Internet Services
Organization : SBC Internet Services
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 218.28.119.230 [ pc0.zz.ha.cn ]
ISP : CNCGROUP Henan province network
Organization : CNCGROUP Henan province network
Location : CN, China
City : Henan, 24 -
Latitude : 37°89'97" North
Longitude : 112°18'72" East

----Port 1434 ----------
IP Address : 61.242.244.143 [ 61.242.244.143 ]
ISP : China United Telecommunications Corporation
Organization : China United Telecommunications Corporation
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 221.130.68.206 [ 221.130.68.206 ]
ISP : China Mobile Communications Corporation
Organization : China Mobile Communications Corporation - jiangsu
Location : CN, China
City : -, - -
Latitude : 35°00'00" North
Longitude : 105°00'00" East

----Port 2967 -----------
IP Address : 62.43.240.58 [ 62.43.240.58 ]
ISP : ONO
Organization : ONO
Location : ES, Spain
City : Madrid, 29 -
Latitude : 40°40'00" North
Longitude : 3°68'33" West

IP Address : 64.194.57.21 [ ims-64-194-57-21.imsday.com ]
ISP : Level 3 Communications
Organization : Time Warner Cable
Location : US, United States
City : Houston, TX -
Latitude : 29°77'55" North
Longitude : 95°41'52" West

IP Address : 218.66.104.217 [ 218.66.104.217 ]
ISP : Data Communication Division
Organization : Data Communication Division
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

---Port 2968 ----------
IP Address : 69.22.217.135 [ user-12hdmc7.cable.mindspring.com ]
ISP : EarthLink
Organization : EarthLink
Location : US, United States
City : Cliffside Park, NJ 07010
Latitude : 40°82'03" North
Longitude : 73°98'71" West

----Port 3128 ---------
IP Address : 87.118.118.98 [ ns.km31021.keymachine.de ]
ISP : Keyweb AG
Organization : Keyweb AG IP Network
Location : DE, Germany
City : Erfurt, 15 -
Latitude : 50°98'33" North
Longitude : 11°03'33" East

----Port 4899 ---------
IP Address : 61.153.155.189 [ 61.153.155.189 ]
ISP : Data Communication Division
Organization : CHINANET-ZJ Ningbo node network
Location : CN, China
City : Ningbo, 02 -
Latitude : 29°87'50" North
Longitude : 121°54'19" East

IP Address : 59.163.49.6 [ 59.163.49.6.static.vsnl.net.in ]
ISP : Videsh Sanchar Nigam Ltd - India.
Organization : Videsh Sanchar Nigam Ltd
Location : IN, India
City : Bombay, 16 -
Latitude : 18°97'50" North
Longitude : 72°82'58" East

----Port 5900 ----------
IP Address : 82.101.190.13 [ 82.101.190.13 ]
ISP : IP-ADSL-ALGER
Organization : IP-ADSL-ALGER
Location : DZ, Algeria
City : Alger, 01 -
Latitude : 36°76'31" North
Longitude : 3°05'06" East

IP Address : 222.216.28.178 [ 222.216.28.178 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East

IP Address : 211.116.157.35 [ 211.116.157.35 ]
ISP : KRNIC
Organization : NEORO COM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

IP Address : 218.95.184.104 [ 218.95.184.104 ]
ISP : Data Communication Division
Organization : CHINANET ningxia province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----Port 7212 -------------
IP Address : 60.213.45.62 [ 60.213.45.62 ]
ISP : CNCGROUP Shandong province network
Organization : CNCGROUP Shandong province network
Location : CN, China
City : Jinan, 25 -
Latitude : 36°66'83" North
Longitude : 116°99'72" East

----Honey Pot Activity -----------
IP Activity : Surfed port 80 and attacked through port 1080
IP Address : 222.217.221.214 [ 222.217.221.214 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East

IP Activity : Surfed port 80
IP Address : 87.118.118.98 [ ns.km31021.keymachine.de ]
ISP : Keyweb AG
Organization : Keyweb AG IP Network
Location : DE, Germany
City : Erfurt, 15 -
Latitude : 50°98'33" North
Longitude : 11°03'33" East

IP Activity : Surfed port 80
IP Address : 213.55.79.250 [ 213.55.79.250 ]
ISP : Ethiopian Telecommuncation Corporation
Organization : Ethiopian Telecommunication corporation
Location : ET, Ethiopia
City : -, - -
Latitude : 8°00'00" North

Information about the Honey Pot

2007-10-29T07:47:00.000-04:00

Information about the Honey Pot

Several people have asked about more information regarding our Honey pot. We have deployed our honey pot directly connected to the Internet with a non-descript basic webpage. In doing so, we are exposed to every computer probe and attack that finds its way to our IP. We are using turnkey cyber center software from Black Lab Security Systems that monitors and protects a standard workstation or server used as a honey pot. We do our best to protect the IP address of the honey pot to protect the integrity of what is detected. Cyber-probes and -attacks can be monitor in near-real time mode and quickly analyzed from the forensics evidenced gathered.

In simplest terms, enterprises would benefit from using a honey pot in on company registered IPs to analyze what probes and attacks are (1) finding enterprise systems directly connected to the Internet, (2) intruding enterprise’s demilitarized zone (DMZ), and (3) intruding an enterprises internal network or intranet.

Internal Network
Attacks to the internal network are the most serious and immediate action should be considered. Attacks, scans, and probes can come from both internal (e.g., the insider threat) or external.

Cyber Center Report - October 27, 2007

2007-10-28T22:01:00.000-04:00

BLSS Cyber Center Report - 27 October 2007
------------------------------------------
http://www.blacklabsecurity.com/

IMPORTANT - This report identifies the most significant computers suddenly broadcasting over the Internet.

China and Korea continue to probe/attack the U.S. with a new level of tenacity. All previous probes/attacks on China and Korean IPs continue on all reported ports. Last night's probes/attacks have reached an all-time high of new and significant computers now broadcasting on port 1026. Never before has the BLSS Cyber Center, detected so many "significant" computers, to suddenly start broadcasting (almost) at one time over port 1026. The computers now broadcasting on Port 1026 are the following:

1) Chevron Corporation
2) The British Petroleum Company
3) Hewlett-Packard
4) Wageningen University and Research Centre (NetherLands)
5) Two Computers Recorded as the property of the Department Of Defense
(DoD)
6) The "Societe Internationale de Telecommunications" (Europe)
7) The NIB (National Internet Backbone) Of India
8) The Japan Network Information Center- Japan
9) The Government of the Province of Ontario- Canada
10) The Cable And Wireless System Of Panama
11) Two computers that cannot be identified, which most likely belong to a government agency.
12) One computer which was traced to , but the trace was lost on the African Continent.

The other significant computer, is America On Line (AOL) which is now broadcasting over port 5900.

Other significant news is that CHINA IS AWARE of the BLSS Honey Pot and is now "surfing" probing and attacking the BLSS Honey Pot. China has NOT been successful (so far) utilizing their methods/programs against the BLSS Honey Pot. The BLSS Honey Pot is stopping all attacks by China. The Chinese IP is 219.153.5.169 located in Shanghai, China.

Other additional probes on port 1026 include Thailand, India, U.S., Japan, and the Ukraine. The Internet Assigned Numbers Authority (IANA) also probed port 1026 three times last night. Port 22; China (new site), Taiwan (new site). Port 1433; China (new site), Korea (new site). Port 1434; China (2 new sites). Port 4899; U.S. (new site). Port 5168; China (new site). Port 5900; U.S. (2 new sites - AOL reported above and Mikrotec Internet Services), Greece (new site). Honey Pot Activity; China "surfing" and unsuccessfully attacking the BLSS Honey Pot (reported above), One other "surf" located in the U.S. (Utah). No attack from the Utah "surf".

Below is a listing of the specific details on each port probe/attack and IP
address:

----Port 1026 ----------------
IP Address : 203.151.151.246 [ 203.151.151.246 ]
ISP : Internet Thailand Company Limited
Organization : Internet Thailand Company Limited
Location : TH, Thailand
City : -, - -
Latitude : 15°00'00" North
Longitude : 100°00'00" East

IP Address : 64.184.56.105 [ ip56-105.dyn.comteck.com ]
ISP : Indiana Fiber Network, LLC
Organization : Sweetser Telephone Co.
Location : US, United States
City : Sweetser, IN 46987
Latitude : 40°56'95" North
Longitude : 85°76'68" West

IP Address : 63.28.160.72 [ 1Cust72.an4.nyc41.da.uu.net ]
ISP : UUNET Technologies
Organization : UUNET Technologies
Location : US, United States
City : Ashburn, VA 20147
Latitude : 39°03'35" North
Longitude : 77°48'38" West

IP Address : 61.16.186.68 [ hw-static-68-186-16-61.direct.net.in ]
ISP : Direct Internet
Organization : Hotwire
Location : IN, India
City : New Delhi, 07 -
Latitude : 28°60'00" North
Longitude : 77°20'00" East

IP Address : 97.127.86.68 [ 97.127.86.68 ]
ISP : No Record (Not recorded)

IP Address : 61.119.81.22 [ 61.119.81.22 ]
ISP : Nippon Telecommunication Network Co.,Ltd.
Organization : NTT Communications Corporation
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 174.220.153.83 [ 174.220.153.83 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv : CA
PostalCode : 90292-6695
Country: : US

IP Address : 137.224.244.14 [ 137.224.244.14 ]
ISP : Wageningen University and Research Centre
Organization : Wageningen University and Research Centre
Location : NL, Netherlands
City : Wageningen, 03 -
Latitude : 51°96'67" North
Longitude : 5°66'67" East

IP Address : 161.103.43.111 [ 161.103.43.111 ]
ISP : The British Petroleum Company p.l.c (BP)
Organization : The British Petroleum Company p.l.c (BP)
Location : US, United States
City : Cleveland, OH 44128
Latitude : 41°43'79" North
Longitude : 81°53'66" West

IP Address : 30.126.167.170 [ 30.126.167.170 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : DoD Network Information Center
OrgID: : DNIC
Address: : 3990 E. Broad Street
City: : Columbus
StateProv: : OH
PostalCode: : 43218
Country: : US

IP Address : 133.210.238.95 [ 133.210.238.95 ]
ISP : -
Organization : -
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East
OrgName: : Japan Network Information Center
OrgID: : JNIC
Address: : Kokusai-kougyou-Kanda Bldg 6F
Address: : 2-3-4 Uchikanda
City: : Chiyoda-ku
StateProv : Tokyo
PostalCode : 101-0047
Country: : JP

IP Address : 190.34.233.95 [ 190.34.233.95 ]
ISP : -
Organization : Cable & Wireless Panama
Location : PA, Panama
City : -, - -
Latitude : 9°00'00" North
Longitude : 80°00'00" West

IP Address : 36.186.62.69 [ 36.186.62.69 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 105.113.251.184 [ 105.113.251.184 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 191.186.213.173 [ 191.186.213.173 ]
ISP : No Record (Not Recorded)

IP Address : 57.236.39.178 [ 57.236.39.178 ]
ISP : SITA-Societe Internationale de Telecommunications
Organization : SITA-Societe Internationale de Telecommunications
Location : EU, Europe
City : -, - -
Latitude : 47°00'00" North
Longitude : 8°00'00" East

IP Address : 146.29.139.39 [ 146.29.139.39 ]
ISP : Chevron Corporation
Organization : Chevron Corporation
Location : US, United States
City : San Ramon, CA 94583
Latitude : 37°78'06" North
Longitude : 121°99'04" West

IP Address : 31.28.22.227 [ 31.28.22.227 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 117.243.53.225 [ 117.243.53.225 ]
ISP : -
Organization : NIB (National Internet Backbone)
Location : IN, India
City : New Delhi, 07 -
Latitude : 28°60'00" North
Longitude : 77°20'00" East

IP Address : 142.106.73.19 [ 142.106.73.19 ]
ISP : Government of the Province of Ontario
Organization : Government of the Province of Ontario
Location : CA, Canada
City : Toronto, ON m5h3b7
Latitude : 43°66'67" North
Longitude : 79°41'68" West

IP Address : 16.180.25.196 [ 16.180.25.196 ]
ISP : HEWLETT-PACKARD COMPANY
Organization : Hewlett-Packard Company
Location : US, United States
City : Palo Alto, CA 94304
Latitude : 37°37'62" North
Longitude : 122°18'26" West

IP Address : 41.29.76.81 [ 41.29.76.81 ]
ISP : No Record (Not Recorded), But known to be somewhere in Africa
: Was Directed To The AfriNIC Whois server

IP Address : 77.91.184.1 [ 77-91-184-1.client.telesystems.ua ]
ISP : -
Organization : Telesystems of Ukraine LLC
Location : UA, Ukraine
City : Kiev, 13 -
Latitude : 50°43'33" North
Longitude : 30°51'67" East

----Port 22 ------------------
IP Address : 210.202.199.132 [
TC210-202-199-132.vdslpro.static.apol.com.tw ]
ISP : Asia Pacific On-line Services Inc.
Organization : Jeng Wu Jie Automatous Co., Ltd.
Location : TW, Taiwan
City : Taichung, 04 -
Latitude : 24°14'33" North
Longitude : 120°68'14" East

IP Address : 218.92.205.106 [ 218.92.205.106 ]
ISP : Data Communication Division
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----Port 25 -------------------
IP Address : 125.225.22.110 [ 125-225-22-110.dynamic.hinet.net ]
ISP : CHTD, Chunghwa Telecom Co.,Ltd.
Organization : Chunghwa Telecom Data communication Business Group
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East

----Port 1433 ----------------
IP Address : 210.51.187.88 [ 210.51.187.88 ]
ISP : CNCGROUP IP network
Organization : Beijing YiZhuang IDC of China Netcom
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 218.38.56.170 [ 218.38.56.170 ]
ISP : KRNIC
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

----Port 1434 ----------------
IP Address : 218.108.70.246 [ 218.108.70.246 ]
ISP : WASU TV & Communication Holding Co.,Ltd.
Organization : wangJiangFeng
Location : CN, China
City : Chaoyang, 19 -
Latitude : 41°57'03" North
Longitude : 120°45'86" East

IP Address : 60.175.101.20 [ 60.175.101.20 ]
ISP : CHINANET Anhui province network
Organization : CHINANET Anhui province network
Location : CN, China
City : Hefei, 01 -
Latitude : 31°86'39" North
Longitude : 117°28'08" East

----Port 4899 ----------------
IP Address : 76.105.111.122 [ c-76-105-111-122.hsd1.ga.comcast.net ]
ISP : -
Organization : Comcast Cable
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

----Port 5168 ----------------
IP Address : 58.246.107.14 [ 58.246.107.14 ]
ISP : CNC Group ShangHai province network
Organization : CNC Group ShangHai province network
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

----Port 5900 -----------------
IP Address : 172.201.222.7 [ ACC9DE07.ipt.aol.com ]
ISP : America Online
Organization : America Online
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 80.76.56.66 [ dslcustomer66.vivodi.gr ]
ISP : Vivodi Telecommunications S.A.
Organization : Vivodi Telecommunications S.A.
Location : GR, Greece
City : Athens, 35 -
Latitude : 37°98'33" North
Longitude : 23°73'32" East

IP Address : 69.176.25.80 [ hld-dsl-69-176-25-80.mis.net ]
ISP : Mikrotec Internet Services
Organization : Mikrotec Internet Services
Location : US, United States
City : Lexington, KY 40505
Latitude : 38°06'15" North
Longitude : 84°45'66" West

----Honey Pot Activity ---------------
IP Address : 219.153.5.169 [
169.5.153.219.broad.cq.cq.dynamic.163data.com.cn ]
ISP : Data Communication Division
Organization : Data Communication Division
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

IP Address : 216.83.145.130 [ 216.83.145.130.afcity.net ]
ISP : Fibernet Corporation
Organization : American Fork City
Location : US, United States
City : American Fork, UT 84003
Latitude : 40°39'30" North
Longitude : 111°78'38" West

Cyber Center Report - October 26, 2007

2007-10-28T21:59:00.000-04:00

BLSS Cyber Center Report - 26 October 2007
------------------------------------------
http://www.blacklabsecurity.com/

Last night's probes/attacks were just as consistent and with the same sustained frequency as the 25 October 2005 BLSS Cyber Center Report. The severity and frequency of all previously reported probes/attacks (on all reported ports), from China and Korea remains consistent across the Internet.

One new IP in China (221.194.46.204) is tenacious in it's continuous probing of port 7212. The frequency is so high, that 221.194.46.204 performs a probe every 3-4 minutes.

New activity on Port 1026; The Internet Assigned Number Authority (IANA), performed 4 probes last night, with 4 different (new) IP addresses.

Two IP addresses recorded as the property of the Department Of Defense (DoD), located somewhere (approximately) in Colorado were detected probing on port 1026. One computer with an unknown IP (not recorded) was detected probing on port 1026. Again, it has been our experience that unknown IPs (not recorded) are the property of some government agency. One computer that is recorded to be within Apple Computer Corporation was detected probing port 1026. Additional probes detected on Port 1026 were from U.S. (4 other new sites), New Zealand (new site), Slovenia (new site), Canada (2 new sites), Germany (new site), Japan (new site), Australia (new site). Port 1027; Canada (new site). Port 1028; Canada (new site). Port 22; Philippines (new site), U.S. (new site).

Port 1433; China (2 new sites), Korea (new site), Port 1434; China (2 new sites). Port 2967; China (new site). Port 5900; Sweden (new site), China (new site), France (2 new sites). Port 7212; China (one new site, which was discussed above). Honey Port Activity; No attacks last night on the BLSS Honey Port. The BLSS Honey Pot was "surfed" by one IP in the U.S., and one IP in Spain from a University located in Madrid.

