Re: port 22 scans + 53 scans

From: Steven S (stevenslat_private)
Date: Sat Oct 06 2001 - 12:53:28 PDT
Next message: Dean Cunningham: "RE: port 22->port 22 scans"
Previous message: Alvaro Soto: "RE: new pop3 exploit out?"
In reply to: Pavel Kankovsky: "port 22->port 22 scans"
Next in thread: John Sage: "Re: port 22 scans + 53 scans"
Next in thread: Dean Cunningham: "RE: port 22->port 22 scans"
Reply: John Sage: "Re: port 22 scans + 53 scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I got 1 probe from 131.152.102.64 @ 13:57 EDT today to port 22

then a flood (81 @ present) of port 53 connection attempts within about 2
minute time span, nothing before nothing after (so far)

notice that i got two port 53 attempts in a 12+ hour period then blam!

spoofed sources?
i was forwarding these packets to from my gateway/router to another host
for analysis (this the F at the end stands for Forward) but the host is
currently down for upgrading.



Oct  6 02:03:21 gw 1525: IP[Src=62.248.158.48 Dst=xxx.xxx.xxx.xxx TCP
spo=02925 dpo=00053]}S06>R06mF
Oct  6 07:00:54 gw 1525: IP[Src=216.153.214.84 Dst=xxx.xxx.xxx.xxx TCP
spo=03997  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=49722 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53496 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63217  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=57907  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13583 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51224  dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37503 dpo=00053]}S06>R06mF
Oct  6 15:20:56 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54565 dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP
spo=39303 dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48593 dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=37779  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=57719  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57174  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52486  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18133  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15205  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=21712  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=55707  dpo=00053]}S06>R06mF
Oct  6 15:20:57 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40535  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48593  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=37923  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48739  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=57860  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18277 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=49897 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53671 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63392 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13758 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=58084 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15380 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51399  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37678 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54752 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=216.220.39.42 Dst=xxx.xxx.xxx.xxx TCP
spo=39418 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57349 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52661 dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=21896  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=55882  dpo=00053]}S06>R06mF
Oct  6 15:20:59 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40710  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53714 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37721 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54785 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63435 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13801 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15423 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=49940 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=58127  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51442  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=57935  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=37995  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48813  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57392 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18349  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52704 dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=21939  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=55925  dpo=00053]}S06>R06mF
Oct  6 15:21:00 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40753  dpo=00053]}S06>R06mF
Oct  6 15:21:01 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48739  dpo=00053]}S06>R06mF
Oct  6 15:21:01 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57349 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48813  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=216.33.35.214 Dst=xxx.xxx.xxx.xxx TCP
spo=54935 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48954  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=216.35.167.58 Dst=xxx.xxx.xxx.xxx TCP
spo=53890 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=209.249.97.40 Dst=xxx.xxx.xxx.xxx TCP
spo=37895 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=207.55.138.206 Dst=xxx.xxx.xxx.xxx TCP
spo=63609  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.37.200.46 Dst=xxx.xxx.xxx.xxx TCP
spo=15597 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.78.235.14 Dst=xxx.xxx.xxx.xxx TCP
spo=13975 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.14.200.154 Dst=xxx.xxx.xxx.xxx TCP
spo=50114 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=208.184.162.71 Dst=xxx.xxx.xxx.xxx TCP
spo=58301  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=216.34.68.2 Dst=xxx.xxx.xxx.xxx TCP
spo=51616  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=194.205.125.26 Dst=xxx.xxx.xxx.xxx TCP
spo=58101  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=62.23.80.2 Dst=xxx.xxx.xxx.xxx TCP
spo=38161  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=62.26.119.34 Dst=xxx.xxx.xxx.xxx TCP
spo=57566 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=194.213.64.150 Dst=xxx.xxx.xxx.xxx TCP
spo=18515  dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=64.56.174.186 Dst=xxx.xxx.xxx.xxx TCP
spo=52878 dpo=00053]}S06>R06mF
Oct  6 15:21:02 gw 1525: IP[Src=203.194.166.182 Dst=xxx.xxx.xxx.xxx TCP
spo=22113  dpo=00053]}S06>R06mF
Oct  6 15:21:03 gw 1525: IP[Src=202.139.133.129 Dst=xxx.xxx.xxx.xxx TCP
spo=56099  dpo=00053]}S06>R06mF
Oct  6 15:21:03 gw 1525: IP[Src=203.208.128.70 Dst=xxx.xxx.xxx.xxx TCP
spo=40927  dpo=00053]}S06>R06mF
Oct  6 15:21:04 gw 1525: IP[Src=193.148.15.128 Dst=xxx.xxx.xxx.xxx TCP
spo=48954  dpo=00053]}S06>R06mF




On Sat, 6 Oct 2001, Pavel Kankovsky wrote:

> On Thursday (Oct 4), we have detected four sweeps, looking for open
> TCP port 22 (ssh):
> 
>    Approx. time   Source IP           Source FQDN
>    07:05 GMT      162.105.195.118     skltr.mech.pku.edu.cn
>    12:33 GMT      64.124.36.229       (none)
>    21:01 GMT      134.100.226.18      mtgp8.zmaw.de
>    21:41 GMT      131.152.102.64      xunil1.physik.unibas.ch
> 
> The traits of all those sweeps were very similar:
> 
> - the source port of all probes was 22
> - all probes within one sweep had the same IP ID (*)
> - lost/filtered probes were not retried
> - the sweeps were pretty fast, hundreds of addresses in few seconds
> - no actual i/o was done
> 
> (*) With 1 exception that had a TTL different from other logged probes
> in the sweep as well.
> 
> Is there any kind of SSH worm out there?!
> 
> --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Next message: Dean Cunningham: "RE: port 22->port 22 scans"
Previous message: Alvaro Soto: "RE: new pop3 exploit out?"
In reply to: Pavel Kankovsky: "port 22->port 22 scans"
Next in thread: John Sage: "Re: port 22 scans + 53 scans"
Next in thread: Dean Cunningham: "RE: port 22->port 22 scans"
Reply: John Sage: "Re: port 22 scans + 53 scans"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Sun Oct 07 2001 - 15:51:08 PDT