Page 1 of 7
Results 1 to 10 of 66

Thread: Serious Offshore Attacks from China

  1. #1
    Member The_Denv's Avatar
    Join Date
    Nov 2006
    Posts
    364

    Default Serious Offshore Attacks from China

    I was looking at the packets coming in and out of my network in Wireshark and found that my network is constantly under attack from:
    121.18.13.107 - CNC Group Hebei province network - Hebei

    I Googled the IP and found a few websites, including an article from SecLists/Nmap describing this IP in particular. 'Serious Offshore Probes' is the subject of this matter. The dates for this IP address go back to Autumn 2007, and it is still probing to this present day.

    I don't care if it's a zombie; somehow/someway this needs to be addressed. It also needs to be legally ceased, or some network security guy is going to get completely pissed off at these constant attacks that try to install remote access JavaScripts onto the victim's computer. Well, at this current time this IP is attacking the entire British Telecom customer IP range, as I have just verified by phoning my friend and asking him to log his packets to see if he got anything... and he did.

    My friend took the liberty of port scanning this IP. I told him not to because I do not want anything coming back to hit me in the face. I'm not sure whether to paste this port scan my friend did, but here it is:

    Code:
    Interesting ports on 121.18.13.107:
    Not shown: 1683 closed ports
    PORT     STATE    SERVICE        VERSION
    6/tcp    open     tcpwrapped
    80/tcp   open     http           Microsoft IIS webserver 6.0
    135/tcp  filtered msrpc
    136/tcp  filtered profile
    137/tcp  filtered netbios-ns
    138/tcp  filtered netbios-dgm
    161/tcp  filtered snmp
    593/tcp  filtered http-rpc-epmap
    1025/tcp open     msrpc          Microsoft Windows RPC
    1433/tcp open     ms-sql-s?
    3389/tcp open     microsoft-rdp  Microsoft Terminal Service
    4444/tcp filtered krb524
    5800/tcp filtered vnc-http
    5900/tcp filtered vnc
    No OS matches for host
    Service Info: OS: Windows
    *Neither this forum/website nor I take responsibility for my friend's actions*

    Any opinions on this 'severe' offshore attack on the entire IP range of BT [British Telecom]? I'm thinking of reporting this to my ISP.

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Reporting to your ISP will do nothing.

    The best thing you can do, if you will never do any business with the Pacific Rim, is to drop all packets from their subnets at the router. Just route all traffic from them to null.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Member The_Denv's Avatar
    Join Date
    Nov 2006
    Posts
    364

    Default

    Wow, what a fast reply streaker69, you're on the ball today man

    I tried to do so. My router [2Wire 2700HG] has very few options for its firewall. I looked for the settings to do so, read the entire manual and even emailed support@2wire and never got a response.

    I take it that if I can't customize the firewall settings on my router to block the addresses... I'm screwed?

    Yeah... you're completely correct about my ISP, and any ISP for that matter; they never do anything. Service at its best, eh streaker? lol

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by The_Denv:
    Wow, what a fast reply streaker69, you're on the ball today man

    I tried to do so. My router [2Wire 2700HG] has very few options for its firewall. I looked for the settings to do so, read the entire manual and even emailed support@2wire and never got a response.

    I take it that if I can't customize the firewall settings on my router to block the addresses... I'm screwed?

    Yeah... you're completely correct about my ISP, and any ISP for that matter; they never do anything. Service at its best, eh streaker? lol
    Probably not much you can do with that. That's why I'm really picky when it comes to routers. I only buy Ciscos.

    I've had good luck with ISPs in reporting attacks that come from their own country. Like if I see an attack from the UK, I'll report it to the ISP that it came from. But there's no sense in reporting anything to an ISP in the PRC. They couldn't give a rat's ass for dinner about reports.

    I'd suggest you set up Snort on your site so you can really see what kinds of attacks you're getting. It will be a real eye opener.

  5. #5
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Let me guess... 99% of the Chinese crap is on ports 1026 / 1027?
    dd if=/dev/swc666 of=/dev/wyze

  6. #6
    Member The_Denv's Avatar
    Join Date
    Nov 2006
    Posts
    364

    Default

    Quote Originally Posted by streaker69:
    Probably not much you can do with that. That's why I'm really picky when it comes to routers. I only buy Ciscos.

    I've had good luck with ISPs in reporting attacks that come from their own country. Like if I see an attack from the UK, I'll report it to the ISP that it came from. But there's no sense in reporting anything to an ISP in the PRC. They couldn't give a rat's ass for dinner about reports.

    I'd suggest you set up Snort on your site so you can really see what kinds of attacks you're getting. It will be a real eye opener.
    Roger Wilco, that's a date... I'm going to buy a Cisco router as soon as I get the chance. Yeah, you're correct about the PRC; I wouldn't waste my VoIP credits on them even if I was made to. I will set up Snort now to see what happens; I've never done that before, never needed to... I guess I was ignorant in the past and just used Wireshark. Thanks for the tip streaker, your knowledge is wide and always appreciated.

  7. #7
    Member
    Join Date
    Dec 2007
    Location
    @InterN0T
    Posts
    315

    Default

    If you have big problems with a range, I suggest blocking that range either via the firewall or a .htaccess script. (.htaccess scripts will only protect the HTTP service though.)

    You can also, as streaker69 said, route them to null.

    I also suggest you might have to set up your iptables another way, such as e.g. mirroring malicious packets (if your server kernel supports that), or maybe just rejecting them or dropping the packets. It's all up to what your kernel supports, and also what you think would be the best to do.

    Another good idea is to think: what services do you need to have externally? If you only need the Apache server externally, I suggest you only have that externally. If you need more, e.g. Plesk, I suggest moving that higher up to a non-default port, and at a much higher port, or to another one, just to confuse the attackers.

    Another way to get more secure is to set up your Apache configuration in a way which wouldn't allow bigger malicious things. Well, I could go on forever I bet, but let's keep it simple.

    I hope you get it sorted out.
    "I realized that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe
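The two pieces of advice in the thread so far, "drop the whole range at the firewall" and "route them to null", are shown below as a small script that turns a list of CIDR ranges into collapsed, validated prefixes and renders the iptables, ipset and blackhole-route commands for a Linux host or router. This is an added example, not code from any poster. The /16 it blocks is an assumption made for illustration only: the thread gives the single address 121.18.13.107 and its owner, not the size of the allocation, so look the real range up (`whois 121.18.13.107`, which resolves through APNIC) before blocking anything this wide. The commands are rendered as strings rather than executed, so the script is safe to run anywhere.

```python
"""Turn a list of source ranges into firewall/null-route commands.

Added example, not from the thread. BLOCK_RANGES is a constructed list:
121.18.0.0/16 is an ASSUMED size for the CNC Group Hebei allocation that
contains 121.18.13.107; replace it with what whois actually reports.
The redundant /24 is included on purpose to show prefix collapsing.
"""
import ipaddress

BLOCK_RANGES = ["121.18.0.0/16", "121.18.13.0/24"]   # constructed, see above


def build_blocklist(ranges):
    """Parse CIDR strings strictly and collapse overlapping/adjacent prefixes.

    strict=True rejects things like 121.18.13.107/16 (host bits set), which
    is the usual typo that silently blocks the wrong range.
    """
    nets = [ipaddress.ip_network(r, strict=True) for r in ranges]
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, blocklist):
    """True if the address falls inside any prefix on the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def render_iptables(blocklist, chain="INPUT", target="DROP"):
    """One INPUT rule per prefix. DROP is silent; REJECT answers the sender,
    which tells a scanner the host is alive, so DROP is the default here."""
    return [f"iptables -I {chain} -s {net.with_prefixlen} -j {target}"
            for net in blocklist]


def render_ipset(blocklist, setname="blocked", chain="INPUT"):
    """For long lists a hash:net set keeps the rule count at one."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {net.with_prefixlen} -exist" for net in blocklist]
    cmds.append(f"iptables -I {chain} -m set --match-set {setname} src -j DROP")
    return cmds


def render_blackhole(blocklist):
    """streaker69's 'route to null'. On its own this only stops *replies*
    leaving the box; inbound packets still arrive. With strict reverse-path
    filtering (rp_filter=1) the kernel also discards inbound packets whose
    source has no valid route back, otherwise pair it with the DROP rule."""
    return [f"ip route add blackhole {net.with_prefixlen}" for net in blocklist]


if __name__ == "__main__":
    bl = build_blocklist(BLOCK_RANGES)
    print("collapsed prefixes:", [str(n) for n in bl])
    print("121.18.13.107 blocked:", is_blocked("121.18.13.107", bl))
    print("198.51.100.7 blocked:", is_blocked("198.51.100.7", bl))
    for cmd in render_iptables(bl) + render_ipset(bl) + render_blackhole(bl):
        print(cmd)
```

Run it, check the collapsed prefixes match what whois reported, and only then paste the rendered commands into a root shell; keep them in a boot script (or `iptables-save`) or they are gone after the next reboot.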

  8. #8
    Member The_Denv's Avatar
    Join Date
    Nov 2006
    Posts
    364

    Default

    Quote Originally Posted by swc666:
    Let me guess... 99% of the Chinese crap is on ports 1026 / 1027?
    It appears that 121.18.13.107 is sending its packets from Port:12200 and sending 3 separate packets. The first packet goes to Port:7212, the second packet goes to Port:7788 and the third to Port:9788. The packets are RST [Reset] and ACK [Acknowledgments], but they = '0', so it looks like my firewall didn't accept them, I think/hope.

    Quote Originally Posted by MaXe Legend:
    If you have big problems with a range, I suggest blocking that range either via the firewall or a .htaccess script. (.htaccess scripts will only protect the HTTP service though.)

    You can also, as streaker69 said, route them to null.

    I also suggest you might have to set up your iptables another way, such as e.g. mirroring malicious packets (if your server kernel supports that), or maybe just rejecting them or dropping the packets. It's all up to what your kernel supports, and also what you think would be the best to do.

    Another good idea is to think: what services do you need to have externally? If you only need the Apache server externally, I suggest you only have that externally. If you need more, e.g. Plesk, I suggest moving that higher up to a non-default port, and at a much higher port, or to another one, just to confuse the attackers.

    Another way to get more secure is to set up your Apache configuration in a way which wouldn't allow bigger malicious things. Well, I could go on forever I bet, but let's keep it simple.

    I hope you get it sorted out.
    I don't have Apache; it's my home router being attacked, and I only have one client nowadays, running BackTrack/XP with no hosting services running. No ports are open on my computer, and the only port that has filtering on it is FTP/21. I have never been attacked via port 21 before.

    Yeah, I think the best option is to buy a good Cisco router, one that I can configure and control quite well. Also, after this post I'm going to install Snort again. I ran it whilst running a Live DVD version of B|T3b and it ate the memory after I configured the 'conf' file, so it looks like I'm going to have to take a few GBs off this laptop onto DVD, then transfer my 4GB datastick's data onto the laptop, then create a USB bootable version of B|T3b.

    I'll post the snort results as soon as I do the above.

  9. #9
    Developer balding_parrot's Avatar
    Join Date
    May 2007
    Posts
    3,399

    Default

    I guess this is another IP added to the route to null on all ports.

  10. #10
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by The_Denv:
    It appears that 121.18.13.107 is sending its packets from Port:12200 and sending 3 separate packets. The first packet goes to Port:7212, the second packet goes to Port:7788 and the third to Port:9788. The packets are RST [Reset] and ACK [Acknowledgments], but they = '0', so it looks like my firewall didn't accept them, I think/hope.
    Probably trying to finger your OS, as each will respond in unique ways to traffic such as that.

    Quote Originally Posted by The_Denv:
    the only port that has filtering on it is FTP/21. I have never been attacked via port 21 before.
    A good hardware firewall or IDS log will show you otherwise.
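The_Denv is reading this off Wireshark by eye; the script below does the same triage over a capture mechanically, which is the step between "I saw something in Wireshark" and the Snort setup streaker69 recommends. It is an added example, not code from any poster. It reads a tab-separated `tshark -T fields` export (assumed format: epoch time, ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.flags), remembers every connection the monitored host itself opened (a SYN without ACK leaving it), and reports any remote source whose segments do not belong to one of those connections and touch two or more ports. The sample lines are constructed to mirror the probe described in the thread, 121.18.13.107:12200 sending RST/ACK to 7212, 7788 and 9788, plus one ordinary web fetch so the legitimate reply traffic, including its closing RST/ACK, is seen to pass. The monitored host address 192.0.2.50 and the web server 192.0.2.10 are RFC 5737 documentation addresses chosen for the example.

```python
"""Flag unsolicited TCP segments in a tshark field export.

Added example, not from the thread. Expected input is the output of
  tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e tcp.srcport \
        -e ip.dst -e tcp.dstport -e tcp.flags
(tab separated, one segment per line). SAMPLE_EXPORT below is constructed.
"""
from collections import defaultdict

OUR_HOST = "192.0.2.50"   # assumed address of the monitored client (RFC 5737)

TCP_FLAG_NAMES = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"),
                  (0x008, "PSH"), (0x010, "ACK"), (0x020, "URG")]
TCP_SYN, TCP_ACK = 0x002, 0x010

# Constructed sample: one normal HTTP fetch to 192.0.2.10, then the three
# RST/ACK probes described in the thread, then the web server's own RST/ACK
# teardown, which must NOT be reported because we opened that connection.
SAMPLE_EXPORT = (
    "1200000000.10\t192.0.2.50\t49152\t192.0.2.10\t80\t0x0002\n"
    "1200000000.15\t192.0.2.10\t80\t192.0.2.50\t49152\t0x0012\n"
    "1200000000.20\t121.18.13.107\t12200\t192.0.2.50\t7212\t0x0014\n"
    "1200000000.21\t121.18.13.107\t12200\t192.0.2.50\t7788\t0x0014\n"
    "1200000000.22\t121.18.13.107\t12200\t192.0.2.50\t9788\t0x0014\n"
    "1200000000.30\t192.0.2.10\t80\t192.0.2.50\t49152\t0x0014\n"
)


def describe_flags(flags):
    """0x014 -> 'RST,ACK'. Works for the 0x0014 / 0x00000014 tshark spellings."""
    return ",".join(name for bit, name in TCP_FLAG_NAMES if flags & bit) or "none"


def parse_line(line):
    t, src, sport, dst, dport, flags = line.rstrip("\n").split("\t")
    return {"time": float(t), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": int(flags, 16)}


def find_probes(export_text, our_host=OUR_HOST, min_ports=2):
    """Return {remote_ip: {"ports": [...], "flags": [...]}} for sources that
    hit >= min_ports distinct local ports with segments we did not solicit.

    'Solicited' means the 4-tuple mirrors a connection our_host opened with
    a bare SYN earlier in the capture. A RST/ACK (or anything else) arriving
    for a port with no such connection is exactly the stack-fingerprinting
    traffic swc666 describes: the interesting part is how the OS answers it.
    """
    opened = set()            # (remote_ip, remote_port, local_port) we initiated
    hits = defaultdict(lambda: {"ports": set(), "flags": set()})
    for line in export_text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        if p["src"] == our_host:
            if p["flags"] & TCP_SYN and not p["flags"] & TCP_ACK:
                opened.add((p["dst"], p["dport"], p["sport"]))
            continue
        if p["dst"] != our_host:
            continue
        if (p["src"], p["sport"], p["dport"]) in opened:
            continue          # reply on a connection we opened ourselves
        hits[p["src"]]["ports"].add(p["dport"])
        hits[p["src"]]["flags"].add(describe_flags(p["flags"]))
    return {src: {"ports": sorted(v["ports"]), "flags": sorted(v["flags"])}
            for src, v in hits.items() if len(v["ports"]) >= min_ports}


if __name__ == "__main__":
    for src, info in find_probes(SAMPLE_EXPORT).items():
        print(f"{src}: unsolicited {'/'.join(info['flags'])} to ports {info['ports']}")
```

Export a real capture with the tshark command in the docstring, feed the file's contents to `find_probes`, and hand the reported sources to the block-list script. A source that only ever shows up with `ACK` or `RST,ACK` to closed ports and never a `SYN` is probing, not connecting, whatever the router's log says about "no ports open".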