Below is a listing of the specific details on each port probe/attack and IP
address:

----Port 1026 ---------------
IP Address : 23.102.102.67 [ 23.102.102.67 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 131.239.20.104 [ host-131-239-20-104.customer.veroxity.net ]
ISP : Veroxity Technology Partners
Organization : Veroxity Technology Partners
Location : US, United States
City : Newtonville, MA 02460
Latitude : 42°35'22" North
Longitude : 71°20'98" West

IP Address : 106.201.119.31 [ 106.201.119.31 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 138.211.173.87 [ 138.211.173.87 ]
ISP : WAIARI
Organization : WAIARI
Location : NZ, New Zealand
City : -, - -
Latitude : 41°00'00" South
Longitude : 174°00'00" East

IP Address : 22.89.119.186 [ 22.89.119.186 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : DoD Network Information Center
OrgID: : DNIC
Address: : 3990 E. Broad Street
City: : Columbus
StateProv: : OH
PostalCode: : 43218
Country: : US

IP Address : 22.216.206.127 [ 22.216.206.127 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : DoD Network Information Center
OrgID: : DNIC
Address: : 3990 E. Broad Street
City: : Columbus
StateProv: : OH
PostalCode: : 43218
Country: : US

IP Address : 75.35.178.112 [ 75.35.178.112 ]
ISP : -
Organization : Aquila
Location : US, United States
City : Overland Park, KS 66214
Latitude : 38°96'43" North
Longitude : 94°71'35" West

IP Address : 12.122.135.214 [ 12.122.135.214 ]
ISP : AT&T WorldNet Services
Organization : AT&T WorldNet Services
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 153.5.22.199 [ cmb61-199.dial-up.arnes.si ]
ISP : Slovenia
Organization : Slovenia
Location : SI, Slovenia
City : Ljubljana, 04 -
Latitude : 46°05'53" North
Longitude : 14°51'44" East

IP Address : 24.64.138.179 [ S01060010dcf19f13.lb.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

IP Address : 171.61.227.28 [ 171.61.227.28 ]
ISP : No Record (Unknown)

IP Address : 213.69.88.54 [ 213.69.88.54 ]
ISP : MCI Deutschland
Organization : Gilat Europe GmbH
Location : DE, Germany
City : Backnang, 01 -
Latitude : 48°95'00" North
Longitude : 9°43'33" East

IP Address : 180.254.222.130 [ 180.254.222.130 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 204.205.236.130 [ 204.205.236.130 ]
ISP : Sprint
Organization : Sprint
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Sprint
OrgID: : SPRN
Address: : 12502 Sunrise Valley Drive
City: : Reston
StateProv: : VA
PostalCode: : 20196
Country: : US

IP Address : 37.69.229.31 [ 37.69.229.31 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 120.121.232.78 [ 120.121.232.78 ]
OrgName: : Asia Pacific Network Information Centre
OrgID: : APNIC
Address: : PO Box 2131
City: : Milton
StateProv: : QLD
PostalCode: : 4064
Country: : AU

IP Address : 17.115.18.103 [ 17.115.18.103 ]
ISP : APPLE COMPUTER
Organization : APPLE COMPUTER
Location : US, United States
City : Cupertino, CA 95014
Latitude : 37°30'42" North
Longitude : 122°09'46" West

IP Address : 122.103.75.247 [ e3d247.BFL12.vectant.ne.jp ]
ISP : -
Organization : VECTANT Ltd.
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 66.97.29.3 [ 66.97.29.3 ]
ISP : ORANO
Organization : ORANO
Location : CA, Canada
City : Toronto, ON m5c2x8
Latitude : 43°66'67" North
Longitude : 79°41'68" West

----Port 1027 ----------------
IP Address : 24.64.138.179 [ S01060010dcf19f13.lb.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 1028 -----------------
IP Address : 24.64.138.179 [ S01060010dcf19f13.lb.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 22 -----------------
IP Address : 125.252.66.222 [ ip-125-252-66-222.asianetcom.net ]
ISP : Asia Netcom Corporation
Organization : Worldwide Technologies Ltd. / Digitel
Location : PH, Philippines
City : Asia, H3 -
Latitude : 9°55'17" North
Longitude : 122°51'75" East

IP Address : 66.143.231.89 [ adsl-66-143-231-89.aasimsa.com ]
ISP : SBC Internet Services
Organization : Rosa Hilda Andrade
Location : US, United States
City : Columbus, KS 66725
Latitude : 37°14'93" North
Longitude : 94°88'93" West

----Port 1433 ---------------
IP Address : 218.26.89.141 [ 218.26.89.141 ]
ISP : China Network Communications Group Corporation
Organization : changzhi xxghw gov
Location : CN, China
City : Changzhi, 24 -
Latitude : 36°04'58" North
Longitude : 113°04'42" East

IP Address : 121.139.129.4 [ 121.139.129.4 ]
ISP : Korea Telecom
Organization : keieii(ju)
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

IP Address : 222.217.221.214 [ 222.217.221.214 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East

----Port 1434 ----------------
IP Address : 221.6.7.89 [ 221.6.7.89 ]
ISP : CNC Group Jiangsu province network
Organization : CNC Group Jiangsu province network
Location : CN, China
City : Nanjing, 04 -
Latitude : 32°06'17" North
Longitude : 118°77'78" East

IP Address : 220.165.8.32 [ 220.165.8.32 ]
ISP : Data Communication Division
Organization : CHINANET Yunnan province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----Port 2967 -----------------
IP Address : 219.153.47.134 [
134.47.153.219.broad.cq.cq.dynamic.163data.com.cn ]
ISP : Data Communication Division
Organization : Data Communication Division
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

----Port 5900 ---------------
IP Address : 85.224.178.107 [
c-6bb2e055.1111-1-64736c20.cust.bredbandsbolaget.se ]
ISP : Bredbandsbolaget AB
Organization : B2 customer network
Location : SE, Sweden
City : Hägersten, 26 -
Latitude : 59°30'00" North
Longitude : 17°96'67" East

IP Address : 124.132.3.222 [ 124.132.3.222 ]
ISP : CNC Group Shandong province network
Organization : CNC Group Shandong province network
Location : CN, China
City : Jinan, 25 -
Latitude : 36°66'83" North
Longitude : 116°99'72" East

IP Address : 91.121.24.215 [ ks39719.kimsufi.com ]
ISP : -
Organization : OVH SAS
Location : FR, France
City : Roubaix, B4 -
Latitude : 50°70'00" North
Longitude : 3°16'67" East

IP Address : 83.113.65.59 [ ALyon-156-1-146-59.w83-113.abo.wanadoo.fr ]
ISP : France Telecom
Organization : France Telecom
Location : FR, France
City : Lyon, B9 -
Latitude : 45°75'00" North
Longitude : 4°85'00" East

----Port 7212 ---------------
IP Address : 221.194.46.204 [ 221.194.46.204 ]
ISP : CNCGROUP Hebei province network
Organization : CNCGROUP Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East

----Honey Pot Activity On Port 80 --------
IP Address : 72.71.221.66 [ pool-72-71-221-66.cncdnh.east.verizon.net ]
ISP : Verizon Internet Services
Organization : Verizon Internet Services
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 62.204.197.58 [ ccia-062-204-197-058.uned.es ]
ISP : Universidad Nacional de Educacion a Distancia
Organization : Universidad Nacional de Educacion a Distancia
Location : ES, Spain
City : Madrid, 29 -
Latitude : 40°40'00" North
Longitude : 3°68'33" West

Cyber Center Report - October 25, 2007

2007-10-28T21:57:00.000-04:00

BLSS Cyber Center Report - 25 October 2007
------------------------------------------
http://www.blacklabsecurity.com/

Last night's probes/attacks were the worst we (BLSS), have detected since we started reporting Internet Activity. The severity and frequency of all previously reported probes/attacks (on all reported ports), from China, Korea, etc., has increased, along with more new IPs detected than ever previously reported. We have detected two new (active) ports, which are 8000 (China) and 23 (Germany). Port 1026; An interesting and astonishing observation, is that 5 separate probes were sent out from the Internet Assigned Numbers Authority (IANA) on five separate IP addresses. There were three IP addresses detected probing port 1026, which have no record. There is a high probability these three IPs (computers) belong to some government agency. An IP probe on port 1026 was detected from Ford Motor Company. An IP probe on port 1026 was detected from the U.S. Air Force. IP probes were detected on Port 1026 from Taiwan (new site), Argentina (new site), Germany (new site), Japan (new site), Venezuela (new site) and Canada (new site).
Port 22; Japan (new site), Korea (2 new sites). Port 1027; Canada (2 new sites), Port 1028; Canada (2 new sites). Port 1433; U.S. (new site). Port 1434; U.S. (new site), China (new site), Mexico (new site). Port 2967; U.S.
(new site), China (new site). Port 5168; China (new site). Port 5900; Mexico (new site), China (3 new sites), Spain (2 new sites), Korea (new site). Port 7212; Korea (new site). Honey Pot Activity; No attacks on BLSS Honey Pot. Two IPs "surfed" the Honey Pot via port 80; U.S. (new site), Latvia (new site).

Below is a listing of the specific details on each port probe/attack and IP
address:

------------------New ports detected ---------------------------

----Port 8000 ----------
IP Address : 218.3.134.250 [ 218.3.134.250 ]
ISP : Data Communication Division
Organization : Network Center of Fast China Shipbuilding institut
Location : CN, China
City : Zhenjiang, 04 -
Latitude : 32°20'92" North
Longitude : 119°43'42" East

----Port 23 -------------
IP Address : 62.75.222.56 [ rom109.server4you.de ]
ISP : intergenia AG
Organization : SERVER4YOU Dedicated Server Hosting
Location : DE, Germany
City : -, - -
Latitude : 51°00'00" North
Longitude : 9°00'00" East

-----------------Previously reportd ports with new IPs ------------

----Port 22--------------
IP Address : 121.1.133.193 [ w133193.ppp.asahi-net.or.jp ]
ISP : -
Organization : ASAHI Net,Inc.
Location : JP, Japan
City : Asahi, 04 -
Latitude : 35°71'67" North
Longitude : 140°65'00" East

IP Address : 218.234.32.131 [ 218.234.32.131 ]
ISP : Hanaro Telecom Co.
Organization : T&CSERVICE
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

IP Address : 218.153.221.29 [ 218.153.221.29 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

----Port 25 -------------
IP Address : 122.136.45.2 [ 122.136.45.2 ]
ISP : -
Organization : CNCGROUP Jilin province network
Location : CN, China
City : Changchun, 05 -
Latitude : 43°88'00" North
Longitude : 125°32'28" East

----Port 1026 -----------
IP Address : 168.215.6.124 [ 168-215-6-124.static.twtelecom.net ]
ISP : Time Warner Telecom
Organization : Time Warner Telecom
Location : US, United States
City : Littleton, CO 80124
Latitude : 39°52'90" North
Longitude : 104°90'50" West

IP Address : 181.94.48.142
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 23.196.161.161
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 111.47.93.216 [ 111.47.93.216 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 31.105.131.203 [ 31.105.131.203 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 163.22.15.95 [ ip095.puli15.ncnu.edu.tw ]
ISP : MOEC
Organization : Taichung Changhua Nantou Regional Network
Location : TW, Taiwan
City : Taichung, 04 -
Latitude : 24°14'33" North
Longitude : 120°68'14" East

IP Address : 79.237.38.69 [ 79.237.38.69 ]
ISP : -
Organization : Deutsche Telekom AG
Location : DE, Germany
City : -, - -
Latitude : 51°00'00" North
Longitude : 9°00'00" East

IP Address : 200.70.166.102 [ 200.70.166.102 ]
ISP : Telefonica Data Argentina S.A.
Organization : Telefonica Data Argentina S.A.
Location : AR, Argentina
City : Buenos Aires, 07 -
Latitude : 34°58'75" South
Longitude : 58°67'25" West

IP Address : 136.74.8.184 [ 136.74.8.184 ]
ISP : FORD MOTOR COMPANY
Organization : FORD MOTOR COMPANY
Location : US, United States
City : Dearborn, MI 48121
Latitude : 42°31'27" North
Longitude : 83°19'23" West

IP Address : 151.231.90.82 [ 151.231.90.82 ]
ISP : No Record Available

IP Address : 161.196.217.237 [ 161.196.217.237 ]
ISP : Compania Anonima Nacional de Telefonos de Venezuel
Organization : Compania Anonima Nacional de Telefonos de Venezuel
Location : VE, Venezuela
City : Caracas, 25 -
Latitude : 10°50'00" North
Longitude : 66°91'67" West

IP Address : 41.42.114.215 [ 41.42.114.215 ]
ISP : No Record Available

IP Address : 84.188.214.84 [ p54BCD654.dip.t-dialin.net ]
ISP : Deutsche Telekom AG
Organization : Deutsche Telekom AG
Location : DE, Germany
City : Berlin, 16 -
Latitude : 52°51'67" North
Longitude : 13°40'00" East

IP Address : 171.6.83.121 [ 171.6.83.121 ]
ISP : No Record Available

IP Address : 24.64.5.69 [ 24.64.5.69 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

IP Address : 63.179.244.236 [ 63.179.244.236 ]
ISP : Sprint
Organization : Sprint
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Sprint
OrgID: : SPDN
Address: : 12502 Sunrise Valley Dr
City: : Reston
StateProv: : VA
PostalCode: : 20196
Country: : US

IP Address : 188.236.186.251 [ 188.236.186.251 ]
OrgName: : RIPE Network Coordination Centre
OrgID: : RIPE
Address: : P.O. Box 10096
City: : Amsterdam
StateProv: :
PostalCode: : 1001EB
Country: : NL

IP Address : 47.197.41.195 [ 47.197.41.195 ]
ISP : Bell-Northern Research
Organization : Nortel Networks
Location : CA, Canada
City : Ottawa, ON k1y4h7
Latitude : 45°41'67" North
Longitude : 75°70'00" West

IP Address : 24.64.63.248 [ 24.64.63.248 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

IP Address : 132.46.24.227 [ 132.46.24.227 ]
ISP : Columbus Air Force Base
Organization : Columbus Air Force Base
Location : US, United States
City : Columbus, MS 39710
Latitude : 33°51'63" North
Longitude : 88°46'01" West

IP Address : 121.107.129.235 [ KD121107129235.ppp-bb.dion.ne.jp ]
ISP : -
Organization : DION (KDDI CORPORATION)
Location : JP, Japan
City : Tokyo, 40 -
Latitude : 35°68'50" North
Longitude : 139°75'14" East

IP Address : 37.213.216.137 [ 37.213.216.137 ]
OrgName: : Internet Assigned Numbers Authority
OrgID: : IANA
Address: : 4676 Admiralty Way, Suite 330
City: : Marina del Rey
StateProv: : CA
PostalCode: : 90292-6695
Country: : US

IP Address : 15.4.16.227 [ 15.4.16.227 ]
ISP : HEWLETT-PACKARD COMPANY
Organization : Hewlett-Packard Company
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

----Port 1027 ---------------
IP Address : 24.64.5.69 [ 24.64.5.69 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

P Address : 24.64.63.248 [ 24.64.63.248 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 1028 ----------------
IP Address : 24.64.5.69 [ 24.64.5.69 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

P Address : 24.64.63.248 [ 24.64.63.248 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 1433 ------------
IP Address : 69.235.196.112 [ adsl-69-235-196-112.dsl.irvnca.pacbell.net ]
ISP : SBC Internet Services
Organization : SBC Internet Services
Location : US, United States
City : Los Angeles, CA -
Latitude : 34°04'16" North
Longitude : 118°29'88" West

----Port 1434 ------------
IP Address : 69.251.102.139 [ c-69-251-102-139.hsd1.md.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Washington, DC -
Latitude : 38°90'97" North
Longitude : 77°02'31" West

IP Address : 219.147.233.30 [ 219.147.233.30 ]
ISP : Data Communication Division
Organization : CHINANET HEILONGJIANG PROVINCE NETWORK
Location : CN, China
City : Zhongshan, 07 -
Latitude : 25°53'61" North
Longitude : 118°78'97" East

IP Address : 148.221.46.92 [ dup-148-221-46-92.prodigy.net.mx ]
ISP : Uninet S.A. de C.V.
Organization : Uninet S.A. de C.V.
Location : MX, Mexico
City : Monterrey, 19 -
Latitude : 25°66'67" North
Longitude : 100°31'67" West

----Port 2967 ------------
IP Address : 58.38.3.178 [
178.3.38.58.broad.xw.sh.dynamic.163data.com.cn ]
ISP : CHINANET Shanghai province network
Organization : ChinaNet Shanghai Province Network
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

IP Address : 69.200.229.199 [ cpe-69-200-229-199.nyc.res.rr.com ]
ISP : Road Runner
Organization : Road Runner
Location : US, United States
City : New York, NY -
Latitude : 40°76'19" North
Longitude : 73°97'63" West

----Port 5168 ------------
IP Address : 58.247.11.242 [ 58.247.11.242 ]
ISP : CNC Group ShangHai province network
Organization : CNC Group ShangHai province network
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

----Port 5900 ------------
IP Address : 189.170.15.107 [ dsl-189-170-15-107.prod-infinitum.com.mx ]
ISP : -
Organization : Uninet S.A. de C.V.
Location : MX, Mexico
City : -, - -
Latitude : 23°00'00" North
Longitude : 102°00'00" West

IP Address : 124.226.234.15 [ 124.226.234.15 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East

IP Address : 217.127.100.8 [ 8.Red-217-127-100.staticIP.rima-tde.net ]
ISP : Telefonica de Espana
Organization : Red de servicios IP
Location : ES, Spain
City : Madrid, 29 -
Latitude : 40°40'00" North
Longitude : 3°68'33" West

IP Address : 80.59.142.164 [ 164.Red-80-59-142.staticIP.rima-tde.net ]
ISP : Telefonica de Espana
Organization : Telefonica de Espana
Location : ES, Spain
City : Viladecáns, 56 -
Latitude : 41°31'67" North
Longitude : 2°00'00" East

IP Address : 123.8.228.123 [ 123.8.228.123 ]
ISP : -
Organization : CNCGROUP Henan province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 211.174.179.32 [ 211.174.179.32 ]
ISP : KRNIC
Organization : ELIMNET-IDC
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East

IP Address : 124.224.128.140 [ 124.224.128.140 ]
ISP : CHINANET ningxia province network
Organization : CHINANET ningxia province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----Port 7212 ------------
IP Address : 218.234.38.69 [ 218.234.38.69 ]
ISP : Hanaro Telecom Co.
Organization : Eunsan
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

----Honey Pot Activity On Port 80 -------
IP Address : 209.128.104.84 [ 209-128-104-084.bayarea.net ]
ISP : Bay Area Internet Solutions
Organization : Go Click Media
Location : US, United States
City : Los Altos, CA 94024
Latitude : 37°34'95" North
Longitude : 122°11'63" West

IP Address : 159.148.97.48 [ 159.148.97.48 ]
ISP : LATNET
Organization : LATNET ISP
Location : LV, Latvia
City : Riga, 25 -
Latitude : 56°95'00" North
Longitude : 24°10'00" East

IP Address : 68.187.226.170 [ 68-187-226-170.dhcp.oxfr.ma.charter.com ]
ISP : CHARTER COMMUNICATIONS
Organization : CHARTER COMMUNICATIONS
Location : US, United States
City : Dudley, MA 01571
Latitude : 42°05'94" North
Longitude : 71°93'56" West

Cyber Center Report - October 24, 2007

2007-10-28T21:55:00.000-04:00

BLSS Cyber Center Report - 24 October 2007
------------------------------------------

Last night's probes/attacks were just as severe as the reports on the 22nd and 23rd of October. All previously reported probes/attacks from China and Korea continue (and increase in frequency, including all previously report ports, 7212, 1026, etc.). We have detected two new (active) ports, which are 5168 and 6588.

