[Dshield] It almost makes me weep...

John Sage jsage at finchhaven.com
Thu Sep 18 15:36:36 GMT 2003


...for the good old days!

(For those of you who may not get what I'm talking about, this is
essentially a -> NON-MICRO$OFT <- probe. This is what we used to see a
lot of, back before Micro$oft screwed up the Internet).

References:
[jsage at sparky /home] $ grep 515 /etc/services
printer     515/tcp         spooler         # line printer spooler
printer     515/udp         spooler         # line printer spooler
[jsage at sparky /home] $ grep 53 /etc/services
domain      53/tcp                          # name-domain server
domain      53/udp
[jsage at sparky /home] $ grep 113 /etc/services
auth        113/tcp         authentication tap ident
auth        113/udp         authentication tap ident
[jsage at sparky /home] $ grep 23 /etc/services
telnet      23/tcp
telnet      23/udp

and for those who are really into nostalgia, of course it's from
Korea!

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:14.103512 211.236.5.118:4423 -> 12.82.144.75:515
TCP TTL:48 TOS:0x0 ID:12159 IpLen:20 DgmLen:60 DF
******S* Seq: 0x44ED2DDF  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 23416774 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:14.423538 211.236.5.118:4423 -> 12.82.144.75:515
TCP TTL:48 TOS:0x0 ID:13010 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x44ED2DE0  Ack: 0xA9A7E7F9  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 23416809 1004187316 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:14.494060 211.236.5.118:1035 -> 12.82.144.75:53
UDP TTL:48 TOS:0x0 ID:13012 IpLen:20 DgmLen:58
Len: 38
19 80 01 00 00 01 00 00 00 00 00 00 07 56 45 52  .............VER
53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03        SION.BIND.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:19.484050 211.236.5.118:1035 -> 12.82.144.75:53
UDP TTL:48 TOS:0x0 ID:13950 IpLen:20 DgmLen:58
Len: 38
19 80 01 00 00 01 00 00 00 00 00 00 07 56 45 52  .............VER
53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03        SION.BIND.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:29.515082 211.236.5.118:1298 -> 12.82.144.75:113
TCP TTL:48 TOS:0x0 ID:14871 IpLen:20 DgmLen:60 DF
******S* Seq: 0x45EFF305  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 23418318 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:29.845114 211.236.5.118:1299 -> 12.82.144.75:23
TCP TTL:48 TOS:0x0 ID:14873 IpLen:20 DgmLen:60 DF
******S* Seq: 0x464B1425  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 23418352 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:32.845412 211.236.5.118:1299 -> 12.82.144.75:23
TCP TTL:48 TOS:0x0 ID:14875 IpLen:20 DgmLen:60 DF
******S* Seq: 0x464B1425  Ack: 0x0  Win: 0x7D78  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 23418652 0 NOP WS: 0 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:33.855513 211.236.5.118:4423 -> 12.82.144.75:515
TCP TTL:48 TOS:0x0 ID:14957 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x44ED2DE0  Ack: 0xA9A7E7F9  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 23418753 1004187316 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

09/17-12:45:34.165564 211.236.5.118:4423 -> 12.82.144.75:515
TCP TTL:48 TOS:0x0 ID:15961 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x44ED2DE1  Ack: 0xA9A7E7FA  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 23418784 1004189291 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Run time for packet processing was 26.36365 seconds

===============================================================================

Snort processed 9 packets.
Breakdown by protocol:                Action Stats:

    TCP: 7          (77.778%)         ALERTS: 0         
    UDP: 2          (22.222%)         LOGGED: 0         
   ICMP: 0          (0.000%)          PASSED: 0         
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)

===============================================================================


[jsage at sparky /home] $ whois 211.236.5.118
BW whois 3.4 by Bill Weinman (http://whois.bw.org/)
Copyright 1999-2003 William E. Weinman

Request: 211.236.5.118

connected to whois.arin.net [63.146.182.181:43] ...
connected to whois.apnic.net [202.12.29.13:43] ...

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
 
inetnum:      211.232.0.0 - 211.255.255.255
netname:      KRNIC-KR
descr:        KRNIC
descr:        Korea Network Information Center
country:      KR
admin-c:      HM127-AP
tech-c:       HM127-AP
remarks:      ******************************************
remarks:      KRNIC is the National Internet Registry
remarks:      in Korea under APNIC. If you would like to
remarks:      find assignment information in detail
remarks:      please refer to the KRNIC Whois DB
remarks:      http://whois.nic.or.kr/english/index.html
remarks:      ******************************************
mnt-by:       APNIC-HM
mnt-lower:    MNT-KRNIC-AP
changed:      hostmaster at apnic.net 20000908
changed:      hostmaster at apnic.net 20010627
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Host Master
address:      11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address:      Seoul, Korea, 137-857
country:      KR
phone:        +82-2-2186-4500
fax-no:       +82-2-2186-4496
e-mail:       hostmaster at nic.or.kr
nic-hdl:      HM127-AP
mnt-by:       MNT-KRNIC-AP
changed:      hostmaster at nic.or.kr 20020507
source:       APNIC



- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
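Added example, not part of John's post: a small Python script that reads a Snort "-v -d" style packet log in the layout shown above, lists the (protocol, port) sequence one source host walked, and decodes the UDP/53 payload. The hex dump in the post (`07 56 45 52 53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03`) is a TXT query (type 0x0010) in the CHAOS class (0x0003) for VERSION.BIND, which is the classic BIND version fingerprint; the script flags that. The embedded sample is a constructed, trimmed copy of the post's log (TCP Options lines dropped), and the function names are the example's own.

```python
import re
import struct

# Constructed sample: a trimmed copy of the post's Snort log (four packets,
# TCP Options lines dropped), embedded so the script runs offline.
SAMPLE_LOG = """\
09/17-12:45:14.103512 211.236.5.118:4423 -> 12.82.144.75:515
TCP TTL:48 TOS:0x0 ID:12159 IpLen:20 DgmLen:60 DF
******S* Seq: 0x44ED2DDF  Ack: 0x0  Win: 0x7D78  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/17-12:45:14.494060 211.236.5.118:1035 -> 12.82.144.75:53
UDP TTL:48 TOS:0x0 ID:13012 IpLen:20 DgmLen:58
Len: 38
19 80 01 00 00 01 00 00 00 00 00 00 07 56 45 52  .............VER
53 49 4F 4E 04 42 49 4E 44 00 00 10 00 03        SION.BIND.....
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/17-12:45:29.515082 211.236.5.118:1298 -> 12.82.144.75:113
TCP TTL:48 TOS:0x0 ID:14871 IpLen:20 DgmLen:60 DF
******S* Seq: 0x45EFF305  Ack: 0x0  Win: 0x7D78  TcpLen: 40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
09/17-12:45:29.845114 211.236.5.118:1299 -> 12.82.144.75:23
TCP TTL:48 TOS:0x0 ID:14873 IpLen:20 DgmLen:60 DF
******S* Seq: 0x464B1425  Ack: 0x0  Win: 0x7D78  TcpLen: 40
"""

HDR_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> "
                    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
HEX_RE = re.compile(r"^((?:[0-9A-F]{2} )+)")   # hex column of a dump line
DNS_TYPES = {1: "A", 16: "TXT"}
DNS_CLASSES = {1: "IN", 3: "CH"}


def parse_snort_log(text):
    """Return one dict per packet block; blocks are separated by '=+=' lines."""
    packets = []
    for chunk in re.split(r"^=\+=.*$", text, flags=re.M):
        lines = [ln.rstrip() for ln in chunk.strip().splitlines()]
        if len(lines) < 2 or not HDR_RE.match(lines[0]):
            continue
        ts, src, sport, dst, dport = HDR_RE.match(lines[0]).groups()
        proto = lines[1].split()[0]              # "TCP" or "UDP"
        payload = bytearray()
        for ln in lines[2:]:                     # collect the hex dump, if any
            m = HEX_RE.match(ln)
            if m:
                payload += bytes.fromhex(m.group(1).replace(" ", ""))
        packets.append({
            "ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "payload": bytes(payload),
            "flags": lines[2].split()[0] if proto == "TCP" and len(lines) > 2 else None,
        })
    return packets


def decode_dns_query(payload):
    """Decode the first question of a DNS message; None if malformed/truncated."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        return None
    pos, labels = 12, []
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:                               # end of name
            break
        if n & 0xC0 or pos + n > len(payload):   # pointer or truncated label
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    else:
        return None                              # ran off the end before the 0 label
    if pos + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": ".".join(labels),
            "qtype": DNS_TYPES.get(qtype, str(qtype)),
            "qclass": DNS_CLASSES.get(qclass, str(qclass))}


def is_version_bind_query(q):
    """The BIND fingerprint: TXT record, CHAOS class, name version.bind."""
    return q["qclass"] == "CH" and q["qtype"] == "TXT" and q["qname"].lower() == "version.bind"


def summarize_probe(packets):
    """Order of first contact per (proto, port) plus any decoded DNS questions."""
    ports = []
    for p in packets:
        if (p["proto"], p["dport"]) not in ports:
            ports.append((p["proto"], p["dport"]))
    queries = [q for q in (decode_dns_query(p["payload"]) for p in packets
               if p["proto"] == "UDP" and p["dport"] == 53 and p["payload"]) if q]
    return {"sources": sorted({p["src"] for p in packets}), "ports": ports,
            "dns_queries": queries,
            "version_bind": any(is_version_bind_query(q) for q in queries)}
```

Running `summarize_probe(parse_snort_log(SAMPLE_LOG))` gives the port walk 515/tcp, 53/udp, 113/tcp, 23/tcp from a single source and `version_bind: True`, which is the detail worth alerting on: the packet counters at the bottom of the post show 0 alerts because the log was captured with packet logging only, so a rule matching a CHAOS-class TXT query for version.bind on port 53 is the natural thing to add.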



