Backdoor scans ?

From: Jens Hektor (hektorat_private-AACHEN.DE)
Date: Sat Apr 28 2001 - 03:56:40 PDT

  • Next message: Kyle Hofmann: "High load average and much suspicion" 

    Hi,

I had two scans last night from two different
machines with some indication that
they were searching for backdoors. One scan
included ingreslock & 1008
the other one just 1008. Might be that the cisco's
logging, which is rate-limited,
did not catchup all tested ports. But the
similarities between the two scans is stunning.

ScanA:
=====
Repeated access detected from 210.121.173.1 to
A.B.C.133
Apr 28 05:10:55 ... 100 denied tcp
210.121.173.1(3000) -> A.B.C.133(29369), 2 packets
Apr 28 05:09:55 ... 100 denied tcp
210.121.173.1(2706) -> A.B.C.133(10008), 3 packets
Apr 28 05:05:16 ... 100 denied tcp
210.121.173.1(2527) -> A.B.C.133(8282), 3 packets
Apr 28 05:05:13 ... 100 denied tcp
210.121.173.1(2420) -> A.B.C.133(6635), 3 packets
Apr 28 05:05:10 ... 100 denied tcp
210.121.173.1(2196) -> A.B.C.133(1524), 3 packets
Apr 28 05:05:03 ... 100 denied tcp
210.121.173.1(2994) -> A.B.C.133(22252), 1 packet
Apr 28 05:04:59 ... 100 denied tcp
210.121.173.1(2912) -> A.B.C.133(12754), 1 packet
Apr 28 05:04:51 ... 100 denied tcp
210.121.173.1(2782) -> A.B.C.133(11753), 1 packet
Apr 28 05:04:48 ... 100 denied tcp
210.121.173.1(2706) -> A.B.C.133(10008), 1 packet
Apr 28 05:04:45 ... 100 denied tcp
210.121.173.1(2652) -> A.B.C.133(9705), 1 packet
Apr 28 05:04:41 ... 100 denied tcp
210.121.173.1(2603) -> A.B.C.133(9112), 1 packet
Apr 28 05:04:38 ... 100 denied tcp
210.121.173.1(2527) -> A.B.C.133(8282), 1 packet
Apr 28 05:04:35 ... 100 denied tcp
210.121.173.1(2476) -> A.B.C.133(6723), 1 packet
Apr 28 05:04:31 ... 100 denied tcp
210.121.173.1(2420) -> A.B.C.133(6635), 1 packet
Apr 28 05:04:28 ... 100 denied tcp
210.121.173.1(2365) -> A.B.C.133(5300), 1 packet
Apr 28 05:04:25 ... 100 denied tcp
210.121.173.1(2312) -> A.B.C.133(3879), 1 packet
Apr 28 05:04:22 ... 100 denied tcp
210.121.173.1(2261) -> A.B.C.133(2400), 1 packet
Apr 28 05:04:17 ... 100 denied tcp
210.121.173.1(2191) -> A.B.C.133(1008), 1 packet

ScanB:
=====
Repeated access detected from 213.76.211.50 to
X.Y.Z.6
Apr 27 23:07:53 ... 100 denied tcp
213.76.211.50(2648) -> X.Y.Z.6(11753), 3 packets
Apr 27 23:06:52 ... 100 denied tcp
213.76.211.50(2196) -> X.Y.Z.6(2400), 4 packets
Apr 27 23:03:05 ... 100 denied tcp
213.76.211.50(2577) -> X.Y.Z.6(10008), 2 packets
Apr 27 23:02:57 ... 100 denied tcp
213.76.211.50(2336) -> X.Y.Z.6(6723), 3 packets
Apr 27 23:02:33 ... 100 denied tcp
213.76.211.50(2329) -> X.Y.Z.6(6635), 3 packets
Apr 27 23:02:28 ... 100 denied tcp
213.76.211.50(2245) -> X.Y.Z.6(3879), 3 packets
Apr 27 23:02:23 ... 100 denied tcp
213.76.211.50(2846) -> X.Y.Z.6(29369), 1 packet
Apr 27 23:02:20 ... 100 denied tcp
213.76.211.50(2841) -> X.Y.Z.6(22252), 1 packet
Apr 27 23:02:16 ... 100 denied tcp
213.76.211.50(2777) -> X.Y.Z.6(12754), 1 packet
Apr 27 23:02:09 ... 100 denied tcp
213.76.211.50(2648) -> X.Y.Z.6(11753), 1 packet
Apr 27 23:02:05 ... 100 denied tcp
213.76.211.50(2577) -> X.Y.Z.6(10008), 1 packet
Apr 27 23:02:01 ... 100 denied tcp
213.76.211.50(2523) -> X.Y.Z.6(9705), 1 packet
Apr 27 23:01:58 ... 100 denied tcp
213.76.211.50(2467) -> X.Y.Z.6(9112), 1 packet
Apr 27 23:01:54 ... 100 denied tcp
213.76.211.50(2402) -> X.Y.Z.6(8282), 1 packet
Apr 27 23:01:50 ... 100 denied tcp
213.76.211.50(2336) -> X.Y.Z.6(6723), 1 packet
Apr 27 23:01:49 ... 100 denied tcp
213.76.211.50(2313) -> X.Y.Z.6(5300), 1 packet
Apr 27 23:01:45 ... 100 denied tcp
213.76.211.50(2245) -> X.Y.Z.6(3879), 1 packet
Apr 27 23:01:41 ... 100 denied tcp
213.76.211.50(2196) -> X.Y.Z.6(2400), 1 packet
Apr 27 23:01:37 ... 100 denied tcp
213.76.211.50(2122) -> X.Y.Z.6(1008), 1 packet

Regards, Jens Hektor

    This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 11:08:46 PDT