New Activity on Port 1026; U.S. (United States Postal Service), Merck and Co., Mexico, Netherlands and China (two new sites).

Port 22; U.S. (one new site), Port 1080; China (new site). Port 1433; South Africa, U.S. (Interesting observation; two U.S. termite control companies are now (both) broadcasting on port 1433). Port 1434; Oman (new site), China (new site). Port 2967; U.S. (2 new sites), China (new site), One IP address that cannot be identified (69.245.257.182). Port 5168; China (2 new sites). Port 5900; China (2 new sites), Spain, U.S. (2 new sites). Port 6588; Korea (new site). Reported probes from users of Comcast Cable ISP; China, Canada and Israel are probing Comcast Cable ISP. Another interesting observation, is that many of the U.S. IPs now broadcasting are from within Comcast Cable. BLSS Honey Pot Activity; Users "surfed" the honey pot. No honey pot attacks last night.

The BLSS honey pot was surfed in Nashville, TN, and from two sites within the United Kingdom (UK).

Below is a listing of the specific details on each port probe/attack and IP
address:

----Port 1026 -------------
IP Address : 56.241.240.196 [ 56.241.240.196 ]
ISP : United States Postal Service.
Organization : United States Postal Service.
Location : US, United States
City : Raleigh, NC 27668
Latitude : 35°79'77" North
Longitude : 78°62'53" West

IP Address : 186.242.205.146
OrgName: : Latin American and Caribbean IP address Regional Registry
OrgID: : LACNIC
Address: : Rambla Republica de Mexico 6125
City: : Montevideo
StateProv: :
PostalCode: : 11400
Country: : UY

IP Address : 95.229.160.163
OrgName: : RIPE Network Coordination Centre
OrgID: : RIPE
Address: : P.O. Box 10096
City: : Amsterdam
StateProv: :
PostalCode: : 1001EB
Country: : NL

IP Address : 54.108.221.74 [ 54.108.221.74 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Merck and Co., Inc.
OrgID: : MERCKA
Address: : 126 East Lincoln Avenue
City: : Rahway
StateProv: : NJ
PostalCode: : 07095
Country: : US

IP Address : 59.56.27.170 [
170.27.56.59.broad.fz.fj.dynamic.163data.com.cn ]
ISP : chinanet fujian province network
Organization : chinanet fujian province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 58.221.33.13 [ 58.221.33.13 ]
ISP : CHINANET jiangsu province network
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----Port 22 ---------------
IP Address : 72.249.66.73 [ 72.249.66.73 ]
ISP : -
Organization : Colo4Dallas LP
Location : US, United States
City : Dallas, TX 75247
Latitude : 32°81'48" North
Longitude : 96°87'06" West

----Port 1080 -------------
IP Address : 219.153.5.169 [
169.5.153.219.broad.cq.cq.dynamic.163data.com.cn ]
ISP : Data Communication Division
Organization : Data Communication Division
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

----Port 1433 -------------
IP Address : 216.135.181.59 [ user-vc8fd9r.biz.mindspring.com ]
ISP : EarthLink
Organization : Higgins Termite Inc
Location : US, United States
City : Rancho Cucamonga, CA -
Latitude : 34°14'60" North
Longitude : 117°57'99" West

IP Address : 196.30.221.68 [ 196.30.221.68 ]
ISP : Verizon South Africa
Organization : Verizon South Africa
Location : ZA, South Africa
City : Cape Town, 11 -
Latitude : 33°91'67" South
Longitude : 18°41'67" East

IP Address : 63.205.221.242 [ 63.205.221.242 ]
ISP : SBC Internet Services
Organization : Zap Termite & Pest Control
Location : US, United States
City : Stockton, CA -
Latitude : 37°98'61" North
Longitude : 121°29'98" West

----Port 1434 --------------
IP Address : 82.178.22.22 [ 82.178.22.22 ]
ISP : Oman
Organization : Muscat Ltd
Location : OM, Oman
City : Muscat, 06 -
Latitude : 23°61'33" North
Longitude : 58°59'33" East

IP Address : 220.191.252.62 [ 220.191.252.62 ]
ISP : Data Communication Division
Organization : Lishui Electronic Government Network
Location : CN, China
City : Lishui, 02 -
Latitude : 28°11'08" North
Longitude : 119°56'39" East

----Port 2967 --------------
IP Address : 69.136.183.203 [ c-69-136-183-203.hsd1.in.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Eatontown, NJ -
Latitude : 40°30'39" North
Longitude : 74°07'03" West

IP Address : 69.245.257.182
: No Records Available

IP Address : 58.241.178.210 [ 58.241.178.210 ]
ISP : CNC Group Jiangsu province network
Organization : PEIXIANYINGYE-COM,XUZHOU,JIANGSU Province
Location : CN, China
City : Xuzhou, 04 -
Latitude : 34°26'69" North
Longitude : 117°19'16" East

IP Address : 69.125.171.226 [ ool-457dabe2.dyn.optonline.net ]
ISP : Optimum Online (Cablevision Systems)
Organization : Optimum Online (Cablevision Systems)
Location : US, United States
City : Hicksville, NY 11801
Latitude : 40°76'70" North
Longitude : 73°52'54" West

----Port 5168 --------------
IP Address : 61.130.134.66 [
66.134.130.61.broad.hz.zj.dynamic.163data.com.cn ]
ISP : Data Communication Division
Organization : CHINANET-ZJ Hangzhou node network
Location : CN, China
City : Hangzhou, 02 -
Latitude : 30°25'53" North
Longitude : 120°16'89" East

IP Address : 61.130.134.66 [
66.134.130.61.broad.hz.zj.dynamic.163data.com.cn ]
ISP : Data Communication Division
Organization : CHINANET-ZJ Hangzhou node network
Location : CN, China
City : Hangzhou, 02 -
Latitude : 30°25'53" North
Longitude : 120°16'89" East

----Port 5900 --------------
IP Address : 222.216.28.178 [ 222.216.28.178 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East

IP Address : 69.248.159.104 [ c-69-248-159-104.hsd1.nj.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Cherry Hill, NJ -
Latitude : 39°90'84" North
Longitude : 74°99'83" West

IP Address : 70.8.51.83 [ h46083353.area4.spcsdns.net ]
ISP : Sprint PCS
Organization : Sprint PCS
Location : US, United States
City : West Bend, WI -
Latitude : 43°42'97" North
Longitude : 88°18'31" West

IP Address : 124.224.131.132 [ 124.224.131.132 ]
ISP : CHINANET ningxia province network
Organization : CHINANET ningxia province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 80.24.234.121 [ 121.Red-80-24-234.staticIP.rima-tde.net ]
ISP : Telefonica Data Espana
Organization : Telefonica de Espana
Location : ES, Spain
City : Madrid, 29 -
Latitude : 40°40'00" North
Longitude : 3°68'33" West

----Port 6588 --------------
IP Address : 218.234.41.8 [ 218.234.41.8 ]
ISP : Hanaro Telecom Co.
Organization : SEOULMEDIA
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

----Reported Probes Within Comcast Cable-------
IP Address : 24.64.106.160 [ S01060014bfe0176a.cg.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Calgary, AB -
Latitude : 51°08'33" North
Longitude : 114°08'33" West

IP Address : 62.90.138.197 [ 62-90-138-197.interhost.co.il ]
ISP : Barak I.T.C
Organization : Barak I.T.C.
Location : IL, Israel
City : Tel Aviv-Yafo, 05 -
Latitude : 32°06'78" North
Longitude : 34°76'47" East

IP Address : 218.27.148.78 [ 218.27.148.78 ]
ISP : CNCGROUP Jilin province network
Organization : CNCGROUP Jilin province network
Location : CN, China
City : Changchun, 05 -
Latitude : 43°88'00" North
Longitude : 125°32'28" East

----Honey Pot Activity -------------
IP Address : 71.228.243.95 [ c-71-228-243-95.hsd1.tn.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Nashville, TN -
Latitude : 36°14'58" North
Longitude : 86°78'44" West

IP Address : 81.100.113.6 [
spc1-pool7-0-0-cust261.cosh.broadband.ntl.com ]
ISP : NTL Internet
Organization : NTL Internet
Location : GB, United Kingdom
City : Borehamwood, K8 -
Latitude : 51°65'00" North
Longitude : 0°26'67" West

IP Address : 88.110.111.176 [ 88-110-111-176.dynamic.dsl.as9105.com ]
ISP : Tiscali UK Limited
Organization : Tiscali UK Ltd
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West

Cyber Center Report - October 23, 2007

2007-10-28T21:54:00.000-04:00

Black Lab Security Cyber Center Report
Tuesday, October 23, 2007 (5:20 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecuirty.com/

Summary of Overnight Internet Activity
---------------------------------------

Last night's probes/attacks were just as severe as yesterday's report for 22 October 2007. All IP addresses reported from China and Korea are continuous probes/attacks against the U.S. New probes/attacks for Port 1026; Netherlands, Australia (new site), U.S. (two new sites, one is unidentifiable (BellSouth ISP) and the second is from within Prudential Securities), Canada (new site), China (three new sites). Port 1027; Canada (new site), China (three new sites). Port 1028; Canada (new site). Port 21; France (new site). Port 22; China (new site), U.S. (new site). Port 1080; Korea (new site). Port 1433; Brazil (new site), Germany (new site), Belgrade (new site). Port 1434: China (four new sites - an interesting observation is that one Chinese Police Bureau is probing/attacking the U.S.) Port 2967; China (new site), U.S. (new site). Port 2968; U.S. (new site).
Port 4899; Bangkok (new site), China (new site), Korea (new site). Port 445; U.S. (new site). Port 5900; India (new site), Columbia (new site), Hungary (new site) U.S. (three new sites). Honey Pot activity; One U.S. site located in Fort Myers, Florida, manually "surfed" the honey pot, then ran a series of programs attacking our honey pot for over two hours. The Fort Myers, FL web site attacked our honey pot on ports 21, 1434, 1080, 1024, 1028, 22 and 25. The Fort Myers, FL attack against our honey pot was completely unsuccessful. One other site located in Canada, manually surfed the honey pot, but did NOT attack the honey pot.

Summary: The overall world-wide probes/attacks appear to be escalating at an alarming rate.

Below is a listing of the specific details on each port probe/attack and IP
address:

----Port 1026 ---------
IP Address : 134.143.150.233 [ 134.143.150.233 ]
ISP : Shell Information Technology International
Organization : SHELL INFORMATION TECHNOLOGY INTERNATIONAL
Location : NL, Netherlands
City : Leidschendam, 11 -
Latitude : 52°08'33" North
Longitude : 4°40'00" East

IP Address : 120.7.19.217 [ 120.7.19.217 ]
OrgName: : Asia Pacific Network Information Centre
OrgID: : APNIC
Address: : PO Box 2131
City: : Milton
StateProv: : QLD
PostalCode: : 4064
Country: : AU

IP Address : 74.185.81.158 [ adsl-074-185-081-158.sip.bhm.bellsouth.net ]
ISP : -
Organization : BellSouth.net
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 24.64.62.245 [ S01060015e968d547.cn.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

IP Address : 221.209.110.50 [ 221.209.110.50 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

IP Address : 48.48.158.238 [ 48.48.158.238 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName: : Prudential Securities Inc.
OrgID: : PRUDEN-1
Address: : 1 New York Plaza
City: : New York
StateProv: : NY
PostalCode: : 10004
Country: : US

IP Address : 218.10.137.142 [ 218.10.137.142 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 221.209.110.20 [ 221.209.110.20 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

----Port 1027 --------
IP Address : 24.64.62.245 [ S01060015e968d547.cn.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

IP Address : 221.209.110.50 [ 221.209.110.50 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

IP Address : 218.10.137.142 [ 218.10.137.142 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 221.209.110.20 [ 221.209.110.20 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

----Port 1028 ---------
IP Address : 24.64.62.245 [ S01060015e968d547.cn.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 21 ----------
IP Address : 88.168.212.117 [ pon89-1-88-168-212-117.fbx.proxad.net ]
ISP : Proxad
Organization : Proxad / Free SAS
Location : FR, France
City : Paris, A8 -
Latitude : 48°86'67" North
Longitude : 2°33'33" East

----Port 22 ----------
IP Address : 202.75.218.145 [ 202.75.218.145 ]
ISP : Hangzhou Silk Road Information Technologies Co.,Lt
Organization : Hangzhou Silk Road Information Technologies Co.,Lt
Location : CN, China
City : Hangzhou, 02 -
Latitude : 30°25'53" North
Longitude : 120°16'89" East

IP Address : 69.60.115.111 [ 111-115-60-69.serverpronto.com ]
ISP : Infolink Information Services
Organization : Serverpronto
Location : US, United States
City : Fort Lauderdale, FL -
Latitude : 26°12'75" North
Longitude : 80°23'31" West

----Port 1080 ----------
IP Address : 222.239.255.43 [ 222.239.255.43 ]
ISP : Hanaro Telecom, Inc.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East

----Port 1433 ----------
IP Address : 201.88.53.138 [
201-10-128-138.gnace304.ipd.brasiltelecom.net.br ]
ISP : -
Organization : Brasil Telecom S/A - Filial Distrito Federal
Location : BR, Brazil
City : -, - -
Latitude : 10°00'00" South
Longitude : 55°00'00" West

IP Address : 87.106.66.212 [ s15242027.onlinehome-server.info ]
ISP : Schlund+Partner AG
Organization : Schlund + Partner AG
Location : DE, Germany
City : Karlsruhe, 01 -
Latitude : 49°00'47" North
Longitude : 8°38'58" East

IP Address : 212.200.228.229 [ sipdc2.telekom.yu ]
ISP : TELEKOM SRBIJA
Organization : TELEKOM SRBIJA
Location : CS, Serbia and Montenegro
City : Belgrade, 02 -
Latitude : 44°81'86" North
Longitude : 20°46'81" East

----Port 1434 ----------
IP Address : 61.189.154.33 [ 61.189.154.33 ]
ISP : Data Communication Division
Organization : CHINANET Guizhou province network
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

IP Address : 218.106.91.25 [ 218.106.91.25 ]
ISP : CNCGROUP IP network
Organization : hefei city
Location : CN, China
City : Hefei, 01 -
Latitude : 31°86'39" North
Longitude : 117°28'08" East

IP Address : 220.191.233.132 [ 220.191.233.132 ]
ISP : Data Communication Division
Organization : Taizhou Electronic Government Network
Location : CN, China
City : Taizhou, 04 -
Latitude : 32°49'33" North
Longitude : 119°90'81" East

IP Address : 220.179.244.138 [ 220.179.244.138 ]
ISP : Data Communication Division
Organization : CHINANET Anhui province network
Location : CN, China
City : Hefei, 01 -
Latitude : 31°86'39" North
Longitude : 117°28'08" East

IP Address : 61.175.243.182 [ 61.175.243.182 ]
ISP : Data Communication Division
Organization : Jinyun Police Bureau (Fangkong And Fangbao)
Location : CN, China
City : Jinyun, 18 -
Latitude : 27°44'67" North
Longitude : 106°30'33" East

----Port 2967 ----------
IP Address : 58.241.178.213 [ 58.241.178.213 ]
ISP : CNC Group Jiangsu province network
Organization : PEIXIANYINGYE-COM,XUZHOU,JIANGSU Province
Location : CN, China
City : Xuzhou, 04 -
Latitude : 34°26'69" North
Longitude : 117°19'16" East

