Re: 6112/TCP scans

From: Paul Dokas (dokasat_private)
Date: Tue Dec 11 2001 - 13:18:58 PST


    On Fri, Dec 07, 2001 at 05:57:42PM -0600, dewt wrote:
    > On Friday 07 December 2001 03:14 pm, Paul Dokas wrote:
    > > Is anyone else seeing large numbers of 6112/TCP scan coming from
    > > 63.240.0.0 - 63.242.255.255?  I'm seeing about 10/minute destined to
    > > random IPs within my networks.  The scanning technique looks exactly
    > > like the TCPMUX scans that were occurring a few months ago (forgive me,
    > > I can't remember what the technique was, just that it was really odd).
    > >
    > > Obviously, they're looking for vulnerable CDE installations.
    > >
    > > Paul
    >
    > 6112 is the port used by blizzard's battlenet, you might just have people 
    > playing diablo 2,starcraft, or whatever on your network
    
    You know, at first, this sounded right to me.  However, over the weekend
    and yesterday, my IDS picked up lots of this:
    
    Time	Source IP	Dest IP	Protocol	Src Port	Dest Port	Type	Connections/Packets
    
    9-Dec-2001 12:56:27	63.240.202.138	A.B.C.26	6	1248	6112	bad dst port	1
    9-Dec-2001 12:56:27	63.240.202.138	A.B.E.27	6	1193	6112	bad dst port	1
    9-Dec-2001 12:56:37	63.240.202.138	A.B.F.69	6	1208	6112	bad dst port	1
    9-Dec-2001 12:55:56	63.240.202.138	A.B.G.38	6	1128	6112	bad dst port	1
    9-Dec-2001 12:56:07	63.240.202.138	A.B.G.43	6	1139	6112	bad dst port	1
    9-Dec-2001 12:56:57	63.240.202.138	A.B.D.116	6	1127	6112	bad dst port	1
    9-Dec-2001 12:57:37	63.240.202.138	A.B.D.105	6	1099	6112	bad dst port	1
    9-Dec-2001 12:57:37	63.240.202.138	A.B.G.100	6	1176	6112	bad dst port	1
    .
    .
    .
    
    
    Where I've replaced my IP addresses with 'A.B.[CDEFG].'  All of the packets
    were 40 bytes, and not all of the destination IP addresses are in use.
    
    
    The sources of the packets were 63.240.202.138, 63.240.202.139 and
    63.240.202.140; the destination was always 6112/TCP.  I've got ~450
    packets over the 4-day period from 00:00 GMT+6 12/8 through this morning
    for my /21 network.
    
    
    To me, it looks like there was a slow scan with randomized destinations going
    until Friday.  Then it seems to have switched to a faster type of scan, or
    possibly to just scanning my class A or B network.
    
    
    Also, there does appear to be legitimate battlenet traffic going to that
    area of the Internet.  Perhaps someone is scanning from those IPs specifically
    to hide within the legit battlenet traffic?
    
    
    Paul
    -- 
    Paul Dokas                                            dokasat_private
    ======================================================================
    Don Juan Matus:  an enigma wrapped in mystery wrapped in a tortilla.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
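The post's own evidence against the "it's just Battle.net" explanation is structural: one source address touching many distinct destinations, one 40-byte packet each, including addresses that nobody on the network is using. The script below is an added example (not from the original message, nor from the ARIS service) that turns that reasoning into a triage check over IDS rows in the same tab-separated layout as the table above. The rows, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses and the LIVE_HOSTS inventory are all constructed for the example; the thresholds are assumptions, not tuned values.

```python
"""Triage 6112/TCP records: one-packet-per-host scanning vs. a game client.

Added example, not part of the original post. Sample rows below are
constructed in the same column order as the IDS table in the message:
Time, Source IP, Dest IP, Protocol, Src Port, Dest Port, Type, Connections/Packets.
"""
from collections import defaultdict

# Constructed log rows (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
9-Dec-2001 12:56:27\t198.51.100.138\t192.0.2.26\t6\t1248\t6112\tbad dst port\t1
9-Dec-2001 12:56:27\t198.51.100.138\t192.0.2.27\t6\t1193\t6112\tbad dst port\t1
9-Dec-2001 12:56:37\t198.51.100.138\t192.0.2.69\t6\t1208\t6112\tbad dst port\t1
9-Dec-2001 12:55:56\t198.51.100.138\t192.0.2.200\t6\t1128\t6112\tbad dst port\t1
9-Dec-2001 12:56:07\t198.51.100.138\t192.0.2.43\t6\t1139\t6112\tbad dst port\t1
9-Dec-2001 12:56:57\t198.51.100.138\t192.0.2.201\t6\t1127\t6112\tbad dst port\t1
9-Dec-2001 13:02:11\t203.0.113.7\t192.0.2.10\t6\t3281\t6112\tbad dst port\t12
9-Dec-2001 13:04:40\t203.0.113.7\t192.0.2.10\t6\t3281\t6112\tbad dst port\t9
9-Dec-2001 13:05:02\t203.0.113.99\t192.0.2.26\t17\t1024\t6112\tbad dst port\t3
"""

# Assumed inventory of addresses actually in use on the monitored /24.
# In practice this comes from the site's own asset list or ARP/DHCP data.
LIVE_HOSTS = {"192.0.2.10", "192.0.2.26", "192.0.2.27", "192.0.2.43", "192.0.2.69"}


def parse_rows(text):
    """Parse tab-separated IDS rows into dicts; numeric columns become ints."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"line {lineno}: expected 8 columns, got {len(fields)}")
        time, src, dst, proto, sport, dport, kind, count = fields
        rows.append({"time": time, "src": src, "dst": dst, "proto": int(proto),
                     "sport": int(sport), "dport": int(dport), "type": kind,
                     "count": int(count)})
    return rows


def profile_sources(rows, live_hosts, port=6112):
    """Aggregate TCP traffic to `port` per source: targets, dead targets, volume."""
    prof = defaultdict(lambda: {"dsts": set(), "dead_dsts": set(), "packets": 0,
                                "packets_per_dst": defaultdict(int), "sports": set()})
    for r in rows:
        if r["proto"] != 6 or r["dport"] != port:   # TCP to the port of interest only
            continue
        p = prof[r["src"]]
        p["dsts"].add(r["dst"])
        if r["dst"] not in live_hosts:                # probe of an address nobody uses
            p["dead_dsts"].add(r["dst"])
        p["packets"] += r["count"]
        p["packets_per_dst"][r["dst"]] += r["count"]
        p["sports"].add(r["sport"])
    return dict(prof)


def classify(profile, min_targets=5):
    """Label each source address (heuristic thresholds are assumptions).

    scan:    several distinct destinations with probes to unused addresses, or
             many destinations at roughly one packet each.
    client:  one or two live destinations, contacted repeatedly.
    unknown: anything else; hand it to an analyst.
    """
    labels = {}
    for src, p in profile.items():
        n_dst = len(p["dsts"])
        max_per_dst = max(p["packets_per_dst"].values())
        if (p["dead_dsts"] and n_dst >= 3) or (n_dst >= min_targets and max_per_dst == 1):
            labels[src] = "scan"
        elif n_dst <= 2 and not p["dead_dsts"] and p["packets"] > n_dst:
            labels[src] = "client"
        else:
            labels[src] = "unknown"
    return labels


if __name__ == "__main__":
    prof = profile_sources(parse_rows(SAMPLE_LOG), LIVE_HOSTS)
    for src, label in sorted(classify(prof).items()):
        p = prof[src]
        print(f"{src:16} {label:8} targets={len(p['dsts'])} "
              f"dead={len(p['dead_dsts'])} packets={p['packets']}")
```

The UDP row is deliberately dropped by the protocol filter so the check stays on the 6112/TCP question the post raises; the "dead destination" test is the strongest single signal, since a legitimate client has no reason to contact an address that is not in use, while the one-packet-per-host pattern alone can also be produced by a misconfigured client retrying across a list of servers.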
    



    This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 13:56:42 PST