[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?

John Fraizer john at op-sec.us
Mon Mar 24 19:49:00 EDT 2008


So, what is your point, grasshopper? :)


John Fraizer
Senior Internetworking Engineer
NOC Engineering
NuVox Communications, Inc
(864)331-7575 work
-Sent from my Treo SmartPhone
-----Original Message-----
From: "White, Gerard" <Gerard.White at aliant.ca>
Date: Monday, Mar 24, 2008 7:46 pm
Subject: Re: [nsp-sec] dlink router worm or dlink compromise leads to infected PCs?
To: "Barry Greene (bgreene)" <bgreene at cisco.com>, "Rob Thomas" <robt at cymru.com>, "Smith, Donald" <Donald.Smith at qwest.com>
CC: nsp-security at puck.nether.net

----------- nsp-security Confidential --------
>
>> So this whole vector could be nasty. SP to customer: "Yo customers, your
>> home gateway is owned by some rerow badguy in China. You need to unplug
>> it, throw it away and get a new one." Customer to SP: "yea right, you
>> are just trying to sell me your stuff. You already charge me too much
>> and your service sucks - I've got lousy performance."
>
>Oh the irony...
>
>If you take the "Dark IP Seeding" system I have in place here (i.e. Seeding across your IP space
>with /31's) and look at the last 8 hours for what's been scanning for TCP/23 against two of our
>/16's, you get this:
>
>AS      | IP               | AS Name
>24138   | 61.233.11.69     | CRNET_BJ_IDC-CNNIC-AP China Tietong Telecommunicati
>4134    | 61.153.176.176   | CHINANET-BACKBONE No.31,Jin-rong Street
>4134    | 61.131.10.66     | CHINANET-BACKBONE No.31,Jin-rong Street
>4134    | 59.42.177.60     | CHINANET-BACKBONE No.31,Jin-rong Street
>4812    | 222.69.60.119    | CHINANET-SH-AP China Telecom (Group)
>4837    | 222.141.220.198  | CHINA169-BACKBONE CNCGROUP China169 Backbone
>9318    | 218.38.28.147    | HANARO-AS Hanaro Telecom Inc.
>4538    | 210.41.163.3     | ERX-CERNET-BKB China Education and Research Network
>3786    | 210.108.47.31    | LGDACOM LG DACOM Corporation
>9911    | 202.27.17.234    | CONNECTPLUS-AP Singapore Telecom
>4134    | 202.100.68.17    | CHINANET-BACKBONE No.31,Jin-rong Street
>1659    | 192.192.72.66    | ERX-TANET-ASN1 Tiawan Academic Network (TANet) Info
>4766    | 121.159.55.135   | KIXS-AS-KR Korea Telecom
>
>See anything "common" about this source list?  Hmmmm....
>
>Incidentally, the TCP/23 sweeps are being done across /24's within the IP space segments
>I sampled...
>
>GW
>855 - Aliant
>
>
>
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.n
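The "dark IP seeding" approach Gerard describes above (unused /31s scattered through live address space, then counting who probes TCP/23 against them and mapping the sources to origin ASNs) is easy to reproduce in a few dozen lines. The script below is an added example and is not part of the thread or of anyone's production tooling. Everything in it is constructed: the seeded /31s live in the TEST-NET ranges 192.0.2.0/24 and 198.51.100.0/24 standing in for "our /16s", the flow records are made up (source addresses borrowed from the list above), and the prefix-to-AS dictionary is a hypothetical stand-in for a real Team Cymru whois lookup (whois -h whois.cymru.com). A source is called a sweep when it has hit at least three distinct seeded addresses inside one /24, which is what walking a /24 looks like from a darknet's point of view.

```python
"""Telnet-sweep detection over seeded dark /31s (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Hypothetical seeded /31s inside two TEST-NET /24s that stand in for "our /16s".
DARK_SEEDS = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.8/31", "192.0.2.200/31", "198.51.100.40/31", "198.51.100.250/31")
]

# Constructed flow records: (src_ip, dst_ip, dst_port). Sources are borrowed from the
# list in the thread; destinations are seeds above plus a few live (non-seed) hosts.
SAMPLE_FLOWS = [
    ("61.233.11.69", "192.0.2.8", 23),
    ("61.233.11.69", "192.0.2.9", 23),
    ("61.233.11.69", "192.0.2.200", 23),
    ("61.233.11.69", "198.51.100.40", 23),
    ("61.233.11.69", "198.51.100.251", 23),
    ("222.69.60.119", "198.51.100.40", 23),
    ("222.69.60.119", "198.51.100.41", 23),
    ("222.69.60.119", "198.51.100.250", 23),
    ("192.0.2.50", "192.0.2.9", 23),       # one hit on one seed: not a sweep
    ("61.153.176.176", "192.0.2.8", 80),   # not TCP/23: ignored
    ("218.38.28.147", "192.0.2.77", 23),   # live host, not a seed: ignored
]

# Hypothetical prefix -> (ASN, AS name) table. A real deployment would query
# Team Cymru's whois service instead of hard-coding this.
ASN_TABLE = {
    "61.233.0.0/16": (24138, "CRNET_BJ_IDC-CNNIC-AP"),
    "222.69.0.0/16": (4812, "CHINANET-SH-AP"),
    "61.153.0.0/16": (4134, "CHINANET-BACKBONE"),
    "218.38.0.0/16": (9318, "HANARO-AS"),
}


def is_seed(dst: str) -> bool:
    """True when dst is one of the seeded dark /31 addresses."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARK_SEEDS)


def lookup_asn(src: str):
    """Longest-prefix match of src against ASN_TABLE; (0, 'UNKNOWN') when absent."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, info in ASN_TABLE.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else (0, "UNKNOWN")


def summarize(flows, port=23):
    """Per source: total dark hits and, per destination /24, the distinct seeds touched."""
    stats = defaultdict(lambda: {"hits": 0, "per_block": defaultdict(set)})
    for src, dst, dport in flows:
        if dport != port or not is_seed(dst):
            continue  # only seed traffic on the port of interest counts
        block = str(ipaddress.ip_network(f"{dst}/24", strict=False))
        stats[src]["hits"] += 1
        stats[src]["per_block"][block].add(dst)
    return dict(stats)


def sweeps(stats, min_seeds=3):
    """Sources that hit at least min_seeds distinct seeded addresses inside one /24."""
    return {
        src: s
        for src, s in stats.items()
        if any(len(addrs) >= min_seeds for addrs in s["per_block"].values())
    }


def by_asn(stats):
    """Rows in Team Cymru 'AS | IP | AS Name' order, sorted by source address."""
    rows = []
    for src in sorted(stats, key=ipaddress.ip_address):
        asn, name = lookup_asn(src)
        rows.append((asn, src, name))
    return rows


if __name__ == "__main__":
    found = sweeps(summarize(SAMPLE_FLOWS))
    print("AS      | IP               | AS Name")
    for asn, ip, name in by_asn(found):
        print(f"{asn:<7} | {ip:<16} | {name}")
```

The per-/24 bookkeeping matters more than the raw hit count: a scanner walking a block hits every seed in it, while a single mistyped connection to one dark address does not, and the table at the end groups the survivors by origin AS so the "anything common about this source list" question can be answered from the data rather than by eye.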