Microsoft trying to hack us :D

[dyn]

Holy fuck those guys are pathetic.

Code: Select all

=-=-=-=-=-=-=-=-=-=-=-= Mon May 30 01:10:51 2011 =-=-=-=-=-=-=-=-=-=-=-=


         Danger level: [5] (out of 5)

    Scanned TCP ports: [4001-6999: 2981 packets]
            TCP flags: [SYN: 2981 packets, Nmap: -sT or -sS]
       iptables chain: INPUT, 2981 packets

               Source: 111.221.109.251
                  DNS: [No reverse dns info available]

          Destination: 209.159.146.108
                  DNS: q3.vogon.vg

   Overall scan start: Mon May 30 01:10:43 2011
   Total email alerts: 0
   Complete TCP range: [4001-6999]
      Syslog hostname: ares

         Global stats: chain:   interface:   TCP:   UDP:   ICMP: 
                       INPUT    eth0         2981   0      0     


[+] TCP scan signatures:

   "BACKDOOR GateCrasher Connection attempt"
       dst port:  6969 (no server bound to local port)
       flags:     SYN
       sid:       147
       chain:     INPUT
       packets:   1
       classtype: misc-activity

   "BACKDOOR BackConstruction 2.1 connection attempt"
       dst port:  5402 (no server bound to local port)
       flags:     SYN
       sid:       152
       chain:     INPUT
       packets:   2
       classtype: misc-activity

   "BACKDOOR NetMetro File List connection attempt"
       dst port:  5032 (no server bound to local port)
       flags:     SYN
       sid:       159
       chain:     INPUT
       packets:   1
       classtype: misc-activity

   "MISC Radmin Default install options attempt"
       dst port:  4899 (no server bound to local port)
       flags:     SYN
       psad_id:   100204
       chain:     INPUT
       packets:   1
       classtype: attempted-admin

   "BACKDOOR Doly 2.0 Connection attempt"
       dst port:  6789 (no server bound to local port)
       flags:     SYN
       sid:       119
       chain:     INPUT
       packets:   1
       classtype: misc-activity

   "BACKDOOR WinCrash 1.0 communication attempt"
       dst port:  5714 (no server bound to local port)
       flags:     SYN
       sid:       163
       chain:     INPUT
       packets:   1
       classtype: misc-activity

   "P2P eDonkey transfer attempt"
       dst port:  4242 (no server bound to local port)
       flags:     SYN
       sid:       2586
       chain:     INPUT
       packets:   1
       classtype: policy-violation

   "MISC VNC communication attempt"
       dst port:  5900 (no server bound to local port)
       flags:     SYN
       psad_id:   100202
       chain:     INPUT
       packets:   1
       classtype: attempted-admin

   "P2P eDonkey communication attempt"
       dst port:  4711 (no server bound to local port)
       flags:     SYN
       sid:       2587
       chain:     INPUT
       packets:   1
       classtype: policy-violation

   "POLICY vncviewer Java applet communication attempt"
       dst port:  5800 (no server bound to local port)
       flags:     SYN
       sid:       1846
       chain:     INPUT
       packets:   3
       classtype: misc-activity

   "MISC PCAnywhere communication attempt"
       dst port:  5632 (no server bound to local port)
       flags:     SYN
       psad_id:   100073 (derived from: 507 512)
       chain:     INPUT
       packets:   2
       classtype: attempted-admin

   "DOS DB2 dos communication attempt"
       dst port:  6789 (no server bound to local port)
       flags:     SYN
       sid:       1641
       chain:     INPUT
       packets:   2
       classtype: denial-of-service

   "DOS iParty DOS attempt"
       dst port:  6004 (no server bound to local port)
       flags:     SYN
       sid:       1605
       chain:     INPUT
       packets:   1
       classtype: misc-attack


[+] Whois Information (source IP):
% [whois.apnic.net node-1]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      111.221.64.0 - 111.221.127.255
netname:      Microsoft
descr:        Microsoft
descr:        Microsoft Corp, Singapore
country:      SG
admin-c:      MP234-AP
tech-c:       SC1001-AP
status:       ALLOCATED PORTABLE
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:      [email protected] 20090714
mnt-by:       APNIC-HM
mnt-lower:    MAINT-AP-MICROSOFT
source:       APNIC

person:       MSFT POC
nic-hdl:      MP234-AP
e-mail:       [email protected]
address:      One Microsft Way
address:      Redmond, WA 98052
address:      US
phone:        +1-425-882-8080
country:      US
changed:      [email protected] 20030603
mnt-by:       MAINT-AP-MICROSOFT
source:       APNIC

person:       Sean Carlin
nic-hdl:      SC1001-AP
e-mail:       [email protected]
address:      One Microsoft Way
address:      Redmond, WA 98052
address:      USA
phone:        +1-425-705-5165
fax-no:       +1-425-936-7329
country:      US
changed:      [email protected] 20030603
mnt-by:       MAINT-AP-MICROSOFT
source:       APNIC



=-=-=-=-=-=-=-=-=-=-=-= Mon May 30 01:10:51 2011 =-=-=-=-=-=-=-=-=-=-=-=


Danger level: [5] (out of 5)
Scanned TCP ports: [4001-6999: 2981 packets]
Source: 111.221.109.251
DNS: [No reverse dns info available]
Destination: 209.159.146.108
DNS: q3.vogon.vg
Overall scan start: Mon May 30 01:10:43 2011

inetnum: 111.221.64.0 - 111.221.127.255
netname: Microsoft
descr: Microsoft
descr: Microsoft Corp, Singapore
country: SG

q3.vogon.vg 1 : Microsoft 0

[SD]

Ha! How did you spot this? Some warning?

