[Dshield] Re: Dshield digest, Vol 1 #325 - 4 msgs

T C Lipe lipet at basf-corp.com
Thu Nov 8 18:48:04 GMT 2001

I have noticed some port scans from IPs not previously seen.
Is there an IP Table where I can quickly identify the origin of an IP
while off-line?

Send Dshield mailing list submissions to
     dshield at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
     dshield-request at dshield.org

You can reach the person managing the list at
     dshield-admin at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dshield digest..."

Today's Topics:

   1. RE: Re[2]: [Dshield] Re: ICMP destination unreachable (Rick Hayes)
   2. Re[2]: [Dshield] Re: ICMP destination unreachable (Johannes B. Ullrich)
   3. Re[2]: [Dshield] Spoofs (security at admin.fulgan.com)
   4. SSH Scans (Pieter-Bas IJdens)


Message: 1
From: "Rick Hayes" <rhayes at vicor-nb.com>
To: <dshield at dshield.org>
Subject: RE: Re[2]: [Dshield] Re: ICMP destination unreachable
Date: Wed, 7 Nov 2001 11:01:35 -0500
Reply-To: dshield at dshield.org

Hash: SHA1

- Internet Assigned Numbers Authority, CA
(RESERVED-2) - BBN Corporation, MA (NETBLK-BBN-CNETBLK) - BBN Corporation, MA (NETBLK-BBN-CNETBLK2) - BBN Corporation, MA (NETBLK-BBN-CNETBLK3) - Bell Communications Research, NJ
[192.5] - Hewlett-Packard Company, CA (NETBLK-P-NETS) - ICL, Inc., NY (NETBLK-CCI-1) - Spartacus Computers Inc. (NETBLK-SPARTACUS) - Sun Microsystems, Inc. - Symbolics, Inc. - Lucent Technologies, IL
[192.12] - DoD Intel Information Systems, Washington DC
[192.16] - University of Illinois (NETBLK-UNIV-IL) - Sun Microsystems, Inc. - Lucent Technologies, IL
(NETBLK-LUCENT-192-19-255-C) - AT&T Bell Laboratories, OH - Formative Technologies, Inc., PA
(NETBLK-FORMATIVE) - Applicon Inc., MI (NETBLK-APPLICON) - Schlumberger Information Network (SINet), CO
(NETBLK-FACTNET) - Chromatics, Inc., GA (NETBLK-CHROMATICS) - Hewlett-Packard Company, CA (NETBLK-HP3)
[192.26] - Hughes Electronics (NETBLK-HAC-VLSI2)
[192.28] - Sun Microsystems, Inc., CA (NETBLK-SUN2) - Hewlett-Packard Company, CA (NETBLK-HP4)
[192.31] - Wellfleet Communications, Inc., MA
[192.33] - Hewlett-Packard Company (NETBLK-HP5)
[192.35] - SUNET, Sweden (NET-SUNET5) - CIBA-GEIGY AS, Switzerland (NET-CGCH-NET) - Danish Computer Center for Research and
Education (NETBLK-DENET) - Unisys Corporation, PA - Hewlett-Packard Company, CA (NETBLK-HP6)
[192.41], [192.42], [192.43], [192.44] - TRW Space and Defense Sector, CA
(NETBLK-TRW-BLOCK) - Hewlett-Packard Company, CA (NETBLK-HP8)
[192.47], [192.48], [192.49] - Japan Network Information Center
[192.51], [192.52], [192.53], [192.54], [192.55] - Hewlett-Packard Company, CA (NETBLK-HP11) - EDS-NNAM, MI (NETBLK-EDS-BLOCK9)
[192.58] - UNISYS, PA (NETBLK-UNISYS-NET2) - Hewlett-Packard Company, CA (NETBLK-HP16)
[192.65] - Danish Network (NET-DKNET-CNET 1)
[192.67], [192.68] - Hewlett-Packard Company, CA (NETBLK-HPS)
[192.70] - SUNET, Sweden (NET-SUNET3)
[192.72], [192.73], [192.74], [192.75], [192.76], [192.77], [192.78] - Hughes Electronics, CA (NETBLK-EDEN2)
[192.80] - Hewlett-Packard Company, CA (NETBLK-HP19)
[192.82], [192.83], [192.84] - EDS Network Naming and Addressing Management
[192.86], [192.87], [192.88] - Telecom Finland (NETBLK-TELE-DATANET-192-) - Bull, MA (NETBLK-BULL)
[192.91], [192.92] - NIC France (NIC-FR)
[192.94] Army, Product Manager, Acquisition Information Management,
VA (NET-BELVOIRNET1) - UNINET Project, South Africa
(NETBLK-UNINET-BLOCKC) - Kraft General Foods, Inc., IL
(NETBLK-KRAFT-C) - Tampere University of Technology, Finland
[192.99 no record]
[192.100], [192.101], [192.102], [192.103], [192.104], [192.105],
[192.106], [192.107], [192.108] - DE-NIC, Germany (NET-UNIDOBLOCK)
[192.110], [192.111], [192.112] - Ideta b.v., Netherlands
(NETBLK-IDETA-CNETS) - Israeli Network Information Center
(NETBLK-ISRAELC-BLOCK) Steven Bjork, Palo Alto, CA (NET-LOIHI) - Hewlett-Packard, CA (NETBLK-HP120) - SUNET, Sweden (NET-SUNET4)
[192.122] - Kraft General Foods, Inc., IL
[192.124] - Hartmann & Braun AG, Germany
[192.126] - NCR Corporation WTC-1, OH
[192.129] - Telecom Finland
[192.131], [192.132], [192.133] - NIC - France (NIC-2-FR)
[192.135], [192.136] - Hewlett-Packard Company (NETBLK-HP-BLOCK)
[192.138], [192.139] - France Telecom (NETBLK-FRANCETEL)
[192.146], [192.147], [192.148], [192.149], [192.150], [192.151],
[192.152], [192.153], [192.154], [192.155], [192.156], [192.157],
[192.160], [192.161] - European Regional Internet Registry/RIPE
[192.163] - European Regional Internet Registry/RIPE
NCC (NETBLK-RIPE-NCC): - Unix User Group Austria (NET-AT-ZZ-192-) - SUNET, Sweden (NET-SUNET2) - Last Resort Local Registry, Germany
(NET-DE-ZZ) - GARR-NIS/CNUCE Instituto del CNR, Italy
(NET-GARR-NIS) - Internet Assigned Numbers Authority, CA
(IANA-CBLK-RESERVED) - reserved for private internet use (see RFC
[192.169], [192.170], [192.171], [192.172], [192.173], [192.174],
[192.175], [192.176] - Royal Institute of Technology - SUNET,
[192.177 - 192.186 no record] Bull HN Information Systems, Inc., MN (NET-BULLMINNNET)
[192.187], [192.188], [192.189], [192.190] - Automatic Data Processing, Inc., OR
(NETBLK-ADP-C) - Ministry of Education Computer Center,
Republic of China (NETBLK-TANET-C) - Citicorp Global Information Network, NY
(NETBLK-CITICORP-C) - Telecom Finland
[192.195] - EDF-GDF (Electricite de France)
[192.197], [192.198], [192.199], [192.200] - MCI Telecommunications Corporation, TX
[192.203] - PREPnet, PA (NETBLK-PREPNET-C) - AT&T Data Communications Services, NJ
[192.206], [192.207], [192.208], [192.209], [192.210] - Southern California Edison (NETBLK-SCE) - CERFnet, CA (NETBLK-TBLK-CERFNET) - BBN BARRNET, Inc., CA
(NETBLK-TBLK-CICNET-BLOCK) - Japan Network Information Center
(NETBLK-TBLK-JAPAN-INET) - Canadian Research Network
[192.222], [192.223] - ADP Dealer Services Group, IL
[192.225], [192.226], [192.227], [192.228], [192.229], [192.230],
[192.231], [192.232] - NEARNET/Bolt Beranek and Newman, Inc.
[192.234], [192.235], [192.236], [192.237], [192.238] - SURAnet, MD (NETBLK-TBLK-SURA-NEW-NET)
[192.240], [192.241] - Vortech Data, Inc., TX (NETBLK-VORTECH)
[192.243] - Japan Network Information Center
[192.245] - Performance Systems International, Inc.
[192.247] - Lanka Educational, Academic and Research
Network, University of Moratuwa, S (NETBLK-LEARN) - City of Riverside, CA (NETBLK-RIVCTY)
[192.249], [192.250], [192.251], [192.252] - ARPA DSI JPO, VA (NETBLK-DSI-TOXIC-BLOCK4)

For more information see: http://www.ipindex.net/c/indexc.html

- -----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
Behalf Of security at admin.fulgan.com
Sent: Wednesday, November 07, 2001 8:24 AM
To: Maarten Ruigrok
Subject: Re[2]: [Dshield] Re: ICMP destination unreachable

MR> Not to be a bother but I read somewhere that 192.x.x.x was used in

MR> europe. And that I think it is since I surfed on sites starting
MR> 192 it is in use, I am from europe. I cannot produce any sites on
MR> top of my head however (I like using DNS ;-). IF this range is
MR> assigned to europe then it is not covered by IANA but by RIPE.
MR> (whois.ripe.net I believe). I cannot whois from this place but if
MR> someone could it may give you an answer.

Here is what I got from a recursive WhoIs query:

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: -
netname:      IANA-BLK
descr:        The whole IPv4 address space
country:      NL
admin-c:      IANA1-RIPE
tech-c:       IANA1-RIPE
remarks:      The country is really worldwide.
remarks:      This address space is assigned at various other places
remarks:      the world and might therefore not be in the RIPE
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    RIPE-NCC-HM-MNT
mnt-routes:   RIPE-NCC-NONE-MNT
changed:      bitbucket at ripe.net 20010529
source:       RIPE

After some intensive testing (i.e. trying a few addresses at random),
I was able to find several domains registered in the 192.* range. Here's

Symbolics, Inc. (NETBLK-SYMBOLICS1)
   c/o Ropes & Gray (Attn C.I.
   Boston, MA 02110-2624

   Netname: SYMBOLICS1
   Netblock: -

      Schmidt, David  (DS1781-ARIN)  dkschmidt at compuserve.com
      703-455-0430 (FAX) 703-440-0388

   Record last updated on 16-Apr-2001.
   Database last updated on 7-Nov-2001 03:07:45 EDT.

Good luck,

Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

Version: PGPfreeware 6.0.2i
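The question that opened this thread was whether an IP can be attributed to its holder while off-line. The list above is exactly that kind of table, so here is an added example (not code from the list or from any of the posters) that parses a few lines in that "[a.b] - owner" layout into /16 networks and answers a lookup without touching the network. The sample lines are copied from the list above; the layout rules (a span such as "[192.177 - 192.186 ...]" only ever runs over the second octet, and the owner follows the last closing bracket) are assumptions drawn from the list as quoted.

```python
import ipaddress
import re

# Constructed sample in the "[a.b] - owner" layout of the list quoted in the
# digest (source: http://www.ipindex.net/c/indexc.html); only a few lines of
# the original list are reproduced, and the ownership data is as of 2001.
SAMPLE_TABLE = """\
[192.5] - Hewlett-Packard Company, CA (NETBLK-P-NETS)
[192.12] - DoD Intel Information Systems, Washington DC
[192.41], [192.42], [192.43], [192.44] - TRW Space and Defense Sector, CA
[192.47], [192.48], [192.49] - Japan Network Information Center
[192.99 no record]
[192.177 - 192.186 no record]
[192.240], [192.241] - Vortech Data, Inc., TX (NETBLK-VORTECH)
"""

# One bracketed item: a single /16 ("[192.5]") or a span ("[192.177 - 192.186 ...]"),
# optionally flagged "no record".
BLOCK_RE = re.compile(r"\[(\d+\.\d+)(?:\s*-\s*(\d+\.\d+))?(?:\s+no record)?\]")


def expand_blocks(start, end=None):
    """Return the /16 networks from start to end (inclusive). Assumption: a span
    in the list only runs over the second octet, so the first octet is shared."""
    o1, o2 = (int(x) for x in start.split("."))
    e2 = int(end.split(".")[1]) if end else o2
    return [ipaddress.ip_network(f"{o1}.{n}.0.0/16") for n in range(o2, e2 + 1)]


def parse_table(text):
    """Parse the index into (network, owner) pairs; items flagged 'no record'
    get the owner string 'no record'."""
    entries = []
    for line in text.splitlines():
        items = BLOCK_RE.findall(line)
        if not items:
            continue
        # The owner follows the last closing bracket as " - Owner"; nothing there
        # means the line carried no record.
        tail = line[line.rfind("]") + 1:].strip()
        owner = tail[2:].strip() if tail.startswith("- ") else "no record"
        for start, end in items:
            for net in expand_blocks(start, end or None):
                entries.append((net, owner))
    return entries


def lookup(ip, entries):
    """Offline owner lookup: the first /16 in the table containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, owner in entries:
        if addr in net:
            return owner
    return None


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for probe in ("192.43.1.2", "192.180.0.1", "192.6.0.1"):
        print(probe, "->", lookup(probe, table))
```

Feeding the whole ipindex file through parse_table gives a lookup that works with no connectivity, which is what the original question asked for; an address that returns None is simply absent from the table and needs a registry query once back on-line.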



Message: 2
Date: Wed, 7 Nov 2001 11:18:39 -0500 (EST)
From: "Johannes B. Ullrich" <jullrich at euclidian.com>
To: Maarten Ruigrok <dshield at dshield.org>
Subject: Re[2]: [Dshield] Re: ICMP destination unreachable
Reply-To: dshield at dshield.org

Hash: SHA1

Quick note about this: RIPE always returns
for addresses assigned by APNIC and ARIN. The 'best' (?) way to do a
recursive whois query is to use ARIN first. It will tell you which
other registry is responsible if they are not.

> Here is what I got from a recursive WhoIs query:
> C:\bin>ipchk
> % This is the RIPE Whois server.

> inetnum: -
> netname:      IANA-BLK
> descr:        The whole IPv4 address space

- --
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
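The two points made in this message (RIPE answers with its catch-all object for space it does not hold, and ARIN will name the responsible registry if it is not ARIN) are what a recursive lookup has to implement. Here is an added example of that walk in Python; it is not code from either poster. It assumes the referral is flagged with the "ReferralServer:" line that ARIN's whois uses today (the 2001 output looked different), it assumes port 43 for every hop, and the registry answers in FAKE_REGISTRY are constructed so the walk can be exercised offline.

```python
import re
import socket

# ARIN marks space held by another RIR with a line such as
# "ReferralServer: whois://whois.ripe.net" (assumed key name, current format).
REFERRAL_RE = re.compile(r"^ReferralServer:\s*(?:whois://)?([\w.-]+)(?::\d+)?", re.M)


def whois_tcp(server, target, timeout=10):
    """Plain port-43 whois (RFC 3912): send the query, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((target + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def is_placeholder(response):
    """True when RIPE answered with its catch-all IANA-BLK object, i.e. the
    address is not RIPE's and the record lives at another registry."""
    return re.search(r"^netname:\s*IANA-BLK\s*$", response, re.M) is not None


def recursive_whois(target, send=whois_tcp, start="whois.arin.net", max_hops=4):
    """Ask ARIN first and follow ReferralServer lines until a registry answers
    without referring elsewhere. Returns (servers asked in order, final text).
    The seen-set and hop limit stop a referral loop."""
    server, trail, seen, response = start, [], set(), ""
    while server not in seen and len(trail) < max_hops:
        seen.add(server)
        trail.append(server)
        response = send(server, target)
        match = REFERRAL_RE.search(response)
        if not match:
            break
        server = match.group(1)  # a port in the referral is ignored; 43 is assumed
    return trail, response


# Constructed registry answers (hypothetical, not real records) keyed by
# (server, queried address); the addresses are from documentation ranges.
FAKE_REGISTRY = {
    ("whois.arin.net", "192.0.2.1"):
        "NetRange:       192.0.2.0 - 192.0.2.255\n"
        "OrgName:        Example RIR-held block\n"
        "ReferralServer: whois://whois.ripe.net\n",
    ("whois.ripe.net", "192.0.2.1"):
        "inetnum:        192.0.2.0 - 192.0.2.255\n"
        "netname:        EXAMPLE-NET\n"
        "country:        SE\n"
        "source:         RIPE\n",
    ("whois.arin.net", "198.51.100.9"):
        "NetRange:       198.51.100.0 - 198.51.100.255\n"
        "OrgName:        Example ARIN-held block\n",
    ("whois.ripe.net", "198.51.100.9"):
        "inetnum:        0.0.0.0 - 255.255.255.255\n"
        "netname:        IANA-BLK\n"
        "descr:          The whole IPv4 address space\n",
}


def fake_send(server, target):
    """Offline stand-in for whois_tcp, backed by FAKE_REGISTRY."""
    return FAKE_REGISTRY[(server, target)]


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.9"):
        trail, text = recursive_whois(ip, send=fake_send)
        print(ip, "->", " -> ".join(trail))
        print(text)
    # Asking RIPE directly for non-RIPE space yields the catch-all object:
    print(is_placeholder(fake_send("whois.ripe.net", "198.51.100.9")))  # True
```

Passing send=whois_tcp (the default) runs the same walk against the live registries; is_placeholder is the check to apply whenever a query went to RIPE first, since an IANA-BLK answer is a "not mine", not an attribution.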



Message: 3
Date: Thu, 8 Nov 2001 11:02:59 +0100
From: security at admin.fulgan.com
Organization: fulgan.com
To: "L. Fung" <dshield at dshield.org>
Subject: Re[2]: [Dshield] Spoofs
Reply-To: dshield at dshield.org

LF> Stephane,

LF> RE:  In any case, you should try to catch the outgoing
>> SYN packet: it will
>> tell you what protocol is concerned and you'll be
>> able to act on that.
LF> Could you tell how I can act once I know the protocol?

Well, it really depends on what the SYN will tell you. Basically, you
have two choices: ban the guilty application by closing its outgoing
port (the target port in the SYN packet) or try to work out a behavior
rule for the application, if it can be applied (some applications
allow you to specify that you're behind a NAT router and will stop
sending internal addresses).

Another thing you can do is to filter packets to private IP ranges at
your router: that way, they won't be reaching the external network.
Depending on how your router's filters behave, you might still get the
network unreachable packets, but only from your own router.

Good luck,
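The advice above has two halves: read the destination port from the outgoing SYN to learn which application is leaking private addresses, and filter packets to private ranges at the router. Here is an added example (not code from the poster) that does both over constructed log lines: it picks out outbound TCP SYNs to RFC 1918 destinations from netfilter-style LOG output, ranks the destination ports so the offending service stands out, and emits the router-side drop rules. The log layout is a simplified form of the Linux netfilter LOG format, the interface name ppp0 is assumed, and the hosts are documentation addresses.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges; packets leaving for these should never cross the
# external interface.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a simplified netfilter LOG layout (no real hosts;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges). Note the last
# line: 172.32.0.1 sits just outside 172.16.0.0/12 and must not be flagged.
SAMPLE_LOG = """\
Nov  8 10:01:02 gw kernel: OUT=ppp0 SRC=203.0.113.5 DST=10.1.2.3 PROTO=TCP SPT=1034 DPT=139 SYN
Nov  8 10:01:03 gw kernel: OUT=ppp0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=1035 DPT=80 SYN
Nov  8 10:01:05 gw kernel: OUT=ppp0 SRC=203.0.113.5 DST=172.16.9.9 PROTO=TCP SPT=1036 DPT=139 SYN
Nov  8 10:01:06 gw kernel: OUT=ppp0 SRC=203.0.113.5 DST=192.168.0.44 PROTO=TCP SPT=1037 DPT=6667 SYN
Nov  8 10:01:07 gw kernel: OUT=ppp0 SRC=203.0.113.5 DST=192.168.0.44 PROTO=TCP SPT=1037 DPT=6667 ACK
Nov  8 10:01:09 gw kernel: OUT=ppp0 SRC=203.0.113.5 DST=172.32.0.1 PROTO=TCP SPT=1038 DPT=139 SYN
"""


def parse_line(line):
    """Split a LOG line into KEY=VALUE fields plus the bare TCP flag words
    (SYN, ACK, ...) that follow PROTO=."""
    fields, flags, after_proto = {}, set(), False
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
            after_proto = after_proto or key == "PROTO"
        elif after_proto:
            flags.add(tok)
    return fields, flags


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def leaking_syns(log_text):
    """Outbound TCP SYNs (connection openers, not the ACKs that follow) whose
    destination is an RFC 1918 address. Each hit keeps the destination port,
    which is what identifies the application doing the talking."""
    hits = []
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
            continue
        dst = fields.get("DST")
        if dst and is_private(dst):
            hits.append({"dst": dst, "dpt": int(fields["DPT"]),
                         "spt": int(fields["SPT"]), "out": fields.get("OUT", "")})
    return hits


def ports_by_count(hits):
    """Destination ports ranked by how often they leak; the top one points at
    the service, and so the application, to fix or block first."""
    return Counter(h["dpt"] for h in hits).most_common()


def egress_rules(iface):
    """iptables rules dropping forwarded packets bound for private space on the
    external interface: the router-side filter the message describes."""
    return [f"iptables -A FORWARD -o {iface} -d {net} -j DROP" for net in PRIVATE_NETS]


if __name__ == "__main__":
    hits = leaking_syns(SAMPLE_LOG)
    for h in hits:
        print(f"SYN to private {h['dst']}:{h['dpt']} from local port {h['spt']} via {h['out']}")
    print("ports by count:", ports_by_count(hits))
    print("\n".join(egress_rules("ppp0")))
```

On the sample, port 139 dominates, which points at a NetBIOS/SMB client announcing private peers; the egress rules keep such packets from leaving, and, as the message notes, any unreachables you then see will come from your own router rather than from the outside.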


Message: 4
From: "Pieter-Bas IJdens" <pbijdens at emea.mi4.org.uk>
To: <dshield at dshield.org>
Date: Thu, 8 Nov 2001 14:45:26 +0100
Subject: [Dshield] SSH Scans
Reply-To: dshield at dshield.org


The last couple of days I have seen an increasing amount of ssh version
scans on our servers.

When I check these, they all seem to originate from systems running
SSH-1.99-OpenSSH_2.1.1 [apparently some exploit in that version is abused].
Contacting the admins of these systems has confirmed these were compromised.

Am I the only one to notice this increase [i.e. is it incidental and pure
coincidence] or is some kind of worm suddenly active (again)?




End of Dshield Digest
