Re: port 22 scans + 53 scans

From: Steven S (stevenslat_private)
Date: Sat Oct 06 2001 - 12:53:28 PDT


    I got 1 probe from 131.152.102.64 @ 13:57 EDT today to port 22
    
    then a flood (81 @ present) of port 53 connection attempts within about a
    2-minute time span, nothing before, nothing after (so far)
    
    Notice that I got two port 53 attempts in a 12+ hour period, then blam!
    
    Spoofed sources?
    I was forwarding these packets from my gateway/router to another host
    for analysis (the F at the end stands for Forward), but that host is
    currently down for upgrading.
    
    
    
    Oct  6 02:03:21 gw 1525: IP[Src=62.248.158.48 Dst=xxx.xxx.xxx.xxx TCP
    spo=02925 dpo=00053]}S06>R06mF
    Oct  6 07:00:54 gw 1525: IP[Src=216.153.214.84 Dst=xxx.xxx.xxx.xxx TCP
    spo=03997  dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
    spo=49722 dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
    spo=53496 dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
    spo=63217  dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
    spo=57907  dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
    spo=13583 dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=51224  dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
    spo=37503 dpo=00053]}S06>R06mF
    Oct  6 15:20:56 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
    spo=54565 dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP
    spo=39303 dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48593 dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=37779  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
    spo=57719  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
    spo=57174  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
    spo=52486  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
    spo=18133  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
    spo=15205  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
    spo=21712  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
    spo=55707  dpo=00053]}S06>R06mF
    Oct  6 15:20:57 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
    spo=40535  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48593  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=37923  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48739  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
    spo=57860  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
    spo=18277 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
    spo=49897 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
    spo=53671 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
    spo=63392 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
    spo=13758 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
    spo=58084 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
    spo=15380 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=51399  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
    spo=37678 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
    spo=54752 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP
    spo=39418 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
    spo=57349 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
    spo=52661 dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
    spo=21896  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
    spo=55882  dpo=00053]}S06>R06mF
    Oct  6 15:20:59 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
    spo=40710  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
    spo=53714 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
    spo=37721 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
    spo=54785 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
    spo=63435 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
    spo=13801 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
    spo=15423 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
    spo=49940 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
    spo=58127  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=51442  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
    spo=57935  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=37995  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48813  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
    spo=57392 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
    spo=18349  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
    spo=52704 dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
    spo=21939  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
    spo=55925  dpo=00053]}S06>R06mF
    Oct  6 15:21:00 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
    spo=40753  dpo=00053]}S06>R06mF
    Oct  6 15:21:01 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48739  dpo=00053]}S06>R06mF
    Oct  6 15:21:01 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
    spo=57349 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48813  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
    spo=54935 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48954  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
    spo=53890 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
    spo=37895 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
    spo=63609  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
    spo=15597 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
    spo=13975 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
    spo=50114 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
    spo=58301  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=51616  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
    spo=58101  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
    spo=38161  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
    spo=57566 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
    spo=18515  dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
    spo=52878 dpo=00053]}S06>R06mF
    Oct  6 15:21:02 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
    spo=22113  dpo=00053]}S06>R06mF
    Oct  6 15:21:03 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
    spo=56099  dpo=00053]}S06>R06mF
    Oct  6 15:21:03 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
    spo=40927  dpo=00053]}S06>R06mF
    Oct  6 15:21:04 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
    spo=48954  dpo=00053]}S06>R06mF
    
    
    
    
    On Sat, 6 Oct 2001, Pavel Kankovsky wrote:
    
    > On Thursday (Oct 4), we have detected four sweeps, looking for open
    > TCP port 22 (ssh):
    > 
    >    Approx. time   Source IP           Source FQDN
    >    07:05 GMT      162.105.195.118     skltr.mech.pku.edu.cn
    >    12:33 GMT      64.124.36.229       (none)
    >    21:01 GMT      134.100.226.18      mtgp8.zmaw.de
    >    21:41 GMT      131.152.102.64      xunil1.physik.unibas.ch
    > 
    > The traits of all those sweeps were very similar:
    > 
    > - the source port of all probes was 22
    > - all probes within one sweep had the same IP ID (*)
    > - lost/filtered probes were not retried
    > - the sweeps were pretty fast, hundreds of addresses in a few seconds
    > - no actual i/o was done
    > 
    > (*) With 1 exception that had a TTL different from other logged probes
    > in the sweep as well.
    > 
    > Is there any kind of SSH worm out there?!
    > 
    > --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    > "Resistance is futile. Open your source code and prepare for assimilation."
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    
    
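An added example (my code, not from the post or the list) for the kind of triage the post does by eye: a parser for the gateway log format shown above plus a burst check that separates isolated hits, like the two port-53 entries 12 hours apart, from the 15:20 flood. The log format, addresses and times come from the post; the sample lines below are constructed from them, and the thresholds (60-second gap, 5 hits) and the year 2001 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Gateway log format from the post, one entry per line (the mail client wrapped them):
#   Oct  6 15:20:56 gw 1525: IP[Src=A Dst=B TCP spo=NNNNN dpo=NNNNN]}S06>R06mF
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \d+: IP\[Src=(?P<src>[\d.]+) "
                     r"Dst=(?P<dst>[\d.x]+) (?P<proto>TCP|UDP)\s+spo=(?P<spo>\d+)\s+dpo=(?P<dpo>\d+)\]")

def parse(lines, year=2001):
    """Turn log lines into events; syslog stamps carry no year, so 2001 (the post's
    date) is assumed. Lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append({"ts": ts, "src": m["src"], "spo": int(m["spo"]), "dpo": int(m["dpo"])})
    return events

def find_bursts(events, max_gap=60, min_count=5):
    """Per destination port, chain hits at most max_gap seconds apart and report
    chains of at least min_count hits; isolated hits (hours apart) never chain."""
    by_port = defaultdict(list)
    for e in events:
        by_port[e["dpo"]].append(e)
    bursts = []
    for dpo, evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        cluster = [evs[0]]
        for e in evs[1:] + [None]:  # None is a sentinel that closes the last chain
            if e and (e["ts"] - cluster[-1]["ts"]).total_seconds() <= max_gap:
                cluster.append(e)
                continue
            if len(cluster) >= min_count:
                bursts.append({"dpo": dpo, "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
                               "count": len(cluster), "sources": sorted({x["src"] for x in cluster})})
            cluster = [e]
    return bursts

# Constructed sample in the post's format: two isolated port-53 hits, then a burst.
SAMPLE = """\
Oct  6 02:03:21 gw 1525: IP[Src=62.248.158.48 Dst=xxx.xxx.xxx.xxx TCP spo=02925 dpo=00053]}S06>R06mF
Oct  6 07:00:54 gw 1525: IP[Src=216.153.214.84 Dst=xxx.xxx.xxx.xxx TCP spo=03997  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP spo=49722 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP spo=53496 dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP spo=37779  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP spo=49897 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP spo=37995  dpo=00053]}S06>R06mF
""".splitlines()
```

Running `find_bursts(parse(SAMPLE))` reports one port-53 chain of 5 hits from 3 sources spanning 15:20:56 to 15:21:00, while the 02:03 and 07:00 entries stay as the isolated hits the post describes.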



    This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 15:51:08 PDT