[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?
White, Gerard
Gerard.White at aliant.ca
Mon Mar 24 19:46:12 EDT 2008
>
> So this whole vector could be nasty. SP to customer: "Yo customers, your
> home gateway is owned by some rerow badguy in China. You need to unplug
> it, throw it away and get a new one." Customer to SP: "yea right, you
> are just trying to sell me your stuff. You already charge me too much
> and your service sucks - I've got lousy performance."
>
Oh the irony...

If you take the "Dark IP Seeding" system I have in place here (i.e. seeding across your IP space with /31's) and look at the last 8 hours for what's been scanning for TCP/23 against two of our /16's, you get this:
AS    | IP              | AS Name
24138 | 61.233.11.69    | CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunicati
4134  | 61.153.176.176  | CHINANET-BACKBONE No.31,Jin-rong Street
4134  | 61.131.10.66    | CHINANET-BACKBONE No.31,Jin-rong Street
4134  | 59.42.177.60    | CHINANET-BACKBONE No.31,Jin-rong Street
4812  | 222.69.60.119   | CHINANET-SH-AP China Telecom (Group)
4837  | 222.141.220.198 | CHINA169-BACKBONE CNCGROUP China169 Backbone
9318  | 218.38.28.147   | HANARO-AS Hanaro Telecom Inc.
4538  | 210.41.163.3    | ERX-CERNET-BKB China Education and Research Network
24138 | 61.233.11.69    | CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunicati
4134  | 61.153.176.176  | CHINANET-BACKBONE No.31,Jin-rong Street
4134  | 61.131.10.66    | CHINANET-BACKBONE No.31,Jin-rong Street
4134  | 59.42.177.60    | CHINANET-BACKBONE No.31,Jin-rong Street
4812  | 222.69.60.119   | CHINANET-SH-AP China Telecom (Group)
4837  | 222.141.220.198 | CHINA169-BACKBONE CNCGROUP China169 Backbone
9318  | 218.38.28.147   | HANARO-AS Hanaro Telecom Inc.
4538  | 210.41.163.3    | ERX-CERNET-BKB China Education and Research Network
3786  | 210.108.47.31   | LGDACOM LG DACOM Corporation
9911  | 202.27.17.234   | CONNECTPLUS-AP Singapore Telecom
4134  | 202.100.68.17   | CHINANET-BACKBONE No.31,Jin-rong Street
1659  | 192.192.72.66   | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Info
4766  | 121.159.55.135  | KIXS-AS-KR Korea Telecom
See anything "common" about this source list? Hmmmm....

Incidentally, the TCP/23 sweeps are being done across /24's within the IP space segments I sampled...
GW
855 - Aliant
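As an added example (not Gerard's tool or anything from Aliant), here is a small Python triage script for the kind of dark IP seeding described in the message above: it reads sensor lines for packets to seeded /31 addresses, keeps only TCP/23 SYNs (bare ACKs and RSTs to dark space are usually backscatter from someone else's spoofed attack, not a scan), counts distinct dark hosts hit per source, enriches each source with an AS through a stand-in prefix table where a live IP-to-ASN whois lookup would normally sit, and flags any source that is walking a /24. The log line format, the seeded /31s, the AS table, every address (RFC 5737 documentation ranges) and every ASN (RFC 5398 documentation range) are constructed for the example; none of them come from the original post.

```python
"""Darknet (dark IP seeding) TCP/23 scan triage.  Added example, not the
original poster's tool.  The sensor line format, the seeded /31s, the AS
table and all addresses/ASNs below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample sensor lines; hypothetical format:
#   "<epoch> <src>:<sport> > <dst>:<dport> <tcp flags>"
SAMPLE_LOG = """\
1206402000 198.51.100.7:4123 > 192.0.2.10:23 S
1206402001 198.51.100.7:4124 > 192.0.2.11:23 S
1206402002 198.51.100.7:4125 > 192.0.2.12:23 S
1206402003 198.51.100.7:4126 > 192.0.2.13:23 S
1206402010 198.51.100.200:52000 > 192.0.2.10:23 S
1206402011 203.0.113.9:3333 > 192.0.2.11:80 S
1206402012 203.0.113.9:3334 > 192.0.2.40:23 S
1206402013 203.0.113.9:3335 > 192.0.2.41:23 S
1206402014 198.51.100.200:52001 > 192.0.2.100:23 S
1206402015 198.51.100.200:52002 > 192.0.2.11:23 A
1206402016 203.0.113.9:3336 > 192.0.2.50:23 S
"""

# Seeded dark /31s inside the monitored block (192.0.2.0/24 is documentation space).
DARK_SEEDS = ["192.0.2.10/31", "192.0.2.12/31", "192.0.2.40/31", "192.0.2.100/31"]

# Hypothetical prefix -> (ASN, AS name) table standing in for a live
# IP-to-ASN whois lookup.  ASNs are from the documentation range (RFC 5398).
AS_TABLE = {
    "198.51.100.0/24": (64496, "EXAMPLE-NET-1 Example Transit One"),
    "203.0.113.0/24": (64497, "EXAMPLE-NET-2 Example Transit Two"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict for one sensor line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("ts", "sport", "dport"):
        rec[k] = int(rec[k])
    return rec


def lookup_as(ip, table=AS_TABLE):
    """Longest-prefix match of ip against table; (None, 'NA') when unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, info in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else (None, "NA")


def telnet_scanners(log_text, seeds=DARK_SEEDS, dport=23):
    """Map each source that sent a pure SYN to a seeded dark address on dport
    to the set of dark hosts it touched.  Non-SYN packets are skipped: an ACK
    or RST arriving at dark space is backscatter, not a scan of us."""
    dark = [ipaddress.ip_network(s) for s in seeds]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport or rec["flags"] != "S":
            continue
        dst = ipaddress.ip_address(rec["dst"])
        if any(dst in net for net in dark):
            hits[rec["src"]].add(str(dst))
    return hits


def sweeping_sources(hits, min_hosts=3):
    """Sources that hit at least min_hosts distinct dark hosts inside one /24,
    i.e. the /24 sweeps the post describes.  Returns src -> sorted list of /24s."""
    sweeps = {}
    for src, dsts in hits.items():
        per24 = defaultdict(int)
        for d in dsts:
            per24[str(ipaddress.ip_network(d + "/24", strict=False))] += 1
        blocks = sorted(b for b, n in per24.items() if n >= min_hosts)
        if blocks:
            sweeps[src] = blocks
    return sweeps


def report(hits):
    """Rows in the 'AS | IP | AS Name' shape of the post, plus dark hosts hit,
    sorted by ASN then source address."""
    rows = []
    for src, dsts in hits.items():
        asn, name = lookup_as(src)
        rows.append((asn, src, name, len(dsts)))
    rows.sort(key=lambda r: (r[0] or 0, ipaddress.ip_address(r[1])))
    return rows


if __name__ == "__main__":
    h = telnet_scanners(SAMPLE_LOG)
    print("AS | IP | AS Name | dark hosts hit")
    for asn, ip, name, n in report(h):
        print(f"{asn} | {ip} | {name} | {n}")
    for src, blocks in sweeping_sources(h).items():
        print(f"{src} is sweeping TCP/23 across {', '.join(blocks)}")
```

In practice the sensor feed is whatever logs SYNs to the seeded /31s (a firewall deny log, a flow export, or a pcap reduced to one line per packet), and the AS table is replaced by a bulk IP-to-ASN lookup; the per-source /24 counting is what separates a host actually walking your space from a one-off hit on a single dark address.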