----Port 2968 ----------
IP Address : 69.14.134.88 [ d14-69-88-134.try.wideopenwest.com ]
ISP : WIDEOPENWEST
Organization : WideOpenWest
Location : US, United States
City : Detroit, MI -
Latitude : 42°36'62" North
Longitude : 83°10'15" West

----Port 4899 ----------
IP Address : 58.97.5.64 [ 58-97-5-64.static.asianet.co.th ]
ISP : -
Organization : Fix ip for coporate customer
Location : TH, Thailand
City : Bangkok, 40 -
Latitude : 13°75'00" North
Longitude : 100°51'67" East

IP Address : 222.217.221.214 [ 222.217.221.214 ]
ISP : CHINANET Guangxi province network
Organization : CHINANET Guangxi province network
Location : CN, China
City : Nanning, 16 -
Latitude : 22°81'67" North
Longitude : 108°31'66" East

IP Address : 122.38.90.165 [ 122.38.90.165 ]
ISP : -
Organization : POWERCOMM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

----Port 445 -----------
IP Address : 69.128.208.251 [ lncswibas01-pool0-a251.lncswi.tds.net ]
ISP : TDS TELECOM
Organization : TDS TELECOM
Location : US, United States
City : Madison, WI -
Latitude : 43°07'14" North
Longitude : 89°39'32" West

----Port 5900 ----------
IP Address : 124.124.128.2 [ 124.124.128.2 ]
ISP : Reliance Infocomm Limited,
Organization : Reliance Infocomm Limited
Location : IN, India
City : Bombay, 16 -
Latitude : 18°97'50" North
Longitude : 72°82'58" East

IP Address : 201.221.176.50 [ 201.221.176.50 ]
ISP : -
Organization : Comercial Dinamica
Location : CO, Colombia
City : Barranquilla, 04 -
Latitude : 10°96'39" North
Longitude : 74°79'64" West

IP Address : 213.222.152.109 [ 213.222.152.109 ]
ISP : UPC Magyarorszag Kft.
Organization : UPC Magyarorszag Kft.
Location : HU, Hungary
City : Budapest, 05 -
Latitude : 47°50'00" North
Longitude : 19°08'33" East

IP Address : 216.196.87.181 [ 216.196.87.181 ]
ISP : -
Organization : POLAR COMMUNICATIONS
Location : US, United States
City : Park River, ND 58270
Latitude : 48°38'36" North
Longitude : 97°78'56" West

IP Address : 205.153.244.5 [ gw.tri.net ]
ISP : Tri-Rivers Internet
Organization : Tri-Rivers Internet
Location : US, United States
City : Salina, KS 67401
Latitude : 38°85'22" North
Longitude : 97°61'42" West

IP Address : 69.119.237.210 [ ool-4577edd2.dyn.optonline.net ]
ISP : Optimum Online (Cablevision Systems)
Organization : Optimum Online (Cablevision Systems)
Location : US, United States
City : Yonkers, NY -
Latitude : 40°94'35" North
Longitude : 73°87'13" West

IP Address : 72.54.39.150 [ 72.54.39.150 ]
ISP : CBEYOND COMMUNICATIONS
Organization : CBEYOND COMMUNICATIONS
Location : US, United States
City : Atlanta, GA 30339
Latitude : 33°87'10" North
Longitude : 84°46'35" West

----Port 7212 -----------
IP Address : 218.234.38.69 [ 218.234.38.69 ]
ISP : Hanaro Telecom Co.
Organization : Eunsan
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

IP Address : 221.11.6.197 [ 221.11.6.197 ]
ISP : CNC Group Shannxi province network
Organization : CNC Group Shannxi province network
Location : CN, China
City : Taiyüan, 24 -
Latitude : 37°72'69" North
Longitude : 112°47'08" East

---- Honey Pot Attacks -------
IP Address : 71.3.26.23 [ fl-71-3-26-23.dhcp.embarqhsd.net ]
ISP : Sprint DSL
Organization : Embarq Corporation
Location : US, United States
City : Fort Myers, FL -
Latitude : 26°57'37" North
Longitude : 81°82'69" West

IP Address : 69.157.7.52 [ bas2-hamilton14-1167918900.dsl.bell.ca ]
ISP : Bell Canada
Organization : Sympatico
Location : CA, Canada
City : Hamilton, ON -
Latitude : 43°25'00" North
Longitude : 79°83'33" West

###

Cyber Center Report - October 22, 2007

2007-10-28T21:53:00.000-04:00

Black Lab Security Cyber Center Report
Monday, October 22, 2007 (10:12 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecuirty.com/

Summary of Overnight Internet Activity
--------------------------------------

BLSS has detected and observed the worst night of probes/attacks since we started reporting internet activity. Last night was a new record (high) for new sites and new ports being probed/attacked. More sites have been established in China and Korea, continuously probing/attacking the U.S. Two U.S. Department Of Defense (DoD) computers were successfully breached, now broadcasting on port 1026. The DoD computers are; 1) IP address 11.104.193.153, located (approximately) in Colorado, which is part of the DoD Network Centric Operations, 2) IP Address 155.147.1.82, Director Of Logistics, located at Fort Rucker, AL. The California Institute Of Health is now broadcasting on port 1433.

The following new countries are probing/attacking on port 1026; China (new sites), Tunisia, Canada (new site), U.S. (new site) and Italy. Port 1027; China (new site), Canada (new site). Port 1028; Canada (new site). Port 21; UK (London). Port 22; UK (London), Port 25; Japan (Tokyo). Port 445; China (new site), U.S., (new site). Port 1433: U.S. (new site). Port 1434; India, Romania, China (2 new sites), Taiwan. Port 1080; China (new site), Korea (new site). Port 2967; China (new site). Port 4899; Turkey, China (new site). Port 5900; Italy, China (new site). Port 7212; Korea (new site).
Port 8180; Slovakia. The BLSS Honey Pot; Web surfed (only) by Australia and U.S. - no attempted attacks by web surfers on the BLSS honey pot.

Below is a listing of the specific details on each port probe/attack and IP
address:

----Port 1026
IP Address : 218.10.137.142 [ 218.10.137.142 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

IP Address : 221.209.110.20 [ 221.209.110.20 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

IP Address : 155.147.1.82 [ 155.147.1.82 ]
ISP : DIRECTORATE OF LOGISTICS
Organization : DIRECTORATE OF LOGISTICS
Location : US, United States
City : Fort Rucker, AL 36362
Latitude : 31°34'97" North
Longitude : 85°68'46" West

IP Address : 41.225.91.172 [ 41.225.91.172 ]
ISP : -
Organization : Agence Tunisienne Internet - ATI
Location : TN, Tunisia
City : -, - -
Latitude : 34°00'00" North
Longitude : 9°00'00" East

IP Address : 24.64.255.53 [ 24.64.255.53 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

IP Address : 8.63.130.197 [ 8.63.130.197 ]
ISP : Level 3 Communications
Organization : Level 3 Communications
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 11.104.193.153 [ 11.104.193.153 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West
OrgName : DoD Network Information Center
OrgID : DNIC
Address : 3990 E. Broad Street
City : Columbus
StateProv : OH
PostalCode : 43218
Country : US

IP Address : 77.93.236.103 [ 77-93-236-103.dcpool.ip.kpnqwest.it ]
ISP : -
Organization : KPNQwest Italia S.p.a.
Location : IT, Italy
City : Milan, 09 -
Latitude : 45°46'67" North
Longitude : 9°20'00" East

----Port 1027
IP Address : 221.209.110.20 [ 221.209.110.20 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

IP Address : 24.64.255.53 [ 24.64.255.53 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

----Port 1028
IP Address : 24.64.255.53 [ 24.64.255.53 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

-----Port 21
IP Address : 78.86.141.137 [ 78-86-141-137.zone2.bethere.co.uk ]
ISP : -
Organization : Be Un Limited
Location : GB, United Kingdom
City : London, H9 -
Latitude : 51°50'00" North
Longitude : 0°11'67" West

----Port 22
IP Address : 78.86.141.137 [ 78-86-141-137.zone2.bethere.co.uk ]
ISP : -
Organization : Be Un Limited
Location : GB, United Kingdom
City : London, H9 -
Latitude : 51°50'00" North
Longitude : 0°11'67" West

----Port 25
IP Address : 219.166.34.82 [ piano.tokyo-club.com ]
ISP : OCN Provided By NTT-Communications which is ISP
Organization : Tokyo Printing inc.
Location : JP, Japan
City : Tokyo, 40 -
Latitude : 35°68'50" North
Longitude : 139°75'14" East

----Port 445
IP Address : 124.114.116.18 [
18.116.114.124.broad.xa.sn.dynamic.163data.com.cn ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

IP Address : 69.128.208.251 [ lncswibas01-pool0-a251.lncswi.tds.net ]
ISP : TDS TELECOM
Organization : TDS TELECOM
Location : US, United States
City : Madison, WI -
Latitude : 43°07'14" North
Longitude : 89°39'32" West

----Port 1433
IP Address : 75.8.241.35 [ 75.8.241.35 ]
ISP : SBC Internet Services
Organization : Ca Inst Of Hlth Soc
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 69.121.3.83 [ ool-45790353.dyn.optonline.net ]
ISP : Optimum Online (Cablevision Systems)
Organization : Optimum Online (Cablevision Systems)
Location : US, United States
City : Mamaroneck, NY 10543
Latitude : 40°95'21" North
Longitude : 73°73'82" West

----Port 1434
IP Address : 203.94.243.191 [ 203.94.243.191 ]
ISP : Mahanagar Telephone Nigam Ltd., ISP Division, New
Organization : Mahanagar Telephone Nigam Ltd., ISP Division, New
Location : IN, India
City : New Delhi, 07 -
Latitude : 28°60'00" North
Longitude : 77°20'00" East

IP Address : 82.78.22.22 [ 82-78-22-22.rdsnet.ro ]
ISP : RCS & RDS SA
Organization : SC TELCOR COMMUNICATIONS SRL
Location : RO, Romania
City : Bucharest, 10 -
Latitude : 44°43'33" North
Longitude : 26°10'00" East

IP Address : 219.147.233.40 [ 219.147.233.40 ]
ISP : Data Communication Division
Organization : CHINANET HEILONGJIANG PROVINCE NETWORK
Location : CN, China
City : Zhongshan, 07 -
Latitude : 25°53'61" North
Longitude : 118°78'97" East

IP Address : 218.75.199.50 [ 218.75.199.50 ]
ISP : Data Communication Division
Organization : CHINANET-HN Zhuzhou node network
Location : CN, China
City : Hunan, 07 -
Latitude : 25°97'14" North
Longitude : 119°64'86" East

IP Address : 218.165.8.32 [ 218-165-8-32.dynamic.hinet.net ]
ISP : CHTD, Chunghwa Telecom Co.,Ltd.
Organization : Chunghwa Telecom Data communication Business Group
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East

----Port 1080
IP Address : 222.169.226.169 [ 222.169.226.169 ]
ISP : CHINANET Jilin province network
Organization : CHINANET JILIN PROVINCE NETWORK
Location : CN, China
City : Changchun, 05 -
Latitude : 43°88'00" North
Longitude : 125°32'28" East

IP Address : 222.239.255.43 [ 222.239.255.43 ]
ISP : Hanaro Telecom, Inc.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East

----Port 2967
IP Address : 61.130.50.150 [ 61.130.50.150 ]
ISP : Data Communication Division
Organization : CHINANET-ZJ Quzhou node network
Location : CN, China
City : Quzhou, 02 -
Latitude : 28°95'93" North
Longitude : 118°86'86" East

---Port 4899
IP Address : 221.158.228.40 [ 221.158.228.40 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

IP Address : 88.248.17.231 [ dsl88-248-4583.ttnet.net.tr ]
ISP : Turk Telekom
Organization : Turk Telekom
Location : TR, Turkey
City : Ankara, 68 -
Latitude : 39°92'72" North
Longitude : 32°86'44" East

----Port 5900
IP Address : 82.91.191.37 [
host37-191-static.91-82-b.business.telecomitalia.it ]
ISP : Telecom Italia Wireline Services
Organization : Telecom Italia Wireline Services
Location : IT, Italy
City : Chieti, 01 -
Latitude : 42°35'00" North
Longitude : 14°16'67" East

IP Address : 124.114.116.18 [
18.116.114.124.broad.xa.sn.dynamic.163data.com.cn ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----8180
IP Address : 85.248.121.12 [ 85.248.121.12 ]
ISP : GTS INEC a.s.
Organization : LightStorm Communications s.r.o.
Location : SK, Slovakia
City : Bratislava, 02 -
Latitude : 48°15'00" North
Longitude : 17°11'67" East

----Port 7212
IP Address : 221.141.127.137 [ 221.141.127.137 ]
ISP : Hanaro Telecom, Inc.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Ilsan, 21 -
Latitude : 35°50'00" North
Longitude : 129°43'33" East

----Honey Port Web Surf
IP Address : 61.69.212.98 [ C-61-69-212-98.for.connect.net.au ]
ISP : AAPT Limited
Organization : AAPT Limited
Location : AU, Australia
City : Tuggeranong, 01 -
Latitude : 35°43'33" South
Longitude : 149°15'00" East

IP Address : 24.236.179.1 [ 24-236-179-1.dhcp.mrqt.mi.charter.com ]
ISP : CHARTER COMMUNICATIONS
Organization : CHARTER COMMUNICATIONS
Location : US, United States
City : Houghton, MI 49931
Latitude : 47°15'44" North
Longitude : 88°64'71" West

###

Cyber Center Report - October 21, 2007

2007-10-28T21:52:00.000-04:00

Black Lab Security Cyber Center Report
Sunday, October 21, 2007 (9:17 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecuirty.com/

Summary of Overnight Internet Activity
--------------------------------------
All previously reported probes/attacks from China, on all reported ports still continue from China. All previously reported probes/attacks from Korea, on all reported ports still continue from Korea.

New probes/attacks on port 1026 from another unknown computer at 113.86.139.71. We can only conclude this is a government agency computer, which is intended to function on the Internet in a "stealth" environment, and is now broadcasting. Therefore, the computer must have been compromised because it is now broadcasting over the Internet. New probes/attacks on port 1433 from a new site in China, which is the Wuhan Institute of Science and Technology, and a probe/attack on port 1433 from inside the U.S., located in the Bronx, NY. New probes/attacks on port 1434 from Shanghai, China and Changsha, China. A new Probe/Attack on port 2968 was detected from Emeryville, CA. A new probe/attack on port 4715 was detected from East Northport, NY. A new probe/attack on port 4899 was detected from Portsmouth, VA. Port 25 continues to be probed/attacked from Taipei, Taiwan. BLSS Honey Pot Activity: One computer from within the U.S. attacked our honey pot for several hours last night. The attacking computer IP address was 74.138.235.20, located in Louisville, KY and executed programs in attempt to gain access by probing 59 different ports. The attempt to breach our honey pot was completely unsuccessful. None of the attempted exploits worked. The attacking computer ran programs against the following BLSS Honey Pot ports:

13722, 27665, 829, 863, 1369, 914, 838, 834, 5902, 236, 50002, 2011, 479, 940, 27001, 974, 871, 267, 3005, 5432, 326, 1534, 1370, 32777, 15, 950, 559, 6667, 4480, 715, 1420, 468, 18, 61441, 664, 292, 32770, 98, 749, 7070, 19150, 665, 5302, 502, 1139, 129, 227, 331, 599, 249, 225, 1650, 1520, 692, 2032, 6009, 930, 1353

Below is a listing of the specific details on each port probe/attack and IP
address:

----Port 1026
IP Address : 113.86.139.271
: No Record

----Port 1433
IP Address : 211.67.58.203 [ 211.67.58.203 ]
ISP : China Education and Research Network
Organization : Wuhan Institute of Science and Technology
Location : CN, China
City : Wuhan, 12 -
Latitude : 30°58'33" North
Longitude : 114°26'67" East

IP Address : 69.119.135.173 [ ool-457787ad.dyn.optonline.net ]
ISP : Optimum Online (Cablevision Systems)
Organization : Optimum Online (Cablevision Systems)
Location : US, United States
City : Bronx, NY -
Latitude : 40°84'99" North
Longitude : 73°87'69" West

----Port 1434
IP Address : 61.134.56.18 [ 61.134.56.18 ]
ISP : Data Communication Division
Organization : Data Communication Division
Location : CN, China
City : Shanghai, 23 -
Latitude : 31°00'50" North
Longitude : 121°40'86" East

IP Address : 58.20.228.52 [ 58.20.228.52 ]
ISP : CNC Group HuNan province network
Organization : CNC Group HuNan province network
Location : CN, China
City : Changsha, 11 -
Latitude : 28°17'92" North
Longitude : 113°11'36" East

----Port 2968
IP Address : 69.107.113.217 [ adsl-69-107-113-217.dsl.pltn13.pacbell.net ]
ISP : SBC Internet Services
Organization : SBC Internet Services
Location : US, United States
City : Emeryville, CA -
Latitude : 37°83'42" North
Longitude : 122°28'97" West

----Port 4715
IP Address : 69.118.128.82 [ ool-45768052.dyn.optonline.net ]
ISP : Optimum Online (Cablevision Systems)
Organization : Optimum Online (Cablevision Systems)
Location : US, United States
City : East Northport, NY 11731
Latitude : 40°86'18" North
Longitude : 73°31'51" West

----Port 25
IP Address : 122.116.17.133 [ 122-116-17-133.HINET-IP.hinet.net ]
ISP : -
Organization : Chunghwa Telecom Data communication Business Group
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East

---4899
IP Address : 71.241.11.185 [ pool-71-241-11-185.norf.east.verizon.net ]
ISP : Verizon Internet Services
Organization : Verizon Internet Services
Location : US, United States
City : Portsmouth, VA -
Latitude : 36°83'39" North
Longitude : 76°34'00" West

----Attack On Honey Pot
IP Address : 74.138.235.20 [ 74-138-235-20.dhcp.insightbb.com ]
ISP : INSIGHT COMMUNICATIONS COMPANY, L.P.
Organization : Insight Communications Company
Location : US, United States
City : Louisville, KY -
Latitude : 38°20'85" North
Longitude : 85°69'18" West

###

Cyber Center Report - October 20, 2007

2007-10-28T21:49:00.000-04:00

Black Lab Security Cyber Center Report
Saturday, October 20, 2007 (10:12 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecuirty.com/

Summary of Overnight Internet Activity
--------------------------------------
All previously reported probes/attacks from China, on all reported ports still continue from China. All previously reported probes/attacks from Korea, on all reported ports still continue from Korea.

