large scale distributed scan of port tcp 445

From: Russell Fulton (r.fultonat_private)
Date: Thu Aug 08 2002 - 15:35:32 PDT


    Greeting All,
        Again my apologies to those of you who receive two copies of this
    note; I am posting it to both unsog and incidents since a fair number of
    educational sites are involved. This posting may also be related to an
    ongoing discussion on the unsog list of compromised W2K boxes.
    
    At around 0545 on the 8th Aug (UTC) we got hit by a distributed scan
    from 100 machines scattered around the world. Most of the addresses are
    owned by large ISPs, and domain names indicate that they are cable or xDSL
    customers. A significant minority of the addresses belonged to
    educational institutions (one Taiwanese institution was very well
    represented :( ). I have notified all the edu sites that I can identify
    and will work through the ISPs later today.
    
    For the record it took them 6 minutes to scan our entire /16 address
    space.
    
    Here is a cut and paste from my index of scans; the time at the start is
    just to 1-hour resolution.
    
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    "It aint necessarily so"  - Gershwin
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
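One way to pick out a distributed scan like the one reported above from a scan index in the format the post shows, as an added example (not Russell Fulton's code or the index tool itself): it parses lines of the form `<time> host[ip] - Network_scan[tcp-445] - new`, including the bare-IP and multi-port (`tcp-80, 445`) variants, then groups sources per hour and port and flags any bucket hit by many distinct sources. The sample lines and the `min_sources` threshold are constructed assumptions.

```python
"""Flag a distributed scan in a scan index of the form shown in the post:
"<time> host[ip] - Network_scan[tcp-445] - new". Added example, not part of
Russell Fulton's post; the sample lines are constructed (TEST-NET addresses)."""
import re
from collections import defaultdict

# timestamp, optional hostname, bracketed IP, port list, status
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2}\.\d{2}\.\d{2})\s+"
    r"(?P<host>\S*?)\[(?P<ip>[\d.]+)\]\s+-\s+"
    r"Network_scan\[(?P<ports>[^\]]+)\]\s+-\s+(?P<status>\w+)$"
)

def parse_line(line):
    """Return (hour_bucket, ip, [(proto, port), ...]) or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hour = m.group("ts")[:13]  # "2002.08.08.17": the index only has 1-hour resolution
    ports, proto = [], "tcp"
    # The port field reads "tcp-445" or "tcp-80, 445"; the protocol carries over.
    for item in m.group("ports").split(","):
        item = item.strip()
        if "-" in item:
            proto, item = item.split("-", 1)
        ports.append((proto, int(item)))
    return hour, m.group("ip"), ports

def find_distributed_scans(lines, min_sources=20):
    """Group sources per (hour, proto, port); return buckets hit by >= min_sources distinct IPs."""
    buckets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than abort the sweep
        hour, ip, ports = parsed
        for proto, port in ports:
            buckets[(hour, proto, port)].add(ip)
    return {key: sorted(ips) for key, ips in buckets.items() if len(ips) >= min_sources}

# Constructed sample: 25 distinct sources on tcp/445 in one hour, plus unrelated noise.
SAMPLE = [f"2002.08.08.17.00 h{i}.example.net[192.0.2.{i}] - Network_scan[tcp-445] - new"
          for i in range(1, 24)]
SAMPLE += [
    "2002.08.08.17.00 [192.0.2.200] - Network_scan[tcp-80, 445] - new",
    "2002.08.08.17.00 [192.0.2.201] - Network_scan[tcp-445] - new",
    "2002.08.08.18.00 lone.example.net[192.0.2.202] - Network_scan[tcp-22] - new",
]
```

Calling `find_distributed_scans(SAMPLE)` returns only the `("2002.08.08.17", "tcp", 445)` bucket with its 25 sources; the single-source tcp/80 and tcp/22 entries stay below the threshold.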
    



    This archive was generated by hypermail 2b30 : Thu Aug 08 2002 - 16:05:47 PDT