port 80 scans under cover of code red

From: Russell Fulton (r.fultonat_private)
Date: Wed Aug 08 2001 - 21:25:01 PDT


    Greetings,
    	  I have a perl script which takes an hour's argus logs and 
    counts the number of IP addresses that are probing our /16 on port 80.  
    It outputs the list in order of number of probes.
    
    If all these addresses were infected by CR II (or older variants) then 
    we would surely expect the other members of our /8 to be at the top of 
    the list.  They are not; there are a bunch of machines (mainly in Asian 
    blocks that we are all familiar with) that are probing at much higher 
    rates than those in 130.0.0.0/8.
    
    I then grepped my snort logs for .ida attempts from the top few 
    addresses -- no joy.  Close examination of the argus logs reveals that 
    these are straight port scans.  If an address responds with an ACK then 
    the scanning host sends an ACK and then a RST -- no exploit.
    
    Addresses probed appear to be random, with packet rates between approx. 
    200 and 1000 per hour.
    
    Here is the top of my list...
    
        211.92.95.6 09 Aug 01 03:02:56 -- 09 Aug 01 03:47:15 # count 327
     211.167.93.115 09 Aug 01 02:59:22 -- 09 Aug 01 03:46:02 # count 200
         61.75.72.2 09 Aug 01 02:59:47 -- 09 Aug 01 03:47:00 # count 170
         61.75.72.1 09 Aug 01 02:59:38 -- 09 Aug 01 03:47:04 # count 167
     130.158.96.233 09 Aug 01 02:59:41 -- 09 Aug 01 03:47:16 # count 143
        130.36.20.2 09 Aug 01 02:59:18 -- 09 Aug 01 03:46:37 # count 134
     130.160.86.108 09 Aug 01 02:59:51 -- 09 Aug 01 03:47:19 # count 130
      130.160.49.99 09 Aug 01 02:59:03 -- 09 Aug 01 03:45:43 # count 127
    
    
    I have blocked the worst offenders at the gateway before this; some 
    were probing at nearly 1000 addresses an hour.
    
    BTW I notice that the total number of machines probing us is dropping 
    slowly, now down below 13,000 -- it peaked at nearly 50,000.
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
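The perl script Russell mentions is not included in the post. As an added example (not his script and not part of the original message), the Python below does the same job over constructed argus-style flow records and also applies the distinction he draws from the argus logs: a source whose connections to port 80 complete the handshake but never carry application data is a plain port scanner, while a source that sends a request body (such as the roughly 4 KB .ida GET that Code Red sends) is a candidate exploit attempt worth checking against the snort logs. The record layout, the monitored prefix 130.216.0.0/16 and the sample lines are all assumptions made for this example; real argus output (for instance from `ra`) has a different field order and would need its own parser.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records for this example (not real log lines from the post).
# Fields: date time proto src_addr src_port dst_addr dst_port src_appbytes state
# src_appbytes is the application-layer byte count sent by the source, as argus
# would report it; 0 means the connection was opened and torn down with no request.
SAMPLE_LOG = """\
2001-08-09 03:02:56 tcp 211.92.95.6 4012 130.216.1.7 80 0 RST
2001-08-09 03:02:57 tcp 211.92.95.6 4013 130.216.200.9 80 0 RST
2001-08-09 03:10:20 tcp 211.92.95.6 4099 130.216.33.1 80 0 RST
2001-08-09 03:47:15 tcp 211.92.95.6 4500 130.216.77.2 80 0 RST
2001-08-09 03:00:01 tcp 130.36.20.2 1033 130.216.5.5 80 0 FIN
2001-08-09 03:00:02 tcp 130.36.20.2 1034 130.216.5.6 80 4112 FIN
2001-08-09 03:00:03 tcp 130.36.20.2 1035 130.216.9.1 80 4112 FIN
2001-08-09 03:05:00 tcp 192.0.2.10 2222 130.216.1.1 22 0 RST
2001-08-09 03:05:01 tcp 192.0.2.10 2223 10.1.1.1 80 0 RST
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_records(log_text):
    """Yield one dict per non-empty line of the constructed record format."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 9:
            continue  # malformed line: skip rather than abort the whole hour
        yield {
            "time": datetime.strptime(f[0] + " " + f[1], TIME_FMT),
            "proto": f[2],
            "src": f[3],
            "dst": f[5],
            "dport": int(f[6]),
            "appbytes": int(f[7]),
            "state": f[8],
        }


def summarize(log_text, our_net="130.216.0.0/16", port=80):
    """Per source: probe count into our prefix on `port`, first/last seen,
    probes per hour, and how many flows carried request data.
    Returned list is sorted by probe count, highest first."""
    net = ip_network(our_net)  # assumed prefix; replace with the real /16
    per_src = defaultdict(lambda: {"count": 0, "data_flows": 0,
                                   "first": None, "last": None})
    for r in parse_records(log_text):
        if r["proto"] != "tcp" or r["dport"] != port:
            continue
        if ip_address(r["dst"]) not in net:
            continue
        s = per_src[r["src"]]
        s["count"] += 1
        if r["appbytes"] > 0:
            s["data_flows"] += 1
        if s["first"] is None or r["time"] < s["first"]:
            s["first"] = r["time"]
        if s["last"] is None or r["time"] > s["last"]:
            s["last"] = r["time"]

    rows = []
    for src, s in per_src.items():
        elapsed = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rows.append({
            "src": src,
            "first": s["first"].strftime(TIME_FMT),
            "last": s["last"].strftime(TIME_FMT),
            "count": s["count"],
            "data_flows": s["data_flows"],
            "per_hour": s["count"] * 3600.0 / elapsed,
        })
    rows.sort(key=lambda r: (-r["count"], r["src"]))
    return rows


def classify(row):
    """Handshake-then-RST with no request bytes is a port scan, not an exploit."""
    return "sent-request" if row["data_flows"] > 0 else "scan-only"


def report_lines(rows):
    """Render in the same shape as the list in the post, plus the verdict."""
    return ["%19s %s -- %s # count %d (%s)" % (
        r["src"], r["first"], r["last"], r["count"], classify(r)) for r in rows]


if __name__ == "__main__":
    for line in report_lines(summarize(SAMPLE_LOG)):
        print(line)
```

Sources in the "scan-only" class are the ones Russell describes: they appear in the port-80 counts but produce no .ida hits in snort, so blocking them at the gateway is a scanning-rate decision rather than a worm-cleanup one. Connections to other ports or to addresses outside the monitored prefix are ignored, which keeps the per-hour rate comparable with the 200 to 1000 probes per hour quoted in the post.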
    



    This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 15:33:36 PDT