Greetings,

I have a perl script which will take an hour's argus logs and counts the number of IP addresses that are probing our /16 on port 80. It outputs the list in order of number of probes. If all these addresses were infected by CR II (or older variants) then we would surely expect the other members of our /8 to be at the top of the list. They are not; there are a bunch of machines (mainly in Asian blocks that we are all familiar with) that are probing at much higher rates than those in 130.0.0.0/8.

I then grepped my snort logs for .ida attempts from the top few addresses -- no joy. Close examination of the argus logs reveals that these are straight port scans. If an address responds with an ACK then the scanning host sends an ACK and then a RST -- no exploit. Addresses probed appear to be random with packet rates between approx. 200 to 1000 per hour.

Here is the top of my list...

211.92.95.6     09 Aug 01 03:02:56 -- 09 Aug 01 03:47:15 # count 327
211.167.93.115  09 Aug 01 02:59:22 -- 09 Aug 01 03:46:02 # count 200
61.75.72.2      09 Aug 01 02:59:47 -- 09 Aug 01 03:47:00 # count 170
61.75.72.1      09 Aug 01 02:59:38 -- 09 Aug 01 03:47:04 # count 167
130.158.96.233  09 Aug 01 02:59:41 -- 09 Aug 01 03:47:16 # count 143
130.36.20.2     09 Aug 01 02:59:18 -- 09 Aug 01 03:46:37 # count 134
130.160.86.108  09 Aug 01 02:59:51 -- 09 Aug 01 03:47:19 # count 130
130.160.49.99   09 Aug 01 02:59:03 -- 09 Aug 01 03:45:43 # count 127

I have blocked the worst offenders at the gateway before this; some were probing at nearly 1000 addresses an hour.

BTW I notice that the total number of machines probing us is dropping slowly, now down below 13,000 -- it peaked at nearly 50,000.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:33:36 PDT
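The counting described in the post (per-source probe counts against a /16 on port 80, ordered by count, with first/last seen), plus the scan-versus-payload distinction the author checked by hand, as an added example in Python rather than the author's Perl script. The flow lines, the field layout and the monitored prefix 130.216.0.0/16 are constructed assumptions for the example, not real argus output or data from the post.

```python
import ipaddress
from datetime import datetime

# Constructed sample, loosely modelled on argus flow output (not real log data):
# date time src_ip dst_ip dst_port tcp_state app_bytes
SAMPLE_FLOWS = """\
2001-08-09 03:02:56 211.92.95.6 130.216.1.10 80 RST 0
2001-08-09 03:10:12 211.92.95.6 130.216.77.3 80 RST 0
2001-08-09 03:47:15 211.92.95.6 130.216.200.9 80 REQ 0
2001-08-09 02:59:22 211.167.93.115 130.216.5.5 80 RST 0
2001-08-09 03:46:02 211.167.93.115 130.216.9.1 80 RST 0
2001-08-09 03:05:40 130.158.96.233 130.216.44.8 80 CON 1024
2001-08-09 03:20:00 10.9.8.7 130.216.3.3 25 CON 300
2001-08-09 03:21:00 10.9.8.7 192.0.2.1 80 CON 0
"""

MONITORED = ipaddress.ip_network("130.216.0.0/16")  # assumed monitored /16

def parse_flow(line):
    date, time, src, dst, dport, state, app_bytes = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "state": state,
        "app_bytes": int(app_bytes),
    }

def summarize_probes(text, monitored=MONITORED, port=80):
    """Count flows per source to `port` inside `monitored`, sorted by count."""
    per_src = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["dport"] != port or f["dst"] not in monitored:
            continue  # other services and destinations outside our /16 are ignored
        e = per_src.setdefault(str(f["src"]), {"count": 0, "first": f["ts"],
                                               "last": f["ts"], "payload_flows": 0})
        e["count"] += 1
        e["first"] = min(e["first"], f["ts"])
        e["last"] = max(e["last"], f["ts"])
        if f["app_bytes"] > 0:  # a handshake followed by RST carries no data
            e["payload_flows"] += 1
    rows = [{"src": s, **e} for s, e in per_src.items()]
    rows.sort(key=lambda r: (-r["count"], r["src"]))
    return rows

def classify(row):
    """Sources that never send application data look like plain port scans."""
    return "port scan" if row["payload_flows"] == 0 else "data sent (check IDS)"
```

Sources whose flows carry payload are the ones worth cross-checking against snort's .ida alerts; the rest match the ACK/RST pattern the post describes.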