For the past few months, I’ve been working on scans from a VPS against the North Korean IP space to watch as different sites come online. I’ve got a decent scan that runs now but still needs some work. Below is what I’ve found but there is still a lot more digging to be done on the sites, but I wanted to at least start getting this information online and work on categorizing it better later:
Default Red Hat server with an Apache test page.
Open ports for each host:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
3306/tcp open mysql
4444/tcp filtered krb524
6000/tcp open X11
The banner reported for them as well shows as Red Hat, as opposed to Red Star Linux, which show up in some of the other hosts scanned: Apache/2.2.15 (Red Hat)
- OS Identifications: Cisco 831 switch or 1760 router (IOS 12.4)
- SSH Banner: SSH-1.99-Cisco-1.25
This is one that I always keep coming back to whenever it appears online. It looks like it is a North Korean security tool of some kind. The only information that I’ve been able to gather is in the following:
# wget –no-check-certificate https://18.104.22.168
–2015-07-05 01:10:06– https://22.214.171.124/
Connecting to 126.96.36.199:443… connected.
WARNING: cannot verify 188.8.131.52’s certificate, issued by “/C=XX/ST=XX/L=XX/O=NeoTech/OU=Secure Team/CN=NetRadar/emailAddressfirstname.lastname@example.org”:
Self-signed certificate encountered.
WARNING: certificate common name “NetRadar” doesn’t match requested host name “184.108.40.206”.
HTTP request sent, awaiting response… 200 OK
Depending on the country you are connecting in from you are Rodong will load from a different IP. Connecting from Romania produced 220.127.116.11 and Canada 18.104.22.168
Other than the fact that any picture of a crowd looks Photoshopped, you can also track Supreme Leaders activity. Site runs on Red Star 3.0: Apache/2.2.15 (RedStar 3.0)
Website of a software development company founded in 2002. Focuses on mobile and web apps, games, and applications.
There’s a lot of different domains for this address. It hosts a news site Naenara but there are several other domains associated with it as well:
Website of Kim Il Sung University. Haven’t had too much of a chance to dig into this site yet, seems pretty straightforward though.
Scan results are below. Still working on tweaking the scan a little bit to get some more information.