New probes/attacks were detected on port 1026 from Mexico, U.S. Naval Ocean Systems Center, France and Korea (new site in Korea), which all of the new sites on port 1026 are the same characteristics as previously recorded (and on-going) with China.

Elli Lilly was detected on port 1026 again. Canada was detected on ports 1026, 1027 and 1028, probing/attacking (sequentially) on all three ports.

A new computer in Dublin, Ireland was detected probing/attacking on port 5900.

Japan and Oman were detected probing/attack on port 1434. One new site in the U.S. and was probing/attacking on port 25.

One new site in Canada was probing/attacking on port 21.

Honey Pot Activity: Four computers from four different countries (U.S., Canada France and United Kingdom) connected to our BLSS Honey Pot through port 80. But each connection was from an actual user "surfing" and performing an analysis of our honey pot. No attacks were launched. The U.S., Canada, France and the United Kingdom (all) had a user manually reviewing our web site and it's sub-systems via Port 80. Each user performed a careful analysis of our honey pot.

Port 1026 (New)
--------------
Mexico - Montevideo
U.S. - Naval Ocean Systems Center
France - Bordeaux
Korea - unknown

Port 1026 (Recurring)
--------------------
U.S. - Indianapolis - Eli Lilly and Company

Port 1026, 1027 and 1028 (Recurring)
------------------------------------
Canada - unknown

Port 1024 (New)
--------------
U.S. - Houston, TX

Port 5900 (New)
---------------
Ireland - Dublin

Port 3128 (New)
---------------
Korea - Seocho

Port 1434 (New)
---------------
Japan - Unknown
Oman - Muscat

Port 1434 (Recurring)
---------------------
Korea - Seocho

Port 25 (New)
-------------
U.S. - Kansas - Wichita

Port 21 (New)
-------------
Canada - Calgary

Port 3072 and 1024 continuous
----------------------------
U.S. - Houston, TX

Direct Activity On BLSS Honey Pot
---------------------------------
France
United Kingdom
Canada
U.S.

Below is a listing of the specific details on each port probe/attack and IP
address:

---- Port 1026
OrgName: Latin American and Caribbean IP address Regional Registry
OrgID: LACNIC
Address: Rambla Republica de Mexico 6125
City: Montevideo
StateProv:
PostalCode: 11400
Country: UY

IP Address : 40.220.102.110 [ 40.220.102.110 ]
ISP : Eli Lilly and Company
Organization : Eli Lilly and Company
Location : US, United States
City : Indianapolis, IN 46285
Latitude : 39°77'95" North
Longitude : 86°13'28" West

IP Address : 140.54.211.52 [ 140.54.211.52 ]
ISP : Naval Ocean Systems Center
Organization : Naval Ocean Systems Center
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 82.66.13.50 [ cau33-1-82-66-13-50.fbx.proxad.net ]
ISP : Proxad
Organization : Proxad / Free SAS
Location : FR, France
City : Bordeaux, 97 -
Latitude : 44°83'33" North
Longitude : 0°56'67" West

IP Address : 58.77.32.183 [ 58.77.32.183 ]
ISP : Dacom
Organization : POWERCOMM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

----Port 1026, 1027, 1028
IP Address : 24.64.40.117 [ 24.64.40.117 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

---- Port 1024
IP Address : 67.15.83.36 [ ronaldsrecordclub.com ]
ISP : Everyones Internet
Organization : Everyones Internet
Location : US, United States
City : Houston, TX 77060
Latitude : 29°93'42" North
Longitude : 95°40'57" West

--- port 5900
IP Address : 87.192.228.237 [ 87.192.228.237 ]
ISP : Irish Broadband Internet Services Limited.
Organization : Irish Broadband Internet Services Limited.
Location : IE, Ireland
City : Dublin, 07 -
Latitude : 53°33'31" North
Longitude : 6°24'89" West

--- Port 3128
IP Address : 218.50.1.119 [ 218.50.1.119 ]
ISP : Hanaro Telecom Co.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

--- port 1434
IP Address : 116.80.88.168 [ ntsitm382168.sitm.nt.ftth.ppp.infoweb.ne.jp ]
ISP : -
Organization : InfoWeb(Fujitsu Ltd.)
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 82.178.22.22 [ 82.178.22.22 ]
ISP : Oman
Organization : Muscat Ltd
Location : OM, Oman
City : Muscat, 06 -
Latitude : 23°61'33" North
Longitude : 58°59'33" East

IP Address : 218.232.95.60 [ 218.232.95.60 ]
ISP : Hanaro Telecom Co.
Organization : Hanaro Telecom Co.
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

---- Port 25
IP Address : 216.174.63.97 [ 97.gotexchange.com ]
ISP : TELCOVE
Organization : Kansas Hosting, LLC
Location : US, United States
City : Wichita, KS -
Latitude : 37°69'10" North
Longitude : 97°32'92" West

--- Port 21
IP Address : 72.2.24.134 [ h72-2-24-134.bigpipeinc.com ]
ISP : Big Pipe
Organization : Big Pipe
Location : CA, Canada
City : Calgary, AB t2p4l4
Latitude : 51°08'33" North
Longitude : 114°08'33" West

--- Port 3072, 1024 continous
IP Address : 67.15.83.36 [ ronaldsrecordclub.com ]
ISP : Everyones Internet
Organization : Everyones Internet
Location : US, United States
City : Houston, TX 77060
Latitude : 29°93'42" North
Longitude : 95°40'57" West

---- Port 80 Surf Of The Honey Pot
IP Address : 213.186.44.52 [ siomproject.com ]
ISP : Ovh Systems
Organization : OVH SAS
Location : FR, France
City : Roubaix, B4 -
Latitude : 50°70'00" North
Longitude : 3°16'67" East

IP Address : 4.91.128.52 [
dialup-4.91.128.52.Dial1.Philadelphia1.Level3.net ]
ISP : Level 3 Communications
Organization : Level 3 Communications
Location : US, United States
City : -, - - (Appoximately Colorado)
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 82.20.37.157 [ client-82-20-37-157.manc.adsl.virgin.net ]
ISP : NTL Internet
Organization : NTL Internet
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West

IP Address : 99.230.53.49 [
CPE0012171a58a3-CM001947479cb0.cpe.net.cable.rogers.com ]
ISP : -
Organization : Rogers Cable
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West

Attacking IP Addresses and Ports with Focus on China for Week Ending 19 Oct 2007

2007-10-28T21:35:00.000-04:00

Black Lab Security Cyber Center Report
October 19, 2007 (09:00 AM CMT)

Black Lab Security Systems, Inc.
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacksecurity.com/

Our BLSS Cyber Report is experimenting with a new format. As you have requested and will see below, more categories with less narrative in an attempt to get directly to the point.

Summary of Overnight Internet Activity
-----------------------------------------------------

1) New probes/attacks were detected on port 1026 from Italy and the Univ. Of Utah (same characteristics as previously recorded with China).
2) Continued probes/attacks on port 1026 were sustained by China, Germany (Daimler Chrysler - Automobile Corporation), France and Israel.
3) New computers with no known record have begun to probe/attack on port 1026. The first computer with no record is 162.226.138.24 and was located by satellite on the coast of the United Kingdom. The second computer with no record is 96.84.183.29 and could NOT be located by satellite. Both internet addresses (computers) with no records are now broadcasting over the Internet. We can only conclude these are government agency computers, which have been configured to remain 100% stealth (silent) while on the Internet and have been "hi-jacked" over port 1026 and now broadcasting.
4) New probe/attack on port 1024 from Turkey.
5) New Probe/Attack on Port 21 from Brazil, which BLSS detected and logged two sites within Brazil executing their probe/attack on port 21 almost at the same exact time.
6) Finally, three computers connected to our BLSS Honey Port through port 80, then began to manually attack our honey pot. When the manual attacks were not successful, they executed a series of programs, which scanned over 2000 possible ports in an attempt to gain entry and hack our honey port. The hackers connected to our honey pot via port 80, remain connected while they executed their programs, then disconnected from our honey port after about 30 minutes of continuous penetration attempts.

New on Port 1026
-----------------------
Italy
Univ Of Utah (U.S.).

Previously recorded and still probing/attacking Port 1026
----------------------------------------------------------------------------
More computers in the U.K. with no record Germany France Israel

New on Port 1024
-----------------------
Turkey

New on Port 21
---------------------
Brazil - detected two sites coordinated together probing/attacking port 21

New Probes/Attacks from China
-----------------------------
New probe/attack from China on port 949
New probe/attack from China on port 22
New probe/attack from China on port 2967 New probe/attack from China on port 42

New Sites Detected From China
-----------------------------
New probe/attack from China on port 1434 from a new IP New probe/attack from China on port 2967 from a new IP New probe/attack from Rep Of Korea on port 4899

New Probes/Attacks from Korea
-----------------------------
New probe/attack from Rep Of Korea on port 7212 - same as previously recorded with China

Noticeably Higher Volume Than Normal
------------------------------------
Noticeably high volume of probes/attacks on port 8180 from U.S.
Noticeably high volume of probes/attacks on port 3128 from Korea

Hackers Connecting And Attacking Our BLSS Honey Pot
---------------------------------------------------
Actually connecting through port 80, then attacking our honey pot:
Canada
U.S. - Somewhere approximately in Colorado

Hackers Attack Summary
----------------------
The hackers connected via port 80, then manually executed a series of attacks. Once the manual attacks were not successful, the hackers executed a series of program, which scanned/probed and attempting to hack by accessing over 2000 ports. While the port attempts list is too long to actually list in this e-mail, some of the ports probes/attacked by the hackers are the following:

80, 1, 35019, 44285, 1026, 4137, 777, 5550, 4987, 830, 941, 716, 829, 49400, 61, 65, 295, 1355, 985, 680, 1664, 798, 1478, 704, 407, 1413, 902, 5060, 9991, 6147, 6006, 1984, 6112, 846, 2040, 150, 178, 297, 71, 20, 2044, 541, 1987, 910, 18184, 883, 1399, 1430, 329, 1004, 1494, 6142, 364, 528, 124, 4480, 791, 812, 1441, 640, 1352, 478, 431, 1025, 748, 8888, 3397, 1472, 347, 426, 27010, 794, 43, 274, 2628, 1350, 3455, 89, 13717, 341, 689, 500, 1485, 230, 292, 10000, 730, 784, 368, 792, 2602, 396, etc. etc. etc..... approximately 2000 ports (some scanned probed/attacked more than once)

Below is a listing of the specific details on each port probe/attack and IP address:

---- Port 1026
IP Address : 90.131.246.209 [ d90-131-246-209.cust.tele2.it ]
ISP : -
Organization : Tele2 Italy S.A
Location : IT, Italy
City : -, - -
Latitude : 42°83'33" North
Longitude : 12°83'33" East

IP Address : 155.98.155.83 [ 155.98.155.83 ]
ISP : University of Utah
Organization : University of Utah
Location : US, United States
City : Salt Lake City, UT 84108
Latitude : 40°78'55" North
Longitude : 111°73'67" West

162.226.138.24 [ 162.226.138.24 ]
No Record

IP Address : 96.84.183.29 [ 96.84.183.29 ]
No Record

IP Address : 194.164.169.63 [ 194.164.169.63 ]
ISP : Mistral Internet
Organization : Mistral Internet
Location : GB, United Kingdom
City : Brighton, E2 -
Latitude : 50°83'33" North
Longitude : 0°15'00" West

IP Address : 30.182.61.121 [ 30.182.61.121 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 53.139.242.162 [ 53.139.242.162 ]
ISP : DaimlerChrysler AG
Organization : DAIMLERCHRYSLER AG
Location : DE, Germany
City : Stuttgart, 01 -
Latitude : 48°76'67" North
Longitude : 9°18'33" East

IP Address : 86.67.144.204 [ 204.144.67-86.rev.gaoland.net ]
ISP : LDCOM
Organization : LDCOM
Location : FR, France
City : Billancourt, A8 -
Latitude : 48°83'33" North
Longitude : 2°25'00" East

IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East

---- Port 1024
IP Address : 85.111.0.240 [ 85.111.0.240 ]
ISP : Turk Telekom
Organization : Turk Telekom
Location : TR, Turkey
City : Ankara, 68 -
Latitude : 39°92'72" North
Longitude : 32°86'44" East

--- Port 8180 (identified due to continuous hits)
IP Address : 208.109.78.71 [ wh120.prod.mesa1.secureserver.net ]
ISP : Go Daddy Software
Organization : GoDaddy.com
Location : US, United States
City : Scottsdale, AZ 85260
Latitude : 33°61'19" North
Longitude : 111°89'07" West

IP Address : 72.20.41.204 [ yourescortagency.com ]
ISP : Staminus Communications
Organization : Staminus Communications
Location : US, United States
City : Fullerton, CA 92832
Latitude : 33°86'82" North
Longitude : 117°92'93" West

---- Port 949
IP Address : 58.56.77.122 [ 58.56.77.122 ]
ISP : CHINANET shandong province network
Organization : CHINANET shandong province network
Location : CN, China
City : Jinan, 25 -
Latitude : 36°66'83" North
Longitude : 116°99'72" East

IP Address : 218.92.50.85 [ 218.92.50.85 ]
ISP : Data Communication Division
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

---- Port22
IP Address : 221.122.59.2 [ 221.122.59.2 ]
ISP : CETC-CHINACOMM COMMUNICATIONS Co.,Ltd.
Organization : CETC-CHINACOMM COMMUNICATIONS Co.,Ltd.
Location : CN, China
City : -, - -
Latitude : 35°00'00" North
Longitude : 105°00'00" East

---- Port 4899
IP Address : 122.38.90.165 [ 122.38.90.165 ]
ISP : -
Organization : POWERCOMM
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" East

---- Port 2967
IP Address : 60.174.69.246 [ 60.174.69.246 ]
ISP : CHINANET Anhui province network
Organization : CHINANET Anhui province network
Location : CN, China
City : Hefei, 01 -
Latitude : 31°86'39" North
Longitude : 117°28'08" East

---- Port 42
IP Address : 210.42.88.252 [ 210.42.88.252 ]
ISP : China Education and Research Network
Organization : Hubei Communications School
Location : CN, China
City : Wuhan, 12 -
Latitude : 30°58'33" North
Longitude : 114°26'67" East

---- port 3128
IP Address : 218.50.1.119 [ 218.50.1.119 ]
ISP : Hanaro Telecom Co.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

---- Port 7212
IP Address : 59.18.87.10 [ 59.18.87.10 ]
ISP : Korea Telecom
Organization : Korea Telecom
Location : KR, Korea, Republic of
City : -, - -
Latitude : 37°00'00" North
Longitude : 127°50'00" E

---- Port 1434
IP Address : 218.108.70.246 [ 218.108.70.246 ]
ISP : WASU TV & Communication Holding Co.,Ltd.
Organization : wangJiangFeng
Location : CN, China
City : Chaoyang, 19 -
Latitude : 41°57'03" North
Longitude : 120°45'86" East

---- Port 2967
IP Address : 202.113.121.152 [ 202.113.121.152 ]
ISP : China Education and Research Network
Organization : Heibei University of Technology
Location : CN, China
City : Tianjin, 28 -
Latitude : 39°14'22" North
Longitude : 117°17'67" East

---- Port 21
IP Address : 200.252.113.5 [ 200.252.113.5 ]
ISP : EMBRATEL-EMPRESA BRASILEIRA DE TELECOMUNICAÇÕES SA
Organization : CESB - Centro de Educacao Superior de Brasilia
Location : BR, Brazil
City : Brasília, 07 -
Latitude : 15°78'33" South
Longitude : 47°91'67" West

IP Address : 200.102.170.171 [200-102-170-171.paemt705.dsl.brasiltelecom.net.br ]
ISP : Brasil Telecom S/A - Filial Distrito Federal
Organization : Brasil Telecom S/A - Filial Distrito Federal
Location : BR, Brazil
City : Porto Alegre, 23 -
Latitude : 30°03'33" South
Longitude : 51°20'00" West

---- Port 80, then attacking our honey pot
IP Address : 70.68.54.161 [ S01060014a580e595.vf.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Victoria, BC -
Latitude : 48°43'33" North
Longitude : 123°35'00" West

IP Address : 69.157.7.252 [ bas2-hamilton14-1167919100.dsl.bell.ca ]
ISP : Bell Canada
Organization : Sympatico
Location : CA, Canada
City : Hamilton, ON -
Latitude : 43°25'00" North
Longitude : 79°83'33" West

IP Address : 4.91.133.221 [dialup-4.91.133.221.Dial1.Philadelphia1.Level3.net ]
ISP : Level 3 Communications
Organization : Level 3 Communications
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

###
Black Lab Security Cyber Center Report
Thursday, October 18, 2007 (10:00 AM CMT)

Black Lab Security Systems, Inc.
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com

BLSS Cyber Center Observations About Chinese Sites

In performing an in-depth analysis of the Chinese probes/attacks, we have reached the following conclusion:

Of all the active Chinese sites, the top nine most active sites, include two sites that are much more active than the remaining seven IP sites. The two sites which "break the curve" and are continuously probing/attacking every three-to-five minutes are the following:

Site Port
------------- ----
121.18.13.107 7212
121.18.12.197 7212

The remaining seven sites probing/attacking are the following:

Site Port
-------------- ----
221.208.208.83 1027
221.208.208.91 1027
221.208.208.95 1026 and 1027
221.208.208.98 1026
202.97.238.202 1026
218.50.1.119 3128
222.239.255.43 1080

We have detected a new computer in France joining the probe/attack on Port 1026. The information on the French computer is the following:

---- Port 1026
IP Address : 82.66.13.50 [ cau33-1-82-66-13-50.fbx.proxad.net ]
ISP : Proxad
Organization : Proxad / Free SAS
Location : FR, France
City : Bordeaux, 97 -
Latitude : 44°83'33" North
Longitude : 0°56'67" West

###
Black Lab Security Cyber Center Report
Thursday, October 18, 2007 (5:18 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com

1) BLSS has detected and observed a major shift overnight, to a more positive period of overall internet activity. All probes/attacks from China still continue, but many Chinese sites appear to be much less frequent.
2) A few Chinese sites are still as aggressive, but not all Chinese sites are exhibiting the same level of aggressive activity.
3) The best news is that there has been a "shift" in computers participating in the probe/attack of ports 1026 (and at times 1027) and Port 1434. The "shift" is all new countries, (except for the U.S.), which now includes Japan, Israel, Taiwan, Switzerland and Sweden.
4) The worst news of the night, is that Performance Systems International (U.S.), Morgan Stanley Group (U.S.), Oracle (U.S.), Oracle Japan and Sweden's "The Swatch Group" are now participating in the probe/attack on port 1026. South Korea is now probing/attacking on Port 22.