[1UnRaTeD1]

ahh see..im sure they never did this before but now i guess there trying to find out whos using pirated software? or can they find out that way

[dyn]

Nah, it's most probably some unattended and never patched machine in Singapore being compromised, bot software installed, and this is the result of random scans. Well, at least i hope it is something like that, it would be really weird if they did this on purpose. About legit software, we are running Linux (currently Debian, but also CentOS, Fedora and CERN Linux) and ioquake3 (targeted IP belongs to q3.vogon.vg server). Nothing we run depends on or uses anything from Microsoft. Any probing or hacking into remote machines to verify if software is legit or not would be highly illegal.

[borgsex]

http://iptools.com/dnstools.php?tool=radb&user_data=111.221.109.251

route: 111.221.64.0/18
descr: PACNET (proxy-registered route object)
origin: AS8069
remarks: This route object is for a PACNET customer route which is
being exported under this origin AS.
+
This route object was created because no existing route
object with the same origin was found, and since some
ANC peers filter based on these objects this route
may be rejected if this object is not created.
+
Please contact [email protected] if you have any
Concerns regarding Spam/Abuses related to this object
+
Please contact [email protected] if you have any other
Questions regarding this object.
notify: [email protected]
mnt-by: MAINT-AS10026
changed: [email protected] 20100204
source: RADB

route: 111.221.96.0/20
descr: Microsoft Asian Data Centers
origin: AS8069
notify: [email protected]
mnt-by: MAINT-MICROSOFT
changed: [email protected] 20091216
source: ALTDB

route: 111.221.96.0/20
descr: Microsoft Asian Data Centers
origin: AS8071
notify: [email protected]
mnt-by: MAINT-MICROSOFT
changed: [email protected] 20091216
source: ALTDB




65.183.100.93 has not accessed this page recently
Privacy.net Browser Analyzer
Compare Hosting Plans:
Web Hosting
VPS Hosting
Dedicated Hosting





Free vulnerability scanning with GFI LANguard. Download your FREE 5-IP version now!
Ping
Lookup
Trace
Whois (IDN Conversion Tool) Express
DNS Records (Advanced Tool)
Network Lookup
Spam Blacklist Check
Convert Base-10 to IP URL Decode
URL Encode
HTTP Headers SSL
Email Verification

111.221.109.251 is from Singapore(SG) in region Southern and Eastern Asia




Whois query for 111.221.109.251...



Results returned from whois.arin.net:

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=111.221.109.251?showDetails=true&showARIN=true
#

NetRange: 111.0.0.0 - 111.255.255.255
CIDR: 111.0.0.0/8
OriginAS:
NetName: APNIC-AP
NetHandle: NET-111-0-0-0-1
Parent:
NetType: Allocated to APNIC
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://wq.apnic.net/apnic-bin/whois.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/apnic-info/whois_search2/abuse-and-spamming
RegDate: 2008-11-12
Updated: 2010-07-30
Ref: http://whois.arin.net/rest/net/NET-111-0-0-0-1

OrgName: Asia Pacific Network Information Centre
OrgId: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
RegDate:
Updated: 2004-03-01
Ref: http://whois.arin.net/rest/org/APNIC

ReferralServer: whois://whois.apnic.net

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/AWC12-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Results returned from whois.apnic.net:% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 111.221.64.0 - 111.221.127.255
netname: Microsoft
descr: Microsoft
descr: Microsoft Corp, Singapore
country: SG
admin-c: MP234-AP
tech-c: SC1001-AP
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20090714
mnt-by: APNIC-HM
mnt-lower: MAINT-AP-MICROSOFT
source: APNIC

person: MSFT POC
nic-hdl: MP234-AP
e-mail: [email protected]
address: One Microsft Way
address: Redmond, WA 98052
address: US
phone: +1-425-882-8080
country: US
changed: [email protected] 20030603
mnt-by: MAINT-AP-MICROSOFT
source: APNIC

person: Sean Carlin
nic-hdl: SC1001-AP
e-mail: [email protected]
address: One Microsoft Way
address: Redmond, WA 98052
address: USA
phone: +1-425-705-5165
fax-no: +1-425-936-7329
country: US
changed: [email protected] 20030603
mnt-by: MAINT-AP-MICROSOFT
source: APNIC











This Site is Operated (since 1998) by Consumer.net © 2011 | Contact This Website | Privacy Policy

[dyn]

Reality is that part of Microsoft's network got hacked, and what our old server logged were just automated bot scans from compromised PCs there. On dedicated servers you get tons of these all the time.

[Tripredacus]

Reality is that part of Microsoft's network got hacked, and what our old server logged were just automated bot scans from compromised PCs there. On dedicated servers you get tons of these all the time.

Reality is that MS would never admit to such a fact... Although I can attest to certain functions being unavailable yesterday and today, which was slightly annoying.

Also, when checking for "source" nowadays, don't forget that TOR can lead you in the wrong directions...

[dyn]

TOR as proxies? Scans were 100% from MS network, and most certainly hackers were from somewhere else, using those compromised PCs to scan further.