Chinese hackers? - SCO


Thread: Chinese hackers?

  1. Chinese hackers?

    Several of my customers' syslog files are registering thousands of
    entries like:

    Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
    [211.40.52.10]
    Jun 11 08:27:29 aa500 last message repeated 4 times
    Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
    211.40.52.10 [211.40.52.10]

    Most (if not all) of these IP addresses lead to

    inetnum: 211.40.0.0 - 211.40.255.255
    netname: BORANET-NET-211-40
    descr: DACOM Corp.
    descr: Facility-based Telecommunication Service Provider
    descr: providing Internet leased-ine, on-line service, BLL etc.
    country: KR
    admin-c: DB50-AP
    tech-c: DB50-AP
    mnt-by: APNIC-HM
    mnt-lower: MNT-KRNIC-AP
    changed: hm-changed@apnic.net 20021025
    status: ALLOCATED PORTABLE
    source: APNIC

    role: DACOM BORANET
    address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
    address: Seoul
    country: KR

    Anybody else getting the same?

    --

    Ygnacio Moreno.

    Please remove TheObvious from my email address to respond.

  2. Re: Chinese hackers?

    On Jun 11, 1:46 pm, Y Moreno wrote:
    > Several of my customers' syslog files are registering thousands of
    > entries like:
    >
    > Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
    > [211.40.52.10]
    > Jun 11 08:27:29 aa500 last message repeated 4 times
    > Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
    > 211.40.52.10 [211.40.52.10]
    >
    > Most (if not all) of these IP addresses lead to
    >
    > inetnum: 211.40.0.0 - 211.40.255.255
    > netname: BORANET-NET-211-40
    > descr: DACOM Corp.
    > descr: Facility-based Telecommunication Service Provider
    > descr: providing Internet leased-ine, on-line service, BLL etc.
    > country: KR
    > admin-c: DB50-AP
    > tech-c: DB50-AP
    > mnt-by: APNIC-HM
    > mnt-lower: MNT-KRNIC-AP
    > changed: hm-chan...@apnic.net 20021025
    > status: ALLOCATED PORTABLE
    > source: APNIC
    >
    > role: DACOM BORANET
    > address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
    > address: Seoul
    > country: KR
    >
    > Anybody else getting the same ?
    >
    > --
    >
    > Ygnacio Moreno.
    >
    > Please remove TheObvious from my email address to respond.


    Anyone who runs any service exposed to the Internet gets lots of
    interest. Sounds like your customers really, really need to harden
    their systems and networks. Do they really need to accept FTP
    connections from everywhere?

    BTW, AFAIK China has not and has no immediate plans to annex Seoul,
    Korea.

    --RLR


  3. Re: Chinese hackers?

    ThreeStar wrote:
    > On Jun 11, 1:46 pm, Y Moreno wrote:
    >> Several of my customers' syslog files are registering thousands of
    >> entries like:
    >>
    >> Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
    >> [211.40.52.10]
    >> Jun 11 08:27:29 aa500 last message repeated 4 times
    >> Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
    >> 211.40.52.10 [211.40.52.10]
    >>
    >> Most (if not all) of these IP addresses lead to
    >>
    >> inetnum: 211.40.0.0 - 211.40.255.255
    >> netname: BORANET-NET-211-40
    >> descr: DACOM Corp.
    >> descr: Facility-based Telecommunication Service Provider
    >> descr: providing Internet leased-ine, on-line service, BLL etc.
    >> country: KR
    >> admin-c: DB50-AP
    >> tech-c: DB50-AP
    >> mnt-by: APNIC-HM
    >> mnt-lower: MNT-KRNIC-AP
    >> changed: hm-chan...@apnic.net 20021025
    >> status: ALLOCATED PORTABLE
    >> source: APNIC
    >>
    >> role: DACOM BORANET
    >> address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
    >> address: Seoul
    >> country: KR
    >>
    >> Anybody else getting the same ?
    >>
    >> --
    >>
    >> Ygnacio Moreno.
    >>
    >> Please remove TheObvious from my email address to respond.

    >
    > Anyone who runs any service exposed to the Internet gets lots of
    > interest. Sounds like your customers really, really need to harden
    > their systems and networks. Do they really need to accept FTP
    > connections from everywhere?
    >

    They don't, that's why the logins failed. Then again, are you suggesting
    filtering IP addresses for FTP?

    > BTW, AFAIK China has not and has no immediate plans to annex Seoul,
    > Korea.


    Says you

    >
    > --RLR
    >

    Thanks for your answer.



    --

    Ygnacio Moreno.

    Please remove TheObvious from my email address to respond.

  4. Re: Chinese hackers?

    In article ,
    Y Moreno wrote:
    >Several of my customers' syslog files are registering thousands of
    >entries like:
    >
    >Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10
    >[211.40.52.10]
    >Jun 11 08:27:29 aa500 last message repeated 4 times
    >Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from
    >211.40.52.10 [211.40.52.10]
    >
    >Most (if not all) of these IP addresses lead to
    >
    >inetnum: 211.40.0.0 - 211.40.255.255
    >netname: BORANET-NET-211-40
    >descr: DACOM Corp.
    >descr: Facility-based Telecommunication Service Provider
    >descr: providing Internet leased-ine, on-line service, BLL etc.
    >country: KR
    >admin-c: DB50-AP
    >tech-c: DB50-AP
    >mnt-by: APNIC-HM
    >mnt-lower: MNT-KRNIC-AP
    >changed: hm-changed@apnic.net 20021025
    >status: ALLOCATED PORTABLE
    >source: APNIC
    >
    >role: DACOM BORANET
    >address: DACOM Bldg., 706-1, Yoeksam-dong, Kangnam-ku
    >address: Seoul
    >country: KR
    >
    >Anybody else getting the same ?
    >
    >--
    >
    >Ygnacio Moreno.
    >
    >Please remove TheObvious from my email address to respond.


    In my server log files - directly connected to a tier-1 backbone -
    I've seen as high as 20,000+ attempts on some days. I have 100Mbit
    links into a 40GB backbone - so things can come in quite fast
    and rather furiously.

    They come from all over - with most from Asian countries but also
    with a large amount from some European places.

    On my FreeBSD servers I run 'denyhosts' which tracks the logs and
    adds the IPs to a list of IPs to refuse.

    It's just part of today's internet. Make sure your customers'
    machines are hardened and make sure they are behind some firewall.

    Bill
    --
    Bill Vermillion - bv @ wjv . com
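    The kind of log watching that denyhosts does, as an added example that is not from the thread or from denyhosts itself: a small Python script that counts failed ftpd logins per source address over constructed sample lines in the syslog format quoted in the first post, credits syslog's "last message repeated N times" lines to the preceding source (those lines carry no address of their own), and renders TCP-wrappers style hosts.deny entries for addresses over a threshold. The sample lines, the threshold of 5 and the assumption that ftpd is wrapped by tcpd are all mine.

    ```python
    import re
    from collections import Counter

    # Constructed sample log, modelled on the entries quoted in the thread.
    # 211.40.52.10 is the address from the post; 192.0.2.7 is a documentation address.
    SAMPLE_LOG = """\
    Jun 11 08:27:18 aa500 ftpd[11458]: failed login from 211.40.52.10 [211.40.52.10]
    Jun 11 08:27:29 aa500 last message repeated 4 times
    Jun 11 08:27:29 aa500 ftpd[11458]: repeated login failures from 211.40.52.10 [211.40.52.10]
    Jun 11 08:30:02 aa500 ftpd[11470]: failed login from 192.0.2.7 [192.0.2.7]
    Jun 11 08:31:10 aa500 ftpd[11471]: failed login from 211.40.52.10 [211.40.52.10]
    Jun 11 08:31:12 aa500 last message repeated 2 times
    Jun 11 08:32:00 aa500 sshd[11480]: some unrelated message
    """

    # The bracketed field is the numeric peer address; the token before it may be a hostname.
    FAILED_RE = re.compile(r"ftpd\[\d+\]: failed login from \S+ \[(\d+\.\d+\.\d+\.\d+)\]")
    REPEAT_RE = re.compile(r"last message repeated (\d+) times")

    def count_ftp_failures(log_text):
        """Return a Counter of failed FTP logins per source IP.

        syslog collapses consecutive identical messages into one
        'last message repeated N times' line. That line names no address,
        so its N failures are credited to the IP of the immediately
        preceding 'failed login' line. A repeat line that follows anything
        else (or another repeat line) is not a login failure and is ignored.
        The 'repeated login failures' summary line is not counted again.
        """
        counts = Counter()
        last_failed_ip = None
        for line in log_text.splitlines():
            m = FAILED_RE.search(line)
            if m:
                last_failed_ip = m.group(1)
                counts[last_failed_ip] += 1
                continue
            m = REPEAT_RE.search(line)
            if m and last_failed_ip is not None:
                counts[last_failed_ip] += int(m.group(1))
            last_failed_ip = None  # any other message breaks the chain
        return counts

    def offenders(counts, threshold=5):
        """Addresses with at least `threshold` failures, sorted for stable output."""
        return sorted(ip for ip, n in counts.items() if n >= threshold)

    def hosts_deny_lines(ips, daemon="ftpd"):
        """Render TCP-wrappers hosts.deny entries (daemon: client), assuming ftpd runs under tcpd."""
        return [f"{daemon}: {ip}" for ip in ips]

    if __name__ == "__main__":
        print("\n".join(hosts_deny_lines(offenders(count_ftp_failures(SAMPLE_LOG)))))
    ```

    A real deployment would read the live syslog, keep state between runs and expire entries, which is what denyhosts adds on top of this counting step.
    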
