RE: Strange connection attempts

From: Cloppert, Michael (Michael.Cloppertat_private)
Date: Tue Jan 08 2002 - 05:35:48 PST


    Andrea,
    
    After a cursory overview, my first guess would be that someone is using a
    tool like nmap to poke around for a hole on port 36 using multiple "decoy"
    IP addresses (the "-D" option).  
    
    The packets are too infrequent to argue for a DDoS.  However, we'll notice
    that the source port is always port 137, which would also make me suspect a
    coordinated probe from bots.  I would think nmap from a single machine would
    generate packets with at least somewhat varying source ports.
    
    From http://www.iana.org/assignments/port-numbers:
    #                36/tcp    Unassigned
    #                36/udp    Unassigned
    time             37/tcp    Time
    time             37/udp    Time
    #                40/tcp    Unassigned
    #                40/udp    Unassigned
    ... no standard uses for 36 (most frequently scanned) and 40.  I wonder if
    this d00d is looking for more bots configured to listen on one of those 3
    ports.  An (admittedly brief) google search doesn't show much for these
    ports.  Anyone have more info on these (that may know more about bots than
    I)?
    
    You may want to do a ping sweep and nslookup on the source IPs to see if
    they're legit.  Some things to think about: Is the host alive?  Does its
    reverse DNS resolve to some sort of modem pool (to indicate a home user)?
    Another thing you may want to do, if you find that one (or more) of the
    source IPs are legit and alive (and I know this flirts with the grey area
    of the law): do a portscan to see if any of the people who scanned YOU are
    listening on those three ports (keep in mind TCP/37 is UTP and may be a
    genuine service).
    
    One thing I can't explain is why you're getting hit so many times at your
    router (one IP) for these ports.  It's not like by knocking harder the hax0r
    is going to convince you to open up the firewall door... perhaps repeated
    sweeps of the subnet that my.border.router.ip resides in?
    
    Just some thoughts... please feel free to correct me if I'm totally off-base
    with anything (I'm sure I blew the call somewhere in here :-) ).
    
    Mike Cloppert 
    Systems Analyst 
    Fifth Third Bank 
    513 534 0898 
    michael.cloppertat_private 
    
    > -----Original Message-----
    > From: Andrea Efstathiou [mailto:aefstathiouat_private]
    > Sent: Monday, January 07, 2002 11:49 AM
    > To: incidentsat_private
    > Subject: Strange connection attempts
    > 
    > 
    > Hi All,
    > 
    > I was wondering if anyone else was seeing, or has seen attempts like this
    > before and/or could tell me what might be causing them.
    > 
    > Jan  2 13:42:13 my.domain.com41479: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.106.18.248(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:44:53 my.domain.com41482: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.58.230.212(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:45:08 my.domain.com41484: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.251.123(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:46:47 my.domain.com41485: %SEC-6-IPACCESSLOGP: list inbound denied udp 195.176.180.174(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:46:58 my.domain.com41487: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:47:58 my.domain.com41502: %SEC-6-IPACCESSLOGP: list inbound denied udp 141.217.10.169(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:48:56 my.domain.com41504: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.103.119.138(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:50:08 my.domain.com41506: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.56.168.38(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:51:52 my.domain.com41509: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:52:14 my.domain.com41510: %SEC-6-IPACCESSLOGP: list inbound denied udp 204.210.232.253(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:56:01 my.domain.com41516: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:56:39 my.domain.com41517: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.107.57.252(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 13:56:56 my.domain.com41518: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 13:57:56 my.domain.com41519: %SEC-6-IPACCESSLOGP: list inbound denied udp 204.210.232.253(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:00:58 my.domain.com41527: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:01:27 my.domain.com41528: %SEC-6-IPACCESSLOGP: list inbound denied udp 212.131.230.179(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:01:57 my.domain.com41529: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:05:38 my.domain.com41534: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.173.208.254(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:06:00 my.domain.com41536: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.8.234.234(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:06:57 my.domain.com41539: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:07:39 my.domain.com41540: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.37.60.15(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:09:25 my.domain.com41544: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:13:53 my.domain.com41559: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:17:19 my.domain.com41565: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.168.212.107(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:19:50 my.domain.com41568: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.40.241.184(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:20:59 my.domain.com41569: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.81.200.98(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:22:59 my.domain.com41573: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.168.212.107(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:23:59 my.domain.com41576: %SEC-6-IPACCESSLOGP: list inbound denied udp 203.247.220.183(137) -> my.border.router.ip(36), 3 packets
    > Jan  2 14:24:29 my.domain.com41578: %SEC-6-IPACCESSLOGP: list inbound denied udp 158.194.80.59(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:24:59 my.domain.com41579: %SEC-6-IPACCESSLOGP: list inbound denied udp 207.40.241.184(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:25:59 my.domain.com41581: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.95.243.199(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:27:28 my.domain.com41585: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.204.206.98(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:27:48 my.domain.com41586: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.197.234.119(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:30:00 my.domain.com41589: %SEC-6-IPACCESSLOGP: list inbound denied udp 158.194.80.59(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:30:54 my.domain.com41592: %SEC-6-IPACCESSLOGP: list inbound denied udp 216.191.217.66(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:32:02 my.domain.com41596: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.159.100.37(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:33:00 my.domain.com41599: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.197.234.119(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:34:38 my.domain.com41600: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.221.145.131(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:36:00 my.domain.com41602: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.159(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:40:01 my.domain.com41610: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.221.145.131(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:40:56 my.domain.com41612: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:41:02 my.domain.com41614: %SEC-6-IPACCESSLOGP: list inbound denied udp 128.163.94.92(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:41:35 my.domain.com41615: %SEC-6-IPACCESSLOGP: list inbound denied udp 168.131.57.87(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:41:53 my.domain.com41616: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.83.39.140(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:42:23 my.domain.com41618: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.149.128.36(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:44:21 my.domain.com41623: %SEC-6-IPACCESSLOGP: list inbound denied udp 213.45.107.130(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:46:01 my.domain.com41627: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.65.246.247(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:47:01 my.domain.com41629: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.83.39.140(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:50:11 my.domain.com41632: %SEC-6-IPACCESSLOGP: list inbound denied udp 142.103.165.51(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:51:03 my.domain.com41637: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.20.105.233(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:51:40 my.domain.com41638: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.33.170.194(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:54:02 my.domain.com41642: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.149.128.36(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:54:57 my.domain.com41644: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.171.214.131(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:55:18 my.domain.com41646: %SEC-6-IPACCESSLOGP: list inbound denied udp 212.125.225.165(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:55:47 my.domain.com41647: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.198.44.4(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 14:57:03 my.domain.com41652: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.20.105.233(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 14:58:56 my.domain.com41654: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.180.172.8(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 15:00:03 my.domain.com41659: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.171.214.131(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 15:01:48 my.domain.com41663: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.219.43.175(137) -> my.border.router.ip(36), 1 packet
    > Jan  2 15:04:03 my.domain.com41667: %SEC-6-IPACCESSLOGP: list inbound denied udp 202.180.172.8(137) -> my.border.router.ip(36), 2 packets
    > Jan  2 15:07:04 my.domain.com41672: %SEC-6-IPACCESSLOGP: list inbound denied udp 211.219.43.175(137) -> my.border.router.ip(36), 2 packets
    > 
    > Jan  3 09:04:37 my.domain.com41870: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:05:48 my.domain.com41871: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.91.178.156(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:07:04 my.domain.com41873: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.207.157.172(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:09:43 my.domain.com41875: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.212.205.68(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:10:11 my.domain.com41876: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.88.86(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:10:28 my.domain.com41877: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.196.28.67(137) -> my.border.router.ip(37), 2 packets
    > Jan  3 09:10:45 my.domain.com41878: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.27(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:12:04 my.domain.com41880: %SEC-6-IPACCESSLOGP: list inbound denied udp 156.3.31.177(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:12:13 my.domain.com41881: %SEC-6-IPACCESSLOGP: list inbound denied udp 4.3.205.254(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:12:29 my.domain.com41882: %SEC-6-IPACCESSLOGP: list inbound denied udp 24.207.157.172(137) -> my.border.router.ip(37), 2 packets
    > Jan  3 09:12:33 my.domain.com41883: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.107.131.247(137) -> my.border.router.ip(37), 1 packet
    > Jan  3 09:15:29 my.domain.com41885: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.88.86(137) -> my.border.router.ip(37), 2 packets
    > Jan  3 09:16:29 my.domain.com41886: %SEC-6-IPACCESSLOGP: list inbound denied udp 144.92.175.27(137) -> my.border.router.ip(37), 2 packets
    > Jan  3 09:17:29 my.domain.com41887: %SEC-6-IPACCESSLOGP: list inbound denied udp 156.3.31.177(137) -> my.border.router.ip(37), 2 packets
    > Jan  3 09:18:29 my.domain.com41888: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.107.131.247(137) -> my.border.router.ip(37), 2 packets
    > 
    > Jan  4 17:42:43 my.domain.com42179: %SEC-6-IPACCESSLOGP: list inbound denied udp 208.63.124.173(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:43:33 my.domain.com42181: %SEC-6-IPACCESSLOGP: list inbound denied udp 206.142.24.160(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:44:12 my.domain.com42183: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:44:33 my.domain.com42184: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:44:44 my.domain.com42185: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.246.179(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:45:51 my.domain.com42187: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.251.16.2(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:46:45 my.domain.com42188: %SEC-6-IPACCESSLOGP: list inbound denied udp 206.69.196.90(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:47:04 my.domain.com42189: %SEC-6-IPACCESSLOGP: list inbound denied udp 62.142.203.158(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:47:33 my.domain.com42190: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.232.55(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:49:51 my.domain.com42193: %SEC-6-IPACCESSLOGP: list inbound denied udp 65.198.243.40(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:50:51 my.domain.com42194: %SEC-6-IPACCESSLOGP: list inbound denied udp 209.251.16.2(137) -> my.border.router.ip(40), 2 packets
    > Jan  4 17:51:21 my.domain.com42195: %SEC-6-IPACCESSLOGP: list inbound denied udp 134.102.68.26(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:52:30 my.domain.com42196: %SEC-6-IPACCESSLOGP: list inbound denied udp 130.184.111.212(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:52:51 my.domain.com42197: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.89.162.78(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:53:22 my.domain.com42198: %SEC-6-IPACCESSLOGP: list inbound denied udp 137.204.133.109(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:54:51 my.domain.com42200: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.246.179(137) -> my.border.router.ip(40), 3 packets
    > Jan  4 17:56:24 my.domain.com42201: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:56:28 my.domain.com42202: %SEC-6-IPACCESSLOGP: list inbound denied udp 80.116.86.119(137) -> my.border.router.ip(40), 1 packet
    > Jan  4 17:56:52 my.domain.com42204: %SEC-6-IPACCESSLOGP: list inbound denied udp 134.102.68.26(137) -> my.border.router.ip(40), 2 packets
    > Jan  4 17:57:52 my.domain.com42205: %SEC-6-IPACCESSLOGP: list inbound denied udp 130.184.111.212(137) -> my.border.router.ip(40), 2 packets
    > Jan  4 17:58:52 my.domain.com42206: %SEC-6-IPACCESSLOGP: list inbound denied udp 137.204.133.109(137) -> my.border.router.ip(40), 2 packets
    > Jan  4 18:01:52 my.domain.com42209: %SEC-6-IPACCESSLOGP: list inbound denied udp 66.169.149.134(137) -> my.border.router.ip(40), 1 packet
    > 
    > Regards,
    > 
    > Andrea Efstathiou
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
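As an added example (my code, not from either poster), a small Python triage script for %SEC-6-IPACCESSLOGP lines of the kind quoted above: it parses each entry and reports, per destination port, how many distinct sources hit it, whether the source port is fixed (Mike's observation about 137), and which sources came back. The sample lines, the host name "rtr…" and the function names are constructed; the addresses are TEST-NET, not the thread's real IPs.

```python
import re
from collections import Counter, defaultdict

# Cisco IOS ACL log line in the shape shown in the thread (the host field
# fuses hostname and a sequence number, e.g. "rtr41479:", a constructed name).
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+: %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Constructed sample lines (TEST-NET addresses, not the thread's real IPs):
# repeat hits on port 36, a varying source port on port 40, one permitted line.
SAMPLE_LOG = """\
Jan  2 13:42:13 rtr41479: %SEC-6-IPACCESSLOGP: list inbound denied udp 192.0.2.10(137) -> 198.51.100.1(36), 1 packet
Jan  2 13:44:53 rtr41482: %SEC-6-IPACCESSLOGP: list inbound denied udp 192.0.2.11(137) -> 198.51.100.1(36), 1 packet
Jan  2 13:56:56 rtr41518: %SEC-6-IPACCESSLOGP: list inbound denied udp 192.0.2.10(137) -> 198.51.100.1(36), 2 packets
Jan  3 09:04:37 rtr41870: %SEC-6-IPACCESSLOGP: list inbound denied udp 192.0.2.20(137) -> 198.51.100.1(37), 1 packet
Jan  3 09:05:48 rtr41871: %SEC-6-IPACCESSLOGP: list inbound denied udp 192.0.2.21(137) -> 198.51.100.1(37), 1 packet
Jan  4 17:42:43 rtr42179: %SEC-6-IPACCESSLOGP: list inbound denied tcp 192.0.2.30(41000) -> 198.51.100.1(40), 1 packet
Jan  4 17:43:33 rtr42181: %SEC-6-IPACCESSLOGP: list inbound permitted tcp 192.0.2.31(53) -> 198.51.100.1(25), 1 packet
Jan  4 17:44:12 rtr42183: %SEC-6-IPACCESSLOGP: list inbound denied udp 192.0.2.30(137) -> 198.51.100.1(40), 1 packet
""".splitlines()

def parse_line(line):
    """Fields of one ACL log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Per destination port of denied traffic: distinct sources, packet total,
    source ports seen, and sources that came back more than once."""
    by_dport = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "denied":
            by_dport[rec["dport"]].append(rec)
    summary = {}
    for dport, recs in by_dport.items():
        hits = Counter()
        for r in recs:
            hits[r["src"]] += r["count"]
        summary[dport] = {
            "distinct_sources": len(hits),
            "packets": sum(hits.values()),
            "source_ports": sorted({r["sport"] for r in recs}),
            "repeat_sources": sorted(s for s, n in hits.items() if n > 1),
        }
    return summary

def fixed_source_port(summary):
    """Ports whose denied probes all share one source port: many sources with an
    identical source port fits a coordinated probe better than one scanner with
    decoys, which would vary the source port."""
    return {d for d, s in summary.items() if len(s["source_ports"]) == 1}
```

Run it over a real export by replacing SAMPLE_LOG with the file's lines; the repeat_sources list is the set worth the reverse-DNS and liveness checks Mike suggests.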
    



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 08:09:30 PST