[nsp-sec] China contact?

Yonglin ZHOU yonglin.zhou at gmail.com
Sun Mar 6 06:31:00 EST 2011


Krista,

We will deal with it soon.

BTW: For incidents involving IPs or domain names in the Chinese network, you
could contact me or our incident handling service: cncert at cert.org.cn. We
will try to coordinate with the relevant entities to handle it, in case you
cannot contact the entities who own or manage them directly.

Yonglin.
CNCERT/CC



On Sat, Mar 5, 2011 at 3:38 AM, Krista Hickey <Krista.Hickey at cogeco.com> wrote:

> ----------- nsp-security Confidential --------
>
> Hi All
>
> Does anyone have any trusted contacts that can take a look at 222.35.34.132
>
> AS      | IP               | AS Name
> 4808    | 222.35.34.132    | CHINA169-BJ CNCGROUP IP network China169
> Beijing Province Network
> 24138   | 222.35.34.132    | CRNET_BJ_IDC-CNNIC-AP China Tietong
> Telecommunication Corporation
> 38356   | 222.35.34.132    | NETEON Beijing Neteon Tech Co, Ltd.
>
> I've just concluded an investigation whereby this IP was relaying a large
> amount of pharmaceutical spam via destination port 35 on exploited
> Grandstream HT-502 VOIP adapters that some of our subscribers use to receive
> 3rd party VOIP services. I do not have in-depth information, but apparently
> these Grandstream devices were vulnerable to an external hack prior to
> firmware 1.0.57 that allowed miscreants to use them for DNS purposes (I do
> not have further details on that) or as a mail relay since approx. Aug 2010.
>
> I have worked with the 3rd party VOIP provider that provides service to our
> subscribers to eliminate this threat from our network, but IP 222.35.34.132
> is still making a few attempts, as it has since at least January 2011 when I
> started investigating. My investigation revealed that vulnerable hosts were
> relaying approx. 5000 pharma spam messages per host per day. A spam
> researcher I spoke to about this theorized the spam looked like the Bagle-CB
> spambot, but I did not confirm this; however, if there's interest I can
> probably get you in touch for further discussion.
>
> If anyone would like further information, let me know. You may want to take
> a look at your network for activity to/from 222.35.34.132, port 35, and if
> you have the ability to correlate, it might be prudent to take a quick peek at
> what hosts with MAC addresses beginning with 000B82 are doing on your network.
>
> Krista
> 7992
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>



-- 
----------------- Enjoy the life --------------------
Yonglin ZHOU
Fixed line: + 86 10 8299 0355  Fax: +86 10 8299 0399
Email: zyl at cert.org.cn,  yonglin.zhou at gmail.com
-------------------------------------------------------------------------
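As an added example (not part of the original thread, and not tooling from Cogeco, CNCERT or the list), the following Python script correlates the three indicators Krista lists: flows to/from 222.35.34.132 that involve port 35, hosts whose MAC address begins with 000B82 (the Grandstream OUI), and hosts making many outbound SMTP connections, which is the relay behaviour she describes. The flow and ARP/DHCP line formats, the 10.0.0.0/8 subscriber range and the SMTP threshold are assumptions for the example; every sample record is constructed.

```python
"""Detection helper: correlate flow records with an ARP/DHCP table against the
three indicators in the thread (suspect IP + port 35, Grandstream OUI 00:0B:82,
heavy outbound SMTP). Sample data below is constructed; log formats are assumed."""
from collections import Counter, defaultdict

SUSPECT_IP = "222.35.34.132"   # relay IP named in the thread
SUSPECT_PORT = 35              # port the exploited adapters were reached on
GRANDSTREAM_OUI = "000b82"     # OUI quoted in the thread (00:0B:82)
SMTP_PORT = 25
LOCAL_PREFIX = "10."           # assumption: subscriber space is 10.0.0.0/8

# Constructed flow export (assumed format): timestamp src sport dst dport proto bytes
SAMPLE_FLOWS = """\
2011-01-14T03:12:09 222.35.34.132 40213 10.20.5.17 35 tcp 1240
2011-01-14T03:12:11 10.20.5.17 35 222.35.34.132 40213 tcp 880
2011-01-14T03:13:02 10.20.5.99 51000 198.51.100.7 443 tcp 5400
2011-01-14T03:14:45 222.35.34.132 40990 10.20.7.3 35 tcp 2100
2011-01-14T03:15:00 10.20.5.17 42000 198.51.100.9 25 tcp 3000
2011-01-14T03:15:01 10.20.5.17 42001 198.51.100.10 25 tcp 3100
2011-01-14T03:15:02 10.20.5.17 42002 198.51.100.11 25 tcp 2950
2011-01-14T03:16:30 10.20.5.99 42003 198.51.100.12 25 tcp 2900
2011-01-14T03:20:00 222.35.34.132 5060 10.20.9.8 5060 udp 400
"""

# Constructed ARP/DHCP table (assumed format): ip mac
SAMPLE_ARP = """\
10.20.5.17 00:0b:82:1a:2b:3c
10.20.5.99 00:1e:8c:aa:bb:cc
10.20.7.3 00-0B-82-44-55-66
10.20.9.8 00:0b:82:77:88:99
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def normalize_mac(mac):
    """Strip ':' '-' '.' separators and lowercase so different dumps compare equal."""
    return mac.replace(":", "").replace("-", "").replace(".", "").lower()


def is_grandstream(mac):
    return normalize_mac(mac).startswith(GRANDSTREAM_OUI)


def parse_arp(text):
    table = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()
            table[ip] = normalize_mac(mac)
    return table


def suspect_port35_flows(flows):
    """Flows that involve the suspect IP and carry port 35 on either side."""
    return [f for f in flows
            if SUSPECT_IP in (f["src"], f["dst"])
            and SUSPECT_PORT in (f["sport"], f["dport"])]


def local_peer(flow):
    return flow["dst"] if flow["src"] == SUSPECT_IP else flow["src"]


def outbound_smtp_counts(flows):
    """Count outbound TCP/25 connections per local host (a spam-relay signal)."""
    counts = Counter()
    for f in flows:
        if f["dport"] == SMTP_PORT and f["src"].startswith(LOCAL_PREFIX):
            counts[f["src"]] += 1
    return counts


def correlate(flows, arp, smtp_threshold=100):
    """Per-host findings; only hosts matching at least one indicator are kept.
    smtp_threshold is an assumed per-window cutoff, not a value from the thread."""
    report = defaultdict(lambda: {"mac": None, "grandstream": False,
                                  "port35_flows": 0, "smtp_out": 0, "reasons": []})
    for f in suspect_port35_flows(flows):
        report[local_peer(f)]["port35_flows"] += 1
    for ip, n in outbound_smtp_counts(flows).items():
        report[ip]["smtp_out"] = n
    for ip, mac in arp.items():
        if is_grandstream(mac):
            report[ip]["grandstream"] = True
    for ip, r in report.items():
        r["mac"] = arp.get(ip)
        if r["port35_flows"]:
            r["reasons"].append("port 35 traffic with " + SUSPECT_IP)
        if r["grandstream"]:
            r["reasons"].append("Grandstream OUI")
        if r["smtp_out"] >= smtp_threshold:
            r["reasons"].append("high outbound SMTP")
    return {ip: r for ip, r in report.items() if r["reasons"]}


if __name__ == "__main__":
    # Threshold of 3 is only for the small constructed sample; the ~5000/host/day
    # figure in the thread suggests a much higher production cutoff.
    findings = correlate(parse_flows(SAMPLE_FLOWS), parse_arp(SAMPLE_ARP), smtp_threshold=3)
    for ip, r in sorted(findings.items()):
        print(ip, r["mac"], "; ".join(r["reasons"]))
```

Port 35 is matched on either side of the flow because the thread says the adapters were reached on destination port 35 but the replies carry it as the source port; the OUI check is applied to the whole ARP/DHCP table, not just hosts seen in flows, so a Grandstream device that has not yet talked to the suspect IP still surfaces for review.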


