I might add that the "quality" of the attacks from the .cn addresses is different from that *I* see most here in the US. The US generates the stray probes on NetBios most often. That's pure script kiddie.

The ADSL connection went wonkity tonight - rain in the wires I suspect. I got knocked off line several times. One address I had was probed continually on ports that the IANA port list doesn't show as anything for one number and an obscure service for the other, 4844 and 4856. These were from China. I also received a systematic probe sequence for 25, 80, 81(!), and 1000(!) for several minutes - from China - from the same address, 208.178.159.73. Although I admit this was from ROC rather than the mainland. I also got a larger than usual number of attacks on NetBios-ns UDP. I figure that's script kiddie. The 208 address was persistent enough I suspect it was somebody trying to get back into the machine that had been on that address that he was into. Ditto the 4844/4856 trials that persisted for a long time.

Asia is a major source of what I see making serious attempts. And among the Asians the mainland Chinese, .cn type addresses, stand out. Rather than block individual addresses I simply leave all addresses blocked and open one or two specific addresses. Life's easier that way.

{^_-} {^_^}

----- Original Message -----
From: "Cochran Robert L (NO)" <Robert.L.Cochran@irs.gov>

> I have to agree with jdow also. I'm getting hit with attacks from 21cn.com
> too. They make up the bulk of the attacks on me. Someone out there has the
> time and resources to do these attacks; every time I block an IP address a
> new one gets used. Maybe I shouldn't be so politically correct when it comes
> to my own system's security.
>
> And yes I know this is an Outlook email. I sent it in plain text. I'm sorry
> if Outlook and/or Exchange clobbers it into HTML and tiny fonts. I couldn't
> hold my tongue...
>
> Thanks
>
> Robert L. Cochran
>
> -----Original Message-----
> From: jdow [mailto:jdow@earthlink.net]
>
> From: "Ed Wilts" <ewilts@ewilts.org>
>
> > On Thu, Nov 07, 2002 at 05:24:14PM -0800, jdow wrote:
> > > The Chinese are at it again, either second hand through a hacked host or
> > > first hand.
> >
> > I don't think that's called for in this forum. After all, we don't
> > claim "The Americans are at it again" when the majority of the hacker
> > attempts come from US-based systems.
>
> 1) At least a third to a half the attacks on my system's interfaces trace
>    back to a .cn address. Should I deny this is the case? I did remark it
>    was either them or their hacked insecure systems, which are the two
>    possibilities.
> 2) If you notice the map on http://www.incidents.org/ you might note that
>    the pie circle over Asia is as big as that over the US, lately. (That
>    rather surprised me.) Of course, I freely admit that this merely indicates
>    the machines doing the attacking are in Asia. The attackers may be doing
>    it through Asian cutouts. (The percentage of attacks traceable to Asia
>    in the gateway here that are Chinese is higher than others seem to report.
>    I am not sure what that tells me. Nonetheless they are Chinese machines.)
> 3) I categorically refuse to be nice and politically correct and not profile
>    attacks when my own security is at stake.
>
> So a great big
> {`,'} to you, sir.
>
> --
> Psyche-list mailing list
> Psyche-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/psyche-list