[Dshield] TCP:27374 burst - ACID Incident Report

John Sage jsage at finchhaven.com
Wed Jul 10 16:01:39 GMT 2002


Had a rather odd burst of activity against TCP:27374 last night:

8 source hosts total, 5 of those from the 211.x.x.x net, and one each
from 12.x.x.x, 68.x.x.x, and 209.x.x.x

They all seem to be DSL or cable, as far as connectivity goes.

Timestamps: PDT, synch by xntpd

----- Forwarded message from ACID Alert <acid at finchhaven.com> -----

Date: Wed, 10 Jul 2002 07:49:18 -0700
Subject: ACID Incident Report

Generated by ACID v0.9.6b21 on Wed July 10, 2002 07:49:17

#10-51| [2002-07-09 22:48:31] 12.225.36.231:4980 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-52| [2002-07-09 22:48:34] 12.225.36.231:4980 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-53| [2002-07-09 22:48:40] 12.225.36.231:4980 -> 12.82.129.30:27374  TCP to 27374 SubSeven

[toot at sparky /]# host 12.225.36.231
231.36.225.12.in-addr.arpa. domain name pointer 12-225-36-231.client.attbi.com.


#10-54| [2002-07-09 23:03:52] 68.39.178.28:3957 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-55| [2002-07-09 23:03:55] 68.39.178.28:3957 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-56| [2002-07-09 23:04:01] 68.39.178.28:3957 -> 12.82.129.30:27374  TCP to 27374 SubSeven

[toot at sparky /]# host 68.39.178.28
28.178.39.68.in-addr.arpa. domain name pointer bgp596795bgs.mnhwkn01.nj.comcast.net.


#10-57| [2002-07-09 23:25:53] 211.207.230.230:4258 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-58| [2002-07-09 23:25:56] 211.207.230.230:4258 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-59| [2002-07-09 23:26:02] 211.207.230.230:4258 -> 12.82.129.30:27374  TCP to 27374 SubSeven

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address
information. 
IP Address         : 211.207.228.0-211.207.231.255
Network Name       : HANANET-XDSL-INCHONNAMDONG
Connect ISP Name   : HANANET
Connect Date       : 20010430
Registration Date  : 20010430 
[ Organization Information ]
Orgnization ID     : ORG205428
Org Name           : HANARO Telecom
State              : SEOUL
Address            : 1445-3 Seocho-Dong Seocho-Ku
Zip Code           : 137-728


#10-60| [2002-07-09 23:56:04] 211.224.76.149:2968 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-61| [2002-07-09 23:56:07] 211.224.76.149:2968 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-62| [2002-07-09 23:56:13] 211.224.76.149:2968 -> 12.82.129.30:27374  TCP to 27374 SubSeven

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address
information. 
IP Address         : 211.224.76.0-211.224.77.255
Network Name       : KORNET-XDSL-POHANG
Connect ISP Name   : KORNET
Connect Date       : 20001018
Registration Date  : 20010824 
[ Organization Information ]
Orgnization ID     : ORG201916
Org Name           : POHANG NODE
State              : KYONGBUK
Address            : 135-19 DAEDODONG NAMKU POHANGSI
Zip Code           : 790-140


#10-63| [2002-07-09 23:57:04] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-64| [2002-07-09 23:57:07] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-65| [2002-07-09 23:57:14] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-66| [2002-07-09 23:57:26] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven

[toot at sparky /]# host 209.74.26.161
161.26.74.209.in-addr.arpa. domain name pointer clsm-209-74-26-161.ppp.clsm.epix.net.

BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman 
epix Internet Services (NETBLK-EPIX-2BLK)
   100 CTE Drive
   Dallas, PA 18612
   US    
Netname: EPIX-2BLK
   Netblock: 209.74.0.0 - 209.74.63.255
   Maintainer: EPIX


#10-67| [2002-07-10 00:12:43] 211.229.130.178:3341 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-68| [2002-07-10 00:12:46] 211.229.130.178:3341 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-69| [2002-07-10 00:12:52] 211.229.130.178:3341 -> 12.82.129.30:27374  TCP to 27374 SubSeven

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address
information. 
IP Address         : 211.229.130.0-211.229.143.255
Network Name       : KORNET-XDSL-NAMDAEGU
Connect ISP Name   : KORNET
Connect Date       : 20010228
Registration Date  : 20010228 
[ Organization Information ]
Orgnization ID     : ORG200856
Org Name           : NAMDAEGU NODE
State              : TAEGU
Address            : 913-1 DAEMYUNG9DONG NAMKU
Zip Code           : 705-039

#10-70| [2002-07-10 00:39:04] 211.44.152.237:1212 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-71| [2002-07-10 00:39:07] 211.44.152.237:1212 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-72| [2002-07-10 00:39:13] 211.44.152.237:1212 -> 12.82.129.30:27374  TCP to 27374 SubSeven

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address
information. 
IP Address         : 211.44.152.0-211.44.152.255
Network Name       : HANANET
Connect ISP Name   : HANANET
Connect Date       : 20000217
Registration Date  : 20000306 
[ Organization Information ]
Orgnization ID     : ORG78211
Org Name           : HANARO Telecom
State              : SEOUL
Address            : 1445-3 Seocho-Dong Seocho-Ku
Zip Code           : 137-728


#10-73| [2002-07-10 00:44:13] 211.208.231.120:3557 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-74| [2002-07-10 00:44:16] 211.208.231.120:3557 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-75| [2002-07-10 00:44:22] 211.208.231.120:3557 -> 12.82.129.30:27374  TCP to 27374 SubSeven

KRNIC is not ISP but National Internet Registry similar with APNIC.
Please see the following end-user contacts for IP address
information. 
IP Address         : 211.208.228.0-211.208.231.255
Network Name       : HANANET-CATV-KWANAKSO
Connect ISP Name   : HANANET
Connect Date       : 20010423
Registration Date  : 20010423 
[ Organization Information ]
Orgnization ID     : ORG207658
Org Name           : HANARO Telecom
State              : SEOUL
Address            : 1445-3 Seocho-Dong Seocho-Ku
Zip Code           : 137-728


----- End forwarded message -----


- John
-- 
"Obviously, we do not want to leave zombies around."

PGP key      http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5 
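An added example (not part of John's post or of ACID itself) showing how a defender can triage a burst like the one above from the ACID one-line alert format: parse the lines, group them per source host, reproduce the per-/8 tally from the post, and look at the inter-packet gaps. The 25 alert lines are copied from the forwarded report; the interpretation that one source port reused across every packet plus gaps that roughly double (3 s, 6 s, 12 s) is one unanswered SYN being retransmitted by the sender's TCP stack rather than three or four separate connection attempts is my assumption, as is the 2-second slack used to absorb the 1-second timestamp granularity.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Alert lines copied from the forwarded ACID report ("#id| [ts] src:sport -> dst:dport  sig").
ACID_REPORT = """\
#10-51| [2002-07-09 22:48:31] 12.225.36.231:4980 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-52| [2002-07-09 22:48:34] 12.225.36.231:4980 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-53| [2002-07-09 22:48:40] 12.225.36.231:4980 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-54| [2002-07-09 23:03:52] 68.39.178.28:3957 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-55| [2002-07-09 23:03:55] 68.39.178.28:3957 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-56| [2002-07-09 23:04:01] 68.39.178.28:3957 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-57| [2002-07-09 23:25:53] 211.207.230.230:4258 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-58| [2002-07-09 23:25:56] 211.207.230.230:4258 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-59| [2002-07-09 23:26:02] 211.207.230.230:4258 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-60| [2002-07-09 23:56:04] 211.224.76.149:2968 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-61| [2002-07-09 23:56:07] 211.224.76.149:2968 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-62| [2002-07-09 23:56:13] 211.224.76.149:2968 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-63| [2002-07-09 23:57:04] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-64| [2002-07-09 23:57:07] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-65| [2002-07-09 23:57:14] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-66| [2002-07-09 23:57:26] 209.74.26.161:2771 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-67| [2002-07-10 00:12:43] 211.229.130.178:3341 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-68| [2002-07-10 00:12:46] 211.229.130.178:3341 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-69| [2002-07-10 00:12:52] 211.229.130.178:3341 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-70| [2002-07-10 00:39:04] 211.44.152.237:1212 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-71| [2002-07-10 00:39:07] 211.44.152.237:1212 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-72| [2002-07-10 00:39:13] 211.44.152.237:1212 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-73| [2002-07-10 00:44:13] 211.208.231.120:3557 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-74| [2002-07-10 00:44:16] 211.208.231.120:3557 -> 12.82.129.30:27374  TCP to 27374 SubSeven
#10-75| [2002-07-10 00:44:22] 211.208.231.120:3557 -> 12.82.129.30:27374  TCP to 27374 SubSeven
"""

ALERT_RE = re.compile(
    r"^#(?P<id>\d+-\d+)\|\s+\[(?P<ts>[^\]]+)\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<sig>.+?)\s*$"
)

def parse_alerts(text):
    """Parse ACID one-line alert summaries; non-matching lines (whois, prose) are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            events.append({"id": m["id"],
                           "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"]), "sig": m["sig"]})
    return events

def looks_like_syn_backoff(gaps, slack=2):
    """Assumption: gaps that roughly double (3, 6, 12 ...) are an unanswered SYN being
    retransmitted with exponential backoff; 'slack' absorbs the 1 s log granularity."""
    return len(gaps) >= 2 and all(abs(b - 2 * a) <= slack for a, b in zip(gaps, gaps[1:]))

def summarize_by_source(events):
    """One record per source host: packet count, source ports seen, gaps between packets."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    out = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(evs, evs[1:])]
        sports = sorted({e["sport"] for e in evs})
        out[src] = {"packets": len(evs), "sports": sports,
                    "dports": sorted({e["dport"] for e in evs}), "gaps_s": gaps,
                    # same source port throughout + doubling gaps = one connect() retried by the stack
                    "single_syn_retransmitted": len(sports) == 1 and looks_like_syn_backoff(gaps)}
    return out

def tally_by_first_octet(summary):
    """Reproduce the post's per-/8 count (5 from 211.x.x.x, one each from 12, 68, 209)."""
    return Counter(src.split(".")[0] for src in summary)

def burst_report(text):
    events = parse_alerts(text)
    summary = summarize_by_source(events)
    return {"alerts": len(events), "sources": len(summary),
            "by_first_octet": tally_by_first_octet(summary), "per_source": summary}

if __name__ == "__main__":
    r = burst_report(ACID_REPORT)
    print(f"{r['alerts']} alerts from {r['sources']} hosts; by /8: {dict(r['by_first_octet'])}")
    for src, s in r["per_source"].items():
        print(f"{src:16} pkts={s['packets']} sport={s['sports']} "
              f"gaps={s['gaps_s']} single_syn={s['single_syn_retransmitted']}")
```

Run over the report this yields 25 alerts from 8 hosts, all probing the same destination port from a single source port each, with gaps of 3 and 6 seconds (3, 7, 12 for the epix host). Under the assumption in the lead-in, each "three alerts" is one connection attempt that the sensor saw retransmitted, so the burst is eight unique probes, not twenty-five, which is the number worth reporting to the contacts in the whois output.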