Backdoor scans ?

From: Jens Hektor (hektorat_private-AACHEN.DE)
Date: Sat Apr 28 2001 - 03:56:40 PDT


    Hi,
    
    I had two scans last night from two different machines with some indication that they were searching for backdoors. One scan included ingreslock & 1008, the other one just 1008. Might be that the Cisco's logging, which is rate-limited, did not catch up all tested ports. But the similarities between the two scans are stunning.
    
    Scan A:
    =====
    Repeated access detected from 210.121.173.1 to A.B.C.133
    Apr 28 05:10:55 ... 100 denied tcp 210.121.173.1(3000) -> A.B.C.133(29369), 2 packets
    Apr 28 05:09:55 ... 100 denied tcp 210.121.173.1(2706) -> A.B.C.133(10008), 3 packets
    Apr 28 05:05:16 ... 100 denied tcp 210.121.173.1(2527) -> A.B.C.133(8282), 3 packets
    Apr 28 05:05:13 ... 100 denied tcp 210.121.173.1(2420) -> A.B.C.133(6635), 3 packets
    Apr 28 05:05:10 ... 100 denied tcp 210.121.173.1(2196) -> A.B.C.133(1524), 3 packets
    Apr 28 05:05:03 ... 100 denied tcp 210.121.173.1(2994) -> A.B.C.133(22252), 1 packet
    Apr 28 05:04:59 ... 100 denied tcp 210.121.173.1(2912) -> A.B.C.133(12754), 1 packet
    Apr 28 05:04:51 ... 100 denied tcp 210.121.173.1(2782) -> A.B.C.133(11753), 1 packet
    Apr 28 05:04:48 ... 100 denied tcp 210.121.173.1(2706) -> A.B.C.133(10008), 1 packet
    Apr 28 05:04:45 ... 100 denied tcp 210.121.173.1(2652) -> A.B.C.133(9705), 1 packet
    Apr 28 05:04:41 ... 100 denied tcp 210.121.173.1(2603) -> A.B.C.133(9112), 1 packet
    Apr 28 05:04:38 ... 100 denied tcp 210.121.173.1(2527) -> A.B.C.133(8282), 1 packet
    Apr 28 05:04:35 ... 100 denied tcp 210.121.173.1(2476) -> A.B.C.133(6723), 1 packet
    Apr 28 05:04:31 ... 100 denied tcp 210.121.173.1(2420) -> A.B.C.133(6635), 1 packet
    Apr 28 05:04:28 ... 100 denied tcp 210.121.173.1(2365) -> A.B.C.133(5300), 1 packet
    Apr 28 05:04:25 ... 100 denied tcp 210.121.173.1(2312) -> A.B.C.133(3879), 1 packet
    Apr 28 05:04:22 ... 100 denied tcp 210.121.173.1(2261) -> A.B.C.133(2400), 1 packet
    Apr 28 05:04:17 ... 100 denied tcp 210.121.173.1(2191) -> A.B.C.133(1008), 1 packet
    
    Scan B:
    =====
    Repeated access detected from 213.76.211.50 to X.Y.Z.6
    Apr 27 23:07:53 ... 100 denied tcp 213.76.211.50(2648) -> X.Y.Z.6(11753), 3 packets
    Apr 27 23:06:52 ... 100 denied tcp 213.76.211.50(2196) -> X.Y.Z.6(2400), 4 packets
    Apr 27 23:03:05 ... 100 denied tcp 213.76.211.50(2577) -> X.Y.Z.6(10008), 2 packets
    Apr 27 23:02:57 ... 100 denied tcp 213.76.211.50(2336) -> X.Y.Z.6(6723), 3 packets
    Apr 27 23:02:33 ... 100 denied tcp 213.76.211.50(2329) -> X.Y.Z.6(6635), 3 packets
    Apr 27 23:02:28 ... 100 denied tcp 213.76.211.50(2245) -> X.Y.Z.6(3879), 3 packets
    Apr 27 23:02:23 ... 100 denied tcp 213.76.211.50(2846) -> X.Y.Z.6(29369), 1 packet
    Apr 27 23:02:20 ... 100 denied tcp 213.76.211.50(2841) -> X.Y.Z.6(22252), 1 packet
    Apr 27 23:02:16 ... 100 denied tcp 213.76.211.50(2777) -> X.Y.Z.6(12754), 1 packet
    Apr 27 23:02:09 ... 100 denied tcp 213.76.211.50(2648) -> X.Y.Z.6(11753), 1 packet
    Apr 27 23:02:05 ... 100 denied tcp 213.76.211.50(2577) -> X.Y.Z.6(10008), 1 packet
    Apr 27 23:02:01 ... 100 denied tcp 213.76.211.50(2523) -> X.Y.Z.6(9705), 1 packet
    Apr 27 23:01:58 ... 100 denied tcp 213.76.211.50(2467) -> X.Y.Z.6(9112), 1 packet
    Apr 27 23:01:54 ... 100 denied tcp 213.76.211.50(2402) -> X.Y.Z.6(8282), 1 packet
    Apr 27 23:01:50 ... 100 denied tcp 213.76.211.50(2336) -> X.Y.Z.6(6723), 1 packet
    Apr 27 23:01:49 ... 100 denied tcp 213.76.211.50(2313) -> X.Y.Z.6(5300), 1 packet
    Apr 27 23:01:45 ... 100 denied tcp 213.76.211.50(2245) -> X.Y.Z.6(3879), 1 packet
    Apr 27 23:01:41 ... 100 denied tcp 213.76.211.50(2196) -> X.Y.Z.6(2400), 1 packet
    Apr 27 23:01:37 ... 100 denied tcp 213.76.211.50(2122) -> X.Y.Z.6(1008), 1 packet
    
    Regards, Jens Hektor
    
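One way to check the similarity the post points out, as an added example that is not part of the original mail: parse the Cisco ACL deny lines in the format quoted above and compare the set of destination ports each source probed. The sample lines are a handful copied from the two scans, with the part of each line the post elided ("...") left in place; the regex only needs the tail.

```python
import re
from collections import defaultdict
from itertools import combinations

# Matches the tail of a Cisco ACL deny line as quoted in the post, e.g.
#   ... 100 denied tcp 210.121.173.1(2191) -> A.B.C.133(1008), 1 packet
DENY_RE = re.compile(
    r"denied (?P<proto>tcp|udp) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\w.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def parse_denies(lines):
    """Yield (src, dst, dport, packets) for every line that parses; skip the rest."""
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["pkts"])

def ports_by_source(lines):
    """Distinct destination ports probed by each source address."""
    ports = defaultdict(set)
    for src, _dst, dport, _pkts in parse_denies(lines):
        ports[src].add(dport)
    return dict(ports)

def scan_similarity(lines):
    """Jaccard similarity of the probed port sets for every pair of sources,
    together with the ports both sources hit."""
    ports = ports_by_source(lines)
    result = {}
    for a, b in combinations(sorted(ports), 2):
        inter = ports[a] & ports[b]
        union = ports[a] | ports[b]
        result[(a, b)] = (len(inter) / len(union), sorted(inter))
    return result

# Constructed sample: three lines from each scan in the post.
SAMPLE_LOG = """\
Apr 28 05:04:17 ... 100 denied tcp 210.121.173.1(2191) -> A.B.C.133(1008), 1 packet
Apr 28 05:04:22 ... 100 denied tcp 210.121.173.1(2261) -> A.B.C.133(2400), 1 packet
Apr 28 05:05:10 ... 100 denied tcp 210.121.173.1(2196) -> A.B.C.133(1524), 3 packets
Apr 27 23:01:37 ... 100 denied tcp 213.76.211.50(2122) -> X.Y.Z.6(1008), 1 packet
Apr 27 23:01:41 ... 100 denied tcp 213.76.211.50(2196) -> X.Y.Z.6(2400), 1 packet
Apr 27 23:01:49 ... 100 denied tcp 213.76.211.50(2313) -> X.Y.Z.6(5300), 1 packet
""".splitlines()

if __name__ == "__main__":
    for (a, b), (score, common) in scan_similarity(SAMPLE_LOG).items():
        print(f"{a} vs {b}: jaccard={score:.2f} common ports={common}")
```

Feeding it the full log of both scans gives the overlap the post describes: every port in Scan B also appears in Scan A, and only 1524 (ingreslock) is unique to Scan A.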
    This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 11:08:46 PDT