I received this report from a friend. Looks similar. Coming out of Japan. It was his first one, but he has had others in the last few days just like it.
http://www.variate.net/deviate/tech/foo/scans/possible_new_worm.txt

source = 61.213.140.76

inetnum: 61.200.0.0 - 61.215.255.255
netname: JPNIC-NET-JP
descr: Japan Network Information Center
country: JP
admin-c: JNIC1-AP
tech-c: JNIC1-AP
rev-srv: ns0.nic.ad.jp
rev-srv: ns.wide.ad.jp
rev-srv: ns0.iij.ad.jp
rev-srv: dns0.spin.ad.jp
rev-srv: ns-jp.sinet.ad.jp
rev-srv: ns-jp.ntt.net
remarks: JPNIC Allocation Block
remarks: Authorative information regarding assignments and
remarks: allocations made from within this block can also be
remarks: queried at whois.nic.ad.jp. To obtain an English
remarks: output query whois -h whois.nic.ad.jp x.x.x.x/e
mnt-by: APNIC-HM
mnt-lower: MAINT-JPNIC
changed: [EMAIL PROTECTED] 20010130
status: ALLOCATED PORTABLE
source: APNIC

role: Japan Network Information Center
address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address: Chiyoda-ku, Tokyo 101-0047, Japan
country: JP
phone: +81-3-5297-2311
fax-no: +81-3-5297-2312
e-mail: [EMAIL PROTECTED]
admin-c: SN108-AP
tech-c: KS218-AP
nic-hdl: JNIC1-AP
mnt-by: MAINT-JPNIC
changed: [EMAIL PROTECTED] 19990629
changed: [EMAIL PROTECTED] 20011011
changed: [EMAIL PROTECTED] 20021018
source: APNIC

inetnum: 61.213.140.72 - 61.213.140.79
netname: TRAVEX-NET
descr: Travex Japan
country: JP
admin-c: YK8008JP
tech-c: YK8008JP
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks: Japanese output, use the /e switch for English output)
changed: [EMAIL PROTECTED] 20011127

remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
remarks: Japanese output, use the /e switch for English output)
changed: [EMAIL PROTECTED] 20021113
source: JPNIC

Michael Rondello
Unix Systems Administrator, Network Engineering
SatoTravel, a Navigant International Corporation
[EMAIL PROTECTED]

>>> Michael Scheidell <[EMAIL PROTECTED]> 11/16/02 05:31PM >>>

First time I saw this one was two Fridays ago. Also reported by someone on the Nessus list. Remarked that it had a lot of scans not in the Nessus database.

In fact, each time it hit, it hit destination IP address 1500 times.

Does not look like a 'worm' (not in dshield or mynetwatchman except for this target) and was not repeated (except now, different attack source).

First attack was from the Bristol CT, Board of Education. Second (just now) from Belgium.

mail.panatw.com [217.66.5.89]
PAN OCEAN SHIPPING CO
country: BE
admin-c: RM4340-RIPE
tech-c: DG119-RIPE
status: ASSIGNED PA
mnt-by: SEAGHA-MNT
changed: [EMAIL PROTECTED] 20011205

See http://www.mynetwatchman.com/LID.asp?IID=13784474 for Belgium attack.

Full logs can be sent if needed.

--
Michael Scheidell, CEO
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/
