[Dshield] Re: Dshield digest, Vol 1 #325 - 4 msgs

T C Lipe lipet at basf-corp.com
Thu Nov 8 18:48:04 GMT 2001


I have noticed some port scans from IPs not previously seen.
Is there an IP Table where I can quickly identify the origin of an IP
while off-line?




Send Dshield mailing list submissions to
     dshield at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
     http://www1.dshield.org/mailman/listinfo/dshield
or, via email, send a message with subject or body 'help' to
     dshield-request at dshield.org

You can reach the person managing the list at
     dshield-admin at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dshield digest..."


Today's Topics:

   1. RE: Re[2]: [Dshield] Re: ICMP destination unreachable (Rick Hayes)
   2. Re[2]: [Dshield] Re: ICMP destination unreachable (Johannes B. Ullrich)
   3. Re[2]: [Dshield] Spoofs (security at admin.fulgan.com)
   4. SSH Scans (Pieter-Bas IJdens)

--__--__--

Message: 1
From: "Rick Hayes" <rhayes at vicor-nb.com>
To: <dshield at dshield.org>
Subject: RE: Re[2]: [Dshield] Re: ICMP destination unreachable
Date: Wed, 7 Nov 2001 11:01:35 -0500
Reply-To: dshield at dshield.org


192.0.0.0 - 192.0.255.0 Internet Assigned Numbers Authority, CA
(RESERVED-2)
192.1.0.0 - 192.1.255.0 BBN Corporation, MA (NETBLK-BBN-CNETBLK)
192.2.0.0 - 192.2.255.0 BBN Corporation, MA (NETBLK-BBN-CNETBLK2)
192.3.0.0 - 192.3.255.0 BBN Corporation, MA (NETBLK-BBN-CNETBLK3)
192.4.0.0 - 192.4.255.0 Bell Communications Research, NJ
(NETBLK-BELLCORE-UNUSED)
[192.5]
192.6.0.0 - 192.6.255.0 Hewlett-Packard Company, CA (NETBLK-P-NETS)
192.7.0.0 - 192.7.255.0 ICL, Inc., NY (NETBLK-CCI-1)
192.8.0.0 - 192.8.255.0 Spartacus Computers Inc. (NETBLK-SPARTACUS)
192.9.0.0 - 192.9.255.0 Sun Microsystems, Inc.
192.10.0.0 - 192.10.255.0 Symbolics, Inc.
192.11.0.0 - 192.11.255.0 Lucent Technologies, IL
(NETBLK-LUCENT-192-11-51-C)
[192.12]
192.13.0.0 - 192.14.255.0 DoD Intel Information Systems, Washington DC
(NETBLK-DODIIS-SUBNETS)
192.15.0.0 - 192.15.255.0 World Access, Inc., CO (NETBLK-WORLDACCESS)
[192.16]
192.17.0.0 - 192.17.255.0 University of Illinois (NETBLK-UNIV-IL)
192.18.0.0 - 192.18.255.0 Sun Microsystems, Inc.
192.19.0.0 - 192.19.255.0 Lucent Technologies, IL
(NETBLK-LUCENT-192-19-255-C)
192.20.0.0 - 192.20.255.0 AT&T Bell Laboratories, OH
192.21.0.0 - 192.21.255.0 Formative Technologies, Inc., PA
(NETBLK-FORMATIVE)
192.22.0.0 - 192.22.255.0 Applicon Inc., MI (NETBLK-APPLICON)
192.23.0.0 - 192.23.255.0 Schlumberger Information Network (SINet), CO
(NETBLK-FACTNET)
192.24.0.0 - 192.24.255.0 Chromatics, Inc., GA (NETBLK-CHROMATICS)
192.25.0.0 - 192.25.255.0 Hewlett-Packard Company, CA (NETBLK-HP3)
[192.26]
192.27.0.0 - 192.27.255.0 Hughes Electronics (NETBLK-HAC-VLSI2)
[192.28]
192.29.0.0 - 192.29.255.0 Sun Microsystems, Inc., CA (NETBLK-SUN2)
192.30.0.0 - 192.30.255.0 Hewlett-Packard Company, CA (NETBLK-HP4)
[192.31]
192.32.0.0 - 192.32.255.0 Wellfleet Communications, Inc., MA
(NETBLK-WELLFLEET2)
[192.33]
192.34.0.0 - 192.34.255.0 Hewlett-Packard Company (NETBLK-HP5)
[192.35]
192.36.0.0 - 192.36.255.0 SUNET, Sweden (NET-SUNET5)
192.37.0.0 - 192.37.255.0 CIBA-GEIGY AS, Switzerland (NET-CGCH-NET)
192.38.0.0 - 192.38.255.0 Danish Computer Center for Research and
Education (NETBLK-DENET)
192.39.0.0 - 192.39.255.0 Unisys Corporation, PA
192.40.0.0 - 192.40.255.0 Hewlett-Packard Company, CA (NETBLK-HP6)
[192.41], [192.42], [192.43], [192.44]
192.45.0.0 - 192.45.255.0 TRW Space and Defense Sector, CA
(NETBLK-TRW-BLOCK)
192.46.0.0 - 192.46.255.0 Hewlett-Packard Company, CA (NETBLK-HP8)
[192.47], [192.48], [192.49]
192.50.0.0 - 192.50.255.0 Japan Network Information Center
(NETBLK-JAPANC-INET-BLOCK1)
[192.51], [192.52], [192.53], [192.54], [192.55]
192.56.0.0 - 192.56.255.255 Hewlett-Packard Company, CA (NETBLK-HP11)
192.57.0.0 - 192.57.255.255 EDS-NNAM, MI (NETBLK-EDS-BLOCK9)
[192.58]
192.59.0.0 - 192.63.255.0 UNISYS, PA (NETBLK-UNISYS-NET2)
192.64.0.0 - 192.64.255.0 Hewlett-Packard Company, CA (NETBLK-HP16)
[192.65]
192.66.0.0 - 192.66.255.0 Danish Network (NET-DKNET-CNET 1)
[192.67], [192.68]
192.69.0.0 - 192.69.255.0 Hewlett-Packard Company, CA (NETBLK-HPS)
[192.70]
192.71.0.0 - 192.71.255.0 SUNET, Sweden (NET-SUNET3)
[192.72], [192.73], [192.74], [192.75], [192.76], [192.77], [192.78]
192.79.0.0 - 192.79.255.0 Hughes Electronics, CA (NETBLK-EDEN2)
[192.80]
192.81.0.0 - 192.81.255.0 Hewlett-Packard Company, CA (NETBLK-HP19)
[192.82], [192.83], [192.84]
192.85.0.0 - 192.85.255.0 EDS Network Naming and Addressing Management
- EDS-NNAM (NETBLK-EDS-BLOCK10)
[192.86], [192.87], [192.88]
192.89.0.0 - 192.89.255.0 Telecom Finland (NETBLK-TELE-DATANET-192-)
192.90.0.0 - 192.90.255.0 Bull, MA (NETBLK-BULL)
[192.91], [192.92]
192.93.0.0 - 192.93.255.0 NIC France (NIC-FR)
[192.94]
192.95.65.0 Army, Product Manager, Acquisition Information Management,
VA (NET-BELVOIRNET1)
192.96.0.0 - 192.96.255.0 UNINET Project, South Africa
(NETBLK-UNINET-BLOCKC)
192.97.0.0 - 192.97.255.0 Kraft General Foods, Inc., IL
(NETBLK-KRAFT-C)
192.98.0.0 - 192.98.255.0 Tampere University of Technology, Finland
(NETBLK-FINLAND-CBLOCK)
[192.99 no record]
[192.100], [192.101], [192.102], [192.103], [192.104], [192.105],
[192.106], [192.107], [192.108]
192.109.0.0 - 192.109.255.0 DE-NIC, Germany (NET-UNIDOBLOCK)
[192.110], [192.111], [192.112]
192.113.0.0 - 192.113.255.0 Ideta b.v., Netherlands
(NETBLK-IDETA-CNETS)
192.114.0.0 - 192.118.255.0 Israeli Network Information Center
(NETBLK-ISRAELC-BLOCK)
192.119.1.0 Steven Bjork, Palo Alto, CA (NET-LOIHI)
192.120.1.0 - 192.120.192.0 Hewlett-Packard, CA (NETBLK-HP120)
192.121.0.0 - 192.121.255.0 SUNET, Sweden (NET-SUNET4)
[192.122]
192.123.0.0 - 192.123.255.0 Kraft General Foods, Inc., IL
(NETBLK-KGF-CNETS)
[192.124]
192.125.0.0 - 192.125.255.0 Hartmann & Braun AG, Germany
(NETBLK-HARTMANN)
[192.126]
192.127.0.0 - 192.127.255.0 NCR Corporation WTC-1, OH
(NETBLK-NCRWIN-C)
192.128.0.0 - 192.128.255.0 AT&T ITS, FL (NETBLK-ATT-INET1)
[192.129]
192.130.0.0 - 192.130.255.0 Telecom Finland
(NETBLK-TELE-DATANET-192-3)
[192.131], [192.132], [192.133]
192.134.0.0 - 192.134.255.0 NIC - France (NIC-2-FR)
[192.135], [192.136]
192.137.0.0 - 192.137.255.0 Hewlett-Packard Company (NETBLK-HP-BLOCK)
[192.138], [192.139]
192.140.1.0 - 192.145.230.0 France Telecom (NETBLK-FRANCETEL)
[192.146], [192.147], [192.148], [192.149], [192.150], [192.151],
[192.152], [192.153], [192.154], [192.155], [192.156], [192.157],
[192.160], [192.161]
192.162.0.0 - 192.162.255.0 European Regional Internet Registry/RIPE
NCC (NETBLK-EUNET-C)
[192.163]
192.164.0.0 - 192.167.255.0 European Regional Internet Registry/RIPE
NCC (NETBLK-RIPE-NCC):
192.164.0.0 - 192.164.255.0 Unix User Group Austria (NET-AT-ZZ-192-)
192.165.0.0 - 192.165.255.0 SUNET, Sweden (NET-SUNET2)
192.166.0.0 - 192.166.255.0 Last Resort Local Registry, Germany
(NET-DE-ZZ)
192.167.0.0 - 192.167.255.0 GARR-NIS/CNUCE Instituto del CNR, Italy
(NET-GARR-NIS)
192.168.0.0 - 192.168.255.0 Internet Assigned Numbers Authority, CA
(IANA-CBLK-RESERVED) - reserved for private internet use (see RFC
1918)
[192.169], [192.170], [192.171], [192.172], [192.173], [192.174],
[192.175], [192.176]
192.176.0.0 - 192.176.255.0 Royal Institute of Technology - SUNET,
Sweden (NETBLK-SUNET-C)
[192.177 - 192.186 no record]
192.184.4.0 Bull HN Information Systems, Inc., MN (NET-BULLMINNNET)
[192.187], [192.188], [192.189], [192.190]
192.191.0.0 - 192.191.255.0 Automatic Data Processing, Inc., OR
(NETBLK-ADP-C)
192.192.0.0 - 192.192.255.0 Ministry of Education Computer Center,
Republic of China (NETBLK-TANET-C)
192.193.0.0 - 192.193.255.0 Citicorp Global Information Network, NY
(NETBLK-CITICORP-C)
192.194.0.0 - 192.194.255.0 Telecom Finland
(NETBLK-TELE-DATANET-192-2)
[192.195]
192.196.1.0 - 192.196.155.0 EDF-GDF (Electricite de France)
(NETBLK-EDF-C)
[192.197], [192.198], [192.199], [192.200]
192.201.0.0 - 192.201.255.0 MCI Telecommunications Corporation, TX
(NETBLK-MCI-TEXAS)
192.202.0.0 - 192.202.255.0 U.S. STRATEGIC COMMAND, OFFUTT AFB, NE
(NETBLK-STRATCOM)
[192.203]
192.204.0.0 - 192.204.255.0 PREPnet, PA (NETBLK-PREPNET-C)
192.205.0.0 - 192.205.255.0 AT&T Data Communications Services, NJ
(NETBLK-ATT)
[192.206], [192.207], [192.208], [192.209], [192.210]
192.212.0.0 - 192.214.96.0 Southern California Edison (NETBLK-SCE)
192.215.0.0 - 192.215.255.0 CERFnet, CA (NETBLK-TBLK-CERFNET)
192.216.0.0 - 192.216.255.0 BBN BARRNET, Inc., CA
(NETBLK-TBLK-BARRNET)
192.217.0.0 - 192.217.255.0 CICNet, Inc., MI
(NETBLK-TBLK-CICNET-BLOCK)
192.218.0.0 - 192.218.255.0 Japan Network Information Center
(NETBLK-TBLK-JAPAN-INET)
192.219.0.0 - 192.219.255.0 Canadian Research Network
(NETBLK-TBLK-CANET)
192.220.0.0 - 192.220.255.0 NorthWestNet, WA (NETBLK-ETBLK-NWNET)
192.221.0.0 - 192.221.255.0 SURAnet, MD (NETBLK-TBLK-SURA-SUB-PRJ)
[192.222], [192.223]
192.224.0.0 - 192.224.255.0 ADP Dealer Services Group, IL
(NETBLK-BLK-CADP)
[192.225], [192.226], [192.227], [192.228], [192.229], [192.230],
[192.231], [192.232]
192.233.0.0 - 192.233.255.0 NEARNET/Bolt Beranek and Newman, Inc.
(NETBLK-TBLK-NEARNET-C)
[192.234], [192.235], [192.236], [192.237], [192.238]
192.239.0.0 - 192.239.255.0 SURAnet, MD (NETBLK-TBLK-SURA-NEW-NET)
[192.240], [192.241]
192.242.0.0 - 192.242.255.0 Vortech Data, Inc., TX (NETBLK-VORTECH)
[192.243]
192.244.0.0 - 192.244.255.0 Japan Network Information Center
(NETBLK-TBLK-JAPAN-INET-C)
[192.245]
192.246.0.0 - 192.246.255.255 Performance Systems International, Inc.
(NETBLK-TBLK-PSINET-C2)
[192.247]
192.248.0.0 - 192.248.127.0 Lanka Educational, Academic and Research
Network, University of Moratuwa, S (NETBLK-LEARN)
192.248.128.0 - 192.248.255.0 City of Riverside, CA (NETBLK-RIVCTY)
[192.249], [192.250], [192.251], [192.252]
192.253.1.0 - 192.253.200.0 ARPA DSI JPO, VA (NETBLK-DSI-TOXIC-BLOCK4)
[192.254]

For more information see: http://www.ipindex.net/c/indexc.html

-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
Behalf Of security at admin.fulgan.com
Sent: Wednesday, November 07, 2001 8:24 AM
To: Maarten Ruigrok
Subject: Re[2]: [Dshield] Re: ICMP destination unreachable


MR> Not to be a bother but I read somewhere that 192.x.x.x was used in
MR> Europe. And that I think it is since I surfed on sites starting with
MR> 192 it is in use, I am from Europe. I cannot produce any sites on
MR> top of my head however (I like using DNS ;-). IF this range is
MR> assigned to europe then it is not covered by IANA but by RIPE.
MR> (whois.ripe.net I believe). I cannot whois from this place but if
MR> someone could it may give you an answer.

Here is what I got from a recursive WhoIs query:

C:\bin>ipchk 192.0.0.1
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      0.0.0.0 - 255.255.255.255
netname:      IANA-BLK
descr:        The whole IPv4 address space
country:      NL
admin-c:      IANA1-RIPE
tech-c:       IANA1-RIPE
status:       ALLOCATED UNSPECIFIED
remarks:      The country is really worldwide.
remarks:      This address space is assigned at various other places in
remarks:      the world and might therefore not be in the RIPE database.
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    RIPE-NCC-HM-MNT
mnt-routes:   RIPE-NCC-NONE-MNT
changed:      bitbucket at ripe.net 20010529
source:       RIPE


After some intensive testing (i.e. trying a few addresses at random),
I was able to find several domains registered in the 192.* range. Here's
one:


Symbolics, Inc. (NETBLK-SYMBOLICS1)
   c/o Ropes & Gray (Attn C.I.
   Armistead)
   Boston, MA 02110-2624
   US

   Netname: SYMBOLICS1
   Netblock: 192.10.0.0 - 192.10.255.255

   Coordinator:
      Schmidt, David  (DS1781-ARIN)  dkschmidt at compuserve.com
      703-455-0430 (FAX) 703-440-0388

   Record last updated on 16-Apr-2001.
   Database last updated on 7-Nov-2001 03:07:45 EDT.


Good luck,
Stephane

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield

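An offline lookup over a pasted table like the one above, as an added example (not code from the original post or from DShield): it parses the "first - last owner (handle)" lines, skips the [192.x] placeholders, widens a range end written as x.y.z.0 to the whole /24, and answers the question at the top of the thread for a given address. The TABLE excerpt is a constructed sample of the format, and parse_table/lookup are hypothetical helper names.

```python
import bisect
import ipaddress
import re

# Constructed excerpt in the same "first - last owner (handle)" layout as the
# table above; a few entries only, and the registry data dates from 2001.
TABLE = """\
192.0.0.0 - 192.0.255.0 Internet Assigned Numbers Authority, CA (RESERVED-2)
192.1.0.0 - 192.1.255.0 BBN Corporation, MA (NETBLK-BBN-CNETBLK)
[192.5]
192.13.0.0 - 192.14.255.0 DoD Intel Information Systems, Washington DC (NETBLK-DODIIS-SUBNETS)
192.56.0.0 - 192.56.255.255 Hewlett-Packard Company, CA (NETBLK-HP11)
192.119.1.0 Steven Bjork, Palo Alto, CA (NET-LOIHI)
192.168.0.0 - 192.168.255.0 Internet Assigned Numbers Authority, CA (IANA-CBLK-RESERVED)
"""

# Either "a.b.c.d - e.f.g.h owner" or a lone network "a.b.c.0 owner".
LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\s*-\s*(\d+\.\d+\.\d+\.\d+))?\s+(.+)$")

def parse_table(text):
    """Return (first, last, owner) tuples sorted by first address.
    "[192.x]" placeholder lines (no record) are skipped, and a range end
    written as x.y.z.0 is widened to x.y.z.255 so the whole last /24 matches."""
    ranges = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2) or m.group(1))
        if int(last) & 0xFF == 0:          # ".0" end means the whole /24
            last += 255
        ranges.append((first, last, m.group(3).strip()))
    return sorted(ranges)

def lookup(ranges, ip):
    """Binary-search the sorted ranges; return the owner string or None."""
    ip = ipaddress.IPv4Address(ip)
    firsts = [r[0] for r in ranges]
    i = bisect.bisect_right(firsts, ip) - 1
    if i >= 0 and ranges[i][0] <= ip <= ranges[i][1]:
        return ranges[i][2]
    return None

if __name__ == "__main__":
    table = parse_table(TABLE)
    for probe in ("192.14.7.3", "192.5.1.1", "192.119.1.200", "10.1.1.1"):
        print(probe, "->", lookup(table, probe))
```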


--__--__--

Message: 2
Date: Wed, 7 Nov 2001 11:18:39 -0500 (EST)
From: "Johannes B. Ullrich" <jullrich at euclidian.com>
To: Maarten Ruigrok <dshield at dshield.org>
Subject: Re[2]: [Dshield] Re: ICMP destination unreachable
Reply-To: dshield at dshield.org



Quick note about this: RIPE always returns 0.0.0.0-255.255.255.255
for addresses assigned by APNIC and ARIN. The 'best' (?) way to do a
recursive whois query is to use ARIN first. It will tell you which
other registry is responsible if they are not.

> Here is what I got from a recursive WhoIs query:
> C:\bin>ipchk 192.0.0.1
> % This is the RIPE Whois server.

> inetnum:      0.0.0.0 - 255.255.255.255
> netname:      IANA-BLK
> descr:        The whole IPv4 address space

--
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

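The ARIN-first walk Johannes describes, written up as an added example (not code from the original post or from DShield): it follows ARIN's ReferralServer lines to the responsible registry and flags RIPE's 0.0.0.0 - 255.255.255.255 catch-all so it is not mistaken for a real allocation. The SAMPLE replies are constructed, whois_raw/recursive_whois are hypothetical names, and only whois_raw touches the network.

```python
import re
import socket

ARIN = "whois.arin.net"                    # start here, as suggested above
CATCH_ALL = "0.0.0.0 - 255.255.255.255"    # RIPE's IANA-BLK placeholder object
# ARIN names the responsible registry in a line such as
# "ReferralServer: whois://whois.ripe.net"; scheme and port are optional.
REFERRAL_RE = re.compile(r"^ReferralServer:\s*(?:r?whois://)?([\w.-]+)", re.M)

def whois_raw(server, query, port=43, timeout=10):
    """One plain port-43 query; returns the reply text (needs network)."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode())
        return s.makefile("rb").read().decode("utf-8", "replace")

def is_catch_all(reply):
    """True if the reply only describes the whole IPv4 space (IANA-BLK)."""
    return any(ln.lower().startswith("inetnum:") and CATCH_ALL in ln
               for ln in reply.splitlines())

def referral_server(reply):
    """Hostname named in a ReferralServer line, or None."""
    m = REFERRAL_RE.search(reply)
    return m.group(1) if m else None

def recursive_whois(ip, start=ARIN, fetch=whois_raw, max_hops=3):
    """Query start, follow referrals; return (server, reply, catch_all_flag).
    The flag lets the caller tell "not in this registry" from a real record."""
    server = start
    for _ in range(max_hops):
        reply = fetch(server, ip)
        nxt = referral_server(reply)
        if not nxt or nxt == server:
            break
        server = nxt
    return server, reply, is_catch_all(reply)

# Constructed replies (hypothetical text, not real registry output) so the
# walk can run offline via fetch=lambda s, q: SAMPLE[s].
SAMPLE = {
    "whois.arin.net": "NetRange:       192.36.0.0 - 192.36.255.255\n"
                      "ReferralServer: whois://whois.ripe.net\n",
    "whois.ripe.net": "inetnum:        192.36.0.0 - 192.36.255.255\n"
                      "netname:        SUNET\n",
}

if __name__ == "__main__":
    print(recursive_whois("192.36.1.1", fetch=lambda s, q: SAMPLE[s]))
```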


--__--__--

Message: 3
Date: Thu, 8 Nov 2001 11:02:59 +0100
From: security at admin.fulgan.com
Organization: fulgan.com
To: "L. Fung" <dshield at dshield.org>
Subject: Re[2]: [Dshield] Spoofs
Reply-To: dshield at dshield.org

LF> Stephane,

LF> RE:  In any case, you should try to catch the outgoing
>> SYN packet: it will
>> tell you what protocol is concerned and you'll be
>> able to act on that.
>>
LF> Could you tell how I can act once I know the protocol?

Well, it really depends on what the SYN will tell you. Basically, you
have two choices: ban the guilty application by closing its outgoing
port (the target port in the SYN packet) or try to work out a behavior
rule for the application, if it can be applied (some applications
allow you to specify that you're behind a NAT router and will stop
sending internal addresses).

Another thing you can do is to filter packets to private IP ranges at
your router: that way, they won't reach the external network.
Depending on how your router's filter behaves, you might still get the
network unreachable packets, but only from your own router.


Good luck,
Stephane
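Added example (not from the original post or from DShield) of the triage Stephane describes: run over a few constructed outbound-SYN log lines, it keeps the TCP SYNs whose destination is in RFC 1918 space and tallies the target port per internal host, which is the port to close or reconfigure on that machine. The KEY=VALUE log format and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Destinations that must never leave the site: the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed outbound-SYN log lines in a simple KEY=VALUE layout
# (hypothetical format; not taken from the original post).
LOG = """\
Nov  8 10:01:02 gw OUT=ppp0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=3120 DPT=445 SYN
Nov  8 10:01:03 gw OUT=ppp0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=3121 DPT=139 SYN
Nov  8 10:01:04 gw OUT=ppp0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=3122 DPT=80 SYN
Nov  8 10:01:05 gw OUT=ppp0 SRC=10.0.0.9 DST=172.16.4.4 PROTO=TCP SPT=1040 DPT=445 SYN
Nov  8 10:01:06 gw OUT=ppp0 SRC=10.0.0.9 DST=172.16.4.4 PROTO=TCP SPT=1041 DPT=445 SYN
Nov  8 10:01:07 gw OUT=ppp0 SRC=10.0.0.9 DST=172.16.4.4 PROTO=UDP SPT=1042 DPT=137
"""

def parse_line(line):
    """Split a log line into a dict of KEY=VALUE fields plus a 'SYN' flag."""
    tokens = line.split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)
    fields["SYN"] = "SYN" in tokens
    return fields

def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16 only (not every 'special' range)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def leaked_syns(log):
    """Outbound TCP SYNs whose destination is private: (src, dst, dport)."""
    hits = []
    for line in log.splitlines():
        f = parse_line(line)
        if f.get("PROTO") == "TCP" and f["SYN"] and is_rfc1918(f["DST"]):
            hits.append((f["SRC"], f["DST"], int(f["DPT"])))
    return hits

def ports_by_host(log):
    """Count leaking (src, dport) pairs: the target port in the SYN is what
    you would close or reconfigure on that host, as the reply above suggests."""
    return Counter((src, dport) for src, _, dport in leaked_syns(log))

if __name__ == "__main__":
    for (src, dport), n in ports_by_host(LOG).most_common():
        print(f"{src} -> tcp/{dport}: {n} SYN(s) to private address space")
```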


--__--__--

Message: 4
From: "Pieter-Bas IJdens" <pbijdens at emea.mi4.org.uk>
To: <dshield at dshield.org>
Date: Thu, 8 Nov 2001 14:45:26 +0100
Subject: [Dshield] SSH Scans
Reply-To: dshield at dshield.org

Hello,

The last couple of days I have seen an increasing amount of ssh version
scans on our servers.

When I check these, they all seem to originate from systems running
SSH-1.99-OpenSSH_2.1.1 [apparently some exploit in that version is abused].
Contacting the admins of these systems has confirmed these were compromised.

Am I the only one to notice this increase [i.e. is it incidental and pure
coincidence] or is some kind of worm suddenly active (again)?

  Pieter-Bas





--__--__--



End of Dshield Digest