We have utilized a satellite IP address locator, http://www.seomoz.org/ip2loc, in an attempt to identify the IP address 154.191.242.60 (yesterday's Cyber Report) and it is physically located on the coast of the United Kingdom. The location has been found, but the identity is still unknown.

In our professional opinion, last night's overall Internet activity is a major improvement in compared to Tuesday night's Internet activity.

Port 1026 (and at times port 1027)
----------------------------------

Japan
U.S.
Israel
Taiwan
Switzerland

Port 1434
---------
Sweden

Port 22
-------
South Korea

The specific details on each IP is below.

---- Port 1026
IP Address : 133.160.34.234 [ 133.160.34.234 ]
ISP : -
Organization : -
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 24.211.81.202 [ cpe-024-211-081-202.sc.res.rr.com ]
ISP : Road Runner
Organization : Road Runner
Location : US, United States
City : Mamers, NC 27552
Latitude : 35°42'01" North
Longitude : 78°93'43" West

IP Address : 67.116.31.77 [ adsl-67-116-31-77.dsl.snfc21.pacbell.net ]
ISP : SBC Internet Services
Organization : PRINT SMITH
Location : US, United States
City : Moraga, CA -
Latitude : 37°83'81" North
Longitude : 122°10'26" West

IP Address : 133.121.131.115 [ 133.121.131.115 ]
ISP : -
Organization : -
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

IP Address : 38.66.244.63 [ 38.66.244.63 ]
ISP : Performance Systems International
Organization : Performance Systems International
Location : US, United States
City : Washington, DC 20007
Latitude : 38°91'44" North
Longitude : 77°07'63" West

IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East

IP Address : 138.20.91.183 [ 138.20.91.183 ]
ISP : Morgan Stanley Group
Organization : Morgan Stanley Group
Location : US, United States
City : New York, NY 10036
Latitude : 40°76'05" North
Longitude : 73°99'33" West

IP Address : 148.87.242.224 [
reserved-for-dhcp-148-87-242-224.oracle.com ]
ISP : Oracle Datenbanksysteme GmbH
Organization : Oracle Datenbanksysteme GmbH
Location : US, United States
City : Redwood City, CA 94065
Latitude : 37°53'31" North
Longitude : 122°24'71" West

IP Address : 124.11.42.31 [ 124-11-42-31.static.tfn.net.tw ]
ISP : Taiwan Fixed Network CO.,LTD.
Organization : Taiwan Fixed Network CO.,LTD.
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East

IP Address : 21.137.44.14 [ 21.137.44.14 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 149.133.181.115 [ 149.133.181.115 ]
ISP : THE SWATCH GROUP
Organization : THE SWATCH GROUP
Location : CH, Switzerland
City : Biel, 05 -
Latitude : 47°16'67" North
Longitude : 7°25'00" East

IP Address : 146.56.56.108 [ 146.56.56.108 ]
ISP : Oracle Corporation Japan
Organization : Oracle Corporation Japan
Location : JP, Japan
City : -, - -
Latitude : 36°00'00" North
Longitude : 138°00'00" East

---- Port 1434
IP Address : 84.112.179.164 [ chello084112179164.31.11.vie.surfer.at ]
ISP : Chello Broadband GmbH
Organization : Chello Broadband GmbH
Location : SE, Sweden
City : -, - -
Latitude : 62°00'00" North
Longitude : 15°00'00" East

---- Port 22
IP Address : 58.120.21.229 [ 58.120.21.229 ]
ISP : Hanaro Telecom, Inc.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seoul, 11 -
Latitude : 37°56'64" North
Longitude : 126°99'97" East

###
Black Lab Security Cyber Center Report
Wednesday, October 17, 2007 (5:41 PM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com

Because ports 1026 and 1027 were the most common ports exploited overnight, we decided to provide an end-of-day report on these specific ports.

The most interesting probe/attack, comes from an IP address of 154.191.242.60, which is not recorded in any of the 10 "whois" communication databases BLSS utilizes as reference at this time. It is an actual IP address and it is conducting probes/attacks on port 1026 UDP. We can only conclude that the IP must belong to a computer within a government agency.

We have detected and observed two new countries probing/attacking on the following ports (same as previously reported by China):

---- Port 1026
IP Address : 161.71.93.139 [ ip-161-71-0-0.euro.3com.com ]
ISP : Isolan House
Organization : Isolan House
Location : GB, United Kingdom
City : Hemel Hempstead, F8 -
Latitude : 51°75'00" North
Longitude : 0°46'67" West

---- Port 1027
IP Address : 82.166.13.50 [ 82-166-13-50.barak-online.net ]
ISP : Barak I.T.C
Organization : Barak I.T.C
Location : IL, Israel
City : -, - -
Latitude : 31°50'00" North
Longitude : 34°75'00" East

###
Black Lab Security Cyber Center Report
Wednesday, October 17, 2007 (9:00 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com

1) BLSS has detected and observed the worst night of probes/attacks since we started reported internet activity.
2) All probes/attacks from China continue and the frequency of China probes/attacks has gotten much shorter (worse) and China is "bombarding" the U.S. internet infrastructure.
3) It is also the same scenario for South Korea. South Korea is probing/attacking with a greater frequency (same previously reported probes/attacks).
4) Within a 15 hour period since yesterday, many other countries have "suddenly started" probing/attacking the same ports as China/South Korea.

In summary, after days of continuous probes/attacks from China/South Korea, suddenly within a 15 hour period we (BLSS) have detected and observed Argentina, New Zealand, Russia, Belgium, Mexico, Africa, India, Taiwan, Sweden, Oman, Spain, Brazil and Germany joined in on the same probes/attacks on the U.S. Internet infrastructure. This does not include the U.S. computers that have joined the same attack, including a computer within the U.S. Army's Information Systems headquarters located at Fort Huachuca, AZ.

As the U.S. is concerned about a possible penetration into U.S. power (electric) companies, it has happened below with WISCONSIN ENERGY CONSERVATION CORPORATION (port 2967).

Within the past 15 hours, the following countries/organizations have joined in probing/attacking the U.S. Internet infrastructure:

Port 1026
---------
140.200.226.166 New Zealand
17.202.238.133 U.S. - APPLE COMPUTER
17.91.7.155 U.S. - APPLE COMPUTER
17.202.238.133 Russia Russian Federation
190.174.3.188 Argentina
97.70.91.231 U.S. - Bright Networks, Brandon, FL
152.18.12.22 U.S. Univ Of North Carolina At Asheville
147.93.101.5 Belgium
200.66.140.237 Mexico
35.16.46.36 U.S. An Arbor, Michigan
41.147.113.229 Africa
130.5.134.185 AT&T Bell Laboratories, Lake Mary, FL
68.51.170.66 Comcast Cable, Savannah, GA

Port 4899
---------
59.163.49.6 India, Bombay
143.80.159.231 Headquarters, USAAISC, Fort Huachuca, AZ

Port 25
-------
219.81.161.121 Taiwan

Port 1433
---------
95.198.208.188 Sweden

Port 1434
---------
82.178.22.22 Oman

Port 2967
---------
69.128.111.252 WISCONSIN ENERGY CONSERVATION CORPORATION

Port 5900
---------
85.155.70.239 Spain
201.88.2.10 Brazil

Port 5475
---------
87.106.15.165 Germany

The IANA continues its normal activity of probing/scanning computers throughout the U.S. Internet infrastructure.

The specifics on each defined IP (above) is listed below.

---- Port 1026
IP Address : 9.239.123.165 [ 9.239.123.165 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

IP Address : 140.200.226.166 [ 140.200.226.166 ]
ISP : The University of Waikato
Organization : Network Provider
Location : NZ, New Zealand
City : Wellington, 00 -
Latitude : 41°30'00" South
Longitude : 174°78'33" East

IP Address : 17.202.238.133 [ 17.202.238.133 ]
ISP : APPLE COMPUTER
Organization : APPLE COMPUTER
Location : US, United States
City : Cupertino, CA 95014
Latitude : 37°30'42" North
Longitude : 122°09'46" West

IP Address : 17.91.7.155 [ 17.91.7.155 ]
ISP : APPLE COMPUTER
Organization : APPLE COMPUTER
Location : US, United States
City : Cupertino, CA 95014
Latitude : 37°30'42" North
Longitude : 122°09'46" West

IP Address : 77.34.95.139 [ 77.34.95.139 ]
ISP : -
Organization : Open Joint Stock Company Far East Telecommunicatio
Location : RU, Russian Federation
City : Vladivostok, 59 -
Latitude : 43°13'33" North
Longitude : 131°90'00" East

IP Address : 190.174.3.188 [ 190-174-3-188.speedy.com.ar ]
inetnum: 190.174/15
status: allocated
owner: Telefonica de Argentina
ownerid: AR-TEAR7-LACNIC
responsible: Agustín Gomez Dhers
address: AV. ING. HUERGO - OBS. JUDICIALES, 723,
address: 1065 - Buenos Aires - CF
country: AR
phone: +54 11 4332-2220 []
owner-c: TEA
tech-c: TEA
inetrev: 190.174/15
nserver: DNS1.MRSE.COM.AR
nsstat: 20071015 AA
nslastaa: 20071015
nserver: DNS2.MRSE.COM.AR
nsstat: 20071015 AA
nslastaa: 20071015
nserver: DNS3.MRSE.COM.AR
nsstat: 20071015 AA
nslastaa: 20071015
nserver: DNS4.MRSE.COM.AR
nsstat: 20071015 AA
nslastaa: 20071015
created: 20071005
changed: 20071005

IP Address : 97.70.91.231 [ 97.70.91.231 ]
OrgName: bright house NETWORKS
OrgID: BHN-2
Address: 1219 Millennium Parkway
City: Brandon
StateProv: FL
PostalCode: 33511
Country: US

IP Address :[ 152.18.12.22 ]
ISP : University of North Carolina at Asheville
Organization : University of North Carolina at Asheville
Location : US, United States
City : Asheville, NC 28804
Latitude : 35°64'73" North
Longitude : 82°55'12" West

IP Address : 147.93.101.5 [ 147.93.101.5 ]
ISP : Landsbond der Christelijke Mutualiteiten
Organization : Landsbond der Christelijke Mutualiteiten
Location : BE, Belgium
City : Brussel, 11 -
Latitude : 50°83'33" North
Longitude : 4°33'33" East

IP Address : 200.66.140.237 [ dup-200-66-140-237.prodigy.net.mx ]
ISP : Uninet S.A. de C.V.
Organization : Uninet S.A. de C.V.
Location : MX, Mexico
City : -, - -
Latitude : 23°00'00" North
Longitude : 102°00'00" West

IP Address : 35.16.46.36 [ 35.16.46.36 ]
ISP : Merit Network
Organization : Merit Network
Location : US, United States
City : Ann Arbor, MI 48104
Latitude : 42°27'34" North
Longitude : 83°71'33" West

IP Address : 41.147.113.229 [ 41.147.113.229 ]
organisation: ORG-AFNC1-AFRINIC
org-name: AfriNIC - The African Network Information Centre
org-type: RIR
country: MU
address: =======================================
address: Office 03B3, 3rd Floor Cyber Tower
address: Port Louis
address: Mauritius
address:
phone: +230 466 6616
fax-no: +230 466 6758
remarks:
e-mail: contact@afrinic.net
admin-c: TEAM-AFRINIC
tech-c: TEAM-AFRINIC

IP Address : 130.5.134.185 [ 130.5.134.185 ]
ISP : AT&T Bell Laboratories
Organization : AT&T Bell Laboratories
Location : US, United States
City : Lake Mary, FL 32746
Latitude : 28°75'78" North
Longitude : 81°33'97" West

IP Address : 68.51.170.66 [ c-68-51-170-66.hsd1.ga.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Savannah, GA -
Latitude : 32°04'33" North
Longitude : 81°11'67" West

IP Address : 77.184.52.56 [ 77.184.52.56 ]
ISP : -
Organization : 1&1 Internet AG
Location : DE, Germany
City : Karlsruhe, 01 -
Latitude : 49°00'47" North
Longitude : 8°38'58" East

---- Port 4899
IP Address : 59.163.49.6 [ 59.163.49.6.static.vsnl.net.in ]
ISP : Videsh Sanchar Nigam Ltd - India.
Organization : Videsh Sanchar Nigam Ltd
Location : IN, India
City : Bombay, 16 -
Latitude : 18°97'50" North
Longitude : 72°82'58" East

IP Address : 143.80.159.231 [ 143.80.159.231 ]
ISP : Headquarters, USAAISC
Organization : Headquarters, USAAISC
Location : US, United States
City : Fort Huachuca, AZ 85613
Latitude : 31°52'73" North
Longitude : 110°36'07" West

---- Port 25
IP Address : 219.81.161.121 [ 219-81-161-121.dynamic.tfn.net.tw ]
ISP : Taiwan Fixed Network CO.,LTD.
Organization : Taiwan Fixed Network CO.,LTD.
Location : TW, Taiwan
City : Taipei, 03 -
Latitude : 25°03'92" North
Longitude : 121°52'50" East

---- Port 990
IP Address : 75.126.114.34 [ vipeax.info ]
ISP : -
Organization : SoftLayer Technologies
Location : US, United States
City : Dallas, TX 75207
Latitude : 32°78'25" North
Longitude : 96°82'07" West

---- Port 1433
IP Address : 195.198.208.188 [ 195-198-208-188.customer.telia.com ]
ISP : TeliaSonera AB
Organization : Kanal-Data AB
Location : SE, Sweden
City : Kungälv, 28 -
Latitude : 57°86'67" North
Longitude : 11°96'67" East

---- Port 1434
IP Address : 82.178.22.22 [ 82.178.22.22 ]
ISP : Oman
Organization : Muscat Ltd
Location : OM, Oman
City : Muscat, 06 -
Latitude : 23°61'33" North
Longitude : 58°59'33" East

---- Port 2967
IP Address : 69.128.111.252 [ http://www.energyfinancesolutions.com/ ]
ISP : TDS TELECOM
Organization : WISCONSIN ENERGY CONSERVATION CORPORATION
Location : US, United States
City : Janesville, WI -
Latitude : 42°68'10" North
Longitude : 89°04'38" West

---- Port 5900
IP Address : 85.155.70.239 [ 85.155.70.239.dyn.user.ono.com ]
ISP : CABLETELCA, S.A.
Organization : AUNA CANARIAS
Location : ES, Spain
City : Barcelona, 56 -
Latitude : 41°38'33" North
Longitude : 2°18'33" East

IP Address : 201.88.2.10 [ 201-88-2-10.pvoce301.ipd.brasiltelecom.net.br ]
ISP : -
Organization : Brasil Telecom S/A - Filial Distrito Federal
Location : BR, Brazil
City : -, - -
Latitude : 10°00'00" South
Longitude : 55°00'00" West

IP Address : 201.40.16.202 [ 201.40.16.202 ]
ISP : Brasil Telecom S/A - Filial Distrito Federal
Organization : Brasil Telecom S/A - Filial Distrito Federal
Location : BR, Brazil
City : -, - -
Latitude : 10°00'00" South
Longitude : 55°00'00" West

---- Port 5475
IP Address : 87.106.15.165 [ s15210777.onlinehome-server.info ]
ISP : Schlund+Partner AG
Organization : Schlund + Partner AG
Location : DE, Germany
City : Karlsruhe, 01 -
Latitude : 49°00'47" North
Longitude : 8°38'58" East

###
Black Lab Security Cyber Center Report
Tuesday, October 16, 2007 (3:00 PM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecurity.com/

We have detected and observed that Russia is now probing/attacking port 1434 with multiple "short burst" probes/attacks. As a reminder, port 1434 is primarily associated with Microsoft SQL databases.

