Re: Port 10008

From: Crist Clark (crist.clarkat_private)
Date: Tue May 15 2001 - 10:53:09 PDT


    Mike Scott wrote:
    > 
    > I saw the same thing over the weekend to what looks like the entire Class B.
    > Here's a snip from a snort portscan log, I don't have the rest in front of me:
    > 
    > May 13 09:18:56 202.43.105.18:4760 -> xxx.140.18.139:10008 SYN ******S*
    > May 13 09:18:56 202.43.105.18:4761 -> xxx.140.18.140:10008 SYN ******S*
    > May 13 09:18:57 202.43.105.18:4762 -> xxx.140.18.141:10008 SYN ******S*
    > May 13 09:18:57 202.43.105.18:4763 -> xxx.140.18.142:10008 SYN ******S*
    
    These are the hosts that scanned us for 10008 _yesterday_ (midnight to
    midnight localtime). The kiddies/worms are already well over their quota
    on this port for the whole week.
    
    The first value is the number of packets (note, packets, not necessarily
    individual connection attempts) we were hit with. Four class C's and some
    change are routed past the device that logged these:
    
       338 195.166.230.3
      2102 217.80.46.242
        12 211.100.13.100
        10 211.114.177.139
        11 207.200.89.227
      2032 217.75.0.71
        10 203.164.147.132
         4 64.12.184.25
         7 207.200.89.193
         4 155.210.88.146
         5 209.249.232.66
      2128 213.73.6.98
      2107 211.20.160.238
      1653 211.175.142.204
         4 65.196.90.10
    
    Someone earlier in the thread asked if there was a signature to these.
    I obviously have not examined each and every one of these packets, but
    I looked at the ones that sent over 1000 packets my way and there were
    no obvious signs of crafting or other strange signatures (incrementing
    IP ID, changing ISN, changing TCP timestamp, SYN with no extra flags,
    stepping source port, etc.). They all look like Linux boxen tho'. Prolly
    2.1.x?
    -- 
    Crist J. Clark                                Network Security Engineer
    crist.clarkat_private                    Globalstar, L.P.
    (408) 933-4387                                FAX: (408) 933-4926
    
    The information contained in this e-mail message is confidential,
    intended only for the use of the individual or entity named above.  If
    the reader of this e-mail is not the intended recipient, or the employee
    or agent responsible to deliver it to the intended recipient, you are
    hereby notified that any review, dissemination, distribution or copying
    of this communication is strictly prohibited.  If you have received this
    e-mail in error, please contact postmasterat_private
    
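The two things the thread is doing by hand, reading the snort portscan log lines quoted above and producing a per-source packet count like the table in this message, can be done with a few lines of Python. The following is an added example, not code from the original post or from snort. It parses the `Mon DD HH:MM:SS src:sport -> dst:dport PROTO FLAGS` line format shown in the quoted log, counts SYNs to a chosen port per source address, counts how many distinct hosts each source touched, and flags the pattern visible in the quoted snippet (one source walking consecutive destination addresses with a consecutive ephemeral source port per host). The sample lines are constructed: the four lines quoted in the thread with the masked `xxx` octet replaced by `10` so the addresses parse, plus three invented lines from 192.0.2.7 that repeatedly hit a single host. The `sweep` heuristic is my own and says nothing about whether the packets were crafted.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log in snort portscan-log format. The first four lines are
# the ones quoted in the thread (masked "xxx" octet replaced by 10); the last
# three are invented here to show a source that is not sweeping.
SAMPLE_LOG = """\
May 13 09:18:56 202.43.105.18:4760 -> 10.140.18.139:10008 SYN ******S*
May 13 09:18:56 202.43.105.18:4761 -> 10.140.18.140:10008 SYN ******S*
May 13 09:18:57 202.43.105.18:4762 -> 10.140.18.141:10008 SYN ******S*
May 13 09:18:57 202.43.105.18:4763 -> 10.140.18.142:10008 SYN ******S*
May 13 09:19:01 192.0.2.7:3301 -> 10.140.18.5:10008 SYN ******S*
May 13 09:19:02 192.0.2.7:3301 -> 10.140.18.5:10008 SYN ******S*
May 13 09:19:03 192.0.2.7:3302 -> 10.140.18.5:10008 SYN ******S*
"""

# One portscan-log line: timestamp, src:sport, "->", dst:dport, proto, flag string.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\S+) (?P<flags>\S+)$"
)


def parse_line(line):
    """Return a dict for one portscan-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines, port):
    """Per-source stats for packets aimed at `port`.

    packets: number of log lines from that source (packets, not connections)
    hosts:   number of distinct destination addresses hit
    sweep:   True when at least three packets walk consecutive destination
             addresses with a consecutive ephemeral source port each time,
             i.e. one connect() per host in address order (my heuristic).
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["dport"] == port:
            by_src[rec["src"]].append(rec)

    stats = {}
    for src, recs in by_src.items():
        dsts = [int(ip_address(r["dst"])) for r in recs]
        sports = [r["sport"] for r in recs]
        step_dst = all(b - a == 1 for a, b in zip(dsts, dsts[1:]))
        step_sport = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        stats[src] = {
            "packets": len(recs),
            "hosts": len(set(dsts)),
            "sweep": len(recs) >= 3 and step_dst and step_sport,
        }
    return stats


def report(stats):
    """Render the same 'count  source' layout as the table in the message,
    with a trailing marker on sources that look like an address sweep."""
    rows = []
    for src, s in sorted(stats.items(), key=lambda kv: -kv[1]["packets"]):
        marker = "  (sweep, %d hosts)" % s["hosts"] if s["sweep"] else ""
        rows.append("%7d %s%s" % (s["packets"], src, marker))
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines(), 10008)))
```

Feed it `grep ':10008 ' portscan.log` (or the whole file) and the port of interest; the packet-versus-connection caveat in the message applies here too, since every line is one packet and retransmitted SYNs from the same source port are counted separately.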



    This archive was generated by hypermail 2b30 : Tue May 15 2001 - 17:31:53 PDT