Subject: Re: large scale distributed scan from Israel
From: mixter2XS.CO.IL
Date: Tue Aug 01 2000 - 19:03:41 CDT


Have you tried contacting the admin of that address block directly
before notifying your local CERT? IMHO, that's the best general
practice, and you have the best chances of a fast reply...
Contact for Israel addresses can best be gotten from the ripe.net database.
212.179.0.0/17 is listed as ISDN Net Ltd. and is a large dialup
pool, if I'm not mistaken. Probably someone is trying to get away
with scanning/intruding by hopping to a new dynamic address frequently.
62.0.55.* should be a small business hosted by Netvision, a large ISP.

On Tue, 1 Aug 2000, Russell Fulton wrote:

> HI,
> This is a slightly edited (and truncated -- I've deleted most
> of the logs) report I have just sent off to AusCERT about this incident.
>
> AusCERT are trying to contact people in Israel...
>
> Summary of my analysis to date:
>
> Duration: 24th Jul 2000 at 19:11 (UTC) to present.
> Frequency: 50 - 100 probes an hour from several different IP
> addresses.
>
> The two addresses in 62.0.55/16 seem to be active intermittently over at
> least 4 days -- my slow scan detector picked this up. The other source
> addresses are active for quite short periods. Either these people have
> *a lot* (hundreds) of systems at their disposal or possibly they have
> compromised one system which can 'see' traffic for a large chunk of
> Israel's IP traffic and they are scanning using IP addresses that they
> know are not active and snooping the responses.
>
> Either scenario is cause for concern.
>
> Typically each source IP seems to be 'active' for about half an hour
> and probes a dozen or so addresses in our /16 network (130.216) with
> the same last octet.
>
> e.g. pulling 212.179.30.13 from the log we get:
>
> 31 Jul 00 15:52:10 s tcp 212.179.30.13.23226 -> 130.216.4.18.110 5 0 0 0 s
> 31 Jul 00 15:54:47 tcp 212.179.30.13.20184 <| 130.216.196.18.143 1 1 0 0 sR
> 31 Jul 00 15:58:28 s tcp 212.179.30.13.20600 -> 130.216.20.18.143 5 0 0 0 s
> 31 Jul 00 15:59:37 s tcp 212.179.30.13.20728 -> 130.216.148.18.110 5 0 0 0 s
> 31 Jul 00 16:01:36 s tcp 212.179.30.13.20950 -> 130.216.52.18.110 5 0 0 0 s
> 31 Jul 00 16:02:57 s tcp 212.179.30.13.21101 -> 130.216.116.18.110 5 0 0 0 s
> 31 Jul 00 16:04:09 s tcp 212.179.30.13.21234 -> 130.216.12.18.143 5 0 0 0 s
> 31 Jul 00 16:09:52 s tcp 212.179.30.13.21864 -> 130.216.28.18.143 5 0 0 0 s
> 31 Jul 00 16:12:24 s tcp 212.179.30.13.22140 -> 130.216.60.18.143 5 0 0 0 s
> 31 Jul 00 16:13:48 s tcp 212.179.30.13.22294 -> 130.216.124.18.143 5 0 0 0 s
> 31 Jul 00 16:19:33 tcp 212.179.30.13.22917 <| 130.216.162.18.143 1 1 0 0 sR
> 31 Jul 00 16:18:30 s tcp 212.179.30.13.22804 -> 130.216.34.18.143 2 0 0 0 s
>
> There seem to be two scans running probing different third octets.
>
> Cheers, Russell.
>
> Russell Fulton, The University of Auckland, New Zealand
>

-------------------------------------------------
Personally expressed opinions do not necessarily
represent the opinions of 2XS Limited.
-------------------------------------------------
Mixter 2xs LTD.
Tel: 972-9-9519980 Fax: 972-9-9519982
Mail: mixter2xs.co.il Web: http://www.2xs.co.il
-------------------------------------------------
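Added example, not code from either poster: a small Python detector for the pattern Russell describes in the quoted report, where each source walks the third octet of the /16 while the last octet of the destination stays fixed, and several sources share that last octet. It runs over constructed log lines in the same argus-style layout as the quoted excerpt; the 130.216 prefix, the threshold of three distinct third octets, and the sample events themselves are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the argus-style layout of the quoted report:
# date time [flag] proto src.port dir dst.port pkts pkts bytes bytes state.
SAMPLE_LOG = """\
31 Jul 00 15:52:10 s tcp 212.179.30.13.23226 -> 130.216.4.18.110 5 0 0 0 s
31 Jul 00 15:54:47 tcp 212.179.30.13.20184 <| 130.216.196.18.143 1 1 0 0 sR
31 Jul 00 15:58:28 s tcp 212.179.30.13.20600 -> 130.216.20.18.143 5 0 0 0 s
31 Jul 00 15:59:37 s tcp 212.179.30.13.20728 -> 130.216.148.18.110 5 0 0 0 s
31 Jul 00 16:20:01 s tcp 62.0.55.7.1040 -> 130.216.9.18.110 5 0 0 0 s
31 Jul 00 16:25:13 s tcp 62.0.55.7.1052 -> 130.216.41.18.143 5 0 0 0 s
31 Jul 00 16:31:50 s tcp 62.0.55.7.1061 -> 130.216.73.18.110 5 0 0 0 s
31 Jul 00 16:40:44 s tcp 10.9.8.7.4000 -> 130.216.4.1.80 12 10 1400 9000 sSEfF
"""

# The one-character flag between timestamp and protocol is optional, as in the report.
LINE_RE = re.compile(r"^\d{1,2} \w{3} \d{2} \d{2}:\d{2}:\d{2}\s+(?:\S\s+)?"
                     r"(?:tcp|udp)\s+(?P<src>\S+)\s+\S+\s+(?P<dst>\S+)")

def parse_log(text):
    """Return (src_ip, dst_ip, dst_port); the port is the fifth dotted field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src = m["src"].rpartition(".")[0]
            dst, _, dport = m["dst"].rpartition(".")
            events.append((src, dst, int(dport)))
    return events

def detect_sweeps(events, target_prefix="130.216", min_thirds=3):
    """Per (source, last octet), flag sweeps inside target_prefix/16 that touched
    at least min_thirds distinct third octets while the last octet stayed fixed."""
    seen = defaultdict(set)                      # (src, last octet) -> {third octets}
    for src, dst, _ in events:
        o = dst.split(".")
        if ".".join(o[:2]) == target_prefix:
            seen[(src, o[3])].add(int(o[2]))
    return {key: sorted(t) for key, t in seen.items() if len(t) >= min_thirds}

def coordinated_sources(sweeps):
    """Several sources sweeping the same last octet is the distributed pattern
    the report describes; return last octet -> sorted list of such sources."""
    by_last = defaultdict(set)
    for src, last in sweeps:
        by_last[last].add(src)
    return {last: sorted(s) for last, s in by_last.items() if len(s) > 1}
```

Feeding real argus output through `parse_log` and lowering `min_thirds` trades false positives for earlier warning; the 10.9.8.7 line shows an ordinary single connection is not flagged.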