8-4 Six-Core Intel® Xeon® MP X7460 2.66GHz Servers were placed on loan to groups wishing to end the assault on SQL based servers. Each one of the servers will wind up in eight cities, the ninth will wind up in Seattle. All of the software including DDoS flooders will make it virtually impossible for the following addresses to access the internet in a crackdown on the use of damaging exploits and internet harassment like DoS HGOD SynKiller Flooding, DoS MS-SQL Slammer Worm and EXPLOIT Microsoft Color Management Module Buffer Overflow targeting innocent, unskilled and unsuspecting internet users.
The servers themselves will feature their own very expensive firewalls and port mirroring delivering a whopping 15,000 GB bandwidth.
Those targeted are:
DoS HGOD SynKiller Flooding 212.89.8.138
DoS MS-SQL Slammer Worm 219.148.64.202
DoS MS-SQL Slammer Worm 221.233.242.4
DoS HGOD SynKiller Flooding 219.232.46.76
DoS MS-SQL Slammer Worm 125.95.12.242
DoS MS-SQL Slammer Worm 198.87.3.30
DoS HGOD SynKiller Flooding 218.23.53.228
DoS MS-SQL Slammer Worm 222.82.249.235
DoS HGOD SynKiller Flooding 222.216.28.161
DoS MS-SQL Slammer Worm 61.139.54.94
DoS MS-SQL Slammer Worm 211.137.203.6
DoS MS-SQL Slammer Worm 61.153.245.213
DoS HGOD SynKiller Flooding 218.76.66.135
DoS HGOD SynKiller Flooding 221.233.40.25
DoS HGOD SynKiller Flooding 116.252.185.77
DoS HGOD SynKiller Flooding 221.195.40.169
DoS HGOD SynKiller Flooding 218.23.53.228
DoS HGOD SynKiller Flooding 121.134.108.4
DoS HGOD SynKiller Flooding 218.70.166.20
DoS MS-SQL Slammer Worm 211.137.181.105
DoS MS-SQL Slammer Worm 222.183.230.81
DoS HGOD SynKiller Flooding 66.165.232.62
DoS HGOD SynKiller Flooding 218.23.53.228
DoS MS-SQL Slammer Worm 202.109.129.46
DoS HGOD SynKiller Flooding 58.51.84.3
DoS MS-SQL Slammer Worm 218.75.199.50
DoS HGOD SynKiller Flooding 121.14.142.60
DoS MS-SQL Slammer Worm 58.50.133.27
EXPLOIT Microsoft Color Management Module Buffer Overflow 68.142.214.111
EXPLOIT Microsoft Color Management Module Buffer Overflow 68.142.213.135
DoS HGOD SynKiller Flooding 222.187.220.174
DoS MS-SQL Slammer Worm 219.133.37.42
DoS MS-SQL Slammer Worm 211.103.139.193
DoS MS-SQL Slammer Worm 218.75.84.150
DoS HGOD SynKiller Flooding 222.179.126.31
DoS MS-SQL Slammer Worm 61.153.180.10
DoS MS-SQL Slammer Worm 202.99.11.99
DoS MS-SQL Slammer Worm 222.183.226.198
DoS MS-SQL Slammer Worm 211.103.139.192
DoS HGOD SynKiller Flooding 218.213.228.187
DoS MS-SQL Slammer Worm 61.139.54.94
DoS HGOD SynKiller Flooding 218.23.53.228
DoS HGOD SynKiller Flooding 163.23.205.118
DoS HGOD SynKiller Flooding 118.123.5.96
DoS HGOD SynKiller Flooding 118.123.5.109
DoS MS-SQL Slammer Worm 211.103.139.193
DoS HGOD SynKiller Flooding 222.187.220.174
DoS HGOD SynKiller Flooding 163.23.205.118
DoS HGOD SynKiller Flooding 61.153.40.3
DoS HGOD SynKiller Flooding 218.23.53.228
DoS HGOD SynKiller Flooding 218.104.83.242
DoS HGOD SynKiller Flooding 218.25.59.161
DoS MS-SQL Slammer Worm 222.82.249.235
DoS HGOD SynKiller Flooding 222.84.225.161
DoS MS-SQL Slammer Worm 122.29.26.4
DoS HGOD SynKiller Flooding 118.123.5.109
DoS MS-SQL Slammer Worm 211.137.181.105
DoS HGOD SynKiller Flooding 218.23.53.228
There are plans to make more of these servers available in the future. HGOD flooding involves the use of Slammer and worms in a Linux environment. When flooded, it injects the worm into the system. The Linux operating system is unaffected by most viruses.
Yeah… 218.23.53.228 tried to get in my stuff. My computer was compromised recently and I had to remove it… Scary stuff, I have spent the last couple days changing all my passwords and working from another computer. I am becoming more aware of these threats and do not like it.
One other thing… immediately after the attempt was blocked several other IP addresses sent various different requests to the destination computer. I am taking this seriously and have locked down my computer, using Firefox, script control now and only reputable sites on the computer, as if they compromised my accounts I would not be liking it.
SiteTheory had this to say about the IP:
Analysis: Possible MS Baster or various other Worm Attack
06:12:16 Host: 2.b2.374a.static.theplanet.com/74.55.178.2
Port: 1433 TCP Blocked
Analysis: Probable Scan for MS SQL Server – Most likely malicious
_____________________________
SANS institute says about the IP listed above: see detailed sans results below my ZoneAlarm output.
Reports: 91384 (how many people have reported it.)
Targets: 55345
That is how I found this forum, after googling a firewall blocked attempt on my computer. Read all this as the most interesting information did not come from zone alarm…
I searched the net for the IP address and came up with the info below the ZoneAlarm report. Here is the search string. Please note that I have replaced the whois email addresses with “xxx” so that these entities are not spammed, though if you want to see the data just follow the link.
http://www.google.com/search?hl=en&q=218.23.53.228&btnG=Search
ZoneAlarm blocked and provided the following information
11-22-2008 Firewall TCP (Flag:S) Source 218.23.53.228 (TCP Port 6000) to 76.22.58.xxx (TCP Port 2967) was blocked medium
ZoneAlarm Security Suite has blocked access to port 2967 on your computer
ZoneAlarm Security Suite has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe.
What happened?
ZoneAlarm Security Suite blocked traffic to port 2967 on your machine from port 6000 on a remote computer whose IP address is 218.23.53.228. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.
Should I be concerned?
This alert should not be a cause for concern. ZoneAlarm Security Suite has protected your machine according to the firewall settings you have selected.
What should I do?
You do not need to do anything about this alert unless one of your programs is not functioning correctly or is unable to complete a task. In that case, you can temporarily lower your security level to medium to allow traffic to reach your computer. Additional Program configuration options can be found in the help files.
The most common cause of this alert is that ZoneAlarm Security Suite may not be configured properly to allow traffic through the firewall. Please refer to the help files for information on configuring programs to function correctly with ZoneAlarm Security Suite. Possible explanations for the alert include:
* The communication may have been a legitimate attempt by your ISP, a mail server, or another service attempting to authenticate your IP address or host name.
* The ZoneAlarm Security Suite Internet Lock may be engaged
* There may be excessive network congestion or other network problems that prevent information from being transmitted completely and correctly.
Details about 218.23.53.228, the IP address of the computer that caused the alert you received from ZoneAlarm Security Suite, are provided in the Whois report below. The information in the Whois report comes from the Regional Internet Registry (RIR) for the region where 218.23.53.228 is located: ARIN, RIPE, LACNIC or APNIC. The name of the RIR appears in the Whois report.
The Whois report includes the name, address and contact information for the Internet Service Provider (ISP) that administers the block of IP addresses that contains 218.23.53.228. The report probably does not list the administrator of the specific computer at IP address 218.23.53.228.
You should not assume that individuals listed in this report are responsible for the alert you received on your computer.
Whois Information
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.22.0.0 – 218.23.255.255
netname: CHINANET-AH
country: CN
descr: CHINANET Anhui province network
descr: Data Communication Division
descr: China Telecom
admin-c: CH93-AP
tech-c: AT318-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-AH
changed: xxx@apnic.net 20060322
source: APNIC
role: ANHUI TELECOM
address: 305 Changjiang West Road
address: Hefei Anhui China
country: CN
phone: +86 0551 5185089
fax-no: +86 0551 5185500
e-mail: xxx@anhuitelecom.com
trouble: send spam reports to xxx@ah163.com
trouble: and abuse reports to xxx@ah163.com
trouble: Please include detailed information and
trouble: times in GMT+8:00
admin-c: LW604-AP
tech-c: LW604-AP
nic-hdl: AT318-AP
remarks: http://www.ah163.net
notify: wxxx@anhuitelecom.com
mnt-by: MAINT-CHINANET-AH
changed: xxx@anhuitelecom.com 20060323
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: xxx@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: xxx@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
*****One of the Search Results was from SANS to which I have provided the link… and results below….
http://isc.sans.org/ipinfo.html?ip=218.023.053.228
IP Info (218.23.53.228)
IP Address (click for more detail): 218.23.53.228
Hostname: 218.23.53.228
Country: CN
AS: 4134
AS Name: CHINANET-BACKBONE No.31,Jin-rong Street
Reports: 91384
Targets: 55345
First Reported: 2008-08-04
Most Recent Report: 2008-11-24
Comment: - none -
Note: This data is updated periodically. In order to refresh the data, click here. Not all source IPs in our database are “attackers”. There are a few common false positives. For example, hosts that participate in P2P networks, mail servers and DNS servers are some of the most common issues. You can see more details if you click on the number of reports. This may allow you to conclude if a host is a false positive or not.
Whois Info
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 218.22.0.0 – 218.23.255.255
netname: CHINANET-AH
country: CN
descr: CHINANET Anhui province network
descr: Data Communication Division
descr: China Telecom
admin-c: CH93-AP
tech-c: AT318-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-AH
changed: xxx@apnic.net 20060322
source: APNIC
role: ANHUI TELECOM
address: 305 Changjiang West Road
address: Hefei Anhui China
country: CN
phone: +86 0551 5185089
fax-no: +86 0551 5185500
e-mail: xxx@anhuitelecom.com
trouble: send spam reports to xxx@ah163.com
trouble: and abuse reports to xxx@ah163.com
trouble: Please include detailed information and
trouble: times in GMT+8:00
admin-c: LW604-AP
tech-c: LW604-AP
nic-hdl: AT318-AP
remarks: http://www.ah163.net
notify: xxx@anhuitelecom.com
mnt-by: MAINT-CHINANET-AH
changed: xxxx@anhuitelecom.com 20060323
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: xxx@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: xxxy@cndata.com 20070416
mnt-by: MAINT-CHINANET
source: APNIC
http://sitetheory.com/index.php?m=portsentry
Beginning 11/12/2008
13:50:20 Host: 228.53.23.218.broad.static.hf.ah.cndata.com/218.23.53.228
Port: 2967 TCP Blocked
Analysis: Stack-based buffer overflow in Symantec Antivirus
10:24:49 Host: adsl-074-172-016-248.sip.asm.bellsouth.net/74.172.16.248
Port: 135 TCP Blocked
Analysis: Possible MS Baster or various other Worm Attack
06:12:16 Host: 2.b2.374a.static.theplanet.com/74.55.178.2
Port: 1433 TCP Blocked
Analysis: Probable Scan for MS SQL Server – Most likely malicious
By: trackthehack on November 24, 2008 at 4:53 am
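The triage described in the post above (a firewall block alert, then a lookup of the source address to see whether other people report the same host) can be scripted so that repeated probing of one service port stands out from one-off background noise. The following is an added example and is not code from the thread, from ZoneAlarm, portsentry or the SANS ISC: it parses the two blocked-connection formats pasted above and groups hits by source IP. The sample log text is taken from the lines in the post plus one constructed ZoneAlarm line using the documentation address 203.0.113.5; the port-to-service notes in `PORT_NOTES` are assumed background knowledge, not something the thread states.

```python
"""Triage of blocked-connection log lines (added example, not from the thread).

Parses a ZoneAlarm firewall alert line and portsentry block records (three
lines each: timestamp/host, port, analysis), then groups the events by source
IP so that repeated probes of a well-known service port are visible.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Destination ports that appear in the thread, with the service each belongs
# to. This mapping is assumed background knowledge, not taken from the thread.
PORT_NOTES = {
    2967: "Symantec AntiVirus management (Rtvscan) port, a known worm target",
    1433: "Microsoft SQL Server, probed by Slammer-style worms",
    135: "Microsoft RPC endpoint mapper, probed by Blaster-style worms",
}

# First line is the ZoneAlarm alert from the post; the second is constructed
# (RFC 5737 documentation address) so that aggregation has two sources.
ZONEALARM_LOG = """\
11-22-2008 Firewall TCP (Flag:S) Source 218.23.53.228 (TCP Port 6000) to 76.22.58.xxx (TCP Port 2967) was blocked medium
11-22-2008 Firewall TCP (Flag:S) Source 203.0.113.5 (TCP Port 4431) to 76.22.58.xxx (TCP Port 1433) was blocked medium
"""

# portsentry records exactly as pasted in the post.
PORTSENTRY_LOG = """\
Beginning 11/12/2008
13:50:20 Host: 228.53.23.218.broad.static.hf.ah.cndata.com/218.23.53.228
Port: 2967 TCP Blocked
Analysis: Stack-based buffer overflow in Symantec Antivirus
10:24:49 Host: adsl-074-172-016-248.sip.asm.bellsouth.net/74.172.16.248
Port: 135 TCP Blocked
Analysis: Possible MS Baster or various other Worm Attack
06:12:16 Host: 2.b2.374a.static.theplanet.com/74.55.178.2
Port: 1433 TCP Blocked
Analysis: Probable Scan for MS SQL Server – Most likely malicious
"""


@dataclass
class BlockedEvent:
    source: str
    dest_port: int
    proto: str
    source_port: Optional[int] = None
    tcp_flags: str = ""
    analysis: str = ""


ZA_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) Firewall (?P<proto>TCP|UDP)"
    r"(?: \(Flag:(?P<flags>[A-Z]+)\))? Source (?P<src>[\d.x]+) \((?:TCP|UDP) Port (?P<sport>\d+)\)"
    r" to (?P<dst>[\d.x]+) \((?:TCP|UDP) Port (?P<dport>\d+)\) was blocked"
)
PS_HOST_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}) Host: (?P<host>\S+)/(?P<src>\d{1,3}(?:\.\d{1,3}){3})$")
PS_PORT_RE = re.compile(r"^Port: (?P<dport>\d+) (?P<proto>TCP|UDP) Blocked$")
PS_ANALYSIS_RE = re.compile(r"^Analysis: (?P<analysis>.+)$")


def parse_zonealarm(text: str) -> List[BlockedEvent]:
    """One event per ZoneAlarm 'was blocked' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = ZA_RE.match(line.strip())
        if m:
            events.append(BlockedEvent(
                source=m.group("src"), dest_port=int(m.group("dport")),
                proto=m.group("proto"), source_port=int(m.group("sport")),
                tcp_flags=m.group("flags") or ""))
    return events


def parse_portsentry(text: str) -> List[BlockedEvent]:
    """Reassemble the three-line portsentry records; an event is emitted once
    its Analysis line is seen, so truncated records are dropped rather than
    half-filled."""
    events: List[BlockedEvent] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PS_HOST_RE.match(line)):
            current = {"source": m.group("src")}
        elif (m := PS_PORT_RE.match(line)) and current is not None:
            current.update(dest_port=int(m.group("dport")), proto=m.group("proto"))
        elif (m := PS_ANALYSIS_RE.match(line)) and current is not None and "dest_port" in current:
            events.append(BlockedEvent(analysis=m.group("analysis"), **current))
            current = None
    return events


def summarize_by_source(events: List[BlockedEvent]) -> Dict[str, dict]:
    """Group hits by source IP; a source that touched a known service port is
    labelled a targeted probe, anything else is treated as background noise."""
    acc: Dict[str, dict] = {}
    for ev in events:
        entry = acc.setdefault(ev.source, {"hits": 0, "ports": set()})
        entry["hits"] += 1
        entry["ports"].add(ev.dest_port)
    return {
        src: {
            "hits": e["hits"],
            "ports": sorted(e["ports"]),
            "notes": sorted(PORT_NOTES[p] for p in e["ports"] if p in PORT_NOTES),
            "verdict": "targeted service probe" if any(p in PORT_NOTES for p in e["ports"])
                       else "unsolicited background noise",
        }
        for src, e in acc.items()
    }


if __name__ == "__main__":
    for src, info in summarize_by_source(parse_zonealarm(ZONEALARM_LOG) + parse_portsentry(PORTSENTRY_LOG)).items():
        print(f"{src}: {info['hits']} hit(s) on {info['ports']} -> {info['verdict']}")
```

Run as a script it prints one line per source; 218.23.53.228 shows up in both the ZoneAlarm alert and the portsentry record against the same port 2967, which is the kind of repetition that justifies the whois and ISC lookups the poster went on to do, whereas the generic ZoneAlarm help text alone would have filed it under background noise.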