fyi, i saw this come from a mail server in the UK:

Name: mail.kpf.co.uk
Address: 195.152.216.2

http://www.variate.net/deviate/tech/foo/scans/possible_new_worm2.txt

here is another one i saw:

http://www.variate.net/deviate/tech/foo/scans/possible_new_worm3.txt

all 3 of these hit me within a space of 9 days, looks like a possible worm. if i can publish any more information on scans like these i will.

Eoin Miller
[EMAIL PROTECTED]

> -----Original Message-----
> From: Mike Rondello [mailto:[EMAIL PROTECTED]]
> Sent: Friday, November 22, 2002 5:32 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: Miller, Eoin; [EMAIL PROTECTED]
> Subject: Re: new attack scanner?
>
> I received this report from a friend. Looks similar.
> coming out of japan.
> It was his first one, but he has had others in the last few
> days just like it.
>
> http://www.variate.net/deviate/tech/foo/scans/possible_new_worm.txt
>
> source = 61.213.140.76
>
> inetnum: 61.200.0.0 - 61.215.255.255
> netname: JPNIC-NET-JP
> descr: Japan Network Information Center
> country: JP
> admin-c: JNIC1-AP
> tech-c: JNIC1-AP
> rev-srv: ns0.nic.ad.jp
> rev-srv: ns.wide.ad.jp
> rev-srv: ns0.iij.ad.jp
> rev-srv: dns0.spin.ad.jp
> rev-srv: ns-jp.sinet.ad.jp
> rev-srv: ns-jp.ntt.net
> remarks: JPNIC Allocation Block
> remarks: Authorative information regarding assignments and
> remarks: allocations made from within this block can also be
> remarks: queried at whois.nic.ad.jp. To obtain an English
> remarks: output query whois -h whois.nic.ad.jp x.x.x.x/e
> mnt-by: APNIC-HM
> mnt-lower: MAINT-JPNIC
> changed: [EMAIL PROTECTED] 20010130
> status: ALLOCATED PORTABLE
> source: APNIC
>
> role: Japan Network Information Center
> address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
> address: Chiyoda-ku, Tokyo 101-0047, Japan
> country: JP
> phone: +81-3-5297-2311
> fax-no: +81-3-5297-2312
> e-mail: [EMAIL PROTECTED]
> admin-c: SN108-AP
> tech-c: KS218-AP
> nic-hdl: JNIC1-AP
> mnt-by: MAINT-JPNIC
> changed: [EMAIL PROTECTED] 19990629
> changed: [EMAIL PROTECTED] 20011011
> changed: [EMAIL PROTECTED] 20021018
> source: APNIC
>
> inetnum: 61.213.140.72 - 61.213.140.79
> netname: TRAVEX-NET
> descr: Travex Japan
> country: JP
> admin-c: YK8008JP
> tech-c: YK8008JP
> remarks: This information has been partially mirrored by APNIC from
> remarks: JPNIC. To obtain more specific information, please use the
> remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
> remarks: Japanese output, use the /e switch for English output)
> changed: [EMAIL PROTECTED] 20011127
> remarks: This information has been partially mirrored by APNIC from
> remarks: JPNIC. To obtain more specific information, please use the
> remarks: JPNIC whois server at whois.nic.ad.jp. (This defaults to
> remarks: Japanese output, use the /e switch for English output)
> changed: [EMAIL PROTECTED] 20021113
> source: JPNIC
>
> Michael Rondello
> Unix Systems Administrator, Network Engineering
> SatoTravel, a Navigant International Corporation
> [EMAIL PROTECTED]
>
> >>> Michael Scheidell <[EMAIL PROTECTED]> 11/16/02 05:31PM >>>
> First time I saw this one was two Fridays ago.
> Also reported by someone on the Nessus list.
> Remarked that it had a lot of scans not in the nessus database.
>
> In fact, each time it hit, it hit destination ip address 1500 times.
> Does not look like a 'worm' (not in dshield or mynetwatchman except for
> this target) and was not repeated (except now, different attack source)
>
> first attack was from the Bristol CT, Board of Education.
>
> Second (just now) from Belgium. mail.panatw.com [217.66.5.89]
>
> PAN OCEAN SHIPPING CO
> country: BE
> admin-c: RM4340-RIPE
> tech-c: DG119-RIPE
> status: ASSIGNED PA
> mnt-by: SEAGHA-MNT
> changed: [EMAIL PROTECTED] 20011205
>
> See http://www.mynetwatchman.com/LID.asp?IID=13784474 for Belgium attack
>
> Full logs can be sent if needed.
>
> --
> Michael Scheidell, CEO
> SECNAP Network Security, LLC
> Sales: 866-SECNAPNET / (1-866-732-6276)
> Main: 561-368-9561 / www.secnap.net
> Looking for a career in Internet security?
> http://www.secnap.net/employment/
