Here is a snippet from my Shadow IDS report on the matter... This isn't the 1st report either. We were probed at least one time more, at a later date.

A Sequentially Distributed RECON probe for SubSeven V 2.1 port 27374 started on Jul-17-2002 at 15:39:31 hours and ended on Jul-17-2002 at 22:36:34 hours.

The success of the attack was rated under the success rate algorithm as a -3:

    (criticality + lethality) - (netcounters + hostcounters)
    (3 + 5) - (5 + 5) = -3

The analysis proved that 23 separate hosts were used for the attack, each host probing our entire external class C for approx 1 minute on one single port (27374 TCP). There was a time lapse between each scan sweep, which indicated the attack was not used for a distributed denial of service. It also indicates that it is possible the attack was performed by one individual controlling many hosts. The TTL values and the WINDOW SIZE values were examined for differences, and indicated that these hosts were not used as decoys, nor were their addresses spoofed. A recon probe against the attacking hosts that were up indicated that they are all Windows hosts, all with port 139 open to the public. Some hosts did show signs of being compromised and had viruses present. It was determined that all attacking hosts are unknowingly being used to attack other systems. No IP registry trace was done on the attacking hosts for that reason. No hosts from our range responded to the attack.

Below is the base information on the hosts used during the attack.
218.233.3.203   (15:39:31 - 15:40:26) TTL = 110, Win = 8192
66.24.202.248   (15:41:49 - 15:42:49) TTL = 46,  Win = 4000
211.228.10.15   (15:41:49 - 15:42:41) TTL = 112, Win = 16384
24.71.34.22     (16:35:50 - 16:36:46) TTL = 112, Win = 8192
211.236.200.147 (16:41:30 - 16:42:22) TTL = 111, Win = 16384
216.236.40.220  (16:47:30 - 16:47:52) TTL = 118, Win = 8192
142.179.234.35  (17:13:23 - 17:13:57) TTL = 112, Win = 8192
218.154.176.67  (17:29:55 - 17:30:40) TTL = 112, Win = 16384
61.84.235.145   (17:57:36 - 17:58:17) TTL = 112, Win = 8192
217.128.15.218  (18:50:30 - 18:51:31) TTL = 115, Win = 32768
211.207.25.102  (18:55:48 - 18:56:39) TTL = 112, Win = 8192
151.30.194.39   (20:08:26 - 20:09:17) TTL = 113, Win = 32768
24.112.88.252   (20:17:15 - 20:17:49) TTL = 111, Win = 8192
65.29.80.22     (20:41:11 - 20:41:46) TTL = 112, Win = 8192
213.225.61.124  (20:56:42 - 20:57:26) TTL = 113, Win = 16384
61.79.94.143    (21:13:42 - 21:14:32) TTL = 112, Win = 8192
62.64.233.250   (21:17:02 - 21:17:53) TTL = 111, Win = 8192
206.30.150.213  (21:35:39 - 21:36:23) TTL = 109, Win = 8760
209.245.195.93  (21:36:08 - 21:36:54) TTL = 114, Win = 8760
211.200.87.28   (21:36:30 - 21:37:14) TTL = 112, Win = 16384
211.221.103.44  (22:12:23 - 22:13:11) TTL = 111, Win = 16384
213.23.55.246   (22:31:25 - 22:32:25) TTL = 113, Win = 8192
211.211.85.143  (22:35:57 - 22:26:34) TTL = 112, Win = 8192

-----Original Message-----
From: Baribault, Gary [mailto:garyat_private]
Sent: Monday, August 12, 2002 3:13 PM
To: grdnwsl; Rob Keown
Cc: incidentsat_private
Subject: Re: Subseven Scans

Hum .. I just found a bunch of 27374 on one of my SDSL links with a few of the 12345 scans. This link's firewall is always way more active. My second is an ADSL and it's usually quieter; this one has no 12345 but a few 27374.
Gary B

At 11:08 AM 8/12/2002 -0500, Preston Kutzner wrote:
>Hello Rob,
>
>Sunday, August 11, 2002, 8:42:50 AM, you wrote:
>
>RK> Anyone else seeing a huge increase in subseven scans...6708 since about
>RK> 0300Z - across all of my class C's and from quite a few sources
>(running the
>RK> query now to see how many).
>
>RK> Rob
>
>
>RK> >----------------------------------------------------------------------------
>RK> This list is provided by the SecurityFocus ARIS analyzer service.
>RK> For more information on this free incident handling, management
>RK> and tracking system please see: http://aris.securityfocus.com
>
>I've seen quite a bit of traffic on ports tcp/12345 and tcp/27374.
>According to what I've seen, 27374 is a port used by quite a few
>versions of SubSeven, as for 12345, it's not mentioned that subseven
>runs on that port (that I've seen), but I am seeing attempted
>connections to these ports at the same time (maybe some other vuln
>attempt I'm not aware of? anyone?). Hope that helps.
>
>--
>Preston Kutzner | IT Manager
>Marketing Resources, Inc.
>
>_________________________________________________________________
>The information transmitted is intended only for the person or entity to
>which it is addressed and may contain confidential and/or privileged
>material. Any review, retransmission, dissemination or other use of, or
>taking of any action in reliance upon, this information by persons or
>entities other than the intended recipient is prohibited. If you received
>this in error, please contact the sender and delete the material from any
>computer.
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 08:57:13 PDT