Re: slow scans to random IPs on port 53 (and other ports)

From: Crist Clark (crist.clarkat_private)
Date: Mon Apr 30 2001 - 12:57:41 PDT


    Russell Fulton wrote:
    >
    > Over the last week I have detected an increasing number of machines
    > probing random addresses in our address space on udp port 53.
    >
    > Here are some counts from this month's logs:
    >
    > 12th       1
    > 15th       8
    > 20th      19
    > 25th      42
    > 29th      85
    
    I have seen similar trends. Here are daily numbers for named.version probes
    starting the week of April 8th (numbers on the right correspond to your
    dates),
    
      20010408    0
      20010409    0
      20010410    0
      20010411    0
      20010412    0     0
      20010413    3
      20010414    2
      20010415    3     8
      20010416    2
      20010417    2
      20010418    6
      20010419    6
      20010420   11     27
      20010421   10
      20010422   11
      20010423   12
      20010424   22
      20010425   20     75
      20010426   32
      20010427   32
      20010428   34
      20010429   31    129
    
    These results are for four contiguous class C address blocks and some
    pieces of two other class C's. The destinations seem to be random.
    Frequently the destinations are to a class C block not deployed on the
    Internet. Before these apparently random scans started recently, I had
    only seen version.bind queries aimed at listed nameservers or ones that
    did methodical walks across whole netblocks.
    
    So, if we assume that the rate machines are infected is proportional
    to the number of machines already infected, we get exponential growth.
    Fitting our two sets of five-day totals to an exponential curve gives
    roughly,
    
      scans per five days = (0.0075/per IP) exp [ 0.17 ( days since Apr 10 ) ]
    
    The proportionality constant is likely proportional to the number of
    addresses you are watching and only used my data. That is a rough best guess.
    I was about to calculate how long it is until every host on the Internet is
    infected or when an entire T3 of bandwidth for a class B would be consumed,
    but seeing as it is now well past April 1, people might take me seriously.
    
    Here are all of the source IPs in the order received, should anyone wish
    to correlate. As an added bonus, a quick list of the IPs that show up as
    repeats follows. I have not had the opportunity to investigate the source
    IPs very closely. (I have taken precautions to watch for outgoing queries,
    i.e. internal infections.)
    
    All times local, PDT (-0700).
    
    --
    Crist J. Clark                                Network Security Engineer
    crist.clarkat_private                    Globalstar, L.P.
    (408) 933-4387                                FAX: (408) 933-4926
    
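Refitting the growth curve to the counts in the thread, as an added example that is not part of Crist's or Russell's posts: it does a least-squares fit of log(count) against day for both datasets quoted above and reports the per-day rate, doubling time and a projection, so the two sites can be compared with the rough 0.17/day figure. The day axis (days since 10 April) and the choice to skip zero-count days are my assumptions.

```python
import math

# Daily version.bind probe counts from Crist Clark's table, keyed by days since
# 10 April 2001 (13 April = day 3). The zero days (8-12 April) are left out
# because log(0) is undefined; the fit skips zeros anyway.
CLARK_DAILY = {3: 3, 4: 2, 5: 3, 6: 2, 7: 2, 8: 6, 9: 6, 10: 11, 11: 10,
               12: 11, 13: 12, 14: 22, 15: 20, 16: 32, 17: 32, 18: 34, 19: 31}

# Russell Fulton's five-day totals from the quoted message (12th, 15th, 20th,
# 25th, 29th) placed on the same "days since 10 April" axis (assumption).
FULTON_FIVE_DAY = {2: 1, 5: 8, 10: 19, 15: 42, 19: 85}


def fit_exponential(counts):
    """Least-squares fit of count = A * exp(rate * day), done on log(count).

    Returns the growth rate per day, the doubling time in days and the
    prefactor A. Zero counts are skipped because their log is undefined.
    """
    points = [(d, math.log(c)) for d, c in counts.items() if c > 0]
    n = len(points)
    if n < 2:
        raise ValueError("need at least two non-zero observations")
    mean_x = sum(d for d, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((d - mean_x) ** 2 for d, _ in points)
    sxy = sum((d - mean_x) * (y - mean_y) for d, y in points)
    rate = sxy / sxx
    intercept = mean_y - rate * mean_x
    return {"rate": rate,
            "doubling_days": math.log(2) / rate,
            "prefactor": math.exp(intercept)}


def project(fit, day):
    """Expected count on `day` under the fitted curve."""
    return fit["prefactor"] * math.exp(fit["rate"] * day)


if __name__ == "__main__":
    for name, data in (("Clark daily", CLARK_DAILY),
                       ("Fulton five-day", FULTON_FIVE_DAY)):
        f = fit_exponential(data)
        print(f"{name}: rate {f['rate']:.3f}/day, "
              f"doubling every {f['doubling_days']:.1f} days")
```

Because each site watches a different number of addresses, only the rate (or doubling time) is comparable between the two fits, not the prefactor.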
    



    This archive was generated by hypermail 2b30 : Mon Apr 30 2001 - 13:01:22 PDT