Re: Sustained attack, but seemingly random?

From: Alexander Reelsen (arat_private)
Date: Sun Apr 22 2001 - 09:52:24 PDT


    Hi
    
    I don't think those are random attacks. Vulnerable services/daemons often
    listen on such ports.
    
    On Fri, Apr 20, 2001 at 05:07:13PM -0700, Brian Thomas wrote:
    > I'm seeing an interesting attack that's been going on for about a day now
    > from various sites, mostly in Saudi Arabia. I'm a little puzzled because
    > while these sorts of scans are nothing new, it's sustained and hitting
    > some really weird ports. A list of destination ports culled from the past
    > 24 hours yields:
    >
    > 1024
    NFS
    
    > 1080
    Wingate, good for relaying/spoofing
    
    > 110
    pop daemon, qpopper (only old ones)
    
    > 111
    portmapper (no known vulnerability, but is needed for NFS or rpc.statd,
    where there is a common exploit)
    
    > 143
    imap (no recent ones, but older ones)
    
    > 19216
    Not sure, might be some windows trojan
    
    > 21
    ftp, vulnerable old daemons i.e. proftpd, wuftpd
    
    > 23
    telnet
    
    > 2766
    > 33696
    > 33807
    > 33848
    > 38061
    Not sure, might be some windows trojan
    
    > 389
    LDAP. Does anyone know of a vulnerability? Perhaps NT ldapd's...
    
    > 44767
    Not sure, might be some windows trojan
    
    > 515
    lpd, recent exploit
    
    > 52
    Not sure, might be some windows trojan
    
    > 53
    named, "some" exploits :)
    
    > 555
    sounds like some bindshell or so
    
    > 6000
    X
    
    > 79
    fingerd, recently cfingerd
    
    > Some of the stuff in there (Like 44767) are pretty unique to sscan attacks,
    > so my first thought is it's one of those. But whomever this person / these
    > people is/are they're certainly picking some odd things to probe. The 389
    > is an ldap scan, but 52? 38061? 33XXX > 33600? 19216? I have to say, I'm
    > at a loss. Maybe a customized sscan probe?
    A strange customized scan probe, or it might scan specifically for
    bindshells. That would even save you the work of exploiting a service...
    
    Does anyone have a list of which worm creates bindshells on which port?
    
    
    MfG/Regards, Alexander
    
    --
    Alexander Reelsen   http://joker.rhwd.de
    refat_private       GnuPG: pub 1024D/F0D7313C  sub 2048g/6AA2EDDB
    arat_private         7D44 F4E3 1993 FDDF 552E  7C88 EE9C CBD1 F0D7 313C
    Securing Debian:    http://joker.rhwd.de/doc/Securing-Debian-HOWTO
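To turn the per-port notes in the reply above into something a defender can run over a firewall log, here is an added example (not code from Alexander or Brian): it parses constructed sample log lines, groups destination ports per source, flags sources that touch several distinct ports within the sample, and labels the ports the thread identified while listing the rest separately. The log line format, the sample addresses and the `min_ports` threshold are assumptions.

```python
import re
from collections import defaultdict

# Service notes for the destination ports discussed in the thread.
PORT_NOTES = {
    21: "ftp", 23: "telnet", 53: "named", 79: "fingerd", 110: "pop",
    111: "portmapper", 143: "imap", 389: "ldap", 515: "lpd", 555: "bindshell?",
    1024: "nfs", 1080: "wingate/socks", 6000: "X11",
}

# Constructed sample lines in an assumed "TIME SRC -> DST:PORT" format (not real logs).
SAMPLE_LOG = """\
2001-04-20T16:58:01 192.0.2.10 -> 198.51.100.5:44767
2001-04-20T16:58:02 192.0.2.10 -> 198.51.100.5:389
2001-04-20T16:58:03 192.0.2.10 -> 198.51.100.5:515
2001-04-20T16:58:04 192.0.2.10 -> 198.51.100.5:555
2001-04-20T16:58:06 192.0.2.10 -> 198.51.100.5:38061
2001-04-20T17:01:00 192.0.2.77 -> 198.51.100.5:110
2001-04-20T17:01:01 192.0.2.77 -> 198.51.100.5:143
2001-04-20T17:05:00 203.0.113.9 -> 198.51.100.5:23
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> \S+:(\d+)$")

def parse_log(text):
    """Return a list of (src, port) tuples, skipping lines that do not match."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group(2), int(m.group(3))))
    return hits

def summarize_sources(hits, min_ports=3):
    """Group by source; a source touching >= min_ports distinct ports is flagged as a scan."""
    ports_by_src = defaultdict(set)
    for src, port in hits:
        ports_by_src[src].add(port)
    report = {}
    for src, ports in ports_by_src.items():
        known = sorted(p for p in ports if p in PORT_NOTES)
        unknown = sorted(p for p in ports if p not in PORT_NOTES)
        report[src] = {
            "scan": len(ports) >= min_ports,
            "services": [PORT_NOTES[p] for p in known],   # ports the thread could name
            "unidentified_ports": unknown,                # candidate trojan/bindshell listeners
        }
    return report
```

Ports in `unidentified_ports` are exactly the ones the thread could not attribute to a known daemon, which is where the "customized scan or bindshell sweep" question above comes from.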
    



    This archive was generated by hypermail 2b30 : Sun Apr 22 2001 - 13:38:13 PDT