Re: new worm scan?

From: Johannes B. Ullrich (euclidianat_private)
Date: Thu Apr 26 2001 - 07:55:46 PDT

    There was a '109 peak' on DShield.org too. I guess they are
    going after very old RedHat default installs that still have
    the bad pop-2 server setup by default (is it RH6.0? or even
    5.x?).
    
    A note about the DShield data (and the peak):
    the traffic reported comes from 3 sources only so far
    (207.138.131.154, 203.232.4.4, 210.119.103.190).
    
    The reason that it shows up as such a big peak is that one of
    them hit a class B that submits to DShield (the first IP
    scanned 24556 hosts in that class B). It took about 20 minutes,
    which I guess is not bad, but definitely indicates an
    automated tool.
    
    I don't have anything but 109 scans from that source.
    
    
    ---
    Johannes Ullrich            Join http://www.dshield.org
    jullrichat_private
    GPG Key ID: AE692033  Key: http://johannes.homepc.org/pgp.htm
    ---
    
    On Thu, 26 Apr 2001, Leon Rosenstein wrote:
    
    > Hi everyone, I just wanted to bring up something weird I saw last night.
    >
    > I have a dsl line and a computer running windows at my house.  Besides
    > getting the usual scans for ftp, dns, and RPC I also got scanned for port
    > 109 which I think is pop-2.  Another weird thing (the zonealarm warnings are
    > at the bottom) was that besides getting scanned for all 4 (the packets are
    > two seconds apart so it is probably automated) the initial packets were sent
    > with the SF bit set.  I have not seen that in the past from worms or tools.
    > Also I went to port 80 and the site was not defaced. Another thing: when I
    > get scanned I also scan the system from 1-1024 to see what it is running.  A
    > lot of times I find a web server and sometimes I have been able to find
    > e-mail addys on the site and have mailed them and let them know their system
    > was actively probing the internet and probably was compromised (I know it
    > could be the hacker reading and responding but at least I make an attempt.
    > One disgruntling response was when I told a Korean E-Commerce company that
    > their server had scanned me and that if they were running a default install of a
    > linux system with no patches they were probably compromised and they replied
    > that they wouldn't be surprised if they were and this wouldn't be the first
    > time.  Um, sure you can have my credit card info).  Anyway when I scanned
    > this system it immediately scanned me back and the same 4 ports (21, 53,
    > 109, 11) this time with the syn bit set.  I scanned it again it scanned me
    > back (both times the machine scanned me back the packets all arrived 2
    > seconds of each other so probably some automated defense or something?)
    >
    > Anyway I just wanted to see what the list thought.  The machine is still online
    > running every service under the sun as I write this.
    >
    > Leon
    >
    > 210.119.103.190
    >
    > The firewall has blocked Internet access to your computer (TCP Port 109)
    > from 210.119.103.190 (TCP Port 109) [TCP Flags: SF].
    >  Time: 4/25/2001 23:29:36
    >
    > The firewall has blocked Internet access to your computer (FTP) from
    > 210.119.103.190 (FTP) [TCP Flags: SF].
    >  Time: 4/25/2001 23:29:38
    >
    > The firewall has blocked Internet access to your computer (TCP Port 111)
    > from 210.119.103.190 (TCP Port 111) [TCP Flags: SF].
    >  Time: 4/25/2001 23:29:56
    >
    > The firewall has blocked Internet access to your computer (DNS) from
    > 210.119.103.190 (DNS) [TCP Flags: SF].
    >  Time: 4/25/2001 23:30:02
    >
    > The firewall has blocked Internet access to your computer (FTP) from
    > sky.skytech.co.kr (210.119.103.190) (TCP Port 22673) [TCP Flags: S].
    >  Time: 4/25/2001 23:46:08
    >
    > The firewall has blocked Internet access to your computer (DNS) from
    > sky.skytech.co.kr (210.119.103.190) (TCP Port 22674) [TCP Flags: S].
    >  Time: 4/25/2001 23:46:08
    >
    > The firewall has blocked Internet access to your computer (TCP Port 109)
    > from sky.skytech.co.kr (210.119.103.190) (TCP Port 22677) [TCP Flags: S].
    >  Time: 4/25/2001 23:46:10
    >
    > The firewall has blocked Internet access to your computer (TCP Port 111)
    > from sky.skytech.co.kr (210.119.103.190) (TCP Port 22678) [TCP Flags: S].
    >  Time: 4/25/2001 23:46:10
    >
    
    
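The ZoneAlarm entries Leon quoted, parsed and grouped into per-source bursts, as an added example that is not part of this thread: it flags a source that hits several ports within a minute and records the two oddities the thread raises, SYN and FIN set together and (visible in the first four log lines) a source port equal to the destination port. The function and field names are my own; the sample input is the log text from the quoted post.

```python
import re
from datetime import datetime
# Sample input: the ZoneAlarm entries quoted in Leon's post, copied here so the block runs offline.
SAMPLE_LOG = """\
The firewall has blocked Internet access to your computer (TCP Port 109) from 210.119.103.190 (TCP Port 109) [TCP Flags: SF].
 Time: 4/25/2001 23:29:36
The firewall has blocked Internet access to your computer (FTP) from 210.119.103.190 (FTP) [TCP Flags: SF].
 Time: 4/25/2001 23:29:38
The firewall has blocked Internet access to your computer (TCP Port 111) from 210.119.103.190 (TCP Port 111) [TCP Flags: SF].
 Time: 4/25/2001 23:29:56
The firewall has blocked Internet access to your computer (DNS) from 210.119.103.190 (DNS) [TCP Flags: SF].
 Time: 4/25/2001 23:30:02
The firewall has blocked Internet access to your computer (FTP) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22673) [TCP Flags: S].
 Time: 4/25/2001 23:46:08
The firewall has blocked Internet access to your computer (DNS) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22674) [TCP Flags: S].
 Time: 4/25/2001 23:46:08
The firewall has blocked Internet access to your computer (TCP Port 109) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22677) [TCP Flags: S].
 Time: 4/25/2001 23:46:10
"""
SERVICE_PORTS = {"FTP": 21, "DNS": 53}  # labels ZoneAlarm shows instead of well-known port numbers
RECORD = re.compile(r"to your computer \((?P<dport>[^)]*)\) from (?P<src>.+?) \((?P<sport>[^)]*)\) "
                    r"\[TCP Flags: (?P<flags>[A-Z]+)\]\. Time: (?P<time>\S+ \S+)")

def port(label):
    return SERVICE_PORTS.get(label) or int(label.rsplit(" ", 1)[1])

def parse_zonealarm(text):
    """One dict per blocked packet; line-wrapped entries are re-joined before matching."""
    flat = re.sub(r"\s+", " ", text)
    return [dict(ip=re.search(r"\d+(?:\.\d+){3}", m["src"])[0], flags=m["flags"],
                 dport=port(m["dport"]), sport=port(m["sport"]),
                 time=datetime.strptime(m["time"], "%m/%d/%Y %H:%M:%S"))
            for m in RECORD.finditer(flat)]

def find_scan_bursts(records, max_gap=60, min_ports=3):
    """Split each source's packets into bursts (consecutive gaps <= max_gap seconds) and report
    bursts touching >= min_ports distinct ports, noting SYN+FIN and mirrored source ports."""
    bursts = []  # each burst is a list of packets from one IP, close together in time
    for r in sorted(records, key=lambda r: (r["ip"], r["time"])):
        last = bursts[-1][-1] if bursts else None
        if last and last["ip"] == r["ip"] and (r["time"] - last["time"]).total_seconds() <= max_gap:
            bursts[-1].append(r)
        else:
            bursts.append([r])
    return [dict(ip=b[0]["ip"], start=b[0]["time"], ports=sorted({p["dport"] for p in b}),
                 flags=sorted({p["flags"] for p in b}),
                 syn_fin=any({"S", "F"} <= set(p["flags"]) for p in b),
                 mirrored_ports=all(p["sport"] == p["dport"] for p in b))
            for b in bursts if len({p["dport"] for p in b}) >= min_ports]
```

On the quoted log this yields two findings for 210.119.103.190: the 23:29 burst (SF flags, source port mirroring the destination port on all four packets) and the 23:46 burst (plain SYNs from ephemeral ports).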



    This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 09:08:01 PDT