IP Address : 78.106.211.115 [ 78-106-211-115.broadband.corbina.ru ]
ISP : -
Organization : Investelektrosviaz Ltd.
Location : RU, Russian Federation
City : Moscow, 48 -
Latitude : 55°75'22" North
Longitude : 37°61'56" East

###
Black Lab Security Cyber Center Report
Tuesday, October 16, 2007 (7:26 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com

1) We have detected and observed that China is still continuously probing/attacking all previously reported ports. The frequency of probes/attacks from China seem to have (arguably) "leveled off", however the frequency is still very short, with multiple "short burst" probes/attacks throughout the night. All China IP addresses continue to "cycle" with "short bursts" with no apparent end in sight.
2) We have also detected and observed several new computers probing/attacking the internet. Specifically, several new computers have joined in on the probe/attack of port 1026 UDP, which has a known vulnerability for the Microsoft Messenger service.
3) As stated in the previous BLSS Cyber Center reports, port 1026 UDP has been continuously probed/attacked by China and continues at this time, to be probed/attacked by China. The alarming news, is that computers within the United Kingdom Department Of Defense and U.S. Postal Service have now joined the probe/attack on port 1026 UDP.
4) To further clarify the IANA listed in today's BLSS Cyber Report; The IANA probe/scan is a normal scan that routinely comes through port 1026 UDP."Also received normal probes/scans on Port 1026 UDP from the IANA", with the intent to communicate that this is normal for the IANA and not a probe/attack.

Port 1026 UDP----------
25.95.83.237 UK Ministry Of Defense
56.38.164.130 United States Postal Service
86.166.238.67 British Telecommunications
51.71.178.188 United Kingdom
24.64.72.203 Shaw Communications, Canada
31.194.10.185 Approx somewhere in Colorado
68.215.198.222 Bellsouth, Marietta, GA
75.126.114.34 SoftLayer Technologies, Dallas, TX

Also received normal probes/scans on port 1026 UDP from the IANA-----
46.229.8.88 Internet Assigned Numbers Authority (IANA) - Received two scans/probes overnight

Port 1027 UDP, 1028 UDP -------
24.64.72.203 Shaw Communications, Canada

Port 1024 TCP ----------------
86.166.238.67 British Telecommunications

Specific IP Data is the following:

------ Port 1026 UDP --------------
IP Address : 25.95.83.237 [ 25.95.83.237 ]
ISP : UK Ministry of Defence
Organization : DINSA, Ministry of Defence
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West

------ Port 1026 UDP --------------
IP Address : 56.38.164.130 [ 56.38.164.130 ]
ISP : United States Postal Service.
Organization : United States Postal Service.
Location : US, United States
City : Raleigh, NC 27668
Latitude : 35°79'77" North
Longitude : 78°62'53" West

------ Port 1026 UDP -------------
IP Address 46.229.8.88
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695

------- Port 1026 UDP -------------
IP Address : 86.166.238.67 [host86-166-238-67.range86-166.btcentralplus.com ]
ISP : British Telecommunications
Organization : British Telecommunications
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West

-------- Port 1024 TCP ------------
IP Address : 86.166.238.67 [host86-166-238-67.range86-166.btcentralplus.com ]
ISP : British Telecommunications
Organization : British Telecommunications
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West

--------- Port 1026, 1027, 1028 UDP -------
IP Address : 24.64.72.203 [ 24.64.72.203 ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : Penhold, AB -
Latitude : 52°13'33" North
Longitude : 113°86'67" West

--------- Port 1026 UDP --------------
IP Address : 51.71.178.188 [ 51.71.178.188 ]
ISP : -
Organization : -
Location : GB, United Kingdom
City : -, - -
Latitude : 54°00'00" North
Longitude : 2°00'00" West

--------- Port 1026 UDP ----------
IP Address : 31.194.10.185 [ 31.194.10.185 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

-------- Port 1026 UDP ---------
IP Address : 68.215.198.222 [ adsl-215-198-222.aep.bellsouth.net ]
ISP : BellSouth.net
Organization : BellSouth.net
Location : US, United States
City : Marietta, GA -
Latitude : 33°95'32" North
Longitude : 84°51'77" West

-------- Port 1026 UDP ---------
IP Address : 75.126.114.34 [ vipeax.info ]
ISP : -
Organization : SoftLayer Technologies
Location : US, United States
City : Dallas, TX 75207
Latitude : 32°78'25" North
Longitude : 96°82'07" West

###
Black Lab Security Cyber Center Report
Sunday, October 14, 2007 (3:00 PM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecurity.com/

1) Same previous ports that have been reported are still being scanned...
2) China - more frequent probes/attacks on all previously defined ports, including increased frequency on port 4899 (TCP). China is now probing/attacking port 25 (TCP), which directly affects Microsoft Internet Information Services (ISS), which is the "back-bone" of a Microsoft server.
3) We can some computer in Houston, probing port 1024 (TCP).
4) We also have a computer, located in Herndon, VA probing/attacking port 5038 (TCP), attempting to access the Microsoft console server.
5) South Korea (same previously reported IP), is now probing/attacking port 3128 in an attempt to find a "back door" to a firewall. To obtain more information on port 3128, use the following search parameters on search: "Microsoft port 3128 firewall" (without quotes).

----- Port 4899 ------------
IP Address : 58.215.65.237 [ 58.215.65.237 ]
ISP : CHINANET jiangsu province network
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----- Houston Probing Port 1024 ---
IP Address : 67.15.83.36 [ ronaldsrecordclub.com ]
ISP : Everyones Internet
Organization : Everyones Internet
Location : US, United States
City : Houston, TX 77060
Latitude : 29°93'42" North
Longitude : 95°40'57" West

----- Herndon, VA Probing Port 5038 Attempting to access the console server -----
IP Address : 70.62.253.83 [ rrcs-70-62-253-83.central.biz.rr.com ]
ISP : Road Runner Business
Organization : Road Runner Business
Location : US, United States
City : -, NC -
Latitude : 35°57'64" North
Longitude : 79°52'87" West

OrgName: Road Runner HoldCo LLC
OrgID: RCMS
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US

http://security-world.blogspot.com/2007_07_09_archive.html

The script works by logging into the console server on port 5038/TCP on localhost. It then issues an 'Action: Originate' command which is used to setup the bridged call.

---- Direct attack on Port 25 against Internet Information Services
(IIS) ----
IP Address : 221.218.180.21 [ 221.218.180.21 ]
ISP : CNCGROUP Beijing province network
Organization : CNCGROUP Beijing Province Network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

https://technet.microsoft.com/en-us/library/aa998114.aspx

----- South Korea Probe on Port 3128 ------------
IP Address : 218.50.1.119 [ 218.50.1.119 ]
ISP : Hanaro Telecom Co.
Organization : Hanaro Telecom, Inc.
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

Netherlands probing/attacking port 10000 TCP. Sans Institute reports that port 10000 TCP is vulnerable to remote code execution via "VERITAS Backup Exec Windows Agent Remote File Access Exploit (0day)"

IP Address : 217.148.183.125 [ backup.vsm-hosting.nl ]
ISP : We Dare B.V.
Organization : We Dare B.V.
Location : NL, Netherlands
City : Rotterdam, 11 -
Latitude : 51°91'67" North
Longitude : 4°50'00" East

URL:

http://isc.sans.org/diary.html?date=2005-08-11

###
Black Lab Security Cyber Center Report
Saturday, October 13, 2007 (9:56 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecurity.com/

1) We are observing a gradual increase in the frequency of the "short burst” probes/attacks as reported within the 12 Oct 2007 BLSS Cyber Center report.
2) However, we have detected and are now observing two new countries with "short burst" probes/attacks on port 4899, which looks for known vulnerabilities within the Microsoft radmin server 2.0 and 2.1. The countries are Sri Lanka and Turkey:

----Port 4899 ----------------------------------------------
IP Address : 220.247.214.66 [ mail.zmvertiko.com ]
ISP : Sri Lanka Telecom
Organization : Z.M.Vertico Ltd
Location : LK, Sri Lanka
City : Padukka, 36 -
Latitude : 6°83'25" North
Longitude : 80°09'86" East

IP Address : 85.98.240.125 [ dsl85-98-61565.ttnet.net.tr ]
ISP : Turk Telekom
Organization : Turk Telekom
Location : TR, Turkey
City : Türk, 15 -
Latitude : 37°05'00" North
Longitude : 29°70'00" East

The Sans Storm Center URL is below, along with posted comments from the URL:

http://isc.sans.org/port.html?port=4899

As stated just above, there´s a known vulnerability related to this service (radmin).

There is a known remote exploitable vulnerability in radmin server versions 2.0 and 2.1 that allows code execution.

###
Black Lab Security Cyber Center Report
Friday, October 12, 2007 (10:40 AM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecurity.com/

The past 24 hours, we have detected continuous "short burst" probes/attacks on ports 1026, 1027, 1434, 7212, 5900 and 5901, from the same previous IPs reported by BLSS. These "short burst" probes/attack, continued to "cycle on and off" our honey pot all night and continue as I write this e-mail.

Additionally, we have picked up attempted probes/attacks on ports 1080, 2967, 3072 and 5110, all which have been previously reported via Sans Institute, etc., with various security warnings:

Port 1080 - Attempt to gain access to proxy servers Port 2967 - Port is used by Symantec and is commonly scanned for port information Port 3072 - Attempted connection directly to port 3072 Port 5110 - Attempt to gain access to incoming mail

And last but not least, we were probed again by the IANA!! :)

----- Port 2967 ----------------
IP Address : 69.248.27.110 [ c-69-248-27-110.hsd1.nj.comcast.net ]
ISP : Comcast Cable
Organization : Comcast Cable
Location : US, United States
City : Edison, NJ -
Latitude : 40°53'78" North
Longitude : 74°37'14" West

IP Address : 221.0.56.16 [ 221.0.56.16 ]
ISP : CNCGROUP Shandong province network
Organization : CNCGROUP Shandong province network
Location : CN, China
City : Jinan, 25 -
Latitude : 36°66'83" North
Longitude : 116°99'72" East

IP Address : 81.136.182.62 [ host81-136-182-62.in-addr.btopenworld.com ]
ISP : British Telecommunications
Organization : British Telecommunications
Location : GB, United Kingdom
City : Uxbridge, F9 -
Latitude : 51°55'00" North
Longitude : 0°48'34" West

----- Port 3072 ------------
IP Address : 67.15.83.36 [ ronaldsrecordclub.com ]
ISP : Everyones Internet
Organization : Everyones Internet
Location : US, United States
City : Houston, TX 77060
Latitude : 29°93'42" North
Longitude : 95°40'57" West

----- Port 5110 ------------
IP Address : 69.157.156.64 [ bas6-quebec14-1167957056.dsl.bell.ca ]
ISP : Bell Canada
Organization : Sympatico
Location : CA, Canada
City : Quebec, QC -
Latitude : 46°80'00" North
Longitude : 71°25'00" West

----- Port 1080 -------------
IP Address : 208.77.45.13 [ 208.77.45.13 ]
ISP : -
Organization : AKANOC Solutions
Location : US, United States
City : Fremont, CA 94538
Latitude : 37°50'79" North
Longitude : 121°95'99" West

----- Probed again by the IANA -----
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

Within the past hour, new probe from South Korea and a new probe from China have begun on ports 6588 and 5471 (both tcp). These parts are also well recognized as being a potential threat from numerous security web sites on the internet;

----- Port 6588 TCP ------------------
IP Address : 218.234.41.8 [ 218.234.41.8 ]
ISP : Hanaro Telecom Co.
Organization : SEOULMEDIA
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

----- Port 5471 TCP ------------------
IP Address : 58.221.28.143 [ 58.221.28.143 ]
ISP : CHINANET jiangsu province network
Organization : CHINANET jiangsu province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

###
Black Lab Security Cyber Center Report
Thursday, October 11, 2007 (5:43 PM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecurity.com/

Within the last 20 minutes, our honey pot as detected 3 separate Chinese sites (IPs), from 3 different ISPs, probing and attacking on port 5900 TCP.
The Sans Institute Storm Center has recognized recent attacks on this port and further documented that a probe/attack on port 5900 TCP, is because RealVNC successfully achieves unauthorized direct connections to a machine (computer).

We are seeing an incredible spike with China attempting to connect directly to port 5900.

--- Chinese sites (IPs) attempting an unauthorized direct TCP Connection -------

IP Address : 220.185.215.36 [
36.215.185.220.broad.tz.zj.dynamic.163data.com.cn ]
ISP : Data Communication Division
Organization : CHINANET-ZJ Taizhou node network
Location : CN, China
City : Taizhou, 04 -
Latitude : 32°49'33" North
Longitude : 119°90'81" East

IP Address : 211.160.163.85 [ 211.160.163.85 ]
ISP : Haidian District, Beijing
Organization : FibrLINK Communications Co., Ltd.
Location : CN, China
City : Chaoyang, 19 -
Latitude : 41°57'03" North
Longitude : 120°45'86" East

IP Address : 124.114.94.10 [10.94.114.124.broad.xa.sn.dynamic.163data.com.cn ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

###
Black Lab Security Cyber Center Report
Thursday, October 11, 2007 (4:29 PM CMT)

Black Lab Security Systems, Inc. (BLSS)
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
info@blacklabsecurity.com
http://www.blacklabsecurity.com/

Probes/Attacks on ports 7212, 1026 and 1027 continue throughout today. It appears that two more U.S. computers are participating in the probes/attacks on ports 1026 and 1027; 1) An Amateur Radio Station located somewhere
(approximately) in Colorado (Isn't it interesting that it's an amateur radio station? I wonder if they are talking to China? -hint, hint), and 2) A computer within the DuPont industry.

France has one IP that is probing/attacking port 5901 TCP. Below is a URL which documents the fact that 5901 has been probed, and the URL suggests that the probe on port 5901 could mean a new release of attack tools. Fyi, see below.

----- Radio Station --------------
IP Address : 44.229.178.141 [ 44.229.178.141 ]
ISP : -
Organization : -
Location : US, United States
City : -, - -
Latitude : 38°00'00" North
Longitude : 97°00'00" West

OrgName: Amateur Radio Digital Communications
OrgID: ARDC
Address:
City:
StateProv:
PostalCode:
Country: US

------ Du Pont Computer --------
IP Address : 52.58.172.162 [ 52.58.172.162 ]
ISP : E.I. du Pont de Nemours and Co.
Organization : E.I. du Pont de Nemours and Co.
Location : US, United States
City : Wilmington, DE 19893
Latitude : 39°56'45" North
Longitude : 75°59'70" West

OrgName: E.I. du Pont de Nemours and Co., Inc.
OrgID: EDPDNC
Address: E.I. du Pont de Nemours and Co., Inc.
Address: 1007 market Street
City: Wilmington
StateProv: DE
PostalCode: 19893
Country: US

---- Port 5901 Probe/Attack -------------

IP Address : 217.128.199.223 [
LNeuilly-152-23-105-223.w217-128.abo.wanadoo.fr ]
ISP : France Telecom
Organization : France Telecom
Location : FR, France
City : Saint-Orens-de-Gameville, B3 -
Latitude : 43°55'00" North
Longitude : 1°53'33" East

Port 5901 Information (url) is the following:

http://forums.spywareinfo.com/index.php?showtopic=101999&mode=linearplus

Offshore CyberProbes/CyberAttacks: New Sophisticated Coordination

2007-10-28T21:21:00.000-04:00

Black Lab Security Alert
October 11, 2007

Rating: Extremely Serious

Black Lab Security Systems, Inc
9250 Bendix Road, North Suite 225
Columbia, MD 21045
Toll Free: 888-352-1119
Web: http://www.blacklabsecurity.com/
info@blacklabsecurity.com

Offshore CyberProbes/CyberAttacks: New Sophisticated Coordination Using
Distributed Short-Burst Stealth (C-DSSB) Attack Techniques

Upon further investigation of the recent off-shore cyber probes/attacks, Black Lab Security Systems (BLSS) has detected a new offshore attack capability consisting of sophisticated coordination utilizing short-burst attack techniques. This attack capability is even more advanced than the security industry’s recorded coordinated Distributed Denial of Service (DDoS) attacks in recent years. The objective of these C-DSSB attacks is not Denial of Service (DoS), but intrusion and code injection leading to ultimate control of the system and information extraction.

In closely spaced timeframes, multiple sites from China that are consistently attempting to exploit the same inbound ports (on computer under attack) along with Chinese computers are all consistently using the same outbound port as their local port (on the attacking computer) to the United States. BLSS believes that the probes on the same ports from multiple sites within China are too consistent to be a coincidence and present a high probability of a well coordinated cyber probe/attack.

A coordinating attack site (single attack IP) starts with a couple of “burst packets” of TCP or UDP. The attackers then coordinate the reminder of the Chinese and other compromised sites to hit the targeted site with “burst packets” in random order. The attackers will send attacks from site to site and then repeat. This technique hides or “stealths” the attack from looking like a standard DoS attack because COMM is broken which allows the other attacking sites to pick up where the previous attack site left off. One of the attacking IPs will continuously hang onto the attacking site for hours before taking a short break and then reconnecting.

