Re: scan for 109, new worm-variant or simple scan?

From: Martin Markgraf (mm@RIEN-AG.DE)
Date: Thu Apr 26 2001 - 02:12:38 PDT


    Scott Nursten wrote:
    
    > I have seen some similar scans recently but unfortunately it is on a net that we don't run IDS on (well, we do "technically" - but we don't let anything in there :))
    >
    > Apr 24 19:07:48 edge1-th 147637: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(21) ->  x.x.x.76(21), 1 packet
    > Apr 24 19:07:58 edge1-th 147640: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(109) -> x.x.x.76(109), 1 packet
    > Apr 24 19:08:13 edge1-th 147642: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(111) -> x.x.x.76(111), 1 packet
    >
    > As you can see, this is from the same host but doing 21,109,111 as opposed to your 53,109,111. Possibly they are looking for the (few if any) remaining POP2 boxes out there.
    
    Here is what I have seen from this particular host:
    
    ---------------------------snip-----------------------------
    Apr 24 02:10:04 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 02:10:04 vpn1 snort[6766]: spp_portscan: PORTSCAN DETECTED from 203.232.4.4
    Apr 24 02:10:06 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 02:10:06 vpn1 tcplog: ftp connection (FIN) attempt from 203.232.4.4
    Apr 24 02:10:14 vpn1 tcplog: pop2 request from 203.232.4.4
    Apr 24 02:10:14 vpn1 tcplog: pop2 connection (SYN) attempt from 203.232.4.4
    Apr 24 02:10:14 vpn1 tcplog: pop2 connection (FIN) attempt from 203.232.4.4
    Apr 24 02:10:15 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
    Apr 24 02:10:29 vpn1 tcplog: sunrpc request from 203.232.4.4
    Apr 24 02:10:29 vpn1 tcplog: sunrpc connection (SYN) attempt from 203.232.4.4
    Apr 24 02:10:29 vpn1 tcplog: sunrpc connection (FIN) attempt from 203.232.4.4
    Apr 24 02:10:29 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
    Apr 24 02:11:12 vpn1 tcplog: domain request from 203.232.4.4
    Apr 24 02:11:12 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
    Apr 24 02:11:12 vpn1 tcplog: domain connection (FIN) attempt from 203.232.4.4
    Apr 24 02:11:13 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
    Apr 24 02:11:12 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
    Apr 24 02:11:12 vpn1 snort[6766]: Source Port traffic: 203.232.4.4:53 -> xxx.xxx.xxx.xxx:53
    Apr 24 02:11:13 vpn1 snort[6766]: Source Port traffic: 203.232.4.4:53 -> xxx.xxx.xxx.xxx:53
    Apr 24 02:11:13 vpn1 snort[6766]: MISC-DNS-version-query: 203.232.4.4:2569 -> xxx.xxx.xxx.xxx:53
    Apr 24 02:11:13 vpn1 tcplog: domain request from 203.232.4.4
    Apr 24 02:13:13 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 2 connections across 1 hosts: TCP(1), UDP(1)
    Apr 24 02:18:12 vpn1 snort[6766]: spp_portscan: End of portscan from 203.232.4.4
    Apr 24 02:31:44 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 02:31:44 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 02:31:44 vpn1 tcplog: ftp connection (FIN) attempt from 203.232.4.4
    Apr 24 02:31:44 vpn1 snort[6766]: spp_portscan: PORTSCAN DETECTED from 203.232.4.4
    Apr 24 02:31:54 vpn1 tcplog: pop2 request from 203.232.4.4
    Apr 24 02:31:54 vpn1 tcplog: pop2 connection (SYN) attempt from 203.232.4.4
    Apr 24 02:31:54 vpn1 tcplog: pop2 connection (FIN) attempt from 203.232.4.4
    Apr 24 02:31:54 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH
    Apr 24 02:32:10 vpn1 tcplog: sunrpc request from 203.232.4.4
    Apr 24 02:32:10 vpn1 tcplog: sunrpc connection (SYN) attempt from 203.232.4.4
    Apr 24 02:32:10 vpn1 tcplog: sunrpc connection (FIN) attempt from 203.232.4.4
    Apr 24 02:32:10 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
    Apr 24 02:32:52 vpn1 tcplog: domain request from 203.232.4.4
    Apr 24 02:32:52 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
    Apr 24 02:32:52 vpn1 tcplog: domain connection (FIN) attempt from 203.232.4.4
    Apr 24 02:32:53 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
    Apr 24 02:32:52 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
    Apr 24 02:32:52 vpn1 snort[6766]: Source Port traffic: 203.232.4.4:53 -> xxx.xxx.xxx.xxx:53
    Apr 24 02:32:53 vpn1 snort[6766]: Source Port traffic: 203.232.4.4:53 -> xxx.xxx.xxx.xxx:53
    Apr 24 02:32:54 vpn1 snort[6766]: MISC-DNS-version-query: 203.232.4.4:1050 -> xxx.xxx.xxx:53
    Apr 24 02:32:53 vpn1 tcplog: domain request from 203.232.4.4
    Apr 24 02:33:13 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 2 connections across 1 hosts: TCP(1), UDP(1)
    Apr 24 02:38:14 vpn1 snort[6766]: spp_portscan: End of portscan from 203.232.4.4
    Apr 24 03:58:26 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 03:58:26 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 03:58:26 vpn1 tcplog: ftp connection (FIN) attempt from 203.232.4.4
    Apr 24 03:58:26 vpn1 snort[6766]: spp_portscan: PORTSCAN DETECTED from 203.232.4.4
    Apr 24 03:58:36 vpn1 tcplog: pop2 request from 203.232.4.4
    Apr 24 03:58:36 vpn1 tcplog: pop2 connection (SYN) attempt from 203.232.4.4
    Apr 24 03:58:36 vpn1 tcplog: pop2 connection (FIN) attempt from 203.232.4.4
    Apr 24 03:58:36 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
    Apr 24 03:59:34 vpn1 tcplog: domain request from 203.232.4.4
    Apr 24 03:59:34 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
    Apr 24 03:59:34 vpn1 tcplog: domain connection (FIN) attempt from 203.232.4.4
    Apr 24 03:59:34 vpn1 snort[6766]: spp_portscan: portscan status from 203.232.4.4: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
    Apr 24 03:59:34 vpn1 snort[6766]: Source Port traffic: 203.232.4.4:53 -> xxx.xxx.xxx.xxx:53
    Apr 24 04:03:13 vpn1 snort[6766]: spp_portscan: End of portscan from 203.232.4.4
    -----------------------------------snap--------------------------
    
    Timestamps are GMT+1.
    After I came into the office this morning I decided to scan him back just to see
    what kind of machine it is. Here is the output nmap generates:
    
    ------------------------snip--------------------
    21/tcp     open        ftp
    80/tcp     open        http
    98/tcp     open        linuxconf
    111/tcp    open        sunrpc
    113/tcp    open        auth
    510/tcp    open        fcp
    515/tcp    open        printer
    991/tcp    open        unknown
    1024/tcp   open        kdm
    1521/tcp   open        ncube-lm
    9000/tcp   open        unknown
    17081/tcp  open        unknown
    54321/tcp  open        unknown
    60712/tcp  open        unknown
    -----------------------snap----------------------
    
    Hmm, interesting, what might be behind these unusually high ports? Let's see:
    
    # netcat 203.232.4.4 54321
    SSH-1.5-1.2.27
     punt!
    # netcat 203.232.4.4 60712
    SSH-1.5-1.2.27
     punt!
    
    I would say this host is definitely hacked.
    
    Oh, and as soon as I started the scan, I was scanned back:
    
    -------------------------snip---------------------
    Apr 24 09:18:19 vpn1 icmplog: destination unreachable from 203.232.4.4
    Apr 24 09:22:31 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:22:31 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:22:36 vpn1 tcplog: domain request from 203.232.4.4
    Apr 24 09:22:36 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
    Apr 24 09:22:38 vpn1 snort[6766]: MISC-DNS-version-query: 203.232.4.4:1954 -> xxx.xxx.xxx.xxx:53
    Apr 24 09:22:57 vpn1 tcplog: pop2 request from 203.232.4.4
    Apr 24 09:22:57 vpn1 tcplog: pop2 connection (SYN) attempt from 203.232.4.4
    Apr 24 09:23:09 vpn1 tcplog: sunrpc request from 203.232.4.4
    Apr 24 09:23:09 vpn1 tcplog: sunrpc connection (SYN) attempt from 203.232.4.4
    Apr 24 09:23:13 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:23:13 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:23:26 vpn1 tcplog: sunrpc request from 203.232.4.4
    Apr 24 09:23:26 vpn1 tcplog: sunrpc connection (SYN) attempt from 203.232.4.4
    Apr 24 09:23:40 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:23:40 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:23:40 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:23:40 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:23:42 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:23:42 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:23:47 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:23:48 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:23:49 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:24:15 vpn1 tcplog: ftp request from 203.232.4.4
    Apr 24 09:24:15 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:24:30 vpn1 tcplog: sunrpc request from 203.232.4.4
    Apr 24 09:24:30 vpn1 tcplog: sunrpc connection (SYN) attempt from 203.232.4.4
    Apr 24 09:30:48 vpn1 tcplog: sunrpc connection (SYN) attempt from 203.232.4.4
    Apr 24 09:30:49 vpn1 tcplog: sunrpc request from 203.232.4.4
    Apr 24 09:33:42 vpn1 tcplog: pop2 request from 203.232.4.4
    Apr 24 09:33:42 vpn1 tcplog: pop2 connection (SYN) attempt from 203.232.4.4
    Apr 24 09:49:46 vpn1 tcplog: domain request from 203.232.4.4
    Apr 24 09:49:46 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
    Apr 24 09:49:48 vpn1 snort[6766]: MISC-DNS-version-query: 203.232.4.4:4659 -> xxx.xxx.xxx.xxx:53
    Apr 24 09:52:22 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
    Apr 24 09:52:23 vpn1 tcplog: ftp request from 203.232.4.4
    ----------------------------snap---------------------------
    
    I haven't seen such behaviour before.
    
    Martin
    
    --
    Martin Markgraf
    Rien Informationssysteme AG                         fon: +49 2841 9083061
    Eurotec-Ring 15                                     fax: +49 2841 9083069
    D-47445 Moers            http://www.rien-ag.de          mm@rien-ag.de
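Added example (not part of the post above): a small Python script that parses tcplog and snort lines in the format Martin quotes, summarises per source which services were probed, how many FIN probes accompanied the SYNs, and whether a DNS version query followed, then flags sources matching the ftp/pop2/sunrpc/domain pattern discussed in this thread. The sample lines are constructed from the post's log format; the masked destination is kept as in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the tcplog/snort output quoted in the post.
SAMPLE_LOG = """\
Apr 24 02:10:04 vpn1 tcplog: ftp request from 203.232.4.4
Apr 24 02:10:06 vpn1 tcplog: ftp connection (SYN) attempt from 203.232.4.4
Apr 24 02:10:06 vpn1 tcplog: ftp connection (FIN) attempt from 203.232.4.4
Apr 24 02:10:14 vpn1 tcplog: pop2 connection (SYN) attempt from 203.232.4.4
Apr 24 02:10:14 vpn1 tcplog: pop2 connection (FIN) attempt from 203.232.4.4
Apr 24 02:10:29 vpn1 tcplog: sunrpc connection (SYN) attempt from 203.232.4.4
Apr 24 02:11:12 vpn1 tcplog: domain connection (SYN) attempt from 203.232.4.4
Apr 24 02:11:13 vpn1 snort[6766]: MISC-DNS-version-query: 203.232.4.4:2569 -> xxx.xxx.xxx.xxx:53
Apr 24 02:30:00 vpn1 tcplog: ssh connection (SYN) attempt from 192.0.2.9
"""

# "<service> connection (SYN|FIN) attempt from <ip>" as written by tcplog in the post.
TCPLOG_RE = re.compile(r"tcplog: (\w+) connection \((SYN|FIN)\) attempt from ([\d.]+)")
# Snort's DNS version query alert; only the source address matters here.
DNSVER_RE = re.compile(r"MISC-DNS-version-query: ([\d.]+):\d+ ->")

# Service sequence the thread reports from this host: ftp(21), pop2(109), sunrpc(111), domain(53).
PROFILE = {"ftp", "pop2", "sunrpc", "domain"}


def summarize(text):
    """Per source IP: services probed, number of FIN probes, and whether a DNS version query was seen."""
    hosts = defaultdict(lambda: {"services": set(), "fin_probes": 0, "dns_version_query": False})
    for line in text.splitlines():
        m = TCPLOG_RE.search(line)
        if m:
            svc, flag, src = m.groups()
            hosts[src]["services"].add(svc)
            if flag == "FIN":  # FIN alongside SYN is what snort tagged STEALTH in the post
                hosts[src]["fin_probes"] += 1
            continue
        m = DNSVER_RE.search(line)
        if m:
            hosts[m.group(1)]["dns_version_query"] = True
    return dict(hosts)


def matches_profile(summary):
    """Sources that probed every service in PROFILE and also sent a DNS version query."""
    return sorted(src for src, h in summary.items()
                  if PROFILE <= h["services"] and h["dns_version_query"])
```

Feeding the full tcplog excerpt from the post to `summarize` gives the same verdict; the unrelated `192.0.2.9` line shows that a single ssh probe does not match.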
    



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 08:03:35 PDT