Based on the number of diverse Chinese-based attack origination locations (11 cities and 9 provinces), our intelligence believes these attacks require resources much greater than a small criminal hacking team such as Chinese hackfest champion (and suspected PLA member) Tan Dailan (aka Wicked Rose) and his Network Crack Program Hacker (NCPH) Team. NCPH was last reported working out of the Sichuan province near the Sichuan University of Science & Engineering. However, the NCPH’s involvement in these Window’s based cyber attacks is likely. Tan Dailan has reportedly taken a leave of absence from the University, is receiving monthly funding from an unknown source and has received PLA training. Recently, NCPH was thought to be behind a barrage of attacks against several US government agencies using 35 versions of the exploit and siphoning millions of documents back to China.

One other known Chinese hacking cybercriminal: the Fujacks worm (aka as worm.whboy and Panda burning joss sticks first seen in January 2007) criminals Li Jun (age 25), Wang Lei, Zhang Shun and Lei Lei were convicted (September 2007) in a people's court in Hubei Province. The Fujacks worms were capable of: allowing others to access the computer, downloading code, remote code execution and access, modifying data, and modifying the Registry. According to Chinese media, Li Jun was sentenced to four years in prison. Wang Wanxiong, Li Jun’s lawyer, reported that Li Jun has received ten job offers for his "precious genius” including one offer from offer to become Jushu Technology’s (based in Hangzhou City, Zhejiang Province) Technology Director ($1M Chinese yuan or approximately $135,000 $US).

Previous Chinese-based systematic attacks lasting for at least two years and investigated by the FBI under code named “Titan Rain” were launched from Guangdong province.

Please note:
(1) Hubei, Guangdong, and Sichuan Provinces, mentioned above, are involved in the cyber attacks profiled in this alert.
(2) In 2003, Microsoft consented to sharing its operating systems code with the Chinese government in return for access to the Chinese market. The computer security community now fears the PLA may be putting this O/S code knowledge to use in their cyber warfare preparation efforts.
(3) The attacks profiled in this alert required significant coordination and resources. No direct proof pointing at the top-level PLA information warfare command (Fourth Department of the PLA General Staff Headquarters) or other Chinese Government organizations has been done.

Extremely Serious Rating
BLSS defines an extremely serious rating as attacks meeting two conditions:
(1) Continuous communications (either UDP or TCP) being received for more than 4 hours from each attacking IP address.
(2) An attacking IP address that sent communications (TCP, UDP, or RAW), then stopped communications and restarted the communications, continuously within a 12 hour period.

BACKGROUND
(1) We are a Cyber Security Software firm.
(2) We have established honey pot websites site on the Internet.
(3) Using the Shadow Security Suite (our product) as the (only) security solution active on the web server/network, we have successfully detected, stopped and gathered detail forensics information profiling the cyber probes/attacks and traced the probes/attacks back to China and other locations.
(4) We are detecting very detailed interrelated events because our packet monitor and port monitor are designed and developed using “raw sockets” methodology.
(5) All events that take place within a Shadow protected computer are correlated in a real-time environment to determine the exact forensics while Shadow protects the computer and will not allow unauthorized modifications to execute and any remote code execution including unknown vulnerabilities (see picture below of actual China attack captured in real-time).

REAL-TIME CAPTURE OF ON-GOING ATTACK

ADDITIONAL Attack Details
BLSS is detecting cyber probes and cyber attacks from multiple coordinated sites originating from China and other countries using similar techniques, payloads, and source transmission ports (predominately port 6000) from the attacking computer. The attacking computers located in countries outside of China as suspected to have successfully hacked by the Chinese hackers and are now remotely controlled zombie computers.

The attacks will continuously cycle through these inbound ports. Ports under attack include:
139 NetBIOS Session Service and file shares
1026 Calendar Access Protocol port
1027 Calendar Access Protocol port
1434 Monitors and manages Microsoft SQL databases
5168 Used by TrendMicro ServerProtect to receive pushed signature updates.
7212 Unassigned. Used by GhostSurf™ open proxy and RealPlayer™.

Based on our investigation, both TCP and UDP command packets are being sent to exploit ports. Therefore, BLSS believes that listed ports are categorized as a significant threat and appropriate actions should be taken within your network firewalls immediately.

The cyber attacks are attempting to execute “system wide” java scripts (*.js) and other malware programs to gain overall control of the attacked computer. The Java Scripts include: RAClient.exe, RAServer.js and RAControl.js.

There was no logon, no buffer over flow, nothing of any nature that would indicate capturing of the internal system name, password, etc.

BLSS has been able to determine, the probes/attacks are evolving to a very advanced methodology, which no longer depends on a successful ping (ICMP), and now begins with a defined IP address, and cycles through every possible IP combination within the IP address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", so forth and so on.

Please note: during the "security hardening" of our honey pot website, we intentionally removed the four remote access java scripts because they are considered a security threat. You can read about these scripts as being classified as potential spyware at http://www.spywared.com/files/1320/12/1. RAClient.exe, RAServer.js and RAControl.js are listed in the middle of the page. Additionally, if you utilize a search engine, such as google.com, you will find that Chinese sites are discussing in great detail, how to use RAClient.js, RAServer.js and RAControl.js. If you will run a Google search with the following parameters "china [java script name]" (without quotes), you might be amazed at the results. If you run a google search on the specific java script file name(s), you will find many experts recommending the deletion of these specific scripts, as part of "security hardening".

BLSS is using our solution (Shadow) to monitor all communications, (port activity), process activity, shell activity, and user (login activity). Essentially, we have designed a new security solution to simultaneously monitor what we feel are all the critical sub-systems within a Microsoft PC or Server. Shadow has the ability to perform an analysis on a Microsoft computer, assign a unique ID to each specific executable, including all compiled binary files and O/S scripts, (.bat, .vbs, .js, etc.), and will authenticate each executable and script before it is allowed to execute. Shadow also continuously cycles all of the internal hard drives, continuously analyzing each authorized executable (binary and O/S script) to detect an unauthorized modification to any authorized compiled binary file and O/S script. Shadow will detect an unauthorized modification without the need for the executable payload to execute. Shadow will also detect new (unauthorized) executable payloads without the requirement for the payload to execute. Shadow also places a "secure environment" around all Microsoft admin tools, CMD.EXE and PowerShell.exe, when any of these utilities are executing.

IP ADDRESSES DETECTED
The detailed information the Chinese IP addresses include:

IP
ISP
Organization
Location
City
Province
Latitude
Longitude

125.76.238.164
CHINANET Shanxi(SN) province network
CHINANET Shanxi(SN) province network
CN, China
Beijing, 22
Beijing
39°92'89" North
116°38'83" East

219.148.119.2
Data Communication Division
CHINANET hebei province network
CN, China
Beijing, 22
Beijing
39°92'89" North
116°38'83" East

116.18.161.55

ChinaNet Guangdong Province Network
CN, China
Guangzhou, 30
Guangdong
23°11'67" North
113°25'00" East

219.147.233.30
Data Communication Division
CHINANET HEILONGJIANG PROVINCE NETWORK
CN, China
Zhongshan, 07
Guangdong
25°53'61" North
118°78'97" East

222.216.28.161
CHINANET Guangxi province network
CHINANET Guangxi province network
CN, China
Nanning, 16
Guangxi Zhuang
22°81'67" North
108°31'66" East

222.217.240.248
CHINANET Guangxi province network
CHINANET Guangxi province network
CN, China
Nanning, 16
Guangxi Zhuang
22°81'67" North
108°31'66" East

121.18.13.107

CNC Group Hebei province network
CN, China
Hebei, 10
Hebei
39°88'97" North
115°27'50" East

218.10.137.130
CNCGROUP Heilongjiang province network
CNCGROUP Heilongjiang province network
CN, China
Harbin, 08
Heilongjiang
45°75'00" North
126°65'00" East

221.208.208.101
CNCGROUP Heilongjiang province network
CNCGROUP Heilongjiang province network
CN, China
Harbin, 08
Heilongjiang
45°75'00" North
126°65'00" East

221.208.208.3
CNCGROUP Heilongjiang province network
CNCGROUP Heilongjiang province network
CN, China
Harbin, 08
Heilongjiang
45°75'00" North
45°75'00" North

221.208.208.83
CNCGROUP Heilongjiang province network
CNCGROUP Heilongjiang province network
CN, China
Harbin, 08
Heilongjiang
45°75'00" North
126°65'00" East

221.208.208.91
CNCGROUP Heilongjiang province network
CNCGROUP Heilongjiang province network
CN, China
Harbin, 08
Heilongjiang
45°75'00" North
126°65'00" East

221.208.208.95
CNCGROUP Heilongjiang province network
CNCGROUP Heilongjiang province network
CN, China
Harbin, 08
Heilongjiang
45°75'00" North
126°65'00" East

221.208.208.98
CNCGROUP Heilongjiang province network
CNCGROUP Heilongjiang province network
CN, China
Harbin, 08
Heilongjiang
45°75'00" North
126°65'00" East

221.209.110.50
CNCGROUP Heilongjiang province network
Mudanjiang Internet Division
CN, China
Mudanjiang, 08
Heilongjiang
44°58'33" North
129°60'00" East

218.3.134.250
Data Communication Division
Network Center of Fast China Shipbuilding institut
CN, China
Zhenjiang, 04
Jiangsu
32°20'92" North
119°43'42" East

59.72.128.14
China Education and Research Network
Beihua University
CN, China
Jilin, 05
Jilin
43°85'08" North
126°56'03" East

58.247.50.243
CNC Group ShangHai province network
CNC Group ShangHai province network
CN, China
Shanghai, 23
Shanghai
31°00'50" North
121°40'86" East

222.215.136.52
CHINANET Sichuan province network
CHINANET Sichuan province network
CN, China
Chengdu, 32 -
Sichuan
30°66'67" North
104°06'66" East

Cyber Center Report - October 1, 2007

2007-10-01T23:12:00.000-04:00

Black Lab Security Alert
October 1, 2007

We have had 11 extremely serious probes/attacks in the past 4 days on our "honey pot" and Shadow successfully detected and stopped all of the probes/attacks.

Extremely serious is defined as two conditions;
(1) Continuous communications (either UDP or TCP) being received for more than 4 hours from each IP address below.
(2) An IP address that sent communications (TCP, UDP, or RAW), then stopped communications and restarted the communications, continuously within a 12 hour period.

We have provided information that is very detailed information where we have successfully traced the Point-Of-Origin of the probes/attacks from China and other non-US locations

BACKGROUND
We are a Cyber Security Software firm and have been probed by offshore interests quite often since our genesis.
We have established a honey pot site on the Internet.
Using the Shadow Security Suite (our product) as the (only) security solution active on the web server/network, we have successfully detected and stopped the probes/attacks and traced the probes/attacks back to China and other non-US locations.

DETAILS
(1) There are seven active sites in China. The following IP connections which have met our reporting criteria and of all the connections that met our criteria, we have detected IP 121.18.13.107, using Port 139 TCP, that installed four ".js" java scripts:

221.209.110.50 - CNCGROUP Heilongjiang province network -Mudanjiang
116.18.161.55 - ChinaNet Guangdong Province Network - Guangzhou
219.148.119.2 - Data Communication Division - Beijing
221.208.208.3 - CNCGROUP Heilongjiang province network - Mudanjiang
121.18.13.107 - CNC Group Hebei province network - Hebei
125.76.238.164 - CHINANET Shanxi(SN) province network - Beijing
218.3.134.250 - Data Communication Division, Network Center of Fast China Shipbuilding institute - Zhenjiang

Of the seven sites listed above, 121.18.13.107 has attempted the most intense attack, installing Remote Access Java Scripts. The Java Scripts include . RAClient.exe, RAServer.js and RAControl.js. None of the seven sites above were successful against Shadow. All probes/attacks were detected and stopped.

(2) There was no logon, no buffer over flow, nothing of any nature that would indicate capturing the internal system name, password, etc. All probes used Port 139 TCP.

(3) Shadow has been detecting and securing our web site/network from 7 simultaneous probes/attacks from China, each from a different city in China.

(4) We have been able to determine, the probes/attacks are evolving to a very advanced methodology, which no longer depends on a successful ping (ICMP), and now start with a defined IP address, and cycles through every possible IP combination within the IP address range. As an example, a probe starts with "100.100.100.001", launches a UDP packet and/or TCP packet, then goes to "100.100.100.002", then "100.100.100.003", so forth and so on.

(5) The other probes/attacks were from the following:

219.240.44.147 - Hanaro Telecom Co. - South Korea - Seocho
138.79.215.61 - CPSOFT - Australia - No City Identified
81.188.3.50 - Easynet Belgium, Cypres - Belgium - Brussel
24.64.132.11 - Shaw Communications - Canada - No City Identified

(6) Please note: during the "security hardening" of our honey pot website, we intentionally removed the four remote access java scripts because they are considered a security threat. You can read about these scripts as being classified as potential spyware at http://www.spywared.com/files/1320/12/1. RAClient.exe, RAServer.js and RAControl.js are listed in the middle of the page. Additionally, if you utilize a search engine, such as google.com, you will find that Chinese sites are discussing in great detail, how to use RAClient.js, RAServer.js and RAControl.js. If you will run a Google search with the following parameters "china [java script name]" (without quotes), you might be amazed at the results. If you run a google search on the specific java script file name(s), you will find many experts recommending the deletion of these specific scripts, as part of "security hardening".

(7) We are using our solution (Shadow) to monitor all communications, (port activity), process activity, shell activity, and user (login activity). Essentially, we have designed a new security solution to simultaneously monitor what we feel are all the critical sub-systems within a Microsoft PC or Server. Shadow has the ability to perform an analysis on a Microsoft computer, assign a unique ID to each specific executable, including all compiled binary files and O/S scripts, (.bat, .vbs, .js, etc.), and will authenticate each executable and script before it is allowed to execute. Shadow also continuously cycles all of the internal hard drives, continuously analyzing each authorized executable (binary and O/S script) to detect an unauthorized modification to any authorized compiled binary file and O/S script. Shadow will detect an unauthorized modification without the need for the executable payload to execute. Shadow will also detect new (unauthorized) executable payloads without the requirement for the payload to execute. Shadow also places a "secure environment" around all Microsoft admin tools, CMD.EXE and PowerShell.exe, when any of these utilities are executing.

IMMEDIATE RECOMMENDATION
------------------------

1) Immediately block the following IP Addresses within your network firewall(s) (This is a temporary fix since these IP addresses will change on a high frequency):

121.18.13.107 <-- Most Dangerous Attack
221.209.110.50
116.18.161.55
219.148.119.2
221.208.208.3

2) If Shadow is not installed on a Microsoft server, turn off (disable) java scripting immediately.

IP ADDRESSES DETECTED

The detailed information on each IP address is below.

---- China, Mudanjiang --------
IP Address : 221.209.110.50 [ 221.209.110.50 ]
ISP : CNCGROUP Heilongjiang province network
Organization : Mudanjiang Internet Division
Location : CN, China
City : Mudanjiang, 08 -
Latitude : 44°58'33" North
Longitude : 129°60'00" East

---- China, Guangzhou ---------
IP Address : 116.18.161.55 [ 116.18.161.55 ]
ISP : -
Organization : ChinaNet Guangdong Province Network
Location : CN, China
City : Guangzhou, 30 -
Latitude : 23°11'67" North
Longitude : 113°25'00" East

---- China, Beijing -----------
IP Address : 219.148.119.2 [ 219.148.119.2 ]
ISP : Data Communication Division
Organization : CHINANET hebei province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

----- China, Harbin -----------
IP Address : 221.208.208.3 [ 221.208.208.3 ]
ISP : CNCGROUP Heilongjiang province network
Organization : CNCGROUP Heilongjiang province network
Location : CN, China
City : Harbin, 08 -
Latitude : 45°75'00" North
Longitude : 126°65'00" East

----- China, Hebei -----------
IP Address : 121.18.13.107 [ 121.18.13.107 ]
ISP : -
Organization : CNC Group Hebei province network
Location : CN, China
City : Hebei, 10 -
Latitude : 39°88'97" North
Longitude : 115°27'50" East

----- China Beijing -------------------
IP Address : 125.76.238.164 [ 125.76.238.164 ]
ISP : CHINANET Shanxi(SN) province network
Organization : CHINANET Shanxi(SN) province network
Location : CN, China
City : Beijing, 22 -
Latitude : 39°92'89" North
Longitude : 116°38'83" East

---- China, Zhenjiang ------------------------
IP Address : 218.3.134.250 [ 218.3.134.250 ]
ISP : Data Communication Division
Organization : Network Center of Fast China Shipbuilding institut
Location : CN, China
City : Zhenjiang, 04 -
Latitude : 32°20'92" North
Longitude : 119°43'42" East

----- Korea, Seocho -----------
IP Address : 219.240.44.147 [ 219.240.44.147 ]
ISP : Hanaro Telecom Co.
Organization : Ilifezone
Location : KR, Korea, Republic of
City : Seocho, 11 -
Latitude : 37°48'33" North
Longitude : 127°01'67" East

------ Australia ------------
IP Address : 138.79.215.61 [ 138.79.215.61 ]
ISP : CPSOFT
Organization : CPSOFT
Location : AU, Australia
City : -, - -
Latitude : 27°00'00" South
Longitude : 133°00'00" East

----- Belgium Brussels ---------------
IP Address : 81.188.3.50 [ 81-188-3-50.sdsl.easynet.be ]
ISP : Easynet Belgium
Organization : Cypres
Location : BE, Belgium
City : Brussel, 11 -
Latitude : 50°83'33" North
Longitude : 4°33'33" East

----- Canada -------------------------
IP Address : 24.64.132.11 [ S010600095b0f1aa1.lb.shawcable.net ]
ISP : Shaw Communications
Organization : Shaw Communications
Location : CA, Canada
City : -, - -
Latitude : 60°00'00" North
Longitude : 95°00'00" West